
At your own risk

By Ilva Pieterse, ITWeb contributor
Johannesburg, 13 Oct 2015
Albie Bester, PAMOJA.

When it comes to disruptive technologies, the humble traditional perimeter should no longer be an organisation's only risk focus. In fact, security on its own shouldn't be either: availability and uptime are also becoming increasingly important in the South African landscape, given factors such as load shedding, which is especially significant where an organisation relies on third parties.

"Today, there is a fundamental change in the way IT is run and delivered. It's characterised by disruptive forces such as mobile access and cloud infrastructure," says RSA's chief security architect Rashmi Knowles.

She reminisces about when, not so long ago, IT's reach was well-defined and well-controlled. "Most applications required a comparatively small amount of access, little or no information was shared externally. Key corporate applications and data stores sat inside our own datacentres. There was a well-defined and well-known set of users for our applications. There was a clear distinction between internal and external networks, and a small number of ingress and egress points. IT security could defend a well-defined perimeter by using preventative tools like anti-virus, firewalls and IDS. These tools could use static rules and signatures to effectively stop threats. And we could effectively implement and apply policies and governance across the environment. With this level of control, organisational risk was relatively easy to understand and manage."

All of this has dramatically changed in today's threat landscape. An often-used threat factor is cloud computing, where much of an organisation's data is housed by a third-party vendor, including customer data. As Knowles points out: "More and more applications are delivered as a service, or run in a cloud-based data centre outside the organisation's boundaries, and some of these services may be 'shadow IT' initiated by the business outside of IT's view and processes, as they seek to gain rapid access to new capabilities that will help them innovate and compete better. Today, many former in-house tasks are conducted outside the organisation's traditional 'four walls'."

This is why, as Knowles puts it: "Managing organisational risk is like pushing water up a hill."

Disruptive technologies provide a Catch-22 situation for the enterprise, because despite security risks, they afford a lot of freedom to both workers and the enterprise. CEO at PAMOJA, Albie Bester, recounts how the dawn of end-user computing in the 1990s was the first step towards computing freedom for the information worker, and the advent of mobile devices and the cloud have given end-users even more freedom in how and when they do their jobs.

"But in a world where workers are freed from the chains of the desktop and the internal corporate network, IT departments need to be vigilant about managing the growing list of IT security risks," he says.

Overstep bounds

Bester believes these risks can still be broken down to people, processes and technology, and managed through a combination of the right systems, policies and procedures.

As a cloud services provider, PAMOJA focuses largely on security in order to instil confidence. According to Bester, the company makes sure it follows all best practices for securing its customer data.

The company also ensures it employs staff it can trust and ensures policies are in place, and that staff members are adequately monitored, audited, and restricted.


Bester says the bar is set much higher for cloud service providers than for an SME or even a large organisation running its own IT systems; providers are held to a much higher standard.

When it comes to lessons learned, he says PAMOJA is grateful to the banking industry. "Online banking is based on the same technology as our cloud computing services. Banks have paved the way and probably took most of the earlier bullets."

When it comes to client data availability, Bester says the best way to ensure this is through duplicated data. "Everything we host is duplicated somewhere else. We have a platform running in Kenya, one in Midrand and one in Mtunzini."

Know no bounds

Trusting in your cloud service provider might not be enough, despite the stringent security and availability measures that might be put in place. As SAS Institute system engineer Colin Hill points out, the final onus should still lie with the data's owner.

"Many people think a contract protects you, but it's only a piece of paper, and only as valuable as the piece of paper it's written on. Organisations should ensure their provider is actually delivering on their promises as set out in the SLA. Have you done due diligence to make sure they are protecting your data? And that the firewalls they claim to have are in place?"

A contract is only a piece of paper, and it is only as valuable as the piece of paper it is written on.

Colin Hill, system engineer, SAS Institute

At the end of the day, Hill argues, the cloud vendor is there to make money, and what stops it from only putting the bare minimum in place? "You need to make sure on a regular basis that the controls your cloud provider has put in place are working."

This also applies largely to availability. Hill asks that organisations ensure their cloud service provider has a solid business continuity plan in place. "What happens in the case of load shedding? If there is a continuous blackout for three weeks, for instance, will your cloud provider still be up? This is not only an info security risk, it's an operational risk," he stresses.

A risk-based approach

According to Jayson O'Reilly, director of sales and innovation at DRS, organisations are starting to approach security from a risk-based, proactive perspective. "Any good risk-based security strategy needs to establish what the priorities are, and then make decisions through a system of evaluating the confidentiality of the information, the vulnerability of systems and applications, and the likelihood that a threat might occur. Risk-based decisions can help companies develop more realistic and practical security goals, and help them allocate their security budgets accordingly."

He adds that tolerance for risk changes with time. "Any company's risk tolerance is fluid and dynamic, and a risk profile is only indicative of the business's risk acceptance level at any one point in time. Understand that this will change, and have frequent conversations among executives, technical and department heads, to promote awareness and discuss comfort levels."

Security strategies also need to be consolidated. Companies buy into different technologies that do different things and don't necessarily 'talk to each other' - and neither do the vendors. "Having various disparate technologies running on a single system is exactly the kind of vulnerability that criminals look for," O'Reilly says.

Furthermore, vendors are known to sell their security products and solutions on fear, uncertainty and doubt. "Moving to a risk-based approach is 150% proactive and removes a lot of the fear, uncertainty and doubt," he says.

He adds the ultimate goal for organisations is to be confident enough that, despite what kind of device is brought in, sensitive data is sufficiently protected with regards to access rights.

"We all understand from a risk perspective or security-based cyber crime perspective, it's not a matter of if, but when."

O'Reilly has five steps to risk-based security maturity:

Step 1: Conduct a comprehensive gap/health assessment. This step should consider the following aspects: information security organisation and structure; information classification; information asset management; network security; identity access control; system security; application security; vulnerability management; cryptography; communication security; physical security; supplier security management; information security incident management; and information security risk and compliance management.

Step 2: Organisation risk tolerance discovery (post-gap analysis)

Step 3: Remediation planning

Step 4: Maturity planning according to risk tolerance analysis

Step 5: Continuous management and measurement

An intelligence-driven security approach

Rashmi Knowles, chief security architect at RSA, believes most authorities would agree that the goals of preventing compromise and having a good handle on risk are long gone. "We have to assume we are in a state of compromise and must focus on early detection and remediation to minimise the damage."

She says forward-thinking organisations are adopting an intelligence-driven security strategy that delivers three essential capabilities: visibility, analysis and action.

1. Visibility

Organisations gain visibility by collecting data about what matters.

First is risk - without visibility into risk, organisations can't design optimal defence strategies or appropriately prioritise activities.

Secondly, what is happening on the network? Network visibility needs to go beyond what we have today, from logs and events down to the packet and session level to spot faint signals that indicate advanced threat.

Third is digital identities - organisations need to understand who or what is on their networks, what they are doing, and whether that behaviour is appropriate.

And, finally, transactions - organisations need to know what's happening inside key applications that drive the business.

2. Analysis

All the data gathered to gain visibility is useless without the ability to extrapolate insight and meaning from it. Analysis involves understanding normal state behaviour and then looking for anomalies. By knowing what's 'normal', organisations can then spot, investigate and root out anomalies that result from malicious activity.

3. Action

Action is the response to confirmed malicious anomalies. Rapid action allows organisations to mitigate potential threats and manage risk by enforcing controls such as access restrictions. Action also results in remediation processes and activity.
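The visibility, analysis and action loop described above, as an added illustration that is not part of the original article or of RSA's products: a small Python pipeline that parses constructed login log lines into events (visibility), learns what is "normal" for each identity from a baseline window and flags departures from it (analysis), and maps confirmed anomalies to a control decision such as restricting access (action). The log format, user names, addresses and the anomaly and action names are all assumptions made up for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article). The baseline window is
# assumed to represent normal behaviour; the current window is analysed against it.
BASELINE_LOGS = [
    "2015-10-05T08:12:01Z user=alice src=10.0.1.15 action=login result=ok",
    "2015-10-05T09:03:44Z user=alice src=10.0.1.15 action=login result=ok",
    "2015-10-06T08:41:10Z user=alice src=10.0.1.22 action=login result=ok",
    "2015-10-07T08:05:19Z user=alice src=10.0.1.15 action=login result=ok",
    "2015-10-05T07:58:02Z user=bob src=10.0.2.40 action=login result=ok",
    "2015-10-06T08:10:37Z user=bob src=10.0.2.40 action=login result=fail",
    "2015-10-06T08:11:02Z user=bob src=10.0.2.40 action=login result=ok",
    "2015-10-07T17:30:55Z user=bob src=10.0.2.41 action=login result=ok",
]
CURRENT_LOGS = [
    "2015-10-13T08:20:11Z user=alice src=10.0.1.15 action=login result=ok",
    "2015-10-13T03:14:09Z user=alice src=198.51.100.7 action=login result=fail",
    "2015-10-13T03:14:21Z user=alice src=198.51.100.7 action=login result=fail",
    "2015-10-13T03:14:40Z user=alice src=198.51.100.7 action=login result=fail",
    "2015-10-13T03:15:02Z user=alice src=198.51.100.7 action=login result=ok",
    "2015-10-13T09:01:30Z user=bob src=10.0.2.40 action=login result=ok",
]

# Assumed key=value log layout; a real collector would parse its own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Visibility: turn raw lines into structured events, skipping malformed ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def network_of(addr):
    """Coarse /24 bucket so that a new host on a known office network is not an anomaly."""
    return addr.rsplit(".", 1)[0]


def build_baseline(events):
    """Analysis, part 1: record the networks and hours each identity is normally seen from."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["action"] == "login":
            baseline[e["user"]]["nets"].add(network_of(e["src"]))
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def find_anomalies(events, baseline, fail_threshold=3):
    """Analysis, part 2: compare the current window against the baseline.
    Returns {user: set of anomaly kinds}; one kind is reported once per user."""
    anomalies = defaultdict(set)
    fails = Counter()
    for e in events:
        if e["action"] != "login":
            continue
        user = e["user"]
        known = baseline.get(user)
        if known is None:
            anomalies[user].add("unknown_identity")
            continue
        if network_of(e["src"]) not in known["nets"]:
            anomalies[user].add("new_network")
        if e["ts"].hour not in known["hours"]:
            anomalies[user].add("unusual_hour")
        if e["result"] == "fail":
            fails[user] += 1
            if fails[user] >= fail_threshold:
                anomalies[user].add("failure_burst")
    return dict(anomalies)


def recommend_action(anomalies):
    """Action: turn the anomalies into a control decision per identity.
    The decision is returned, not enforced; an operator or workflow applies it."""
    actions = {}
    for user, kinds in anomalies.items():
        if "unknown_identity" in kinds or {"new_network", "failure_burst"} <= kinds:
            actions[user] = "restrict_access"   # e.g. suspend session, force credential reset
        elif kinds:
            actions[user] = "step_up_auth"      # e.g. require MFA, open an investigation ticket
    return actions


def run_pipeline(baseline_lines, current_lines):
    baseline = build_baseline(parse(baseline_lines))
    anomalies = find_anomalies(parse(current_lines), baseline)
    return anomalies, recommend_action(anomalies)


if __name__ == "__main__":
    found, actions = run_pipeline(BASELINE_LOGS, CURRENT_LOGS)
    for user in sorted(found):
        print(user, sorted(found[user]), "->", actions[user])
```

Note that bob is flagged for an "unusual hour" only because three days of baseline never saw him log in at nine; that is the kind of false positive a short baseline produces, and it is why the analysis step should feed an investigation rather than an automatic lock-out unless several signals agree.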

Aside from the critical capability to combat today's increasingly dangerous threat landscape, an intelligence-driven security strategy provides focus to drive action based on mitigating the most pressing risks to the business, and ensuring organisations prioritise activity and resources appropriately.

According to Knowles, most organisations' security systems rely on a significant number of disparate solutions: malware analysis, identity and access management, and governance, risk and compliance. An intelligence-driven security strategy offers operational benefits by reducing the number of point products, and fuses together otherwise disjointed data sets and tools, improving both security and risk management. "This strategy empowers organisations to effectively manage risk and address the challenges they have today and those in the future," she concludes.
