Historically, the approach to IT security in a company was clear and relatively simple. There was inside and outside. If you were inside the perimeter fence, you were safe, outside it was a jungle.
With the rise of the home office, mobile and BYOD devices, the start of the exodus to the cloud, the Internet of Things (IOT), and of course the Internet of Everything (IOE), it’s quite possible that network administrators feel that they are the only ones remaining inside the perimeter fence. The corporate network is disappearing under our eyes – and it’s time for us to adapt.
Head in the Clouds
The arrival of Cloud services meant some company networks disappeared in a rush to dispense with unnecessary costs in expensive hardware. This brought its own problems, chief amongst them knowing where the service was running. To begin with there were few operators, so businesses chose the one best perceived of offer value for money. But the landscape is now more complex with not just Cloud companies, but service providers and software vendors too. We no longer own our infrastructure or applications, we consume them on demand.
Businesses, understandably, buy Cloud services delivered and running on stable platforms supported by highly-skilled and experienced staff, and, assuming it’s not cripplingly expensive, what is better than the platform of the vendor itself? But that doesn’t mean we know where our data is stored. Which country is it in? What happens to the backups and where are they? Who can see our data? What happens to it when we change operator? We didn’t think about this too much when the perimeter was up because our data was managed internally. This presents a whole set of challenges when it comes to security.
On the Move
Users want to work from home, they want to connect with home from the office. On the road or on a train, they want to connect to the corporate network. These days, work is location independent, and the device of choice is often the user’s own phone or tablet. It’s convenient and convenience always trumps security. Worse than this, security has to be completely invisible and non-intrusive, or it will be discarded.
Companies accept this way of working because usually the cost to provide the user with a corporate device and the cost to clean the network after a malware infection are managed by two different accounting departments. Companies with BYOD strategies and MDM platforms aside, there has to be a realisation, and soon, that this is not a good idea.
The reason this is still a hot topic is because it has shifted down in enterprise size. When BYOD first arrived, large enterprises were the biggest proponents. Now, it’s SME’s – and that market (and risk) is ten times greater, because they don’t have the staff, the policies or the tools to manage BYOD.
If users are accessing a service, often remotely, not hosted by the company they work for, how can the company be sure it won’t impact on the security of their corporate network?
The Complexity of Networks is not Getting Simpler
New technology we add to the network has to be managed, which incurs a cost and a learning curve. The number of technologies has increased such that a single person couldn’t manage, at high level, both the security of the TCP/IP network and applications, with the degree of knowledge required to protect the entire infrastructure chain. Nowadays we need a pool of experts focused on all elements in the chain, and in a complete and trustworthy relationship with each other.
So, we’ve ended up, through growth and organic changes, in a world where we, as network administrators, don’t have a perimeter, don’t control the accesses, don’t control all the devices, can’t find or control all the data and the day-to-day management of the technology that our companies rely upon is too complex to be managed by a single person.
First Action: Make your data useless
There is one crucial question: why would anyone spend time and money to hack a business network? The answer is simple: the data.
Companies have firewalls (with or without UTM technology). They run regular and timely patch updates for vulnerabilities. They operate managed antivirus or endpoint protection (even the basic version that came with the operating system). They connect remote offices via VPN, segment, separate or micro-segment parts of the network depending on their chosen methodology. They may even have security events forwarded to an administrator or to a screen in the IT department. Largely, organically, we’ve adopted many of the right tools over the years, even if they are patchwork in places. But we are getting to the point when even this isn’t really good enough.
Data is more valuable than oil or gold to the companies that create or use it - and the only reason that someone will spend effort trying to steal it is for the value.
The simplest and most effective approach to enhancing the level of security and protecting company assets is to implement a mechanism that makes the data completely useless to anyone outside the organisation. It is encryption.
Implementation of end-to-end encryption eliminates almost all the dangers that the data itself can find on the path from the repository to the mobile device or at rest in the Cloud or a third-party environment.
The trap that companies fall into with encryption is to believe it fixes everything. It doesn’t. Much like those who still believe that they’re secure because they have a firewall and antivirus installed, some companies view encryption as a panacea.
It doesn’t stop an attacking virus deleting the entire contents of a hard drive. Encryption doesn’t stop ransomware. It doesn’t protect against unauthorised access to, and misuse of, corporate internal networks. Encryption cannot protect or obscure metadata – which in some circumstances is as revealing and valuable as corporate data.
And encryption becomes fundamentally useless if you don’t have a strongly managed methodology and solution for the creation, storage, management and distribution of the encryption keys.
However, encryption – properly implemented and managed with a proven and certified algorithm – is the single biggest improvement companies can make to their security.
Second action – Segment, Separate and use Strong Authentication
When the perimeter went away so did trust and the only real solution to this issue is Strong Authentication.
Not to be confused with two-factor authentication (2FA) or multi-factor authentication (MFA), this is the underlying basis of both – the method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter and by its very nature creating an element of trust in the device or system used.
Both 2FA and MFA are Strong Authentication, but then so are several multi-challenge/response approaches using single-factor (although these rely on multiple points of validation of the knowledge factor).
We need to change our old “reside inside” mindset and establish point-to-point trust between machines, users and applications.
Following a policy of segmentation and separation, whether it is the physical separation of networks into data + security + external, or segmenting networks in application-based, geographical or functional all provide a fundamental basis for the implementation of Strong Authentication. It’s the next big step for consideration.
Third action – Stop Trying to Keep it ALL in-house
It’s hard for IT administrators to admit they cannot do it alone. But the responsibility of network administration in today’s complex and dangerous environment has increased exponentially. There are no other roles or positions where this has occurred, in any industry.
Even the most determined IT security guru can’t manage it all, even for relatively small companies, so if it’s affordable, create a “pool of experts” with segmented responsibilities, or the services of reputable security companies. Outsourcing means they can provide SOC services and a broad range of skills. They can be trusted to be as involved and invested in protecting a company’s data as the company is itself. More so in many cases – any failure on their behalf will be public.
On a final note, I must emphasise the importance of implementing encryption, segmentation/separation and ensuring at least primary systems are protected with strong authentication. Companies should stop trying to do it themselves and get help with those three fixes which will go a long way to protecting them now and in our uncertain future.
John Farebrother, UK Country Manager at Stormshield
Image Credit: Hywards / Shutterstock