CISOs focus on their network perimeter in an effort to prevent exploits.
Often they fail.
Why? Because no one can control criminal exploits. And with the advent of enterprise mobility and the widespread adoption of cloud, the enterprise has lost control of endpoints, networks and even applications. That’s why headlines and industry publications are full of dire warnings about the latest phishing scam or malevolent machinations by cybercriminals.
All is not lost. It’s time to let go of what we can’t control and start focusing on what we can: identities.
Imagine the scenario: an employee uses their personal iPhone to access a work file from Dropbox over their provider’s network while they’re on their commute.
It’s a pretty common picture. And it’s one where you have no control over the application, hosted in someone else’s data centre; no control over the third-party network the employee is using to access the data; and no control over the endpoint the data ends up on.
The combination of enterprise mobility, the always-on culture and the increasingly easy access to the cloud means that the old idea of an organisation’s security perimeter surrounding the office walls no longer applies.
Whereas once the hardware was the criminals’ target – the servers, the laptops, the office blocks – the intended target has shifted to the users. The humans who use the hardware are fallible. They are susceptible to the scams and the cons. It’s their actions, purposefully or not, which often pose the security threat.
The traditional security paradigm has disappeared, and this is why.
Mobility means that people are accessing sensitive data, from inside and outside the corporate network, on a range of devices, some provided by the company, others owned by the individual.
This is a problem. This year, 28% of respondents to PwC’s Global State of Information Security Survey reported security compromises of mobile devices. And as such, securing smartphones and tablets is now a priority.
Always-on culture means that employees expect instant, easy access to whatever they need to do their job, whenever and wherever they are. This leads to two problems:
Finally, the adoption of cloud services not only means that data no longer flows through the corporate network, it also creates new administrators who have access to your data but who aren’t part of your organisation. As Forrester says:
“Adoption of infrastructure-as-a-service (IaaS) (from providers like AWS, Azure, and Rackspace) and software-as-a-service (SaaS) (like Salesforce and Office 365), public cloud applications, private cloud, and outsourcing creates a new kind of administrator (or privileged user): one who is an employee of the public or private cloud provider (AWS, Azure, SoftLayer, etc.) and interacts with your workloads on their behalf.”
All of this would sound pretty dire if there wasn’t an alternative to the old security perimeter. Thankfully security professionals can do something to keep the enterprise safe: focus on the robust management of data and user identity.
After all, it’s data that’s of value to cybercriminals and it’s data you ultimately want to protect. If you embed security controls in the data itself, then if criminals do get hold of it or if there is a non-malicious breach, the data offers no value and poses no risk to your organisation.
The problem is, thanks to the distribution of data that secular megatrends have sparked, it’s now hard to track down where all your data is and what kind of data you have.
Only 16% of companies know the location of sensitive structured data and, even worse, only 7% know the location of sensitive unstructured data according to research by Ponemon Institute.
So before you can embed security in your data you have to ask a few questions that will not only help you in your security efforts but will also help you make a case to the business for investment in data security:
Once you have a clear picture of what data you have, its value and where it travels, you can begin to implement your new security perimeter.
The tools you use will vary depending on the data you are protecting, but will likely include at least one of the three most common:
Encryption: This should be a minimum for enterprise data, whether it’s at rest or being downloaded to an employee device. You can also create automatic rules based on that encryption. For example, you can prevent encrypted files being synced to a non-approved app to reduce the risk of sensitive data leaking into a shadow IT infrastructure.
Tokenisation: This can be ideal for data sets that fall under regulation; for example, PCI DSS requirements for sensitive payment data. Once you substitute a sensitive data element with a non-sensitive equivalent, referred to as a token, that data no longer has extrinsic or exploitable meaning or value. This often means the data set is no longer in scope of the regulation, making compliance much easier to achieve.
Data masking: This method is particularly good for big data sets or data used in software testing because it creates a functional substitute of the data but doesn’t leave sensitive or identifiable information exposed.
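To make the tokenisation point concrete, here is an added example (not code from the original article or from ThirdSpace) of a minimal vault-based tokeniser for card numbers: the token keeps the length and last four digits so downstream systems keep working, is deliberately not a valid card number, and can only be reversed by an authorised role. The `TokenVault` class, the `payment-processor` role name and the in-memory dict vault are all constructed for illustration.

```python
import re
import secrets


class TokenVault:
    """Constructed in-memory tokenisation vault (illustrative only).

    A production vault keeps the token-to-PAN mapping in a hardened,
    access-controlled store; a dict is used here so the example runs offline.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    @staticmethod
    def luhn_ok(pan: str) -> bool:
        # Luhn check: rejects inputs that are not plausible card numbers.
        checksum = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            checksum += d
        return checksum % 10 == 0

    def tokenize(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)  # strip spaces and dashes
        if not (13 <= len(pan) <= 19) or not self.luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # Random leading digits carry no information about the real PAN;
            # the last four are kept for display and reconciliation.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # The token must be unique and must NOT pass Luhn, so it can never be
            # mistaken for (or used as) a real card number.
            if token not in self._token_to_pan and not self.luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Only the constructed "payment-processor" role may recover the PAN;
        # everyone else works with the token and stays out of PCI DSS scope.
        if role != "payment-processor":
            raise PermissionError("role not allowed to detokenise")
        return self._token_to_pan[token]
```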
Of course, as you apply these measures you also have to think very carefully about identity and access management. There is no point opening data up to unnecessary risk: with encryption, for example, the data is only safe if the encryption keys remain secure.
Considering that Forrester estimates that 80% of security breaches involve privileged credentials, it’s important to define and implement role-specific access controls as part of your wider data security practice.
“Data centric controls are the hot commodity,” says Bill Burns, CISO, Informatica.
If you are holding up department requests for new cloud services apps and trying to rein everyone back inside the old network perimeter, then you are effectively closing the stable door after the horse has bolted.
There’s no doubt that re-drawing the security perimeter and shifting the focus to data itself is a challenge. But it’s a challenge CISOs can and must meet. And it’s a challenge worth meeting because, unlike the old, breached perimeter, it actually has a good chance of keeping your enterprise safe.