Any forward-thinking enterprise wants to embrace the latest technologies to enhance productivity in its day-to-day operations, and industry bosses are becoming far more open to concepts like BYOD, cloud computing, and social media. But is this modernist approach to functionality reflected in the security policy of businesses?
Chris Young, Senior Vice President of Security and Government at US giant Cisco, thinks not. Young was speaking to a select press audience including ITProPortal as Cisco hosted a special roundtable discussion in London, and the security chief repeatedly condemned the outdated “castle and moat” mentality of so many organisations.
That is to say that traditional methods of security focus too heavily on simple perimeter defences like gateways and firewalls, rather than imposing a more thorough “layered” system where security tools surround the sensitive data more closely. Thus, when these basic barriers are breached, the attacker has leapt the analogous moat with one strike and has full access to the castle.
“This concept of you’re either in the network or out of the network in many ways is antiquated in itself, so we need to move away from that model and focus on how we push security closer to the sensitive information, data and applications that matter,” said Young. He urged companies to consider tools that “monitor behavioural anomalies” so “it becomes less ‘are you breached or are you not breached’ and more about deterministic behaviour” and user access. If a company can appropriately tailor a user’s account so it can only access certain applications, and a strong user identity system is in place, security becomes much tighter, says Young.
Carefully controlling access has become a particularly relevant issue for security managers due to the aforementioned trends in the workplace. The extensive use of social media among businesses and their employees has made network attacks “more sophisticated, more targeted,” according to Young, who says offenders are utilising social networks to “make themselves look more like legitimate users and finding ways to compromise the end user through normal behaviour.” Testament to this is a malware campaign currently proliferating on Twitter, where users are receiving direct messages from followers telling them to open an unsafe link styled as a Facebook URL.
What’s more, Young points out that “a lot of these attackers are going onto social media sites and studying users, figuring out who are the network administrators in an enterprise and targeting those administrators so they can get access to sensitive credentials” - so the threat is twofold. Organisations are broadening their reach and presence through social media, but the risks that come with the sites are extremely apparent in a security context.
Which is why the UK government's proposals to use Facebook and other social networks to support a national identity scheme are coming under fire. If Whitehall does indeed push through the 'Identity Assurance Programme' on the proviso of relying on these vulnerable sites, security experts are sure to have something to say about the logic of handling citizens' personal data in such a manner.
BYOD, or bring your own device, is another trend seeing wide adoption, as more and more bosses see the opportunity to boost productivity and cut costs by allowing employees to use the same tablet or smartphone at home and in the office. But the merging of personal and professional data burdens a device with a great deal of sensitive information, which can be particularly problematic given the relative lack of security solutions for mobile compared to desktop and laptop. And Young says the inherent difficulties of integrating effective security software into a mobile device are preventing progress in this area.
“I think the challenge we’ve got with mobile anti-virus solutions is that it's going to…take a lot of CPU,” he said. “If we have trouble keeping all these solutions up to date on company enterprise-managed laptop computers - with the proliferation of [mobile] devices - that becomes an exponentially harder problem to manage.
“Also, the real estate on the device itself is very limited, in terms of actual storage to be able to place an application on a device, and then the CPU [has] to be able to support a full-scale scan on one of these devices. I just don’t know if the traditional way we’ve thought about anti-malware is going to work on these mobile devices.”
Young was also keen to tackle security issues around cloud computing. But unlike the other business trends highlighted in the discussion, Young says cloud technology is helping security managers. “One of the positives of the cloud is that you have the ability to aggregate large amounts of information from a large scale sensor base… and via the scale of the cloud, propagate it out so you can start to block in real time.
“So when you see a threat, you don’t have to wait to do a file update to do something about it… you can propagate your defence so you can move very quickly, and I think we’ve seen the benefits of this kind of model.” Young says that in particular, Cisco’s SaaS (software as a service) solution ScanSafe is profiting from advances in cloud technology.
The number of bogus AV Security Suite attacks ScanSafe has blocked over the last 18 months in Europe has doubled, showing how new technologies can support interests on both sides of the security fence.
With a less black-and-white mentality towards network defence and a willingness to implement more sophisticated, multi-layered systems, Young says enterprises can maximise the benefits of new trends in IT without causing undue risk to the safety of their network.