Regular surveys of C-Suite executives around the world consistently show that information security is among their top three concerns. This is hardly surprising. The rising tide of compliance and privacy legislation bringing in potentially crippling fines, customers willing to launch class-action lawsuits and the impact on businesses of a trashed reputation mean that companies can be forced out of business should a breach be severe enough.
This is not just an issue for mid-sized companies. Target and Home Depot in the USA have suffered badly from their high-profile breaches. The impact was not limited to share price and compensation to customers but has also led to heads rolling in the boardroom. Nobody is immune from the impact of a poor security policy, and this has begun to focus minds on security.
Crucially, the challenges of the current threat landscape mean that there is no more room for security lip service.
Technology, processes and people make IT security hard to get right
Modern IT systems are more complex than they have ever been. When users only worked inside the office, security was about hardening the edge of the network. It was a classic military approach of building walls that could not and should not be breached. But, like the early builders of castles, organisations discovered that unless security is many-layered, once the outer wall is penetrated the soft middle is easy pickings.
The introduction of laptops 25 years ago, mobile phones 15 years ago, and now tablets, Bring Your Own Device and cloud computing means that there is no real boundary left to protect. Data flows onto devices where there is far less protection than inside the enterprise. The result is that the very technologies that are supposed to make working easier and more efficient are the ones being exploited to steal data and introduce malware into the enterprise.
It might seem that the solution is to install software onto every device. However, not knowing what devices are being brought into the organisation makes it hard to do this. Even where software is generally available, keeping devices up-to-date and ensuring that they are secure from attacks takes a lot of time and requires a regime that does continuous auditing to detect any device and software package that is out-of-date.
It’s unfair to just blame the technology. Current business processes also need to adapt and keep adapting to a changing threat. The problem is that business processes are rarely designed to be flexible. Instead they are chiselled into stone tablets, especially if they are seen as having a security impact. To deal with the changing threat, companies need their processes to be as flexible as the new technologies that they are deploying.
Processes also need to reflect changes in the legal landscape in order to deal with the challenge of compliance. Too often, updates to meet compliance needs are agreed by a committee, who then pass a set of general principles to an IT team who have to reinterpret those principles to make them work on IT systems. Without effective oversight, audit and validation, this can create incompatible security rules that are then weakened so that the business can function.
A perfect example of this is encryption of data. Companies do not deploy the software to keep data encrypted on all the devices that a user carries and can put data onto because it is seen as being time consuming and expensive. The result is a patchy attempt to protect through encryption which delivers a false sense of security.
User education around the latest threats has to be part of the solution, but nobody has the budget for training and education. The best most companies do is to create user policies that a mobile workforce often finds hard to comply with. Evidence of this is that a recent study looking at how much data was being moved around London daily on user devices came up with the staggering figure of 1.2 Exabytes of data. Users in that study freely admitted to breaching corporate rules in order to get their jobs done.
Picking the right security solution versus building your own
Choosing the right security tools presents its own dilemma. Is it best to choose one vendor who can deliver a full service solution or buy the best of breed tools and create your own solution?
Many customers worry about getting locked into a single vendor for any part of their IT infrastructure, arguing that choice helps to keep cost and complexity down. Commodity hardware and office productivity software are both good examples of how well that can work.
One of the arguments for mix and match is that highly engineered security solutions can end up with weaknesses aligned across the multiple layers of the software. This creates fracture lines that can be exploited and are hard to detect. Using best of breed means that any weaknesses are unaligned, giving a greater chance of detection. However, the complexity of integrating those best of breed products creates its own weaknesses, which can be much easier to exploit as hackers draw on their knowledge of the interfaces.
A better solution is to choose a vendor who can deliver a highly scalable security architecture into which products can be connected. The natural inclination will be to use products from the same vendor, but no vendor has a complete set of tools that address every issue. As a result, they already have products from chosen partners as part of their solution and provide a set of interfaces that can be programmed against or used to integrate tools from other vendors.
Any platform must support more than just the data centre. Mobile devices and cloud require deployable security components that can protect devices and data. Governance is also a must if the solution is to be fit for purpose. This will make it much easier to deploy sets of security rules and align them with business processes. Governance is also an essential part of ensuring that audits and security policies can be matched to compliance needs.
The move to cloud requires federated security that spans platforms
One of the big challenges of any security platform today is cloud. There are several reasons for this. Among them is that cloud is often not purchased or approved by the IT department. In the 1980s, the Business Units (BU) were responsible for many of the PC and even early Local Area Network (LAN) purchases. Today, the majority of cloud services are being brought into the enterprise the same way.
This means that the IT department has no opportunity to align its security tools and processes with those offered by cloud providers. Instead, IT often first learns that a cloud service is in use when something goes wrong. At that point, they are scrambling to integrate security, and that means the risk of a breach is increased. This does not mean that the BU should be prevented from using cloud or that it should be controlled by IT, but it does mean there is a need for a better approach to integrating security.
While integration of tools is one solution, a better way is to have a properly federated security solution. This changes the integration from a programmable solution, which needs constant updating and alignment to manage disparate product updates, to one where the key is the way credentials are passed and validated by different systems.