Network Computing is part of the Informa Tech Division of Informa PLC


Secure to the Core: Page 5 of 11

Another common failure is deploying what might be perceived as a defense-in-depth implementation when, in reality, the deployment still possesses a single point of security failure. Take many Web-based e-commerce applications, for example: While a given deployment may involve firewalls and intrusion-detection systems, if the application requires a single user name and password combination to access critical data, does the strategy truly possess any depth? How many effective controls sit between an intruder and critical data sets?

Traditional perimeter-centric and attacker-centric protection models face future problems as well. Still in the making is one of the biggest challenges: Web services. As companies collaborate, and internal systems engage in higher levels of interoperability with foreign systems, one organization's lax attitude is another's security nightmare. The ever-evolving perimeter, combined with components, subroutines and data exchanges that organizations no longer control, will bring new meaning to the phrase "target-rich environment."



Loss Costs

Other people's problems invading your computing environment won't be the exception; it will be the norm. Technologies such as SOAP and XML-RPC promote asset-centric data sharing, rendering most perimeter controls useless. Perimeter- and attack-centric models won't help here: Organizations must move to more asset-centric controls or face increased risk and exposure.

Many organizations are seeing the first wave of these threats, albeit as scaled-down versions, in their extranets. For example, the outbreak of automated worms such as Nimda left many companies in the precarious position of having third-party systems attacking their own internal machines. The problem resulted from Microsoft IIS-based systems that were owned and operated by third parties, resided on local networks and were used by local users but hadn't kept up with the latest patches. The result: An outsider's negligence caused damage to internal resources--resources that did not fall under the protection of perimeter controls. Further network segmentation, and more tiers of defenses, would have helped prevent these situations.

Looking Ahead