IT Security Guru

Cyber security in the new Wild West

For millions, work used to be somewhere you go. Now it's something you do

by Nigel Thorpe
September 14, 2020
in Insight

For millions, work used to be somewhere you go. Now it’s something you do. From an IT point of view, being unable to control the security of the remote working environment is a significant concern. The employee now sits at home on their laptop, connecting to business servers and applications through virtual private networks, remote desktop or using the cloud. This is all within the control of the IT security team.

However, what processes are run on the laptop, which other devices are connected to the home network, and the security of the employee’s Wi-Fi make the environment a bit like the lawless Wild West. At the same time, hackers have upped their game, with a massive growth in both the quantity and sophistication of phishing, malware and user account compromise attacks.

Picture an apocalyptic landscape where the employee’s laptop is now teeming with hackers intent on stealing any locally saved data, then piggy-backing on the user’s live connections to business servers, extracting more information and maybe even deploying ransomware.

IT security challenge

A little fanciful perhaps, but cyber security must deal with this scenario. We have to assume that the remote network environment is hostile, and that the employee is deliberately or unwittingly a potential threat. Staff working from home unobserved are also more likely to have fewer scruples about stealing data.

Many organisations put their faith in full disk encryption to protect data, but once the employee’s laptop is running, the door is wide open for malware to access any file, fully decrypted.

Zero Trust is just ringfencing

Traditional security solutions were based on the concept of a finite network perimeter, but now that perimeter has changed exponentially. Today’s users and devices are everywhere and we can no longer base our security on the location from which an access request originates.

As a result, organisations have begun moving to a Zero Trust security model, which mandates a ‘never trust, always verify and enforce least privilege’ approach to access from both outside and inside the network. It starts with the idea that traffic inside the perimeter should be no more trusted than that outside of it. The model demands that all requests for network access should be verified and authenticated on a need-to-know basis and all traffic should be inspected and logged.

Using a Zero Trust approach starts with data classification and process mapping by asking, “if this device were compromised, what data and resources could it access and compromise?” This process is then repeated for every user and device connected to the network. Obviously, there are some limitations. If you restrict access too tightly, or take too long to verify the access request, you create bottlenecks which can cripple networks. Also, there are other issues affecting confidentiality, integrity and availability of data which Zero Trust doesn’t address, including DDoS, human error, unintended consequences of patching or network problems.

While Zero Trust is still important, it has now become evident that this approach is no longer adequate alone, and the critical idea for the ‘next future’ is to drive security deep into the data itself.

It’s all about the data

A fundamental assumption on which the traditional approach to security is based is that you can keep the attackers out. This is simply not true, so there needs to be another way of protecting data. IT Security must rethink its traditional ‘castle and moat’ methods of protection and prioritise a ‘data centric’ approach, where security is built into data itself using file encryption. This way, if data is stolen, it remains protected and therefore useless to the thief – even if extracted by a member of staff.

Most data encryption solutions use a single decryption key, then rely on access management to control the visibility of data. While this in principle meets regulatory requirements to encrypt data, it does nothing to prevent data theft through compromised user accounts or through malicious insiders.

Authenticated file encryption based on Public Key Infrastructure (PKI) means that each file can only be decrypted using individual keys held by authorised users. In this way, data cannot be decrypted by information thieves. PKI also allows for simple and natural file sharing across user groups, networks and in the cloud.
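The per-file, per-user scheme described above can be sketched as envelope encryption. This is an added example, not SecureAge's or the author's code: it assumes Node.js, AES-256-GCM for the file and RSA-OAEP for key wrapping, and the users, file content and function names are constructed for illustration.

```javascript
// Added example: per-file envelope encryption with one wrapped key per authorised user.
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Constructed user; in a real PKI the public key would come from the user's certificate.
function newUser(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Encrypt the file under a fresh random AES-256-GCM key, then wrap that key per recipient.
function encryptFile(plaintext, recipients) {
  const fileKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKeys = new Map();
  for (const r of recipients) {
    wrappedKeys.set(r.name, nodeCrypto.publicEncrypt({ key: r.publicKey, ...OAEP }, fileKey));
  }
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Returns the plaintext, or null when the key does not unwrap or the file was altered.
function decryptFile(envelope, name, privateKey) {
  const wrapped = envelope.wrappedKeys.get(name);
  if (!wrapped) return null; // no key was wrapped for this identity
  try {
    const fileKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", fileKey, envelope.iv);
    decipher.setAuthTag(envelope.tag);
    return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  } catch {
    return null; // wrong private key (OAEP failure) or GCM tag mismatch
  }
}

// Constructed scenario: alice and bob are authorised, mallory holds a stolen copy.
function demo() {
  const [alice, bob, mallory] = ["alice", "bob", "mallory"].map(newUser);
  const env = encryptFile(Buffer.from("Q3 payroll (constructed sample)"), [alice, bob]);
  const tampered = { ...env, ciphertext: Buffer.from(env.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // flip one bit in the stored file
  return {
    alice: decryptFile(env, "alice", alice.privateKey)?.toString(),
    bob: decryptFile(env, "bob", bob.privateKey)?.toString(),
    malloryOwnSlot: decryptFile(env, "mallory", mallory.privateKey),
    malloryAliceSlot: decryptFile(env, "alice", mallory.privateKey),
    tampered: decryptFile(tampered, "alice", alice.privateKey),
  };
}
```

The protection rests on where each private key lives: a copy of the file alone yields nothing, but anything able to use alice's private key decrypts exactly as alice does.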

Modern PKI-based file encryption techniques are designed to work completely seamlessly so that neither the application nor the legitimate user is aware of the security functions’ activity. This data centric approach is the only way to ensure data is 100% secure in use, in transit and while stored, and no matter where it gets copied.

Learning the lessons

The rapid roll-out of home working went well and home and remote networks have held up. Employers have managed to support staff in this move and web conferencing has become second nature.

However, institutional lax attitudes towards data protection, the alleged Russian antics and Twitter’s woes all illustrate that data remains vulnerable. Add the insecure, uncontrolled environment of the home network and you have a recipe for data theft by both cybercriminals and rogue employees. While technologies such as identity management and Zero Trust rightly remain important, the focus for security must become data-centric. If security is built right into the data itself, then it will no longer matter when information is stolen – it will ultimately be useless to the thief.

 

Contributed by Nigel Thorpe, technical director, SecureAge
