Ramses Gallego, security strategist and evangelist, Dell Software, explains how companies can use IAM and Network Security tools to increase security ratings
How can a CIO or IT decision maker (ITDM) rate the efficiency of an IT security implementation? How can they know when they have reached a level of security that will protect them from both internal and external threats (intended and unintended)? All the while still empowering employees to do their job better?
The starting point is access rights. By ensuring that employees are able to access the correct applications, files and servers to complete their work effectively, without feeling demotivated or untrusted should they have to repeatedly ask for access rights, an organisation is on the right path.
The security approach should encompass three key factors:
1) Be adaptive to threat
2) Meet evolving business requirements, including the use of more sophisticated applications and services within the corporate infrastructure
3) Be fully and easily adopted by employees and/or end users
These factors can be summarised as a ‘Triple A’ security approach. By achieving this, you strengthen overall security and grant your organisation a ‘Triple A’ security rating enabling the business to be ‘ever-ready.’
We are rapidly moving away from siloed IT infrastructures towards a world of convergence. Therefore, security infrastructures need to adapt and interconnect in order to be effective. An adaptive security architecture should be preventative, detective, retrospective, communicative and predictive. In addition, a rounded security approach should be contextually aware.
Gartner outlined the top six trends driving the need for adaptive, context aware security infrastructures as: mobilisation, externalisation and collaboration, virtualisation, cloud computing, consumerisation and the industrialisation of hackers. But what exactly does context aware security mean? Gartner defines it as “the use of supplemental information to improve security decisions at the time the decisions are made,” and predicts that by 2015, 90 percent of enterprise security solutions deployed will be context aware.
The premise of the argument for adaptive, context aware security is that all security decisions should be based on information from multiple sources. This starts by looking at the context of the request and then allowing or denying it based on the information available e.g. the method of authentication used, the time of day, geography, etc. By working in this manner, the organisation can set specific user rights for certain applications, as well as quarantine applications suspected of being infected with malware. By taking this adaptive approach security can be improved, breaking down silos and providing a more central approach to the entire network.
There are dozens of solutions that combine to form a patchwork from multiple vendors each requiring an admin specialist and decreasing in productivity through constant training and updates. Conversely, there are monolithic off the shelf security frameworks that attempt to address every aspect of security in one single solution, but they are inflexible, expensive and divorced from the business objectives of the organisations they’re designed to support, leading to security gaps.
Organisations should approach security with simplicity, efficiency and connectivity as the key principals to bring all parts of the IT security into one integrated solution, capable of sharing insights across the organisation. This is possible by implementing a tailored security infrastructure while working with a reseller or vendor who understands your business segment.
This type of security solution ensures that the approach is adaptive, therefore able to meet the specific requirements and business objectives of the organisation, rather than a one size fits all approach. In order to also provide the end user with the rights that are required, it is highly recommendable to provide the line of business with the administrator rights, to provision each user in the their team, rather than having IT set pre-determined levels.
Another essential aspect to any security approach is ensuring that employees understand and adopt security policies. IT and security infrastructures are in place to secure and support business growth and a great example of this is how IT enables employees to be mobile, therefore increasing productivity. However, at the same time it is vital that employees adhere to security policies and are able to access the relevant data and business applications in order to mitigate the security risk, as well as further supporting the business growth.
Looking at the example of mobility, BYOD is one of the most common ways in which employees can increase their organisation vulnerability to attacks. To some extent this explains why some companies in the UK are reluctant to enable workers to access company networks using personal devices. In fact, 24 percent of UK respondents said less than a tenth of employees use personal devices, lower than the global average of 13 percent. Taking all this into account, it is more important than ever to fully educate employees on access rights, security attacks and protection.
All too often people think security tools hamper employee productivity and impact business processes. In the real world, if users don’t like the way a system works and they perceive it as getting in the way of productivity, they will not use it and hence the value of having the system is diminished, not to mention the network protection.
By providing employees with training and guidelines around cyber security and ensuring that the correct access rights are in place, there is a further incentive for employees to be fully compliant with the network, as this will increase their productivity.
If your overall security policy ticks the categories above, then you have a very high level of protection on your corporate network, however, this is not a one-off assessment. To protect against internal and external threats, it is advisable to run through this checklist regularly to ensure a maximum security level is achieved and maintained at all times. It is also important that any security solutions implemented enable your organisation to grow on demand without there being any impact on the existing part of the infrastructure.
By implementing a ‘Triple A’ rating on your security infrastructure, it becomes possible to ensure that all areas of your corporate network, data and applications are protected at all times as well as being able to identify any potential gaps, helping to prevent against future attacks.
How much do you know about the 2015’s biggest data breaches? Try our quiz!