Companies have faced unprecedented security challenges and risks to the integrity of their networks since cloud computing, the Bring Your Own Device (BYOD) concept and mobile technology forged a permanent place in business IT strategies. How, then, might those risks and challenges be met head on? Jocelyn Krystlik offers some thought-provoking views on the matter.
Today’s security managers and network administrators fear the cyber security dangers outside and the dangers lurking within pretty much in equal measure, knowing full well that they’re no longer able to rely upon the existence of a solid and reliable IP ‘perimeter fence’ to defend the business.
Admittedly, ongoing improvements in connectivity have brought about many benefits, allowing employees to work remotely on a much bigger scale, with increased collaboration and often lower capital expenditures. Whether from a home office or on the move, employees want to be able to access vital data from the corporate network, but the challenge is that the environments they inhabit are not always safe.
Mobile devices in particular introduce potential breaches, because in the urgency to access an important document or update a calendar, the employee will almost always choose convenience over security. Access to the Internet or Wi-Fi means that, as soon as a given phone is connected to the corporate network, it creates a two-way bridge from the safety of the internal zone to the outside world. This is precisely why businesses need to consider the cloud very carefully if they’re to manage the inevitable loss of security control which could expose their digital assets.
Losing that control is all too easy. On the one hand, organisations encourage their staff to use company mobiles or even their own smart phones and tablets as part of a Bring Your Own Device (BYOD) policy, primarily because it’s cost-efficient and easy; on the other hand, the security team has to pick up the pieces and contain breaches of the network as and when malware attacks occur. This isn’t only a problem faced by large organisations, either. As BYOD has become more acceptable among SMEs, it has created even more challenges, because enterprises of this size simply don’t have the resources needed to manage breaches of the IP network on a large scale.
Start with data
Any discussion around security, the cloud, BYOD and mobility must begin with the topic of data. Companies need to adopt a data-centric approach because of the difficulties in protecting devices that are being used by individual employees. One of the main challenges lies in the inability to keep files encrypted as they move into and away from the cloud, or are otherwise e-mailed to customers, colleagues and business partners via cloud-based services.
Device-based encryption and data loss prevention technologies do keep files protected to a certain extent when they remain on the premises or on devices, but once the files are uploaded to the cloud, sent via e-mail or shared on the cloud platform, the encryption is often removed. As a result, digital assets can become dangerously exposed.
On premises, sensitive data is the priority of the company, but for cloud providers, the priority will always be delivering access to their cloud platforms 24/7 rather than preventing access to data. This is why it’s important to encrypt data end-to-end. It’s the only way that companies will be able to fully protect their data from security breaches.
While it’s vital that businesses afford employees and end users alike the freedom to collaborate and share files with each other as well as trusted contractors, service providers and partners, they have to strike a balance with protecting their key digital assets.
Battle to remain secure
Encryption is a great – if fallible – weapon to use in the battle to remain secure. Documents can be encrypted via certified trust solutions which provide each file with a unique encryption key, thereby limiting data leaks in the event of a compromise. The encryption key is controlled by the user or the organisation, removing responsibility from the cloud provider.
Device-based encryption allows embedded drives or removable drives to be encrypted, enabling data at rest to be protected. This is great if the device is lost or stolen, but problems arise while a user is logged into the device and the data is unencrypted (allowing it to be used by other apps running on the device). To close those encryption gaps, data can be classified by data loss prevention, but this presents its own issues: deciding which data files need to be encrypted, and configuring the decryption policies and rules.
There’s also a more personal approach which can be used by employees and end users to apply encryption among their own trusted circle of collaborators with whom they may share password access keys to view the files. Combining this approach with centralised controls and rules creates a powerful security defence system that may be used to secure data ranging from video surveillance images through to employee records on laptops, desktops, tablets and smart phones.
Even though it’s applied by employees, the IT Department is in control, defining, managing, enforcing, tracking, auditing and reporting on data protection policies for the company.
Implementation of end-to-end encryption does go a long way towards minimising the dangers that the data itself can find on the path from the repository to the mobile device or at rest in the cloud or a third party environment.
However, companies shouldn’t fool themselves into believing that encryption can solve all of the challenges. Like many other solutions, it works for specific cyber security issues, in particular to protect data that’s being moved on and off the cloud via different devices, but it will not stop an attacking virus from deleting the entire contents of a hard drive and it doesn’t halt ransomware. Also, it doesn’t provide protection against unauthorised access to – and the misuse of – corporate internal networks. Encryption cannot protect or obscure metadata, which in some circumstances is as revealing and valuable as corporate data.
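The two points made above, that each file should carry its own encryption key so that one compromise exposes only one file, and that encryption leaves metadata visible, can be shown concretely. The following is an added example written for this article, not code from the author or from Stormshield. It keeps a per-file random key, wraps that key under an organisation-held master key (envelope encryption), and exposes what a cloud provider can still observe. To stay within the Python standard library it builds its cipher from an HMAC-SHA256 keystream with encrypt-then-MAC; a production system would put a vetted AEAD such as AES-GCM in the same role. All file names and contents are constructed samples.

```python
import hashlib
import hmac
import os
import struct


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenation of parts; the only primitive used here."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the PRF (constructed for this example)."""
    blocks = [_prf(key, nonce, struct.pack(">Q", i)) for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(master_key: bytes, file_id: bytes, plaintext: bytes) -> dict:
    """Encrypt one file under a fresh random key and wrap that key under the
    organisation's master key. Returns the envelope the cloud provider stores."""
    file_key = os.urandom(32)          # unique per file: one leak exposes one file
    nonce = os.urandom(16)
    enc_key = _prf(file_key, b"enc")   # separate keys for confidentiality and integrity
    mac_key = _prf(file_key, b"mac")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = _prf(mac_key, nonce, ciphertext)                       # encrypt-then-MAC
    wrapped_key = _xor(file_key, _prf(master_key, b"wrap", file_id, nonce))
    wrap_tag = _prf(master_key, b"wrap-tag", file_id, nonce, wrapped_key)
    return {
        "file_id": file_id, "nonce": nonce, "wrapped_key": wrapped_key,
        "wrap_tag": wrap_tag, "ciphertext": ciphertext, "tag": tag,
    }


def unwrap_key(master_key: bytes, env: dict) -> bytes:
    """Recover the per-file key; only the holder of the master key can do this."""
    expected = _prf(master_key, b"wrap-tag", env["file_id"], env["nonce"], env["wrapped_key"])
    if not hmac.compare_digest(expected, env["wrap_tag"]):
        raise ValueError("wrong master key or tampered envelope")
    return _xor(env["wrapped_key"], _prf(master_key, b"wrap", env["file_id"], env["nonce"]))


def decrypt_file(file_key: bytes, env: dict) -> bytes:
    """Verify the tag, then decrypt. A key for a different file fails here."""
    mac_key = _prf(file_key, b"mac")
    if not hmac.compare_digest(_prf(mac_key, env["nonce"], env["ciphertext"]), env["tag"]):
        raise ValueError("tag mismatch: wrong file key or ciphertext altered")
    enc_key = _prf(file_key, b"enc")
    return _xor(env["ciphertext"], _keystream(enc_key, env["nonce"], len(env["ciphertext"])))


def key_opens_file(file_key: bytes, env: dict) -> bool:
    """True if this key decrypts this envelope; used to show per-file containment."""
    try:
        decrypt_file(file_key, env)
        return True
    except ValueError:
        return False


def observable_metadata(env: dict) -> dict:
    """What the cloud provider still sees with no key at all: identifier and size.
    The stream cipher preserves length, so file size leaks exactly."""
    return {"file_id": env["file_id"].decode(), "size_bytes": len(env["ciphertext"])}


if __name__ == "__main__":
    master = os.urandom(32)   # held by the organisation, never by the cloud provider
    payroll = encrypt_file(master, b"payroll-2024.xlsx", b"constructed sample: salary table")
    minutes = encrypt_file(master, b"board-minutes.docx", b"constructed sample: minutes")
    payroll_key = unwrap_key(master, payroll)
    print(decrypt_file(payroll_key, payroll))
    print("leaked payroll key opens minutes?", key_opens_file(payroll_key, minutes))
    print(observable_metadata(payroll))   # name and size are visible despite encryption
```

The design choice worth noting is where the keys live: the provider stores the envelope, including the wrapped file key, but never holds the master key, so a breach of the platform yields only ciphertext; and because every file has its own key, a key that an employee shares with a collaborator unlocks that one file and nothing else. What encryption does not hide is equally visible in the output: the file identifier and the exact size remain readable to anyone who can see the stored object.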
If properly implemented and managed with a methodology and solution for the creation, storage, control and distribution of encryption keys, then encryption is probably the single biggest improvement that companies can make to their security, and particularly so when they’re using the cloud, BYOD and mobiles.
When the IP perimeter was diminished, we also said goodbye to trust. The only real solution to this issue is strong authentication. This isn’t the same as two-factor authentication or multi-factor authentication; rather, it’s the underlying basis of both: a method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects, withstanding any attacks it’s likely to encounter and, by its very nature, creating an element of trust in the device or system used.
Both two-factor authentication and multi-factor authentication are strong authentications, but then so are several multi-challenge/response approaches using single-factor (although it must be said that these rely on multiple points of validation of the knowledge factor).
As we’re now operating in a more open and collaborative working environment, it would be to our advantage to shift from the old ‘reside inside’ mindset and instead establish point-to-point trust between machines, end users and applications. Following a policy of segmentation and separation, whether it’s the physical separation of networks into data plus security plus external, or segmenting networks in application-based geographies or functions, all provide a fundamental basis for the implementation of strong authentication. In fact, it’s the next big step for consideration.
Asking for help
Security and network managers already have big challenges to oversee. Keeping their arms around the risks that cloud computing, BYOD policies and mobility present is becoming more difficult, not less. The responsibility of network administration in complex and dangerous environments has increased exponentially.
The most committed IT security manager is unlikely to be able to manage it all, even in smaller-sized companies, so if it’s at all affordable, it’s always good practice to pull together a pool of experts with segmented responsibilities or to engage the services of reputable security companies. Such outsourcing partners can provide Security Operations Centre services and a broad range of skills. They will be as invested and involved in protecting the data of their client as the company itself, particularly since any issues that do arise will render them culpable.
Ultimately, it’s vital to implement encryption and to ensure that at least primary systems are protected with strong authentication.
Jocelyn Krystlik is Product Marketing Manager at Stormshield