IT security issues are top of mind in enterprise IT departments today, with a large focus on the protection of data. Moving into 2014, organizations still need to maintain their perimeter defenses, such as firewalls and intrusion-detection systems. The unfortunate truth is that the growth of mobile devices and cloud systems has made legacy security solutions practically obsolete.
Back in the good old days, security goals were directed towards the protection of physical devices. That was before companies placed their intellectual property and technology in clouds, before they allowed employees to access corporate networks and data from personal smartphones and tablets. The general rule of thumb was that if the organization protected the device, the data was also protected.
Today, data protection has become the primary objective. Organizations cannot always protect the device on which data resides or from which it is accessed. Cloud solutions, by definition, exist outside the perimeter of the core enterprise environment, yet, depending on the application, they typically require access to systems within the enterprise network. What’s more, firewalls and traditional security solutions are often configured to let mobile devices bypass security controls and reach applications inside the protected network.
If that’s not enough to keep IT security managers up at night, add to these challenges the fact that hackers, organized crime, and state-sponsored cyber-attackers are directing great amounts of attention to the development of malicious applications and processes that take advantage of both cloud configurations and the weaknesses of mobile devices. Regardless, executives in corner offices continue to hold the unrealistic expectation that IT departments provide the same level of security for their systems that existed before the advent of such destructive new malware and threats.
A layered approach
Security solutions that help mitigate the risks of theft, loss, and corruption of systems and data are much more limited than the tools available to hackers to cause such problems. As a result, it’s important to develop a layered approach to IT security that focuses on three critical areas:
Data categorization and classification
Prior to implementing a full, complex security solution, organizations need to know what they need to secure. This is accomplished through the process of data categorization and classification. Classifications can include confidential, financial, intellectual property, client and employee personal information, and public, to name a few. Different categories and classifications of data have different security requirements, and some also carry mandated requirements under federal, state, or industry compliance regimes.
These categories and classifications should be used to define security and access requirements. For example, data containing client or personnel health information must adhere to HIPAA standards. If the organization is considering placing this information in the cloud, the cloud provider would have to be HIPAA compliant and provide audit reports from an independent third-party assessor that periodically document the CSP’s business processes, security systems, and practices.
Strong service-level agreements
Even when an organization outsources its systems and applications to cloud providers, the responsibility for the security, reliability, and accessibility of those systems remains the organization’s own. To carry that responsibility, the organization must develop and maintain contractual requirements, including service-level agreements and independent reporting obligations, that let it verify the cloud provider is meeting its commitments.
Policy-based and automated device management
You can’t rely on technology alone to head off the data-security issues that arise when employees log on to corporate networks with personal devices. Consequently, many of the security and management tasks you need to develop and maintain will also be manual and policy-based. These start with acceptable-use and BYOD policies that spell out -- in writing -- an organization’s rights and potential actions, including denying access for nonstandard devices or to employees who fail to meet company requirements. When possible, it’s also a good idea to pair these policies with MDM (Mobile Device Management) or MAM (Mobile Application Management) solutions that automate the management and security of employee devices.
Through the combination of manual policies and processes, the classification of data, and the implementation of automated device management systems, organizations should be able to manage and control data more securely and efficiently. How many of your security teams have started to move beyond legacy security comfort zones? Let’s chat in the comments about your plans and challenges for 2014.
Jerry Irvine is a member of the National Cyber Security Task Force and the CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm.