Corporate networks can be sprawling affairs comprising thousands of connected devices. Securing such networks is too often focused only on locking down access points into the network. But what happens once a user (or intruder) gains access to one of those network entry points? With an ever-evolving cyberthreat environment and a constant barrage of new tools deployed by hackers in their attempts to gain network access, the assumption of every smart cybersecurity team should be that their external defenses will be penetrated.
Network segmentation and segregation have been around for a long while – as long, in fact, as there have been private networks connected to the internet. And while network segmentation is vital and will be familiar to many through its implementation via firewalls and DMZs, network segregation also has a vitally important role to play in cybersecurity.
What if airtight security measures were built into your DevOps processes by design, from conception, and not shoe-horned in after the fact? What if passwords weren’t built into scripts and uploaded to GitHub for all to see? What if an entire DevOps team could work seamlessly and efficiently without ever needing to stop and authenticate each step?
The key objective of any CISO (Chief Information Security Officer) is the prevention of impact to the organization from any form of security breach. This, as we know, is much easier said than done. A good CISO, in fact, comes to work every morning assuming that a breach has already happened, with a view to fixing any vulnerabilities and securing the system to the highest standard possible. Every single day.
In the military, they have a well-known phrase that happens to succinctly describe the definition of the least privilege principle: ‘Need-To-Know Basis’. For the military, this means that sensitive information is only given to those who need that information to perform their duty. In cybersecurity, it’s much the same idea. The ‘least privilege’ principle involves the restriction of individual user access rights within a company to only those which are necessary in order for them to do their job. By the same token, each system process, device, and application should be granted the least authority necessary, to avoid compromising privileged information.