Not if but When (Part 2)
September 16, 2014
3 minute read | security
Complex networks offer greater freedom and new potential but they present challenges too. Because it’s no longer a question of ‘if’ an organisation will be attacked, but ‘when’, security needs to be enforced at every level of infrastructure. While this means that organisations need to change the way they look at the security of their IT infrastructure, strong efforts to safeguard it will be rewarded.
Many companies still base their security strategy on their network and on perimeter defence but, with such wide and flexible networks, it’s important to add further protective and detective controls. The reach of your network can no longer be reliably defined, so data and access to it need to be protected in their own right, rather than relying only on the network and system security that safeguards its transport and storage.
On the one hand, data itself needs to be secured independently of where it’s stored or accessed. As a first measure, a data classification is required which maps sensitive data to the different parts of the infrastructure where it may be kept or processed. Given this mapping, appropriate defences for the data can be defined and cost-effectively implemented. For example, it’s usually not possible to simply encrypt all data at all times, but for the ‘crown jewels’ encryption in transit and at rest may be warranted. Companies dealing with payment data are familiar with this approach (it is mandated by the PCI Data Security Standard) but it should be exercised for all sensitive data if you really want to protect it properly.
Additionally, to truly embrace the art of connecting, identity management has to extend beyond just employees to partners and customers too. Since data is always accessed by users, the importance of proper access control increases. It pays to treat all users with caution — regardless of where or who they are. This requires enhancing provisioning capabilities to use trustworthy sources of information for all user accounts, not only for employees. If customers, partners or suppliers need easy and fast access to their data and you’re unable to meet them face-to-face, added security measures need to be included in the registration process, so you can trust that they really are who they claim to be.
Based on proper provisioning, tight access control needs to be implemented which, in turn, requires sufficiently strong authentication. This can include simple social logins for low-risk consumer access or more elaborate federation mechanisms for business partners and suppliers.
Finally, access control should be granted based on the roles and attributes of users rather than assigned in an ad-hoc fashion. This approach not only improves security but also eases the regular checks that all permissions are still correctly set and that only people with an approved business need are granted access.
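As an added illustration of the last three points (it is not code from the original post), the following Python sketch ties the data classification to a required authentication strength, grants permissions through roles, applies user attributes such as organisation and verified registration, and derives the access-review list from those rules instead of from hand-kept grants. The classification and authentication levels, role names, resources and users are all constructed for the example.

```python
"""Added example: role- and attribute-based access decisions plus a review report.
All levels, roles, users and resources below are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Result of the data classification exercise; higher is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3  # the 'crown jewels', e.g. payment data


class AuthLevel(IntEnum):
    """Assumed ranking of authentication strength, weakest first."""
    SOCIAL = 1     # social login: acceptable for low-risk consumer access
    PASSWORD = 2   # local account with a password
    FEDERATED = 3  # assertion from a trusted partner identity provider
    MFA = 4        # any of the above plus a second factor


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification
    owner_org: str


@dataclass(frozen=True)
class User:
    name: str
    org: str                 # "acme" for employees, otherwise the partner/customer org
    roles: frozenset
    auth_level: AuthLevel
    identity_verified: bool  # registration was checked against a trustworthy source


# Role-based part: permissions are granted to roles, never to individual users.
ROLE_PERMISSIONS = {
    "finance": {"payments:read", "payments:write"},
    "support": {"customers:read"},
    "customer": {"catalogue:read", "own-account:read"},
}

# Attribute-based part: the data classification decides how strong the login must be.
MIN_AUTH = {
    Classification.PUBLIC: AuthLevel.SOCIAL,
    Classification.INTERNAL: AuthLevel.PASSWORD,
    Classification.CONFIDENTIAL: AuthLevel.FEDERATED,
    Classification.RESTRICTED: AuthLevel.MFA,
}


def is_allowed(user: User, resource: Resource, action: str) -> tuple[bool, str]:
    """Decide one request and return the reason, so denials can be logged and reviewed."""
    permission = f"{resource.name}:{action}"
    granted = {p for role in user.roles for p in ROLE_PERMISSIONS.get(role, ())}
    if permission not in granted:
        return False, f"no role of {user.name} grants {permission}"
    required = MIN_AUTH[resource.classification]
    if user.auth_level < required:
        return False, f"{user.auth_level.name} login is below required {required.name}"
    if resource.classification >= Classification.CONFIDENTIAL and not user.identity_verified:
        return False, "identity was not verified at registration"
    if resource.classification == Classification.RESTRICTED and user.org != resource.owner_org:
        return False, "restricted data is not shared outside the owning organisation"
    return True, "allowed"


def access_review(users, resources, actions=("read", "write")) -> dict:
    """Effective access per resource: the list a data owner re-certifies regularly.
    Because grants flow from roles and attributes, the report is derived, not hand-kept."""
    return {
        res.name: sorted(f"{u.name}:{a}" for u in users for a in actions
                         if is_allowed(u, res, a)[0])
        for res in resources
    }


# Constructed sample data: one employee with MFA, one employee with only a password,
# a federated partner, a partner who was (wrongly) given an internal role, and a consumer.
PAYMENTS = Resource("payments", Classification.RESTRICTED, "acme")
CUSTOMERS = Resource("customers", Classification.CONFIDENTIAL, "acme")
CATALOGUE = Resource("catalogue", Classification.PUBLIC, "acme")

ALICE = User("alice", "acme", frozenset({"finance"}), AuthLevel.MFA, True)
ERIN = User("erin", "acme", frozenset({"finance"}), AuthLevel.PASSWORD, True)
BOB = User("bob", "partnerco", frozenset({"support"}), AuthLevel.FEDERATED, True)
DAVE = User("dave", "partnerco", frozenset({"finance"}), AuthLevel.MFA, True)
CAROL = User("carol", "shopper", frozenset({"customer"}), AuthLevel.SOCIAL, False)

USERS = [ALICE, ERIN, BOB, DAVE, CAROL]
RESOURCES = [PAYMENTS, CUSTOMERS, CATALOGUE]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, "payments:read ->", is_allowed(u, PAYMENTS, "read"))
    print(access_review(USERS, RESOURCES))
```

Running it shows the effect of each rule: erin holds the finance role but her password-only login is too weak for restricted data, dave has the role and strong authentication but belongs to a partner organisation, and carol's social login is enough for the public catalogue but nothing more. The review report lists only alice on payments, bob on customers and carol on the catalogue, which is exactly what a data owner would be asked to confirm or revoke.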