Is it Time for a Cyber National Guard?

With more emerging risks and more data breaches, we continue to hear about the shortage of cybersecurity professionals with the necessary skills, knowledge and experience to protect our information technology infrastructure, especially in the government and public sector.

For instance, in the United States, we know that our federal, state, and local governments are communicating that our information technology infrastructure is outdated and vulnerable to cyberattacks. We also know they are currently trying to pass legislation that will modernize our information technology infrastructure to prevent future cyberattacks. Modernizing information technology infrastructure will help mitigate the risk of cyberattacks; however, you need skilled cybersecurity professionals to continuously identify and evaluate risks, design and implement controls, and assess and monitor the effectiveness of those controls. Just like our outdated technology, we have a shortage of skilled cybersecurity professionals across the government and public sector. How do we solve these problems in the most cost-effective way?

This is important to understand because it’s already difficult to find cybersecurity professionals with necessary credentials to protect information technology infrastructure in the private sector. It’s even more difficult to find these professionals in the government and public sector. Do we just continue to communicate the shortage? Or do we provide an opportunity for private sector cybersecurity professionals to serve their country?

Two members of the US House of Representatives, Ruben Gallego (D-Arizona) and William Hurd (R-Texas), have proposed a Cyber National Guard, which would be similar to the existing Army or Air National Guard. This reserve force would not complete boot camp or use guns in battle. Instead, this reserve force would be called to protect the country against cyber threats and strengthen our national security on the digital battlefield. These resources would identify and patch bugs, upgrade outdated systems to be compliant with policies, and audit and report on information technology infrastructure.

Just like the existing reserves of the National Guard, these cybersecurity professionals would commit to serve their country by volunteering their skills, knowledge, and experience to protect the country from malicious attacks or unintentional changes to the technology infrastructure that supports the government. In return, they would receive the same benefits that anyone serving in the National Guard would receive, including additional pay, tuition reimbursement and other financial benefits. The overarching reward for most of these individuals, though, would be the opportunity to serve their country.

It would be a time commitment both personally and professionally that potential participants would need to consider. However, it would be an opportunity to give back to the country. If former US President John F. Kennedy were around today, would he make the same call to action in the context of this current skills crisis: “Ask not what your country can do for you, but what you can do for your country”? I know that I would consider a Cyber National Guard to be my opportunity to give back to my country.

Michael Podemski, CISA, CISM, CRISC, CIPM, CIPT, Senior Manager, Risk Advisory Services at EY

[ISACA Now Blog]

Clarifying What Zero Trust Is – and Is Not

Last fall, I wrote about how people were beginning to understand the essence of Zero Trust. Since then, there seems to have been an inflection point in industry’s embrace of Zero Trust, and now, even more people are advocating it, more vendors are posturing it as a go-to-market message, and more enterprises are moving towards adopting it.

However, as the concept gains popularity, I find that more people are mistaken about what it really is.

The Concept of Trust

One way to see if someone understands Zero Trust is to analyze how they talk about the word “trust.” If a pundit is trying to get you to a “trusted” state, then they don’t understand Zero Trust. The point of Zero Trust is not to make networks, clouds or endpoints more trusted; it’s to eliminate the concept of trust from digital systems altogether. The “trust” level is zero, hence Zero Trust. Simple!

Trust is a human emotion that refers to the level of confidence someone has in something, but it’s a vulnerability and an exploit in a digital system. It has no purpose in digital systems, such as networks. There is no use for “trust” in these systems, except to be used by malicious actors, who exploit “trust” for their own nefarious gain. The only thing that can happen to trust in a digital system is for it to be exploited, and the only outcome for trust is some type of betrayal.

What typically confuses people is the anthropomorphization of the network that has happened over time. People and trust in the physical world are not the same as packets and vulnerabilities in a digital system. People are not on the network; packets are. Most people confuse the trustworthiness of human beings with the trustworthiness of packets. By depersonalizing packets, we can do what we need to do, which is inspect that packet and apply access control methodologies. This way, the packet only gets access to approved resources at the approved time – and all of that is logged and analyzed – so we can assess if there was an appropriate digital behavior.

So, for folks trying to move to a Zero Trust environment, step one is to eliminate the word “trust” from your vocabulary as it relates to digital systems. Trust is binary; it is on or off. Think about using the term “confidence” instead. Confidence can exist on a continuum. It’s an important distinction.

The old model of trying to create “trusted” digital systems has never worked to prevent breaches. As people mature their thinking around Zero Trust, it is imperative that they understand the most fundamental principle of the concept: trust is not the desired state; trust is the failure point you want to avoid.

