DZone Research: The Most Important Security Elements

To understand the current and future state of the cybersecurity landscape, we spoke to (and/or received written responses from) 50 security professionals. We asked them, "What are the most important elements of application and data security?"

Previously, we learned what respondents told us about visibility, mitigation/remediation, prioritization, and encryption. But there are many other elements to consider. See below: 

Access/Identification

• For data security, it is important to ensure that only authorized personnel have access to the data and the infrastructure that supports it. This is critical for maintaining data confidentiality, integrity, and availability. If an unauthorized person gains access, whether by mistake or due to a design flaw, that person can put the data at risk. 
• To combat the ever-growing security crisis, a robust security model that works across the many different paradigms of device communication is necessary. End-to-end encryption, token-based access management, and compliance are key.
  1) With end-to-end encryption, Transportation Layer Security (TLS) is an industry standard communication layer for sending encrypted data over a wide area network (WAN) that can be paired with AES encryption to provide true end to end security. TLS/SSL protects the top level of data streaming between devices, encrypting the data from device-to-device at the endpoint when the data is transferred. While TLS/SSL is suitable for data transmission security, data generated from devices are still vulnerable over the network unless it is encrypted. For true end-to-end security, the data itself should be encrypted with the Advanced Encryption Standard (AES) encryption specification.
  2) Another major challenge is fine grain access control over who and what can transmit and receive data. With potentially millions of devices trying to listen to the correct channels and topics, it is extremely inefficient and insecure to ask end devices to filter out topics they don’t subscribe to. Instead, the network should handle the bulk of this task. Within a publish/subscribe paradigm, a token-based access control approach can be used to distribute tokens to devices to grant access to specific data channels. This approach enables fine-grained control over which tokens are created, which devices receive those tokens, and to which data those tokens grant access. It also enables centralized control over when and how tokens are revoked, cutting of data stream access from non-paying customers, for example. In doing so, the network effectively serves as a traffic cop, both authorizing device access and managing which devices can speak and listen on the network based on the tokens the network distributes.
  3) Lastly, compliance is an important element of application and data security. HIPAA-compliance, for example, shows that your infrastructure is ready to handle the complexities of healthcare security. SOC 2 is an indicator that your company takes internal and client data secure. Privacy Shield Certification is a mechanism for data protection requirements between the EU and US. Each of these compliances adds another layer of security best practices and infrastructure for handling sensitive data more securely. 
• When it comes to application and data security, it’s important to understand your environment, know what hardware you have, and then go beyond the devices themselves to include intelligence around the applications or software on them, looking at what applications are being used by an individual. All of this insight helps you assess risk. Take, for example, Beth in accounting. It’s not a matter of providing her with a standard image or standard device configuration; rather, you need to look at her role and the applications she uses to support her with a purpose-configured machine. And don't forget the data on her device. Organizations rely on that data, it’s often sensitive, and you need to protect it while empowering users with the data access they need to do their jobs. Organizations benefit from this intent-based approach. Not only is it less wasteful, as you’re not overbuying hardware and software, but you also eliminate many of the security risks by factoring in the user persona and business purpose.

