I was reading an article about the NSA’s quantum-resistant algorithms and that made me reflect on the relentless progress of technology, both for cyberattacks and cyber defense. Not all things are made obsolete at the same time—thank goodness—but we’re not still protecting our floppy disks from being illegally copied with bad sectors. All things must pass when their day is done.
I’m also reviewing a zero-trust framework from only a few years ago. Already, I see where we’ve made improvements and adjustments. I’m not even reviewing documents older than this one – best to just completely rewrite with current conditions in mind. And how long will these last? I can’t say for sure, but I’ll likely look back on these in a few years with the same nostalgia that I’m currently experiencing.
The principles don’t change: we still want to protect and defend. We still have data that we want to secure and various paths to that data that we want to block unauthorized agents from accessing. What has changed over time is the location of that data and the paths available to access it. What’s also changed is the impact of increased computing power, in the hands of both the attacker and the defender.
There are games and sports whose rules seem written in stone. Chess, Monopoly, golf, checkers, tic-tac-toe, and seven-card stud are all the same games they were decades ago. The rules have not changed, so the general approaches to play remain the same. While psychology can give new advantages in poker, new gear can modify the golf game, and strategy trends influence chess, we’re still looking at the same games that have existed for ages. These are all poor analogies for cybersecurity.
There are games that change dramatically over time. I’ve played the Civilization series since it first came out in 1991. The strategies I used in Civilization I are totally inadequate for Civilization VI, the current iteration of the series. While I could have a single modification running in my Civilization II game, I now have thousands of mods on my Civ 6 game, with fundamental impacts on how I play. That’s more like cybersecurity. We’re still in the same game we were in 30 years ago, but we can’t play it the same way that we once did.
Now, look at the tools and processes you have in place. Are you still thinking about defeating the cyber attacker of a bygone age? That question requires other, follow-up questions. Are there any obsolete encryption protocols used by your enterprise? Do you have MFA enabled for all your applications? Is your network segmented? Are your admin and service accounts participating in a PAM arrangement?
The key to all these new questions comes back to identity. We should no longer assume that a username and password are good enough for access, as we once did. And even if an attacker can’t guess our passwords, if that attacker has access to our personal information from any number of breaches that have happened, that attacker could potentially get our passwords reset to something more to their liking. That is, unless we have additional safeguards around our credentials with stricter identity management tools.
Will things change in the future? Will I one day be talking about something else as a key component of security? Of course. For now, the discussion is identity. That’s the area to really focus on to deal with the attackers of today.