Frontiers

Why Businesses and Governments Need to Stop Trying to Secure Their Networks

Moving to a zero-trust network, where all the services an organization needs — including file sharing and email — are hosted in the cloud, is the best way to contain the damage of any single hack.

James T. Lotspeich Reading Time: 6 min 

Topics

Frontiers

An MIT SMR initiative exploring how technology is reshaping the practice of management.
More in this series
Net Security Business Government Trust Risk Network

Fifty years of computer network design have enabled big companies to share information and applications with employees around the world, keeping them in sync, growing businesses, and generating wealth. Networks are the fabric of globalization, and access to them is based on trust: If you have the right credentials, you are allowed in.

But the time for trust is over. All new employees — and every new digital device that they carry — increase the risk of bad actors on the outside (and inside) of an organization getting into its network and then moving from machine to machine to do mischief.

The only way to shut this door is to dismantle the privileged intranet and treat every login as a potential threat. (Some companies, albeit very few, have done this already.)

Most network breaches are caused by human error. People, no matter how well trained, will forget their laptops in bathrooms and cabs, connect to insecure public Wi-Fi at a café or restaurant, visit websites and click on emails they shouldn’t, and download, consciously or not, attachments carrying malware. Or they’ll pick up a thumb drive lying in a parking lot and plug it into their authenticated machine. This was how the U.S. Department of Defense (DoD) was breached in 2008 when a malware-infected flash drive was inserted into a military laptop at a base in the Middle East. The malware worm propagated itself across U.S. defense systems, sending data back to its masters, which DoD investigators believe were Russian. It took the Pentagon 14 months to contain the worm, and the incident led to the creation of the U.S. Cyber Command.

The root cause of this event was people being people, and as the workforce becomes more mobile and carries more self-provisioned devices (laptops, tablets, phones) that connect to the internet everywhere — and through that to government and corporate networks — those networks remain perpetually vulnerable to vandals and criminals.

To counter this threat, organizations burn considerable money and manpower managing client devices, and patching and monitoring their networks. None of these activities adds value directly, and every organization today is looking to reduce that workload and its attendant costs.

But as technology has progressed, no organization today really needs a network. It needs services. And it can have them without a network, through the cloud.

Topics

Frontiers

An MIT SMR initiative exploring how technology is reshaping the practice of management.
More in this series

About the Author

Lt. Col. James T. Lotspeich is the director of faculty development of the Department of Computer and Cyber Sciences at the United States Air Force Academy, Colorado Springs, Colorado. Immediately prior to his current duties, Lt. Col. Lotspeich served as commander of the 83rd Network Operations Squadron, Langley Air Force Base, Virginia. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government.

Tags:

More Like This

Add a comment

You must to post a comment.

First time here? Sign up for a free account: Comment on articles and get access to many more articles.

Comment (1)
Renzo Cuadros
This really seems to be an article that is more about moving applications to the cloud than actually implementing a zero trust model.

Also - the idea that you can move things to the cloud and jettison your network and security teams is incorrect and very risky.

If you move everything to the cloud - you are still responsible for ensuring the security of the endpoints.  Breaches now originate 50% of the time from endpoints that have been compromised.  

Also - the easiest way to get to the "good stuff" is by bypassing poor authentication and authorization controls (RBAC is what you called it at one point).  When this is left to end users to figure out - they always fail.

Finally - even if you outsource items to the cloud you should still check access logs.  Once again - end users are not trained to do this.

Basically two things 1).  This is not a zero trust model article, and 2) if you move everything to the cloud - you should still have a security expert in your company