[Palo Alto Networks Research Center]

Cultural Considerations of Adopting Application Container Technology

The benefits of application containers have been shared across a variety of forums and to a diverse audience. The ability to have more application instances without a corresponding increase in hardware is probably the primary benefit that is used to persuade enterprises to adopt application containers. But if that is the primary benefit, meeting the objectives of the rapid deployment associated with DevOps is a close second.

Application containers allow developers to easily modify and test because applications are siloed in their own containers. So, the benefits are appealing from a cost savings perspective as well as support of DevOps deployment. Is there a downside, though?

Perhaps it is not a downside as much as a consideration, but as organizations adopt application containerization, some cultural shifts are necessary. These shifts relate to operational processes that organizations may already have in place; however, containerization requires doing those familiar processes differently. Because the change is for an existing process rather than the implementation of something new, the change is more cultural than operational. For example, in a traditional application environment, generally, there is a structured process for code review, which the time to deployment accommodates. As deployment time is shortened (as in a scenario involving DevOps and application containers), organizations may be challenged in how they perform formal, structured code reviews. So, a cultural shift to identify (and accept) solutions that provide assurance around secure coding in the containerized environment despite the rapid speed of deployment may be required.

Another area where a cultural shift may be required relates to access. Unless an organization develops a strategy around administrator access, it is possible for administrators to have access to multiple hosts, containers and images rather than the specific hosts, containers and images to which the administrator needs access to perform job responsibilities. Ensuring that a least privilege strategy is implemented would address this. Also, beyond internal expectations, several compliance initiatives, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), rely on strong access controls.

Lastly, an organization’s approach to authentication may require a cultural shift. In administering workloads, orchestrators potentially place workloads that have varying levels of sensitivity on the same host. To address this, an orchestrator may have its own authentication directory. This directory, however, may be separate from other non-orchestrator authentication directories in use. As a result, the orchestrator’s authentication directory may have different authentication practices. A concerted effort to ensure alignment of authentication practices for all directories (orchestrator-related or not) may be necessary. These efforts may include, but are not limited to, restricting administrator authentication access to specific repositories rather than multiple repositories.

The benefits of adopting application containers are appealing. More application instances may be possible without incurring the cost of additional hardware, and deployment time may be reduced. Effective adoption, however, depends on how organizations can modify existing protocols to accommodate the containerized environment. Code review, access and authentication are examples of areas for which organizations routinely have controls but where a cultural shift is necessary. Once these shifts have been made, the benefits of application containers can be fully realized.

Robin Lyons, Technical Research Manager, ISACA

[ISACA Now Blog]

Are You Google Cloud Ready?

Public Cloud Security Represents a Massive Opportunity for NextWave Partners

Organizations adopt public cloud solutions for greater network agility and scalability, higher performance and faster access to innovative technologies, but they need help keeping their data secure. 451 Group predicts that by 2018, 60 percent of all workloads will reside in the public cloud while 91 percent of cybersecurity professionals have concerns about cloud security*. The top three challenges they face include protecting against data loss and leakage (67%), threats to data privacy (61%), and breaches of confidentiality (53%). Helping our mutual customers move to the cloud while addressing these challenges represents a massive opportunity for NextWave partners to provide their security expertise and position the benefits of our Security Operating Platform, which supports all major public cloud services, including Amazon Web Services, Microsoft Azure and Google Cloud Platform, or GCP.

 

Become Familiar With Google Cloud Platform

Whether you are curious about GCP or want to dig into technical details, we have a starting place for you! The Google Cloud Platform Learning Guide is the latest addition to our Learning Guide series, providing info on how to get hands-on experience.

 

Start or Grow Your Knowledge

As organizations expand their adoption of GCP for big data, analytics and machine learning initiatives, protecting from threats and data loss becomes a top priority. This Learning Guide provides overviews and in-depth material on GCP, including GCP Launcher, Google Deployment Manager, Google Kubernetes Engine and networking concepts.

Palo Alto Networks VM-Series for GCP protects applications and data deployed on GCP with the same next-generation security that protects more than 51,000 networks around the world today. We provide training on GCP and Palo Alto Networks VM-Series virtualized firewalls, including deployment guidelines, architectures such as hybrid, scale-in and scale-out, and for technical roles, we have administrator guides.

 

Choose Your Own Learning Track

Either follow the learning guide step by step or simply skip ahead to specific topics based on your current knowledge.

Check out everything we can do now in the cloud with GCP. Get the Google Cloud Platform Learning Guide now.

 

* “Voice of the Enterprise: Cloud Transformation Survey of IT Buyers,” 451 Research, September 2016

[Palo Alto Networks Research Center]
