How to rethink security to beat tomorrow's threats
The new model of security looks something like this: instead of owning and controlling every element of the infrastructure, end-to-end (applications, data, network, storage and servers), we'll let employees use their own devices to access data and apps, even over public networks. We'll use cloud services and SaaS solutions hosted and managed by third parties, so our own secure data centre becomes just one node of an ever-expanding hybrid environment. And we'll do it all even as the threats to our data grow more serious than ever because we know our policies can adapt based on behaviors and because we're now asking the right questions to keep data secure.
It's no wonder security professionals are losing sleep in finance, healthcare and other regulated industries, as well as at just about every other company trying to safeguard its data. But the cold truth is, there's no going back to the days of monolithic IT, locked-down networks and deskbound employees, and there's no point in clinging to security models designed for that time: they just don't work. With mobility now a core business requirement, and the consumerisation of IT changing the way people think about the technologies they use, we need to rethink security to fit a new set of requirements like containerisation and data access from anywhere, on any device.
Broadly speaking, IT faces two intertwined challenges:
- Meet employees' demands, based on legitimate business needs, for the flexibility and mobility to work on any device, in any location, over any network, with the full spectrum of on-premise, cloud and mobile apps and services at their disposal.
- Address the critical vulnerability of private information (i.e. PII, PHI, PCI), trade secrets, intellectual property and other valuable data across key areas including access control, application exploits, and physical and social engineering, and ensure protection at rest, in transit and in use, both on servers and on devices.
The importance of this mission can't be overstated. Digitalisation is vastly expanding the volume of data within the typical enterprise, in tandem with unprecedented growth in data breaches, data loss and theft, and cybercrime. Mobility aside, even the strongest perimeter security can't ensure protection against human error and malicious insiders.
One virtue of the old security model was its simplicity: once you logged in with valid credentials, you could access and extract all the data you wanted. Of course, this simplicity came at the price of data breaches and high-profile attacks.
The new model needs to be equally simple, applicable to every information access request and transactional decision, while protecting data the right way for the way we work now. The key is to take a contextual approach to access.
You can think of it in terms of five Ws:
- Who is trying to access data?
- What data are they trying to access?
- When is this happening?
- Where is the user?
- Why do they need this access?
The answers to these five questions would be all a security professional needs to understand in order to decide whether to allow data access. In fact, IT could even automate the process based on an employee's profile and past history. New security models that take each of the five Ws into consideration are adaptive: they can learn from a user's behavior and raise a flag if someone is logging in with credentials from an unfamiliar device or location. It's not just about who you are; verifying your identity through your ID and password is beside the point if the data access you're requesting isn't appropriate for a given setting or purpose. All five factors come into play in the decision.
As data and people become more mobile, the final elements of this new security model help protect the organisation from risk in any scenario: encryption and auditability. Wherever it resides and travels, data must be encrypted both at rest and in transit so that even a breakdown in policies or processes won't leave it vulnerable. For both in-house analysis and regulatory compliance, it's essential to verify and log each transaction so that data access is fully auditable.
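As an added illustration (not code from the original article), the sketch below evaluates one access request against all five Ws, flags an unfamiliar device, location or time for step-up verification, and writes an audit record for every decision. The roles, data labels, purposes, working hours and the three-way allow/step_up/deny outcome are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime

# Roles, data labels, purposes and hours are constructed for illustration.
POLICY = {  # What -> which roles (Who) and purposes (Why) may touch it
    "PHI":    {"roles": {"clinician"}, "purposes": {"treatment"}},
    "public": {"roles": {"clinician", "contractor"}, "purposes": {"treatment", "support"}},
}
AUDIT_LOG = []  # stand-in for an append-only audit store

@dataclass
class Profile:  # per-user history that the decision adapts to
    role: str
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: range = range(7, 20)  # usual local working hours (assumed)

def decide(user, profile, label, when, device, country, purpose):
    """Return 'allow', 'step_up' or 'deny', and log the decision either way."""
    rule = POLICY.get(label)
    hard, soft = [], []  # hard failures deny; soft anomalies raise a flag
    if rule is None:
        hard.append("unclassified data")
    else:
        if profile.role not in rule["roles"]:
            hard.append("role not permitted for this data")
        if purpose not in rule["purposes"]:
            hard.append("purpose not permitted for this data")
    if device not in profile.devices:
        soft.append("unfamiliar device")
    if country not in profile.countries:
        soft.append("unfamiliar location")
    if when.hour not in profile.hours:
        soft.append("unusual time")
    decision = "deny" if hard else "step_up" if soft else "allow"
    AUDIT_LOG.append(json.dumps({
        "who": user, "what": label, "when": when.isoformat(), "where": country,
        "why": purpose, "device": device, "decision": decision,
        "reasons": hard + soft}))
    return decision

def learn(profile, device, country):
    """Call only after a successful step-up, so the profile adapts to the user."""
    profile.devices.add(device)
    profile.countries.add(country)
```

Valid credentials alone never produce an allow here: a permitted role with a purpose the data label does not allow is denied, and the denial is logged with its reasons.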
Simple yet comprehensive, this contextual data access model has the additional virtue of being based on relevant, substantive factors, rather than the more narrow and arbitrary criteria used in the past. Combining mobility and flexibility with granular control, contextual access allows people to make greater use of data in more contexts to drive productivity and value without exposing the organisation to risk. Instead of sleepless nights, it's the stuff IT dreams are made of.