Shrinking security perimeters
In an environment characterised by disruptive technologies and growing risk, enterprises should stop focusing on anti-virus and firewalls.
This is the view of Henk van der Heijden, VP of security sales at CA Technologies.
Van der Heijden, a veteran information security professional, clarifies: “Identity is the new perimeter.” With social media, mobility and BYOD raising a series of new concerns for IT security professionals, Van der Heijden says narrowing down security to the individual will make control and risk mitigation simpler and more effective.
“We see boundaries disappearing in organisations,” he says. “In the past, security was inside the organisation. Now, with companies communicating through social media with partners and customers, and consumerisation of IT, gateway protection has disappeared. Now, IT must mitigate risk while enabling the enterprise to reach out to external stakeholders.”
Several recent research studies have found that risk management and governance are a top concern for CIOs and CISOs embarking on cloud, social media and mobility strategies.
Van der Heijden says of these worries: “We shouldn't focus on anti-virus, firewalls and traditional infrastructures. We should stop trying to control the devices, but look to controlling identity instead.”
With efficient identity management, access and user behaviour can be controlled, tracked and managed, he points out. The device and platform become irrelevant - the user privileges assigned to each identity become the security controls.
“We see financial companies doing this already,” he says. “With a user ID, you can track who the user is, what their usage patterns are, and a great deal more. The resulting data can be used to calculate risk, and this benefits both the bank and the end user.”
Noting that users are accustomed to enrolling for services, Van der Heijden says identity management for enterprise applications will enable the enterprise to restrict access to certain information or track use.
“Depending on the type of service being accessed, the identity management may be non-invasive - something like a Facebook ID. But for financial transactions and corporate data, you may need more stringent enrolment with higher level authentication. This allows much more information to be gathered about the user, and better risk balancing.”
Van der Heijden will speak on the subject at the CA IT Management Africa symposium at the Sandton Convention Centre on 4 September.