COMMENTARY
For years, the cybersecurity industry has put an emphasis on protecting network infrastructure. But as innovations have focused on firewalls and intrusion detection systems, other forms of IT infrastructure — which are mission-critical to operations — were left exposed.
Beyond the perimeter, IT infrastructure remains one of the most overlooked attack surfaces in the enterprise. Increasing complexity in hybrid environments has complicated matters, both impeding zero-trust adoption and creating a target for adversaries.
Recent reports tracing a massive AT&T breach to a cloud provider offer another reminder of the ever-present threat at the baseline, where attacks can cause headline-grabbing financial damage, downtime, and the erosion of customer trust that took years to build.
Reducing exposure is often viewed as a cybersecurity problem, but the responsibility for safeguarding infrastructure does not fall solely on security teams. Managing always-on, always-evolving systems requires collaboration throughout the enterprise. Information moves:
Across cloud and on-premises environments
Between security and engineering teams
Through operations and legal teams
Too frequently, responsibilities transfer between these functions without a shared vocabulary or a common understanding of benchmarks, allowing security vulnerabilities to slip through the cracks in the process.
To close these gaps, organizations must embed security at every step as teams build, provision, operate, and maintain infrastructure. Secure by Design principles, as outlined by the Cybersecurity and Infrastructure Security Agency (CISA), can inform a new roadmap for security control management, where infrastructure security becomes proactive, flexible, and continuous.
Cloud Complexity, Compounded Risk
Cloud environments reshaped IT infrastructure, unlocking storage capacity and flexibility essential for our digital era. But this transformation also introduced more operational complexity (especially for large organizations).
At most multinational, multiproduct companies, IT infrastructure is a diverse mix of multiple public cloud, private cloud, and on-prem deployments, and environments are constantly being reworked as business needs change and technology advances.
Gone are the days when a single, isolated on-prem infrastructure could be managed through a single pane of glass. Today, infrastructure is dynamic and often fragmented, expanding the zone of potential exploitation. IBM's "Cost of a Data Breach Report" 2024 found that about 40% of all breaches involve data distributed across multiple environments.
In a hybrid world where new infrastructure spins up constantly, security and engineering teams are facing new pressures:
Every deployment is different, and each requires security controls that are tailored to standards and regulations that change with every environment, industry, and geography.
Benchmarks must be assessed and monitored continuously.
Configuration drift has to be remediated quickly so that security stays ahead of attackers.
Despite all of the new workflows and tools that were spawned by the cloud transformation, the process of securing infrastructure is often slowed by a manual back-and-forth between engineering and security teams. Typically, a security team hands off a spreadsheet with requirements to engineers, who must research what to build and how to build it on their own. When security scans the results, they find more issues, and hand them back to engineers.
The result? Critical controls are implemented late, or not at all.
Updating existing infrastructure is another minefield. Engineers, legal teams, and third parties often work on systems over the weekend and manually reconfigure security controls. These temporary configurations can leave backdoors open when security teams fail to reset them amid competing priorities.
Despite the best intentions, miscommunication and errors leave misconfigurations in their wake. The Capital One breach of 2019 was a wake-up call, but the industry-wide problem persists.
Secure by Design: Expanding the Movement
As infrastructure complexity grows and time is of the essence, existing security approaches are falling behind. We operate in a multicloud, hybrid world, yet outdated processes still reflect on-premises thinking.
Governance and compliance platforms help teams see gaps, but they rarely do the work to close them. Visibility is necessary, but insufficient if remediation doesn't keep pace with fast-moving threats and continuous deployment cycles.
To protect modern infrastructure, security must be woven into every stage and every team's workflow, not bolted on as an afterthought. Cybersecurity is much like home security. We need more than a way to determine if the door is unlocked or the windows are open. True security demands proactive measures — checking the doors and windows — before an environment is operational.
With the release of the Secure by Design framework, CISA showed a new way forward. In software, Secure by Design became more than a set of technical steps to implement; it turned into an industry-wide movement to make security a priority throughout the software development life cycle.
Secure by Design infrastructure will shift security and compliance from a tedious back-and-forth between security and engineering to a continuous cycle of security control management that closes gaps and integrates seamlessly with engineering practices.
By applying Secure by Design to infrastructure, we can transform security from a static set of guidelines into an always-on process that prioritizes quick action. This requires a new set of principles for building Secure by Design infrastructure. Several steps could include:
Create and customize security control policies that tailor standards to a company's industry, geography, and environment, whether it is cloud, on-prem, or hybrid.
Continuously assess and validate the security posture of controls using proprietary or publicly available scanners.
Deliver security scan results as discrete engineering tasks, so they can be integrated with workflows such as DevSecOps.
Remediate changes stemming from user actions, software updates, or the evolving threat landscape.
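The four steps above can be sketched as one loop: a tailored policy, an assessment against observed settings, one task per deviation, and a remediation pass. This is an added example, not code from the article or from CISA; the control names, environments, resource names, and snapshot values are all constructed assumptions.

```python
from dataclasses import dataclass

# Step 1: baseline controls plus per-environment overrides (all values constructed).
BASELINE = {"storage.public_access": False, "storage.encryption_at_rest": True,
            "ssh.password_auth": False, "lb.tls_min_version": "1.2"}
OVERRIDES = {"cloud-prod": {"lb.tls_min_version": "1.3"}}

@dataclass(frozen=True)
class Task:
    environment: str
    resource: str
    control: str
    expected: object
    observed: object  # None means the scanner reported no value

def policy_for(environment):
    return {**BASELINE, **OVERRIDES.get(environment, {})}

def compliant(control, expected, observed):
    if observed is None:
        return False  # fail closed: an unreported setting is a finding
    if control.endswith("_min_version"):
        as_tuple = lambda v: tuple(int(p) for p in v.split("."))
        return as_tuple(observed) >= as_tuple(expected)  # stronger than required is fine
    return observed == expected

def assess(environment, snapshot):
    """Steps 2-3: compare observed settings with policy, one Task per deviation."""
    tasks = []
    for resource, (kind, settings) in sorted(snapshot.items()):
        for control, expected in policy_for(environment).items():
            if control.split(".")[0] != kind:
                continue  # control does not apply to this resource kind
            observed = settings.get(control.split(".", 1)[1])
            if not compliant(control, expected, observed):
                tasks.append(Task(environment, resource, control, expected, observed))
    return tasks

def remediate(snapshot, tasks):
    """Step 4: return a copy of the snapshot with each task's expected value applied."""
    fixed = {r: (k, dict(s)) for r, (k, s) in snapshot.items()}
    for t in tasks:
        fixed[t.resource][1][t.control.split(".", 1)[1]] = t.expected
    return fixed

# Constructed scan snapshot: resource -> (kind, observed settings).
SNAPSHOT = {
    "bucket-a": ("storage", {"public_access": True, "encryption_at_rest": True}),
    "bastion-1": ("ssh", {}),  # scanner returned nothing for this host
    "edge-lb": ("lb", {"tls_min_version": "1.2"}),
}
```

The same snapshot yields a different task list per environment, because the load balancer's TLS floor only counts as drift where the override raises it.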
Building a Resilient Infrastructure
CISA planted a flag. Now, it's incumbent on all of those who care about safeguarding systems to pick up the torch and take action to secure systems throughout the enterprise. Secure by Design must extend from applications and code to the foundations that support them.
By integrating each of the steps we explored with agile workflows and applying automation, we will create new opportunities to accelerate deployment — and enhance security in the process. A new generation of tools will not only identify weaknesses and show results, but enable action to fix problems before adversaries discover them.
In security, the term "shift left" calls on technologists to implement security as early as possible. Following rapid adoption of Secure by Design in software, use of security control management practices can shift infrastructure as far left as possible and shore up the flanks often left exposed in the cybersecurity battle.