30 years of the website: securing the future of the web

This is the third in a four-post series that honors the 30th anniversary of the website, as well as examines how we expect web infrastructure and user experiences to evolve in the next 30 years.

Even in the early days of the internet, the potential for crime was acknowledged (for proof, look no further than the 1995 film, “Hackers”). But what was perhaps more unimaginable then was the sheer size of the attack space. The internet refers not just to the web’s fiber-optic underpinnings, but to every machine, device, and data repository attached to it. Over time, it’s become not an outlier but another prime avenue for crime and theft.

In our last blog post, we explored why we should embrace a more dynamic mindset as we build the web and reconsider the tools we need to get there. Part of that challenge will require approaching security in a new way. Our needs for privacy and security have grown exponentially since the birth of the web, when we couldn’t have imagined the threats that would exist today. 

To effectively create more secure and resilient online experiences, we must design, build, and execute applications with security top of mind, and consider how the lessons of the past 30 years inform how we think about the future of security. 

A look back

The Aurora Attack marked one of the biggest security wake-up calls that changed the course of the internet. On Jan. 10, 2010, Google announced it was the victim of a cyber intrusion originating from China. According to the company, the purpose of the operation was to access the Gmail accounts of Chinese human rights activists, but the attackers also stole valuable source code from Google. It was one of the first published examples of state-sponsored cyber espionage aimed at gathering industrial secrets from a commercial organization. 

Previously, there had been a line in the sand that nation states would only launch cyber attacks against other nation states. After Aurora, it was clear attackers were willing to take whatever path required to get into an application. To compromise code and ultimately access valuable data on your network or engage in malicious activity, they’re willing to attack the web applications developers build, and they’re willing to spend six months or more to pull it off.

Traditional watering hole attacks use this approach. Attackers get into the supply chain to go after customers’ data downstream. We’re seeing a great deal of that now with exploits like the SolarWinds attack by the Russian state that compromised parts of the Department of Defense, the Department of Homeland Security, the Department of State, the Department of Energy, the National Nuclear Security Administration, and the Treasury. Equally affected were 100 private companies, including Microsoft, Cisco, Intel, Deloitte, and AT&T.

And it’s no longer only about data theft, but about data integrity too. Sometimes it’s more valuable to an intruder to alter data and leave it in place. Financial institutions are now seeing subtle changes to time stamps on transactions as crooks attempt to siphon off money. Some attackers are manipulating time stamps to game stock purchases. Data integrity attacks can also erode trust in our institutions — a key objective of some adversaries. And paranoia about election data integrity continues to bog down U.S. democracy.

The takeaway here is that malicious actors are always going to find new avenues of attack, and we must recognize and accept this — and build in the appropriate defenses. 

Adopting zero trust and a security-first culture 

Security used to be perimeter-based: the idea being that we built security around a physical space, but that everything inside of that space was wide open. Organizations were focused on keeping attacks out, while assuming that once you were on the network, it was safe to provide access to everything. 

Now, security is increasingly moving toward a zero-trust model, which is based on identity rather than location. This model assumes you can’t trust anything, whether outside or inside your organization, and must verify the identity of anything trying to connect to your systems before granting access.

To embrace zero trust, organizations must create a security-first culture and integrate security into their DevOps practices. From the very beginning, as many attack avenues as possible should be identified, with testing and remediation implemented earlier in the development process. As remote work becomes ever-more prevalent, and organizations lose the ability to control the networks and devices employees access data on, this approach will only become increasingly important. 

There’s a better path forward

On the path to zero trust, many organizations struggle to overcome the perception that security stands in the way of development and innovation. Key to doing that is ensuring that you have the proper tools in place. 

Organizations need tools built with the modern, decentralized enterprise in mind. On average, organizations spend $2.6 million on 11 web application and API security tools every year, according to our recent report “Reaching the Tipping Point of Web Application and API Security.” 

The complexity of security is often a deterrent for many DevOps teams and blocks effective collaboration between DevOps and security teams. The result is that tools are not used to their full potential, leaving the door open for malicious attacks. 

We need tools that plug directly into the development process and integrate with the tools DevOps teams use daily. Security solutions must provide automation, coverage for different architectures, and high levels of visibility and insight so that security becomes an enabler of innovation, not a blocker. And we should leverage a more efficient, programmable network to ensure scalability along the way.

In the future, we’re going to see more granular access control to these tools. The concept refers to the practice of granting a particular user differing levels of access to a resource, but we must find a way to do it that doesn’t impede speed and performance. Clear user authentication is key, and moving it to the edge improves performance and privacy.

It’s about mindset, not just tools

At the end of the day, zero trust is not just about implementing new technology — it’s also about embracing a new mindset and redesigning processes to turn it into something tangible. 

We need to do a better job of thinking ahead to the internet’s next 30 years. We know so much more than networking pioneers did in the 1970s because we stand on their shoulders. Sophisticated independent and state-sponsored cyberattacks are now a given. Straightforward protection against those threats should be a given too.

In our next blog post, we’ll wrap up our series on the website’s 30th anniversary by exploring five lessons today’s builders can use to drive the future of the web.

Mike Johnson
Chief Information Security Officer

Mike Johnson serves as the CISO of Fastly, where he leads teams focused on the security of Fastly’s network, products, services, and systems trusted by the world’s leading companies. Prior to joining Fastly, Mike served as the CISO of Lyft, and also led Detection and Response at Salesforce.