Written by Leo Taddeo on August 01, 2019
Capital One: the Latest Victim of Complexity
Increasingly complicated security systems are leading to massive data breaches – it’s time to simplify.
Over the last few days, the Capital One breach has dominated the news cycle as the latest high-profile security incident. I’m sure that we’ll all learn more about this incident as the investigation progresses, but I’d like to focus on a common, often-overlooked thread across many such incidents: complexity.
Having examined multiple large-scale breaches throughout my career, I have no doubt that effective enterprise security remains an intricate and massive undertaking. It is this complexity, combined, of course, with inevitable human error, that is the root cause of the majority of these incidents – not the exotic “zero day” exploits that we see in movies.
Cloud IaaS platforms, like the one used in this case, are generally very difficult to breach from a technical point of view – their security is robust and highly resistant to exploitation. However, most enterprises secure access to these cloud environments with traditional security tools, such as firewalls, NACs, and VPNs. The problem is that these legacy tools simply aren’t designed for today’s modern, hybrid environments. Taken as individual tools, these point solutions have a purpose and add some value, but together, they result in siloed security models and forced integrations. Too frequently, they lead to the misconfigurations that cause the types of breaches we see so often.
Complexity is the enemy of security. In fact, it appears Capital One may be the victim of a common security challenge; organizations have too many rules, too many tools, too many vendors, and too many options. When security and IT professionals have to deploy, configure, manage, and maintain over a dozen point solutions that all help protect some small piece of the puzzle, the massive operational scope and maintenance complexity create not only an enormous attack surface, but also an enormous surface for misconfiguration.
It’s time for a shift in how we secure the different avenues that lead to data compromise: network, workloads, people, and devices.
The good news is that security is evolving. A Software-Defined Perimeter that enables a single, unified policy framework to secure all network access for any user, device, server, or workload, in any location, embodies the principles of Zero Trust.
Many organizations, including WW (formerly known as Weight Watchers), FINRA, and Rackspace, are embracing this approach. They have augmented the native security capabilities of public clouds with AppGate SDP, allowing them to:
- Grant access to resources based on contextual data such as user profile, environment, and enterprise
- Reduce the risk of lateral movement
- Gain network transparency and auditability
- Eliminate the manual complexity of firewall rules
There is no silver bullet when it comes to protecting enterprises. To increase our protection, we should seek to simplify wherever we can. The use of AppGate SDP can help enterprises move in that direction by providing a unified security policy across all environments. This helps automate security and operations while enforcing fine-grained access controls across our heterogeneous infrastructure. In this specific case, AppGate SDP could have simplified the use of AWS’ native IP restriction capabilities, reducing rather than adding complexity. It ensures that only authorized users have access to the resources, enforcing this in an identity-centric and strongly authenticated way.
The high-profile breach this week is the latest with complexity at its core, and unfortunately won’t be the last. But that doesn’t mean enterprises can’t reduce their attack surface and make it much harder for the adversary. With the right approach and the right security platform, it's possible to dramatically simplify security.