strategy
Business requirements for IT and infosec teams are manifold and often contradictory. The tasks include cost reduction, efficient data use, automation, cloud migration, and weighing up all information security risks. How do the major trends and changes in IT affect a company’s infosec profile, and what should your response to business requirements take into account? We analyzed the most important and practical trends in IT (according to various groups of independent experts and cybersecurity market analysts), focusing on the infosec aspects of each.
IT optimization
Businesses all over the world have good reason to tighten their belts – be it due to geopolitical changes, inflation or economic recession. For the IT team, this means a major review of operating costs. Finance departments currently have cloud expenses under the microscope, as 60% of companies’ data is now stored in the cloud. For many companies, migration to the cloud has been impromptu and unsystematic, resulting in a buildup of underutilized SaaS subscriptions, as well as sub-optimally configured virtual machines and other cloud environments. There’s usually great potential for optimization here, but it mustn’t be a one-off process. Companies need to create a culture in which cloud costs are the concern not only of IT folks, but of the cloud users themselves.
The infosec angle. During optimization and consolidation, cloud services get reconfigured and data is moved around between different cloud environments. It’s important to allocate time and resources to a post-migration system audit to make sure, among other things, that the security settings are correct and that any service accounts needed for migrating ports have been closed. During migration, it’s a good idea to update secrets (access tokens, API keys, etc.) and apply the best-practice password and encryption policies.
If any equipment or cloud services are decommissioned post-migration, these must be wiped of all confidential data and service information (debugging and temporary files, test data, etc.).
Open source
The economic benefits of open-source applications are varied: for example, software development companies reduce costs and time-to-market through the use of off-the-shelf code, while others get a system they can modify and maintain internally, if required.
The infosec angle. The main risk of open source is the presence of vulnerabilities and backdoors in third-party code – especially since it’s not always clear who should correct the code and how. Oftentimes a company will use some library or piece of software without knowing it. Eliminating open-source risks requires code inventory and scanning systems. For an in-depth look at risks and mitigation measures, see our separate post.
Data management
Large companies in practically every industry have been accumulating huge amounts of operational data for around two decades now. In theory, this helps optimize and automate business processes and develop fundamentally new products (sometimes the data itself becomes a sought-after commodity). In practice, however, things are more complicated: lots of data is collected, but often its structure, currentness and form of storage are such that it’s difficult or even impossible to find information and use it.
For real data-driven growth, businesses need clear procedures for collecting, cataloging, storing and using it. A useful strategy here is data management and data governance. These strategies describe the structure and nature of stored information and the full data life-cycle, and allow you to manage its storage and use.
The infosec angle. Data governance is being implemented for economic reasons, but the collateral benefits for information security are huge. After all, knowing where and what data it holds, a company is better placed to assess the risks, provide adequate protection for all data pools, and comply with personal data laws. The infosec team should play an active role in developing and implementing the data management strategy, including: access and encryption policies, compliance control, protection measures for data at rest and in transit, and procedures for gaining access. The strategy must also cover “auxiliary” data types such as backups and proprietary technical information in the cloud (especially SaaS).
Low code & no code
The low-code approach allows business systems to be modified and developed without programmers. Common modifications include changing the interface of applications and websites, creating new data analysis and control scenarios, and robotic process automation (RPA). This helps develop CRM solutions, e-document management, create marketing web pages, etc. Companies benefit from this approach because the involved IT maintenance costs are significantly lower than counterparts that require “real” programmers. Some popular no-code/low-code systems are Microsoft Power Apps, Salesforce, Uipath, and even WordPress.
The infosec angle. Low-code systems harbor significant risks, since by definition they have fairly wide access to data and other corporate IT systems. They’re also configured and used by people without in-depth IT/infosec training. All of this can lead to data leaks, various forms of privilege escalation, insufficient logging, and unauthorized access to information.
In addition, users of such systems regularly leave secrets, such as API keys, directly in the code. And to top it off, almost all no-code systems make active use of plug-in architecture and have their own specific component stores for user projects. Vulnerabilities in such components are often very serious and extremely hard to track and fix promptly using standard infosec tools.
The infosec team should develop specialized policies and procedures for each low-code application used in the company. Application administrators and owners must receive in-depth training in these infosec procedures, while regular users of low-code applications need basic specialized training. As part of this user training, it’s essential to teach safe programming practices and how to use the system. At the absolute minimum, the training must cover the requirements not to store passwords in software code, to check input data and to minimize data-modifying operations.
IT administrators need to pay careful attention to minimizing privileges and controlling access to data through low-code applications. The infosec team should evaluate specialized solutions for protecting specific low-code applications; for example, there is a fairly developed mini-industry around WordPress. More about this quite broad topic can be found in our separate post.
Robustness & resilience
Major IT incidents over the past decade (not necessarily cyberattacks) have taught businesses that investing in IT resilience is cost-effective and worthwhile. Investments here are primarily aimed at eliminating catastrophic losses and ensuring business continuity. But even if major incidents are left out of the equation, resilience brings benefits by improving the user experience for customers and employees, increasing the company’s reputation and encouraging loyalty.
There are several strands to robustness development:
- In-depth testing of IT systems during development (devops, devsecops);
- Designing systems able to continue functioning in case of partial failure (redundancy, duplication);
- Implementing monitoring systems for tracking IT/infosec anomalies and preventing incidents at an early stage (database failure, load imbalance, malware execution, etc.);
- Implementing a multi-layered infosec system in the company;
- Developing automation scenarios to save time and minimize human errors, including scenarios for automatic resolution of IT infrastructure issues;
- Studying the supply chain to rule out incidents related to the code, infrastructure or internal procedures of company suppliers and contractors;
- Implementing incident response and post-incident recovery procedures and testing them in practice.
The infosec angle. Although businesses demand “general resilience” from their IT systems, the IT and infosec requirements here are closely intertwined, such that implementation of any of the above strands will require in-depth collaboration among the relevant departments. Budgets are limited, so it’s important to define the priorities with business decision makers and distribute tasks and projects between “general IT” and infosec, identifying opportunities for optimization and synergy. Ideally, one solution (say, a backup system) should handle IT/infosec tasks concurrently, and defining their requirements, training in their use, etc., should take place jointly. The result for the company will be a holistic cyber-resilience strategy. The first steps to cyber-resilience are covered in detail here.
This post has not said a word about generative AI or various other corporate IT trends still in the “we’re experimenting how to apply it” phase. As regards promising but still raw trends, we plan to release a separate review.
