When Edge-to-Edge cybersecurity becomes hard to ignore
Cybersecurity expert talks about staying safe in a software-defined world
In a software-defined world, can companies achieve security from edge to edge?
The answer is, “yes,” according to our latest AT&T cybersecurity insights report, Cybersecurity for today’s digital world. The report contains the recommendations of 15 experts from inside and outside of AT&T about protecting your endpoints, networks, and cloud services.
Our research consisted of interviews with the experts. I’d like to share the abridged interview with Todd Waskelis, vice president of security consulting services at AT&T.
Q: What are the main cybersecurity challenges when considering transitioning to a software-defined infrastructure?
A: One of the key issues organizations are thinking about is the overall risk impact of moving to a new technology environment. The transition changes how we govern data, handle access control, and mitigate risk.
Probably the most common step organizations skip when moving to the cloud is getting an enterprise risk assessment to know what data they have and where that data is going to be moved. Transitioning towards a new technology environment—such as SDN (software-defined network)—comes with its own set of operational, regulatory, and third-party risks.
As we see with GDPR (General Data Protection Regulation) compliance, and other compliance factors that we must consider, the risk is well beyond just the technical exposure that you may have. The risk now includes the impact on the overall business from a regulatory perspective. So, you have to be aware of where your most valuable data is located in your new cloud environment and how the latest threat vectors can impact that data.
Q: How do companies set out to identify the key risks and the compliance issues within their own company? I mean, how would you walk them through the process?
A: It’s about shifting from, what Kevin L. Jackson calls, the traditional “wall-and-moat” approach to network security and taking a risk-based, data-centric view of information security.
First, an organization should determine what comprises their most valuable revenue streams, business processes, assets, and facilities. We refer to these collectively as “crown jewels.”
After these are identified, the next step is to understand where they are located and who has access to them. An organization has to know and understand its data classification scheme, and most companies have gone through this exercise already.
The next step is to provide for proper classification of the data moving to a new cloud environment. Identify what's public, what's private, what's confidential, etcetera. From there, you can answer the questions: “What new controls have to go around my data as I move it to the cloud?” “How do I make sure those controls stay with my data as it moves out of my traditional boundaries?”
Q: For data that moves outside of your control, like data in your supply chain, how do you have processes in place to provide that the data is still protected wherever it goes?
A: I think what some companies fail to do is to hold their partners accountable for protecting that data. One of the interesting things about moving data through the supply chain is that the data owner may not always be the data custodian. Often the failure occurs where the data owner shares the information that they're using with somebody else, who then becomes the custodian, but doesn't share the controls that need to go along with that data.
So, it's one thing to say, "Are you protecting the data?" But it's another thing to say, "These are the controls that you need to protect it with. Are you using these controls in your environment?" So, companies need to see to it that the controls travel with the data appropriately.
Q: How do you enforce that supply chain partners do take on the controls? That they do respect your cybersecurity strategy?
A: First, you need to make sure you document, communicate, and periodically validate the controls you expect to be in place to protect the data. Second, provide for contractual accountability, so if there is an issue of some sort, then the custodian, in this case, the supply chain partner, has the requirement and the responsibility to protect the data.
You have to define the expectations of the custodians. You need to say, "These are the controls that have to be around this data. Let me validate that you have them in place and show me that you have an ongoing program to provide that those controls are kept up to date and validated."
You can evaluate risk from your supply chain partners by having them do questionnaires, or by showing up at their offices to do your own inspection. Or you could have an independent risk assessment from a neutral third party. The method you choose may depend on the criticality of the data and the ability of your in-house resources.
Q: Is that something AT&T Business would offer to do for clients?
A: Yes, we've done both. We can help an organization define and implement a robust third-party management program. That varies by the types of data, the criticality of that data, and the types of partners the organization has.
So, we define the partner tiers based on the type of data they handle, and then help them build a program that says, "Every year, you're going to do this remotely. Every two years, you're going to go onsite, etcetera." We will build the program, train their resources on the tools and reporting, and turn it back to the client to run it.
Or, we can run it on behalf of the client. In that case, we would execute assessments and conduct third-party validation, reporting back around a framework that's specific to their environment.
Q: What are some of the typical mistakes enterprises make when considering the overall issue of cybersecurity? Is it lack of budget, lack of coordination, or lack of data security prioritization? What are some of the typical blunders you find?
A: I think the typical things we find are lack of cybersecurity awareness in an organization, underpinned by the mindset of, "It's not going to happen to us," and this is almost always supported by, "Well, I don't have any data that anybody's going to want." We see this, especially in medium-sized enterprises.
Many organizations say, "Why would anybody want to break into my environment? I know that it's important to me, but it's not going to be useful to anyone else." So, that's often a challenge when getting executive buy-in from the leadership.
More and more, we see the operations and network teams understand the criticality of cybersecurity, because they're dealing with the fires that are being set all over the place. What they often fail to get is support from upper management to build and execute an enterprise-wide cybersecurity program. So, security is often fragmented across departments, and it's not a concerted effort throughout the company.
Q: You talk about getting support from upper management. How do you go about building the case for a strong cybersecurity program that ultimately gets presented to the board?
A: Like all long-term, complex risks, cybersecurity has multiple interconnected elements, including technical, economic, and business operational aspects. Once you move away from a quick-fix mindset and start treating cybersecurity as a long-term risk management issue, then you can implement an effective integrated set of technologies, business practices, and policies that address all these factors. This approach can materially lower your risk.
For example, organizations should build and maintain a controlled, well-managed IT environment where known vulnerabilities are mitigated. Achieving this state has much more to do with organizational decisions and prioritizations than it has to do with technology.
When I talk to companies about risk management, I get a lot of different answers from the same people about who is responsible. My question becomes, "When you have a data breach and lose this information, who's going to get fired?” That's usually the person that we want to start talking to, because they’ve got a stake in the game.
When you start having those conversations, risk management gets more attention. The next step is to conduct a quantifiable risk assessment—even if it's as basic as going back to data discovery and classification. A lot of organizations know what data they have, but they realize they don’t know where they have it. By not knowing where they have it, they have no real understanding of their risk exposure.
They may find they have sensitive information on laptops from salespeople that are floating around without proper encryption techniques. They may have third parties that have access to data feeds that are managed improperly and have an impact from a regulatory perspective.
A risk assessment shows companies where their data is and what risk exposure they have to a breach or data loss. A risk assessment makes the case for comprehensive or edge-to-edge cybersecurity pretty hard to ignore.
This interview has been abridged. Catch the rest of Todd’s recommendations in Cybersecurity for today’s digital world.
AT&T Cybersecurity Insights, Vol. 7
Our latest report, "Cybersecurity for today’s digital world," can help you manage cyber risk as you transform your business.