With the SolarWinds Cyber event, Quantum Computing, & advances in Artificial Intelligence (AI) all in mind, cryptography will evolve in the 2020's. To what degree, I don't know.
Geopolitical events & circumstances, IMHO, will be a key factor.
As events unfold, the international community will have to determine, with the private sector contributing, where we go from here.
https://devops.com/the-best-iam-practices-for-devops/
Most orgs fail to have an internal IAM policy, a partner IAM strategy (B2B), as well as a customer (B2C) strategy. Due to that, the orgs is all over the place.
Furthermore, the article discusses unstructured data (cloud storage) that is often an issue for orgs as the lack of a strategy leads to a lack of data governance (classification, access controls, etc).
https://threatpost.com/cloud-king-software-security-trends-2021/162442/
This article touches upon the need to have better tracking mechanisms between product teams, divisions, lines of business, & supply chains. Couple this need with the Cybersecurity Maturity Model Certification (CMMC), & a dip in the US economy, & executives will want better tracking mechanisms to identify return on investment (ROI).
We're working on an AppSec/DevSecOps answer to this equation.
https://www.csoonline.com/article/3535797/the-cybersecurity-maturity-model-certification-explained-what-defense-contractors-need-to-know.html
While reading this enumeration of EDA software patterns I had to think of the need for available Cyber reference architectures (RAs) and minimum security baselines (MSBs) to complement misuse test cases, especially for logic.
With cloud-native and FaaS gaining ground, as well as no/low code, Cyber will need to collaborate even closer with QA to determine any confidentiality, integrity &/or availability (CIA) issues.
I'll always remember looking at a 4GL (fourth generation language) telecom app in late 2012 at an insurance company. It was used to route, via prompts, the caller to the right service desk.
So, I embarked on an informal security assessment/threat model by handwriting on my notepad "sources | sinks" then enumerating my perceived/observed of each. After that we walked through the business logic, error/exception handling & misuse cases. It was not the most thorough affair, but it was a value-add to the Cyber folks.
As the industry embraces more no/low code solutions (Power Apps, Honeycode, AppSheet) it behooves Cyber professionals to use a methodology to assess these solutions. Here's a take on such a methodology that I'll pronounce DASL:
D for Data: classification/sensitivity/compliance requirements/retention
A for Application: underlying platform (Cloud Service Provider: CSP) & security/risk/SRE/DR posture
S for Sources/Sinks: ecosystem/supply chain
L for Logic: ruleset, QA testing, misuse cases
While orgs want to deploy a finished product immediately, that isn't practical. From a Cyber, as well as Ops perspective, it's better to incrementally develop & deploy a solution.
Edison didn't succeed overnight; so, why should enterprises....
Continuous integration / delivery / deployment / verification (CI/CD/CV) all need to be segmented in org's processes.
While this may be more difficult for on-premise deployments (Jenkins / Bamboo), most cloud PaaS offerings make this easier, especially AWS with their Code* portfolio (CodePipeline / CodeBuild / CodeDeploy).
https://techbeacon.com/enterprise-it/7-container-design-patterns-you-need-know
When performing a threat model for cloud-native environments I advocate for a comparison to the design patterns articulated above, especially how security-centric services are deployed. To execute on segregation of duties one must abide by said best practices.
https://kubernetes.io/docs/concepts/security/overview/
The 4C's described above do not explicitly include securing the data. Orgs need to secure their data (crytpo, masking) before it goes to the cloud, onsite, or otherwise...
While some Cyber solutions certainly deliver as promised, there is a multitude of solutions that seem to be wanting.
Namely, cloud security posture management (CSPM) and secure access service edge (SASE) solutions.
Akin to first-generation web application firewalls (WAFs), CSPM and SASE solutions seem to promise a lot while skeptically delivering value. Like WAFs, I believe organizations will see these as a tool in the Cyber toolbox that can COMPLIMENT solid hygiene versus SUPPLEMENT said governance.
Many orgs use a control framework (NIST 800-53, HITRUST CSF, COBIT, SIG, ISF SoGP, ISO 27002, CSA CCM) that doesnt completely express that orgs security/privacy/risk mgmt posture.
It behooves those orgs to use a hybrid mapped back to those frameworks.
Many orgs focus too long on assessing the risk before deciding to onboard a vendor.
Multiple control frameworks (COBIT, ISF, ISO, NIST, HITRUST) include hundreds of questions that are often redundant.
Furthermore, these assessments couple the vendor governance witht the actual solution. Hence, orgs spending weeks on evaluating each vendor.
The solution here is a laser-focused framework that includes a base for the vendor, along with specific questions for the solution. I would also advocate for a vulnerability scan of the solution by the specific org doing the assessment.
A vendor's (security/privacy) holistic governance is not the same as the security/privacy posture of the solution a larger organization is looking to procure.
The reality is that many startups/SMBs have solutions that are (considerably) different, from a cyber perspective, then their general posture. Many (startup/SMB solutions) are based/hosted with cloud service providers (CSPs), and.therefore, require a separate level of review.
Third-party risk management (TPRM) processes and teams are prevalent in corporate organizations; however, experience shows a generic coupling of the solution with the vendor that seems inadequate.
So, it is advocated that larger organizations focus on high-level governance for the vendor-at-large, coupled with low-level verification of the solution at hand.
How is this accomplished? Well, focus on control frameworks (NIST, ISO, SIG, HITRUST, ISF, COBIT) for the vendor, coupled with specific deep-dives on the solution at large. Deep-dives should include recent vulnerability scans/penetration tests/risk assessments of the specific solution from an objective third-party, with a control mapping of said solution back to organizational governance, as well as benchmarks against CSP well-architected frameworks (that are prevalent these days).
A multitude of corporate IT/Cyber departments attempt to replicate their network architecture in the cloud. Unfortunately, that is not the way to go regarding cloud transformation. When organizations use the cloud it makes the most sense to leverage native solutions as much as possible.
While trusting cloud service providers (CSP) completely is not prudent, many CSPs have matured their services, especially security-centric solutions. With that said, if there are any doubts/concerns, the most pragmatic choice is to leverage enterprise data protection solutions before data is migrated to the cloud. Said solution could negate concerns about a CSP's data handling procedures.
The short answer is, not alone. Attestations outside of penetration testing reports, or the ability for an org (that desires to provision said provider's services) to run a vulnerability scan, are not acceptable.
As an individual who has provided internal security assessments, as well as many external, the scope of attestation much too often is extremely limited in scope. Therefore, these reviews do not provide an adequate benchmark of security &/or privacy compliance or posture.
So, kick the proverbial tires; while not requiring an expensive onsite audit....
CSPs now have created thought leadership for architecting cloud-based workloads:
Amazon (AWS): https://docs.aws.amazon.com/wellarchitected/latest/framework/wellarchitected-framework.pdf
Microsoft Azure: https://azure.microsoft.com/en-us/blog/introducing-the-microsoft-azure-wellarchitected-framework/
Google (GCP): https://cloud.google.com/architecture/framework
Oracle (OCI): https://www.oracle.com/cloud/architecture-center.html
