Sometimes, things that once seemed like good ideas (such as plumbing homes with lead pipes) turn out to be not so smart after all.
That lesson applies to IT security, too. While many of the security best practices that you may have learned in the past still hold true, some have changed.
Here’s a look at a few security strategies or practices that fall into that category.
Mandatory password changes
Whether you’re a security admin or just a humble end-user, you’re probably familiar with mandatory password changes. It’s a common practice for an organization to require users to change their passwords on a regular basis — usually, every 60 days or so.
The idea behind mandatory password changes is that they help mitigate security risks in the event that an attacker knows the password of a user but has not yet exploited that information.
In the past few years, however, that logic has come under question, with the Federal Trade Commission leading the charge. Security researchers now say there’s little evidence that mandatory password changes actually make things much more secure.
Forcing users to change their passwords frequently increases the likelihood that your users will start writing their passwords down or using passwords that are easy to guess, because it’s otherwise too difficult for them to remember a new password every time they have to change it.
Some admins disagree and say that mandatory password changes are still a good idea. But by and large, this practice, once seen as a critical way to improve security, is fading away.
Treating VPNs as security blankets
Virtual Private Networks, or VPNs, have several common uses. They encrypt network traffic that might otherwise be transmitted in plaintext. They provide off-site access to resources that sit behind firewalls. They can theoretically prevent network eavesdroppers from tracking a user’s network activity.
That’s all good and well. The problem with VPNs, however, is that they turn out not to be as bulletprooffrom a security perspective as some folks assume them to be. They can reveal private information due to a flaw known as IPv6 leakage. They also don’t provide much protection from attackers who have already breached the VPN that users connect to.
This isn’t to say that VPNs do not provide some useful security features. They certainly do.
The risk that VPNs pose, however, is that they can create a false sense of total security. They lead users to assume that because they have connected to a VPN, their information will remain totally private, and they can fully trust any sites they visit.
The practice that needs to change, then, is to treat VPNs as a catch-all security solution. VPNs continue to have an important role to play, but security admins can no longer think of VPNs as a simple and total solution for keeping all user data secure.
Hiding behind the firewall
Like VPNs, firewalls are another security tool that is no longer as effective for providing blanket security as they once were.
Until about a decade ago, placing all of your organization’s resources behind a firewall was a practical way to provide a strong line of defense.
Today, firewalls no longer work as well, for two main reasons. One is that it’s impossible in many cases to put all resources behind a firewall due to the complex nature of modern infrastructure and environments. The second is that firewalls are only good at detecting security issues at the network level.
This is not to say that you should not use a firewall at all. Firewalls are still useful tools. But treating firewalls as the be-all, end-all of network security is no longer a best practice.
Avoiding the cloud
When cloud computing started becoming popular in the mid-2000s, the mantra repeated by security admins everywhere was that moving workloads to the cloud was inherently risky. You were entrusting your data and applications to someone else’s infrastructure, they said, and you might be violating all manner of compliance requirements.
We now know that that is not the case. Compliance frameworks have been updated in recent years to become cloud-aware, and a new generation of security tools makes it possible to secure cloud-based workloads effectively, no matter what level of access and control admins have over cloud infrastructure.
In short, avoiding the cloud as a matter of security policy is no longer the right way to think. While in certain cases there may still be good reasons to keep workloads on-premises, it’s not true that cloud apps and services are inherently less secure. But they do require proper management.
Worrying only about data theft
In the past, the chief goal of many attackers was to steal data, such as private information about individuals or passwords.
Attackers still do these things today. However, their motivations have expanded. Many cyberattacks now aim not to steal data, but to disrupt business operations via DDoS attacks.
And as technologies like serverless have hit the scene, a new type of attack has become possible: spinning up massive amounts of infrastructure in order to run up a victim’s cloud computing bill.
What this means is that security admins should no longer focus on data security alone. They also need to design strategies and implement toolsets that can monitor for other types of abuse.
Unless you entered the IT world right now, you probably learned security strategies in the past that are not as effective today as they used to be. Infrastructures and application architectures have changed. So has the nature of threats. If your IT security strategy (or, for that matter, your security toolset) is built upon concepts from the 1990s or 2000s, it’s time to revisit them.