Debt is a big topic of discussion these days — household debt in inflationary times, tax debt following the income tax filing deadline, the debate over raising the government's debt ceiling. But one kind of debt that can haunt organizations long term doesn't get as much attention: security debt.
Just like not doing what needs to be done in time can leave you behind on your taxes or your bills and piles on interest, leaving your cybersecurity by the wayside as you build your organization can cost you more in the long term. When you don't put the building blocks in place early and pay for things upfront, the overall debt will grow as time marches on.
Many organizations deploy applications without incorporating security into the development life cycle. As a result, they often must go back and reengineer the software down to its fundamental building blocks because of inherent security flaws, which costs exponentially more than if they had built in those security checks early on.
The growth in cloud services and the move of more operations to the cloud only magnifies this effect. Since cloud applications can be spun up by anyone with a credit card, developers can potentially put valuable data and business assets at risk. Before the cloud, if a business unit wanted to deploy a new application, it would have to engage the IT organization, generally ensuring some level of security oversight. Today, a business unit can outsource the development of a custom environment on any cloud platform, without IT. Additionally, when IT and the information security team find out about these assets, they often have limited visibility into the cloud infrastructure and configuration.
With companies constantly scrambling to build and deploy apps faster using cloud infrastructure-as-a-service platforms, security debt can mount faster than credit card charges in the drive to be agile. Obviously, the worst-case scenario of security debt is a breach — a ransomware attack, vandalism, theft, or some other attack — but there are many other casualties of security debt that can also be quantified. For example, the costs of reengineering security after the fact for compliance in highly regulated industries such as retail and finance can be substantial. Meanwhile, regulators are increasingly willing to lay down fines and penalties for companies that suffered data breaches because their security was noncompliant and insufficient.
How to Prevent Security Debt
Establishing baselines and aligning with basic security frameworks are useful tools for preventing the buildup of security debt. A security program assessment (SPA) looks holistically across multiple domains of security — including security awareness, vulnerability management, and identity and access management — and evaluates the practices in each of those domains to produce an overall rating against industry-specific best practices. The Center for Internet Security (CIS), for example, provides valuable control and benchmark guidelines.
Aligning with one of those frameworks accomplishes a similar role for cyber defenses as a building code does in construction, getting the organization to a baseline of safety practices that can prevent a catastrophe. The building code will not get you the fanciest mansion, but it will produce a safe home; in the same way, having a cyber baseline will provide the basic minimum benchmark for safety.
Just like building codes vary geographically — hurricanes are a bigger concern in Florida than Maine — the baselines for data security vary by industry. A retailer may be more concerned about complying with the Payment Card Industry (PCI) Data Security Standard, while other industries may be more concerned with meeting the baseline set by the National Institute of Standards and Technology (NIST) and its Cyber Security Framework (CSF).
Aligning with a security framework provides some guidance on best practices, but an organization needs to fine-tune the guidelines for their unique environment and requirements. Here are some recommendations for preventing security debt in the cloud:
- Integrate security into the software development life cycle: Build security into the development process from the start and keep it there throughout the life cycle, rather than bolting it on at the end.
- Review your security posture early and often: Automate security checks and the notifications of their findings to ensure vulnerabilities or insecure configurations are discovered early, assessed, and remediated in a timely fashion.
- Ensure you restrict access as you move toward production: Required entitlements are often unknown early in the life cycle, so they are typically very permissive. As functional testing nears completion, entitlements also need to be assessed and tightened, because entitlements form a perimeter in the cloud and are often overlooked as workloads move to production.
- Reduce your attack surface: Do this by mitigating commonly exploited cloud misconfigurations and exploitation techniques, and monitoring cloud infrastructure for vulnerabilities to detect risk and anomalies.
- Perform a cyber-threat profile assessment: Cyber-threat actors, from nation-states to opportunistic hackers, have different motivations. Some have geopolitical agendas, while others are out for financial gain, target intellectual property, or merely want to cause chaos. Understand threats specific to your cloud architecture and the top security risks you face.
- Do penetration testing: Do this to get third-party validation on whether your cloud is at risk. This can help identify complex "toxic combinations" before attackers exploit them, and provide quantitative data to help measure the risk associated with your cloud assets.
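As an added example (not part of the article), here is a small Python posture check that applies the second and third recommendations above to constructed IAM-style policy data: it flags wildcard entitlements and gates promotion to production while high-severity grants remain. The policy format, the severity rule and the sample workloads are assumptions for illustration, not any provider's real schema.

```python
from typing import Dict, List

# Constructed sample input (hypothetical IAM-style policies, not from any real
# provider): each workload carries a deployment stage and its policy statements.
SAMPLE_POLICIES: Dict[str, Dict] = {
    "orders-api": {
        "stage": "prod",
        "statements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": ["arn:example:s3:::orders-bucket/*"]},
            {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},  # left over from dev
        ],
    },
    "ml-experiment": {
        "stage": "dev",
        "statements": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
        ],
    },
}

def is_wildcard_action(action: str) -> bool:
    # "*" grants every action; "service:*" grants every action in that service.
    return action == "*" or action.endswith(":*")

def check_entitlements(policies: Dict[str, Dict]) -> List[Dict]:
    # Flag Allow statements that grant wildcard actions or apply to every resource.
    # Severity rule (an assumption for this example): wildcard grants are expected
    # early in the life cycle ("medium"), but in a prod workload they are "high".
    findings = []
    for workload, data in policies.items():
        stage = data["stage"]
        for idx, stmt in enumerate(data["statements"]):
            if stmt.get("Effect") != "Allow":
                continue
            wild_actions = [a for a in stmt.get("Action", []) if is_wildcard_action(a)]
            wild_resources = [r for r in stmt.get("Resource", []) if r == "*"]
            if not wild_actions and not wild_resources:
                continue
            findings.append({
                "workload": workload, "stage": stage, "statement": idx,
                "severity": "high" if stage == "prod" else "medium",
                "wildcard_actions": wild_actions, "wildcard_resources": wild_resources,
            })
    return findings

def production_gate_passes(findings: List[Dict]) -> bool:
    # Promotion gate: block the move to production while any high finding remains.
    return not any(f["severity"] == "high" for f in findings)
```

Calling `check_entitlements(SAMPLE_POLICIES)` reports the dev workload's broad grant as medium and the leftover `*`/`*` statement in the prod workload as high, so `production_gate_passes` returns False until that statement is tightened.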
Security debt exists in traditional on-premises data centers as well as newer cloud platforms. Preventing it from accumulating in the cloud, however, requires a different set of skills, processes, and tools. Following the recommendations above can help pay down existing security debt before the next big breach, and avoid racking up new debt.