It’s time we put an end to the castle wall mentality

12th December 2019


Cath Goulding
CISO

In cyber security, the outdated ‘castle and moat’ model is proving tough to leave behind. While images of wide trenches and fortified walls fit neatly into popular ideas about protecting precious assets, networking and security have evolved well beyond perimeter-based defence.

Most enterprises have shifted to the cloud or adopted a hybrid strategy that blends on-premises, SaaS and container environments. A hosted or varied approach to IT has proven to be a better fit for digital business models, but the methods we use to protect an increasingly distributed system of networks, applications, services and data have to evolve as well.

Prevention is still necessary but as more infrastructure moves to far-away data centres and more databases and applications sit off-site, where exactly should prevention be located?

Maybe it’s time to leave the idea of a perimeter wall in the past.

Identifying behaviours that could indicate a potential breach is a much more effective way to counter the constant threats we now face. Rather than investing in ever-higher barriers and responding only when a bad actor punches through them, actively looking for the signs of attack on the network can help CISOs find weaknesses, strengthen defences and stay one step ahead of cyber criminals.

Walls alone won’t protect us anymore, but better practices designed to adjust security to a new type of digital landscape can. That approach also puts us in a better position to instil confidence in customers, partners and our own board-level stakeholders.

Tips on moving away from the castle wall mentality and securing the cloud

Building stronger security in cloud environments – despite the lack of perimeter

Cloud is a key element of digital transformation but implementing effective cloud security is still a challenge. You have to ensure that the correct measures and requirements are built into cloud deployments from the start. People have been so reliant on the castle mentality, where you’ve got layers of defence in depth, that there’s a legacy of expectations that have to be overcome. You can’t just assume firewalls and access controls are already in place.

Don’t just negotiate, ask the questions that haven’t been asked

Cloud suppliers often do what is asked of them very well – but you do have to ask. If you don’t put a specific security requirement in the contract, or you don’t fully understand the configuration, you might find yourself without adequate access controls and with data that’s open to everybody. It comes back again to leaving the castle mindset behind. When systems and data live in the cloud, you have to make sure the security practices are implemented with the same degree of rigour you would have applied on-premises. It’s a matter of putting it into the contract and making sure it’s applied properly.

More flexibility but considered access control

The cloud brings huge benefits. It can be really flexible and scalable, as well as facilitating data sharing. With this comes risk however, and people need to be educated about the sensitivities around data and why it shouldn’t just be open to everybody. You have to be in control and know who you’re sharing information with and why, and make sure it’s limited to specific assets.

Win hearts and minds through open discussions

Strengthening cyber security means trying to be an enabler for digital business models and helping people see security as a positive. Security shouldn’t be seen as the person that says ‘no’. It’s about putting security and trust at the heart of an organisation. Not all decisions will be popular at first, but they may be understood better following a broader conversation about why the solution needs to be incorporated. It’s often a process of education and getting people on board.

View our full interview with Cath as part of our Security Begins Here series.

#SecurityBeginsHere