Often the answers we need are in front of us. For example, SIM swapping is one of the most common attacks on IoT devices over the past five years. Many things can be done such that SIM swapping is of no use to attackers. If the cell carriers got more serious about removing the SIM from the equation, this problem could quickly go away.
When it comes to information security, there are many technologies to make corporate networks and the Internet much more secure. The key here is putting these technologies and solutions into place.
As Kathleen M. Moriarty writes in Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain (Emerald Publishing Limited), many security technologies and trends benefit from not just improving security but also helping to reduce the number of resources needed to implement enterprise-wide information security fully.
For anyone who has walked the seemingly endless aisles on the RSA Conference expo floor, they will have run into hundreds of vendors. But all of these security solutions are slowly collapsing on themselves and are becoming quite challenging to sustain and support.
The five trends the book discusses and details are:
- Increased deployment of encryption
- Strong session encryption to prevent interception
- Transport protocol stack evolution
- Data-center security models
- Users control of data
Don’t let the book’s low page count (200 pages) and small size fool you. Moriarty packs a considerable punch here and offers a vision for a secure future that is readily at hand. The challenge is to get buy-in for that.
That challenge she writes of is that the current set of security solution architectures are geared toward the 1% of organizations that can afford to hire multiple information security professionals. But her vision detailed here has the goal of an improved and intrinsically more secure network environment.
Besides the five trends, Moriarty lays out several key things to be done to put this transformation into place. Perhaps both the most strategic and controversial idea of hers is to eliminate middle-box solutions that intercept and decrypt encrypted traffic. See suggests using solutions at the endpoint or network edge where secure communications terminate. This is to improve efficiency in terms of resources needed to manage systems and leverage emerging automated technologies that embrace the evolving network protocol stack and strong encryption trends.
The book is a valuable guide to putting its title into place. Critical security topics include DNS over TLS, and identity proofing while dealing with simple issues that can obviate all of those technologies, via social engineering.
While all of the technologies and solutions detailed in this valuable book are available today, this is not a book of quick and silver-bullet solutions. The shifts needed to fully transform information security will take time.
Moriarty concludes writing that it’s up to vendors to drive this shift, and customers to require the patterns in purchasing decisions. The vendors seem to be ready to carry out their customer’s desires. An educated information security consumer will undoubtedly want to read this book, so the vendors can help them do their job.