The new ‘Triple As’ and how to be ‘ever-ready’ for security breaches
By Ramsés Gallego, Security Strategist & Evangelist at Dell Software
Organisations are spending more than ever on IT security, both to comply with internal, regulatory and credit-rating requirements and to protect their data from cyber-threats, according to Dell’s Threat Report.
Triple-A ratings are normally associated with Chief Financial Officers (CFOs), who are required to keep tabs on John Moody’s bond credit ratings. In the world of IT, however, how can a CIO or IT decision maker (ITDM) rate the efficiency of an IT security implementation?
IT security is one of the main concerns for ITDMs. Recent attacks, including Shellshock and Heartbleed, not to mention identity and access management failures such as the Societe Generale case, have affected organisations globally. With such high risks, ITDMs are taking greater steps to protect the corporate network, data and applications from threats from all angles. However, as it stands, a company’s assets are still at risk from both an internal and an external standpoint.
The consumerisation of IT has led to staff expecting solutions and access on demand. Some hold the view that security programmes restrict the access offered to employees, and so hamper their use of data.
How can ITDMs know when they have reached a level of security that will protect them from both internal and external threats (intended and unintended), while still empowering employees to do their job better? By granting the correct access rights, organisations can ensure that employees are able to reach the applications, files and servers they need to complete their work effectively, without feeling demotivated or untrusted because they have to ask repeatedly for access. The security approach should encompass three key factors:
- Be adaptive to threats;
- Meet evolving business requirements, including the use of more sophisticated applications and services within the corporate infrastructure; and
- Be fully and easily adopted by employees and/or end users.
These factors can be summarised as a ‘Triple A’ security approach. By achieving this, you can strengthen the overall security posture and grant your organisation a ‘Triple A’ security rating, and enable the business to be ‘ever-ready.’ Read on to find out how you can achieve a security approach worthy of a ‘Triple A’ status and learn how IT security can be a driver of innovation, rather than an obstacle.
However, a sound security strategy is nothing without the infrastructure to match. When implementing any new security solution, it is essential to ensure the vendor is positioned to support the organisation’s growth with that solution, or as I like to say: “better security, better business!”
Adaptive:
In the past we have seen siloed IT infrastructures; now, however, we are rapidly moving towards a world of convergence. Security infrastructures therefore need to adapt and connect with one another in order to be effective. An adaptive security architecture should be preventative, detective, retrospective, communicative and predictive. In addition, a rounded security approach should be contextually aware.
Gartner has outlined the top six trends driving the need for adaptive, context-aware security infrastructures as: mobilisation, externalisation and collaboration, virtualisation, cloud computing, consumerisation and the industrialisation of hackers[i]. But what exactly does context-aware security mean? Gartner defines context-aware security as “the use of supplemental information to improve security decisions at the time the decisions are made,” and predicts that by 2015, 90% of enterprise security solutions deployed will be context aware.
The premise of the argument for adaptive, context-aware security is that all security decisions should be based on information from multiple sources. This starts by looking at the context of the request and then allowing or denying it based on the information available, e.g. the method of authentication used, the time of day, geography, etc. Working in this manner, the organisation can set specific user rights for certain applications, as well as quarantine any applications suspected of being infected with malware. This adaptive approach improves security, breaks down the silos seen in organisations, and provides a more central view of the entire network.
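As an added illustration (not from the original article or any Dell product), here is a minimal context-aware access decision in Python: the request is evaluated against authentication strength, geography, time of day and device quarantine state, and hard failures deny while softer signals trigger a step-up challenge. The policy table, application names and request fields are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical per-application policy, constructed for this example: minimum
# authentication strength, permitted countries (None = any), working hours in UTC.
POLICIES = {
    "payroll": {"min_auth": "mfa", "countries": {"GB"}, "hours": (8, 18)},
    "wiki":    {"min_auth": "password", "countries": None, "hours": None},
}
AUTH_RANK = {"password": 1, "mfa": 2}  # higher rank = stronger authentication

@dataclass
class Request:
    """Context available at decision time (the 'supplemental information')."""
    user: str
    app: str
    auth_method: str       # "password" or "mfa"
    country: str           # ISO 3166 code derived from the source IP
    hour_utc: int          # 0-23
    device_quarantined: bool = False  # endpoint flagged as malware-suspect

def decide(req: Request) -> tuple:
    """Return ("allow" | "step_up" | "deny", reason) for one request.
    Hard failures (quarantined device, unknown app, disallowed geography) deny
    outright; softer signals (single-factor auth, unusual hour) escalate to a
    step-up challenge instead of a flat deny, so users are not locked out."""
    if req.device_quarantined:
        return "deny", "device quarantined: suspected malware"
    pol = POLICIES.get(req.app)
    if pol is None:
        return "deny", f"no policy for application {req.app!r}"
    if pol["countries"] is not None and req.country not in pol["countries"]:
        return "deny", f"geography {req.country} not permitted for {req.app}"
    if AUTH_RANK.get(req.auth_method, 0) < AUTH_RANK[pol["min_auth"]]:
        return "step_up", f"{req.app} requires {pol['min_auth']}"
    if pol["hours"] is not None:
        start, end = pol["hours"]
        if not start <= req.hour_utc < end:
            return "step_up", f"{req.app} accessed outside {start:02d}-{end:02d} UTC"
    return "allow", "context satisfies policy"

# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS = [
    Request("alice", "payroll", "mfa", "GB", 10),        # allow
    Request("alice", "payroll", "password", "GB", 10),   # step_up (weak auth)
    Request("alice", "payroll", "mfa", "GB", 23),        # step_up (out of hours)
    Request("bob", "payroll", "mfa", "US", 10),          # deny (geography)
    Request("carol", "wiki", "password", "US", 23),      # allow (open policy)
    Request("dan", "wiki", "mfa", "GB", 10, device_quarantined=True),  # deny
]
```

Each decision carries a reason string, which is what an audit log or SIEM rule would consume when reviewing why access was granted, escalated or refused.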
Adaptable:
No two organisations are the same, so why should their security implementations be? Security solutions need the flexibility to meet the specific business requirements of an organisation. Yet, despite spending more than ever to protect systems and comply with internal and regulatory requirements, malware can still be found inside corporate networks. In fact, 73% of organisations globally have experienced a security breach in the last twelve months, according to a Dell-commissioned survey by Vanson Bourne.
There are dozens of “best-of-breed” solutions addressing narrow aspects of security. Each requires its own specialist to administer it, and gaping holes are left between them. Patchwork solutions that combine products from multiple vendors inevitably lead to the blame game, and decrease productivity through constant training and updates.
Conversely, there are monolithic off-the-shelf security frameworks that attempt to address every aspect of security in one single solution, but they are inflexible and extremely expensive to administer, so organisations find them too costly to run. They are also completely divorced from the business objectives of the organisations they are designed to support, which leads to security gaps.
Instead, organisations should approach security with simplicity, efficiency and connectivity as the key principles, bringing all parts of IT security into one integrated solution capable of sharing insights across the organisation. This is possible by implementing a tailored security infrastructure while working with a reseller or vendor who understands your business segment.
This type of security solution ensures that the approach is adaptable, and therefore able to meet the specific requirements and business objectives of the organisation, rather than a one-size-fits-all approach. In order to also give end users the rights they require, it is highly recommended to give the line of business the administrator rights to provision each user in their own team, rather than having IT set pre-determined levels.
Adopted:
Another essential aspect of any security approach is ensuring that employees understand and adopt security policies. IT and security infrastructures are in place to secure and support business growth. A great example of this is how IT enables employees to be mobile, thereby increasing productivity. At the same time, however, it is vital that employees adhere to security policies and are able to access the relevant data and business applications, in order to mitigate the security risk and further support business growth.
Looking at the example of mobility, BYOD is one of the most common ways in which employees can increase their organisation’s vulnerability to attacks. Data loss on mobile devices is considered a top concern for companies today, with 71% of UK businesses citing “increased use of mobile” as a top threat to their IT security in the next five years[ii]. To some extent this explains why some companies in the UK are reluctant to let workers access company networks using personal devices. In fact, 24% of UK respondents said less than a tenth of employees use personal devices, lower than the global average of 13%. Taking all this into account, it is more important than ever to fully educate employees on access rights, security attacks and protection.
All too often people think security tools hamper employee productivity and impact business processes. In the real world, if users don’t like the way a system works and perceive it as getting in the way of productivity, they will not use it; the value of having the system is then diminished, not to mention the protection it gives the network.
By providing employees with training and guidelines around cyber security, and ensuring that the correct access rights are in place, there is a further incentive for employees to comply fully with network security policy, as this will increase their productivity.
Triple A
If your overall security policy is able to tick the categories above, then you have a very high level of protection on your corporate network. However, these checks are not something you should do only once. To protect against internal and external threats, it is advisable to run through this quick checklist on a regular basis, to ensure that a maximum security level is achieved and maintained at all times. It is also important to ensure that any security solutions implemented enable your organisation to grow on demand, without any impact on the existing parts of the infrastructure.
Overall, the Moody’s rating scheme is a widely respected and trusted framework outlining the financial status of a country; a ‘Triple A’ security rating is likewise a good basis for testing a corporate security infrastructure. By ensuring that it is ‘Triple A’ rated, it becomes possible to ensure that all areas of your corporate network, data and applications are protected at all times, and to identify potential gaps in the security infrastructure, helping to prevent future attacks.
[i] Gartner, “The Future of Information Security is Context Aware and Adaptive” – http://www.bytes.co.uk/files/7313/4383/1104/Gartner_Reprint-_The_Future_of_Information_Security_is_Context_Aware_and_Adaptive.pdf
[ii] Computer Weekly, “Businesses ignore unknown threats despite cost, study shows” – http://www.computerweekly.com/news/2240214754/Businesses-ignore-unknown-threats-despite-cost-study-shows