With reports that more than half of US states have banned or restricted access to TikTok on government devices, many cybersecurity professionals are asking, “How can you take a well-intentioned policy from vision to execution?” The answer is operational governance.
Cybersecurity tends to focus on preventing ransomware and advanced persistent threats. This is essential work, but it can overshadow the foundation of an effective cybersecurity program. Fundamentally, cybersecurity is about enforcing corporate policies. Yet enforcement falls flat far too often because organizations lack visibility into what is happening on their network.
Many policies are intended to prevent attacks, but other traditional examples include preventing access to gambling websites and other illicit content. Governance, risk, and compliance (GRC) programs are intended to demonstrate compliance for audits or to assess the security posture of another organization during a corporate merger or acquisition.
TikTok is just one recent example of banning access to an app. New York City public schools have banned ChatGPT. And there are ongoing concerns that a rogue employee could install cryptomining software on a corporate network. Of course, preventing and detecting these risks and threats has become substantially harder since cloud computing, mobile devices, and the Internet of Things have radically transformed the network perimeter.
The network perimeter has been atomized by decades of digital transformation, which means it has become dispersed, ephemeral, encrypted, and diverse. Mobile and remote workers are accessing data and applications scattered across multicloud, hybrid-cloud, and on-premises infrastructure. Legacy application appliances have been retrofitted to interoperate with cloud environments. IT/OT convergence is enabling applications to access physical environments as easily as IT networks.
A Paper Tiger: Policy Without Enforcement
As organizations have moved to adopt zero-trust security, network security and identity-based access controls have been lagging behind endpoint and detection and response (EDR) deployments. Unfortunately, identity-based threats can elevate endpoint privileges to disable EDR agents and to access the network, where threat actors can hide between the gaps of disconnected technologies and the teams that manage them.
Furthermore, many endpoint and network devices, such as IoT devices, serverless platforms, routers, switches, and SCADA systems are incapable of running EDR agents in the first place. And all of this assumes that the cybersecurity team is aware of every endpoint connected to the network and has a way to control them, which is not always the case.
Entire classes of devices may be left unprotected, so having an effective network security architecture beyond access control and access brokering is even more important. However, the chaotic nature of network traffic makes visibility difficult. Traditional solutions usually don’t support the cloud, and cloud-based approaches tend to focus on specific cloud environments. Detecting and stopping attacks is incredibly difficult, given the opacity and gaps.
One major concern with TikTok and other apps is the potential for unauthorized access to the network and devices through excessive permissions or embedded spyware, which may be used for espionage. To address these concerns, it is important to categorize the types of infrastructure and the traffic that needs to be monitored. By mapping out the infrastructure and analyzing real-time data, it is possible to identify and alert on policy violations and to integrate these alerts into existing workflows.
Invent the Universe: Comprehensive Visibility and Real-Time Verification
The famed astrophysicist Carl Sagan once quipped, “If you wish to make an apple pie from scratch, you must first invent the universe.” The same goes for enforcing cybersecurity. Without comprehensive visibility of the network and real-time verification of governance policies, it can be difficult to know if they are being enforced. This is especially true when relying on outdated technologies or host-based monitoring, which may not provide a comprehensive view of network activity.
For example, I recently spoke with a company that discovered one of its factory machines — which was in production and should have been isolated from other networks — was browsing TikTok and Facebook. This was a clear indication that policy enforcement had failed, leaving the machine compromised.
And just as you cannot bake without precisely measuring your ingredients and knowing the temperature of the oven, you cannot enforce cybersecurity policy without comprehensive and real-time visibility into endpoint devices and network traffic. Visibility is a foundation of cybersecurity, which is why so many compliance frameworks, such as SOC 2 and ISO 27001 include the creation of an asset inventory among their first requirements.
It can be easy to be drawn in by the allure of shiny new solutions — and certainly cybersecurity professionals do need to monitor emerging risks, threats and trends like these recent TikTok bans — but I would contend that the majority of cybersecurity challenges can be fixed with a focus on the fundamentals: enforcing corporate policy with the visibility needed to do so.