Planning

• Look for vulnerabilities on your network that expose you to ransomware and other malware and other vulnerabilities that can lead to a compromise. Set up a plan to remediate and remove to reduce the attack surface. 
• Take a risk-centric approach to existing problems. Vulnerability management is more focused on the network side of things. Organizations are managing applications. We help them do risk analysis based on any testing or monitoring tools they have on hand like static analysis, dynamic web app, software testing analysis tools. Ensure asset inventories are consistent, accurate, and in place. It helps to have context around applications – both ownership and escalation. Collect data and build into the risk analysis process. 
• 1) Have a plan. Ask if this is this the most important thing to spend our time and money on? Have priorities. Go according to the plan and don’t buy things haphazardly.
  2) Have visibility into what has happened retroactively. Something will fail, you will get hacked. Be able to go back and see what happened and why. You need to have some kind of visibility. 
• A robust security architecture requires a defense in depth approach to application and data security. This includes layering security protections to mitigate damage from a breach or vulnerability, such as encryption and data minimization to maintain confidentiality if data is exposed as well as proactive measures like vulnerability scanning and penetration testing to find and remediate vulnerabilities. 
• Understand risk and map your portfolio of security solutions to use cases.  Evaluate every stage of the information lifecycle and understand where data needs to go for long-term archiving and storage. Have the ability to address problems holistically along with data governance. Compliance and security should be an integrated solution. 
• There are multiple areas that are critical for application and data security. These include: 1) Secure-by-Design: Integrating security throughout the entire systems development life cycle (SDLC) is critical to the success of application security. Not only does the integration allow security architects to provide business solutions and have a holistic view of the functionality of the application, but secure SDLC practices have also shown to reduce the overall cost of secure software development.
  2) DevSecOps: Embedding security controls in the DevOps process provides development teams with the ability to automate security testing processes, while at the same time influence culture and security measurement through lean development methodologies for sharing across the enterprise. The construct of DevSecOps provides developers with the necessary security guardrails through continuous integration across the development pipeline. This enables application teams to meet customer demands in line with the speed of deployment. New security technologies such as Integrated Application Security Testing (IAST), Software Composition Analysis (SCA) and Runtime Application Self Protection (RASP) may offer benefits to enterprises compared to some of the legacy security testing tools and techniques.
  3) Service-oriented operations: Successful operations in application security focus on ensuring automated and manual assessment methodologies are measured by acceptable service-level agreements (SLAs) to drive these practices in a consistent manner across the broad portfolio and reduce organizational risk. These operations should also be integrated with the Governance, Risk and Compliance systems, bug tracking mechanisms and ticketing systems in the organization.
  4) Development education: Educated development team members not only make fewer errors but also drive a heightened sense of security awareness for the organization. When paired with security partners in the business and given adequate training, the right security behaviors are embedding across the organization and reduce the frequency of security defects. 
• There is no one silver bullet in security. For example, when considering application security, there are reactive elements and proactive elements to implement. Conducting internal application security reviews should be part of best practices, but while that is a proactive element, it’s important to plan for when internal application security reviews miss catching a vulnerability. For those reactive measures, it helps to have a public bug bounty program for vulnerability disclosure, as well as build an internal red team and hire external security assessors. A security team should also consider network security elements, as source code vulnerabilities are not the only means for attack vectors.
• Organizations are in a race to create and launch revolutionary applications and services to differentiate themselves from the competition and deliver an exceptional customer experience. Fortunately, the adoption of transformative technologies – like DevOps, artificial intelligence, machine learning and robotic process automation – make this possible. These technologies, however, also expand organizations’ attack surfaces, creating heightened levels of risk that attackers are eager to exploit. Organizations like Uber may have grown to be billion-dollar behemoths by embracing innovations like DevOps to dramatically scale and growth, but this same innovation was the cause of the massive data breach at Uber that cost the company more than $150 million in settlement fees and fines. The solution to this growing problem is not to eschew modern technology, but to account for the risks that these technologies introduce and to make them a part of the solution. Attackers typically prefer going after older technologies with well-known vulnerabilities. Your digital transformation may actually put you a step ahead of attackers – as long as you’re planning accordingly. Privileged and administrative accounts in cloud environments need to be managed, protected and monitored just like privileged accounts in traditional datacenter. Organizations should establish a single control point to manage the credentials of cloud administrators, developers and other users accessing the management consoles and portals of the various cloud platforms.

Education

• Robust data encryption and endpoint access controls are essential for safeguarding any organization’s sensitive data and systems. However, improper employee behavior has the power to defeat even the most carefully-applied cybersecurity defenses. Therefore, employee training regimens that teach secure best practices – such as to never leave credentialed sessions unattended, how to recognize phishing scams, and practicing good password hygiene – should be considered a crucial foundational element in any security strategy. 

• SMEs are under the most focus from a threat perspective because they have not done enough. They should use MSPs (managed service providers) to reach and educate, onboard computers, patches, and back-up software. We are still trying to get them to understand they are still a target. Just because you’re on the internet you are a target. We help them understand their risk statement. 
• In the cloud, the same security and compliance policies from the data center still apply. But if you’re using cloud-native services, the configuration of those services becomes your primary security and compliance concern. In the data center, you have the responsibility of securing both your underlying infrastructure and your applications. With the Shared Responsibility Model for cloud security, the Cloud Service Provider (CSP) is responsible for the security of the underlying infrastructure. You’re responsible for how you use those resources, and that comes down to how they’re configured. Cloud-related data breaches are almost always the result of misconfiguration of cloud resources, and that’s always the fault of the cloud customer. Focus on establishing known-good cloud configuration baselines that adhere to internal and compliance policies, and automation to revert configuration drift for critical resources back to your baseline to protect data and ensure continuous compliance. 
• 1) We see that the most important element of all is the education of designers and developers. It is not the mechanisms, the libraries, the frameworks that win the day in security. It is always down to the actual people making decisions – big design decisions and small code changes – to keep the systems secure.
  2) We know that in the actual product the security problems originate from security libraries and security mechanisms less than 10% of the time. Most of the problems are in regular code that does not actually perform security-related functions but is written incorrectly and can be exploited by an attacker.
  3) The reviews, automated scanners, and penetration testing can only go so far. Non-trivial problems require expertise in security and a deep understanding of the software. The developers must understand security and secure code writing techniques before they start developing. Knowing security basics improves the security of the written code and also has a positive impact on the quality of the code. Developer training is the most efficient and important step to improve security drastically.

