Making Security Simpler for Organizations Big and Small

By: Kathleen Moriarty, CIS CTO

Making security simpler in organizations' zero-trust journeys is a tremendous opportunity for democratizing security.

Over the past few years, we have learned so much about the threats facing every organization, regardless of size. These efforts include determining potential entry points as well as ones that provide broad access. Supply chain attacks are not necessarily more sophisticated than other attacks but, even so, they constitute an increasingly prominent threat.

Calls for security to be built-in and managed over time are growing in response to U.S. Executive Orders, European National Directives, and other government mandates. True, organizations that lack resources can use cloud and hosted environments to achieve their security goals. But even hosted environments require resources to manage security controls. Also, the controls often vary between platforms.

The move to require built-in security from vendors signifies an opportunity to scale security management. As we transition to zero trust, security controls become more pervasive and granular. How we implement these changes and establish security management architectural patterns will determine if we have enabled a secure supply chain for the future. Simultaneously, it will reveal if we’ve made it sustainable.

A Journey of Making Security Simpler

At the Center for Internet Security (CIS), we strive to make the connected world a safer place. One of our goals is to improve security for the under-served and under-resourced, which includes U.S. State, Local, Tribal, and Territorial (SLTT) organizations. This objective is a key reason why I joined CIS a little over a year ago as CTO.

Joining CIS marked a logical step in my journey. While researching evolving standards as a former Internet Engineering Task Force (IETF) Security Area Director, I came up with a path to make security simpler. I laid out this path in “Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain,” published in July 2020. The book challenges the architectural patterns we have been creating and deploying for software and operating systems, including add-on security products.

I recently developed the CIS white paper, “Simplifying Security,” after seeing the hurdles that under-resourced organizations experience in implementing the foundations of a security control framework. The white paper provides examples of how we might automate at scale the foundational control areas to any security program from the vendor. It focuses on asset management, software asset management, and system posture assurance at purchase and over time. Along the way, it considers technologies, protocols, and open-source initiatives that have the potential to democratize security if implemented with scale in mind.

Vendor Support of a Transformation

As the March 2022 chair for RSA Conference webinars, I had the opportunity to host a fantastic panel session on “Making Security Simpler.” The panelists included Rudy Bauer from Dell, Luke Hinds from Red Hat, Tony Jeffs from Cisco, and Kay Williams from Microsoft. The session provided much hope for the transformation of security over the next 2-5 years for built-in security at scale. The session was powerful and inspiring. The panelists offered insight into real projects that align to the goals outlined in "Simplifying Security," with the CIS Controls and other control frameworks acting as a starting point.

Here are just some of the highlights from our discussion:

  • Bauer touted Dell's Secured Component Verification (SCV) program for supply chain assurance using attestation technology. This work demonstrates the ability of a vendor to assure a product to an expected set of policies and measurements with little expectation from organizations for ongoing management to assure a trusted boot process.
  • Williams highlighted Microsoft's robust platform to update client machines when new vulnerabilities emerge. Patching has improved greatly over the last few years, allowing for vendors to fully automate patching and for organizations to minimize if not eliminate the need for distributed testing across their environments. 
  • Hinds said that Red Hat has been breaking ground with the Sigstore open-source project's mission to create a free resource for code signing on Software Bill of Materials (SBOM) manifests. It's an initiative that's similar to how Let's Encrypt launched a free service to automate certificate management for web servers with the Automated Certificate Management Environment (ACME) protocol, thus helping to encrypt the web more fully.
  • Jeffs stated that product development environments are an avenue for infiltration, with Cisco learning that scale and agility are very important as the world (threat landscape) changes. A combination of centralized security architecture and privacy to develop consistency across these areas will be necessary. It’s a journey that begins with automating the inventory of assets following a set of controls and principles, mitigating risks automatically in the process.

The Right to Expect Security

Williams ended our panel session with a powerful pronouncement. “Security is like clean air and clean water," she said. "Individuals should be able to expect it."

This bodes well for the future of product security...and for making security simpler overall.

 

About the Author

Kathleen Moriarty
Chief Technology Officer

Kathleen Moriarty, Chief Technology Officer, Center for Internet Security, has over two decades of experience. Formerly the Security Innovations Principal in the Dell Technologies Office of the CTO, Kathleen worked on ecosystems, standards, and strategy. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. She was named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS.

Kathleen achieved over twenty years of experience driving positive outcomes across Information Technology Leadership, IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as a Bachelor of Science Degree in Mathematics from Siena College.