Creating a Modern Information Security Foundation
Every house should be built on a foundation that’s strong enough to withstand most risks. A proper foundation doesn’t just hold a house above ground level; it also keeps out threats like moisture and natural movement of the earth that could damage the structure. Similarly, a proper information security architecture provides a foundation that keeps enterprise data safe from a broad range of internal and external risks.
But today, information fragmentation and dispersion are making the traditional security foundation of most organizations obsolete. The mass adoption of mobile and cloud services has spread enterprise data across an information fabric to which traditional security architectures and policies no longer apply.
How do you secure data when you may not even know where it is? Who is responsible for ensuring data is in the right hands? Is it possible to build a modern security foundation for the mobile and cloud world without restricting employee choice?
The security foundation is critical because, without it, organizations cannot quickly adopt the technology innovations their employees need. The innovation clock speed of an organization is dependent on having an agile and efficient modern security foundation. Below are three strategies to help.
A year ago, in January 2017, Ponemon Institute conducted a study of security professionals and found that the complexity of enterprise security architecture was itself making it harder to secure data. In other words, the security industry was its own worst enemy. Complexity was creating substantial risk and this complexity was most driven by employee use of cloud-based apps and mobile devices.
The solution to complexity is not more complexity. But the path to simplicity is not through restricting services. The user will always win and will always gravitate to the applications that most help productivity, regardless of IT’s security opinion. The path to simplicity is, instead, through rethinking the security architecture itself and establishing a simple approach that is consistent across the fragmented services and devices users want.
Fortunately, as we move outside the traditional perimeter, the standardization of two technologies helps simplify the path forward. The evolution of modern operating systems like Android, iOS, macOS, and Windows 10 allows a consistent security framework to be applied across the broad range of endpoints employees want. And identity standards like SAML allow a consistent identity framework to be applied across the broad range of cloud services employees want. A central cloud access and endpoint security platform, together with an identity framework, becomes essential to modern enterprise security architecture. Only trusted individuals using trusted apps on trusted devices should have access to enterprise data.
The answer to complexity is central, standards-based policy, not service-by-service infrastructure. The former provides consistency and structure to the security foundation. The latter is not scalable.
Central policy becomes the first pillar of the modern security foundation.
Remember the Basics
Implementing security technologies without basic security hygiene can be disastrous. WannaCry was a good example of this. Organizations didn’t keep their Windows endpoints patched and, as a result, ransomware ransacked the business operations of many global companies.
Many organizations do not have the security fitness they need, not because of a lack of technology, but because of inadequate basics:
- Get your head down and your fundamentals in order before you look ahead – this means having specific security protocols implemented, enterprise-wide security education in place, and all of your endpoints accounted for.
- Use General Data Protection Regulation (GDPR) as a catalyst to map your data flows – identify and map out which applications consume which data.
- Set clear ownership and accountability for the different elements of enterprise security. Pay special attention to the interactions and interfaces between groups – the “cracks in the sidewalk” of your security processes. Modern threats will mutate and seek out those cracks, especially as artificial intelligence increasingly becomes a weapon of the “bad guys.” Without basic security hygiene, advanced security methodologies will find themselves built on an unreliable foundation.
Security hygiene becomes the second pillar of the modern security foundation.
In a perfect world, everyone does their job. Everyone follows the rule book and knows exactly what to do to prevent data loss. However, this is not reality. Security is not always a priority for the individual employee, and many organizations do a poor job of educating employees in a way they will enjoy, absorb, and care about the outcomes. Many times, the more senior the employee, the harder it is to get their attention and change their behavior.
In the mobile and cloud world, end users take on more and more responsibility for choosing and deploying apps. This means that many of the tasks that used to be on IT’s shoulders, like app selection, configuration, and security, are now the responsibility of the user. But the user rarely has training on how to do these things well.
A good example is application configuration. Many security issues are the result of inappropriate application configuration or excessive application permissions. While some of these settings could be managed by IT, many of them are under the control of the user. So having application configuration as a key part of employee education helps both user productivity and data security.
An employee education program that is positive and of value to the individual (“here is how you get productive with mobile apps”) will be more effective than one that is not (“here is what our security team doesn’t want you to do”).
Employee education becomes the third pillar of the modern security foundation.
The move to mobile and cloud both requires and provides an opportunity to rethink existing security architecture and processes. Regardless of your specific technology decisions, having simplicity, hygiene, and education as the core pillars will establish a strong modern security foundation.
About the author: Ojas Rege is Chief Strategy Officer at MobileIron. His perspective on enterprise mobility has been covered by Bloomberg, CIO Magazine, Financial Times, Forbes, and Reuters. He coined the term “Mobile First” on TechCrunch in 2007, one week after the launch of the first iPhone, to represent a new model of personal and business computing. He is co-inventor on eight mobility patents, including the enterprise app store and BYOD privacy. Ojas has been with MobileIron for nine years as the company has grown from an idea to a mobile security platform with over 15,000 enterprise customers. Ojas is a Fellow of the Ponemon Institute for information security policy and has written extensively on the implications of the evolving architectures of Android, iOS, and Windows on enterprise security. Prior to MobileIron, Ojas was responsible for the mobile product teams at Yahoo! and AvantGo and started his career in 1988 as product line manager at Oracle. Ojas has a BS/MS in Computer Engineering from M.I.T. and an MBA from Stanford University. He is also Board Chair for Pact, a non-profit in Oakland, California that provides adoption services for children of color and their parents. You can follow Ojas on Twitter at @orege.