Reducing the cyber security footprint exposure
If you want stronger cyber security to have a chance of working, you have to reduce the publicly exposed footprint.
When we add services that must be reachable from outside the company, whether traditional public web servers or applications for roaming employees, we generally just keep adding more servers and services to a DMZ. Each service we add increases the risk of a cyber security failure. It's time to review just how much we have out there and consider ways to reduce the footprint. That sounds simple, yet I keep seeing those footprints grow.
For instance, BYOD, virtual workers and traveling workers all make this problem worse. In the past we may have kept some resources purely internal; now we place them at the edge even when only internal people (employees and perhaps contractors) need to reach them, not the public at large. That is fundamentally flawed: we are making internal resources reachable from the internet.
Worse, mainly because of BYOD, where we might once have used client VPNs, we now expose these services directly and count on the firewalls to protect and defend them. That is a very flawed approach. The only things we should make directly publicly accessible are classic web servers and the incoming mail exchangers (a separate subject). Merely placing an internal web resource in a DMZ with authentication and behind a firewall is no longer enough, and frankly it is reckless.
Almost every resource that is not meant for the general public should be hidden in one or more dedicated VPN service zones, with remote access solutions acting as gatekeepers to those internal services: strong authentication plus role-based access to limit where each user can get to. Those gatekeeper devices in turn need to be protected by firewalls and, where appropriate, web application firewalls and other defend/inspect/detect solutions.
We also have to remember that our total public footprint includes not only devices in our data centers and DMZs but also the various SaaS services we use (file sharing, email, CRM, etc.). We cannot and should not assume those services are secure, and we must keep in mind the additional risk and exposure SaaS brings: SSO makes credential theft more damaging, and our ability to detect improper access or a breach there is minimal. This is a very real threat, and it is not receiving the publicity or attention it deserves.
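As an added example (not the author's code), here is a small Python review of a constructed exposure inventory that applies the rules argued in this post: only public web servers and inbound mail exchangers face the internet directly, gatekeepers must enforce strong authentication and role-based access, and SaaS counts as part of the footprint. The host names and the inventory entries are hypothetical.

```python
"""Added example (not the author's tooling): review a constructed internet-facing inventory against the post's rules."""
from dataclasses import dataclass

@dataclass
class Exposure:
    name: str            # hostname or SaaS product (hypothetical)
    kind: str            # "web", "mx", "gateway", "saas", or "app"
    audience: str        # "public" or "internal"
    strong_auth: bool = False    # MFA or certificate-backed authentication
    role_scoped: bool = False    # access limited by role, not all-or-nothing

def review(e: Exposure) -> list[str]:
    """Return findings for one entry; an empty list means it is acceptable."""
    findings = []
    # Classic public web servers and inbound mail exchangers may face the internet.
    if e.kind in ("web", "mx") and e.audience == "public":
        return findings
    if e.kind == "gateway":
        # The gatekeeper itself must enforce strong auth and role-based access.
        if not e.strong_auth:
            findings.append("gateway without strong authentication")
        if not e.role_scoped:
            findings.append("gateway grants access without role-based limits")
        return findings
    if e.kind == "saas":
        # SaaS is part of the footprint; a stolen SSO credential opens it.
        if not e.strong_auth:
            findings.append("SaaS reachable with SSO credentials only, no strong authentication")
        return findings
    # Everything else is an internal resource placed directly at the edge.
    findings.append("internal resource directly exposed; move behind a VPN/gatekeeper zone")
    return findings

def review_footprint(inventory: list[Exposure]) -> dict[str, list[str]]:
    """Map each name that has findings to its findings; clean entries are omitted."""
    return {e.name: f for e in inventory if (f := review(e))}
# Constructed inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Exposure("www.example.test", "web", "public"),
    Exposure("mx1.example.test", "mx", "public"),
    Exposure("intranet.example.test", "web", "internal"),      # internal wiki sitting in the DMZ
    Exposure("hr-portal.example.test", "app", "internal"),     # HR app protected by a firewall only
    Exposure("access.example.test", "gateway", "internal", strong_auth=True, role_scoped=False),
    Exposure("files-saas", "saas", "internal", strong_auth=False),
    Exposure("crm-saas", "saas", "internal", strong_auth=True),
]
if __name__ == "__main__":
    for name, findings in review_footprint(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```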