Other

• Start by making an inventory to understand what and where your assets are so you can secure them. Large companies have a significant real estate footprint, multiple clouds and on-prem and have humongous data. They must protect users', commercial, and corporate data. Different companies want to collaborate with one another. Banks want to share data to improve AI/ML to prevent money laundering. Runtime encryption allows two parties to collaborate and share data to enrich AI/ML algorithms but nothing else. Figure out the most valuable and more at risk digital assets and protect them. Secure PII which must be protected because of GDPR. Pick the most recent deployment that was put into production. 
• When you look at the history of security, it’s about building a hardened environment. The reality is things in the environment are antiquated and they don’t have full coverage. Focus on the silos of data. 
• Be mindful of data at rest and on the wire. Security cannot slack off. You must pay attention to how data is securely at rest and transmitted over the wire and to the cloud. Data used to just reside on-prem and in data centers. Now we're going to third-party hosts so data on the wire has to be secure. Use the best technologies you can afford. Always look at upcoming technology and platforms to secure your data.
• Point the AI tool at the repositories and create groupings with minimal user interaction. We’re then able to align what we found with user policies to ensure the data is protected correctly. Clients are then able to feed categories with defined sensitivity or classification into DLP to make it more effective. Make decisions based on findings and knowledge from AI.
• More companies are walking the talk these days. The news is catching up to people starting with Equifax. 
• A holistic approach is necessary with attention to every detail and a mindset which acknowledges the capability and ingenuity of cyber actors.
• Embed security into the DevOps process. DevSecOps is becoming more of a thing. It's surprising that it took this long but we’re seeing security is in a state of crisis. There is currently one security person for every 100 developers. The classic way of screening applications will not scale in any way. It is really important that whatever security you want to apply to software is embedded in the SDLC, codified in processes, and verified every step of the way. What is really important in the different phases of the SDLC the way you apply security will differ by phase. Perhaps a severe warning in dev is OK but not in other phases. Security has been in the gatekeeper role, but organizations will not accept that today. Integrate security into the development environment of the developer so they get feedback as they are writing code and adding dependencies.
• The most important element is consistency.  As an industry, we spend a lot of time “chasing” the latest security headline, but we don’t do the basic blocking and tackling on a consistent basis - which leads to easy gaps which attackers exploit.  In the recent Verizon Data Breach report which analyzed hundreds of data breaches, one of the conclusions with regards to patching was that “a methodological approach that emphasizes consistency and coverage is more important than expedient patching.”
• Build SD WAN networks one segment at a time, building a WAN for each app. Micro-segmentation network for payment, POS, WIFI on an app by app basis to reduce the risk of Target-like breach. It’s more effective to scale security when bringing services to the cloud rather than doing at every site. Build a virtual applications network that connects to the cloud. This lets you put your gateways closer to where the customer applications reside in the cloud.
• Organizations depend on software applications to grow their business. But the challenge of software security is that it does not scale with this growth, thus creating significant business risk. To combat this, organizations need access to application security testing-as-a-service that provides accuracy, breadth, and speed, via a combination of automation and artificial and human intelligence.

Here’s who shared their insights:

• Josh Mayfield, Director of Security Strategy, Absolute
• Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
• Steven Aiello, security and compliance solutions principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Omer Benedict, Senior Director of Product Management, Aqua Security
• Tom Maher, CTO, Asavie
• Gaurav Banga, CEO and Founder, Balbix
• Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
• Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
• Anurag Kahol, CTO, Bitglass
• Syed Abdur, Director of Product Management and Design, Brinqa
• Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
• Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera
• Brian Kelly, Head of Conjur Engineering, CyberArk
• Doug Dooley, COO, Data Theorem
• Jason Mical, Cyber Security Evangelist, Devo Technology
• OJ Ngo, CTO, DH2i
• Tom DeSot, EVP CIO, Digital Defense, Inc.
• Chris DeRamus, Co-founder and CTO, DivvyCloud
• Alan Weintraub, Office of the CTO, DocAuthority
• Tom Conklin, CISO, Druva
• Anders Wallgren, CTO, Electric Cloud
• Satish Abburi, founder, Elysium Analytics
• Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
• Ambuj Kumar, Co-founder and CEO, Fortanix
• Josh Stella, co-founder and CTO, Fugue 
• Amith Nair, VP Product Marketing, HashiCorp 
• Kathy Wang, Senior Director of Security, GitLab
• Mike Puglia, Chief Customer Marketing Officer, Kaseya
• Nathan Turajski, Director of Product Marketing, Micro Focus
• Gary Duan, Chief Technology Officer, NeuVector
• Gary Watson, CTO and Founder, Nexsan
• Stephen Blum, CTO and co-founder, PubNub
• Chuck Yoo, President, Resecurity
  
• Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
• Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
• Igor Baikalov, Chief Scientist, Securonix 
• Oege de Moor, CEO and Co-founder, Semmle
• Dana Tamir, VP Market Strategy, Silverfort
• Logan Kipp, Technical Architect, SiteLock
• Albert Zenkoff, Security Architect, Software AG
• Tim Brown, V.P. Security Architecture, SolarWinds
• Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
• Tim Buntel, VP of Application Security Products, Threat Stack
• Andrew Useckas, Founder and CTO, ThreatX, Inc.
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenberg, Director of DevOps Strategy, XebiaLabs
• Robert Hawk, Operations Security Lead, xMatters