Legacy Cybersecurity is an Albatross: Digital Success Needs a Better Model

This blog was originally published by CXO REvolutionaries here.

Written by Rohit Adlakha, Chief Digital & Information Officer and Global Head, Wipro HOLMES™ (former).

The security market is growing exponentially. But is it growing the right way, or is it just more of the same?

Digital disruption is here to stay, and entrepreneurial spirit will keep accelerating it. Consider how the subscription economy and freemium products permeate every sphere of our lives, connecting us to services, applications, assets, and on-demand services. Every minute, the internet sees 404,000 hours of Netflix streamed, 347,000 Instagram stories posted, 208,000 Zoom meetings attended, 41.7 million WhatsApp messages sent, and 319 Twitter accounts created.

Digital is an integral part of life. There are roughly 4.78 billion mobile phone users globally, with close to three-fourths being smartphones. We communicate on the go. The power of information in our hands and our appetite for speedy delivery, instant gratification, instant dissemination, instant response, instant rewards drive the continued increase in computing power and immediacy. The human race is a superorganism.

This brings us to a crux: cybersecurity. We built these connections live on an open system: the Internet. As we connect more people to apps and services housed in the cloud, transmit more data from point to point, there is more opportunity to intercept, access, and misuse our personal data.

The irony of modern cybersecurity

I like Romantic poetry. One of my favorites poems is The Rime of the Ancient Mariner, by Samuel Taylor Coleridge, which has the famous line, “Water, water everywhere, nor any drop to drink.” This suggests the irony of being surrounded by something that should help, but doesn’t.

Ask any business using digital means to provide services to users and customers: what is your biggest fear? Most will reply, “Getting hacked.” And they aren’t wrong to worry: with 3,950 confirmed data breaches in 2020, data is re-emerging as the most valuable asset. With multiple privacy policy frameworks like GDPR and CCPA in place, the result is a greater emphasis on security, and it is turning out to be everyone’s responsibility.

The security industry is valued at $150 billion US in 2020 and is expected to cross $350 billion US within five years. Increasing breaches and attacks, coupled with more stringent privacy and security regulations, drive the rapid growth in the cybersecurity market. Estimates place the total global cost of cybercrime at a trillion US dollar last year.

The massive change to work-from-anywhere over the last year has most likely increased both the opportunity and value of cyberattacks. Newly deployed infrastructure that supports work from anywhere must be protected, and we are likely to see more ransomware, malware, phishing, and DoS attacks targeting this new paradigm.

Layers of traditional, legacy security solutions heaped on top of infrastructure that stretches farther out of the network perimeter are also problems for the end-user experience. It creates bottlenecks for traffic workflows—especially if that traffic must be sent back to the corporate datacenter before heading out to a cloud SaaS, IaaS, or PaaS. This latency degrades performance and productivity and limits an organization’s ability to adapt and scale to make changes and overcome competitive threats.

So while it’s true that the security market is growing exponentially, is it growing with the right solutions? Or are governments and enterprises facing a similar situation to our Mariner: “Security, security everywhere, nor any protection had!”

Removing the albatross

So how do you approach cybersecurity, address legacy infrastructure, and balance user experience? The answer is zero trust. Zero trust architectures use an underlying philosophy of “trust nothing, verify everything.” The zero trust model was created in 2010 by John Kindervag and embodies a philosophy that organizations should not automatically trust anything inside or outside their perimeters and verify everything before granting access. This philosophy is implemented through controls like least-privilege access, micro-segmentation at the application level without network segmentation, applications and networks to remain invisible to the open internet, and encrypted micro tunnels on the internet.

Most organizations are racing to adopt cloud- and mobile-based technologies that enhance agility, resilience, speed, and productivity to enable work from anywhere using the public internet instead of the corporate network. Security based in an HQ doesn’t provide the immediacy needed for direct connections. Thus, as Gartner and others define, zero trust must occur as close to the end-user as possible. This is only possible if security is delivered as a cloud service. Zero trust, delivered as a cloud service, provides least-privileged access creates context-based identity, and reduces the attack surface by removing advertisements from the network to the internet at large.

There is no more network to speak of—the internet becomes the corporate network. The cloud is the corporate data center, with security delivered at the connection between the user and the application, asset, or service being accessed. By moving security to the edge and close to the end-user, you can improve the user experience and mitigate lateral threat movement.

Sailing into a digital realm

The way to secure our digital enterprise is zero trust, and our mantra should be “trust no one.” While it can be difficult moving from legacy security models, it’s a necessary step to guarantee secure, resilient, and responsive connections between users and corporate assets, no matter where either lives.

Zero trust principles are based on adopting a least-privilege strategy and strictly enforcing access control. As enterprises adopt more cloud solutions to achieve business goals faster and with less expense, security remains a significant stumbling block. The way forward is abandoning legacy hub-and-spoke networking models and castle-and-moat security strategies that advertise the network in favor of perimeter-less models that let corporate assets and applications go dark to the internet.