The old wisdom on how to eat elephants describes the best solution as “one bite at a time,” and for problems that can be broken down into (no pun intended) easily digestible parts, that’s a perfectly good solution. The issue here is that some things just can’t be. Some challenges have to be addressed all at once, or not at all. Like security, for example.
Traditionally, we leaned on an approach that focused on controlling as much within the corporate network as possible. Indeed, the very idea of a porous perimeter is something that was forced on the collective industry, rather than a desired state. Keeping personal technology, practices, and services out of the corporate network, and enforcing the clear lines of separation, has been a strategy for many organizations for a long time, often driven by the desire to reduce any potential risk factors.
However, the evolution of the way we work, the erosion of the distinct barrier between home and office, and the fact that devices are increasingly of the Bring-Your-Own variety mean that it is increasingly difficult to categorize what is corporate and what is personal. For example, one of the main concerns with BYOD is the problem of managing the device and its interactions outside the workplace. An infected home laptop on Sunday evening turns into an infected work laptop on Monday morning.
The idea that there is some kind of meaningful network perimeter separating the safe harbor of our enterprise systems from the uncharted (and unfriendly) sea of hackers and malware is no longer relevant. Infrastructure, and how we use it, is changing so fast that there’s always a new avenue of attack opening up, providing a new interaction of systems and software that presents a vulnerability to be exploited. Additionally, the level of interconnectedness is simply too great, and as trends such as mobility establish a new norm, so the thinking has evolved to a more flexible, risk-based approach to information security.
As such, the terms "personal security" and "corporate security" are on their way to becoming obsolete, and security will be perceived as the overall strategy for protecting all valuable information. Critically, information security must accept that employees, customers, patients, partners, and other parties expect access to far more data, from far more places, than ever before. Therefore we must shift security strategy, leveraging the following guidelines as a blueprint:
1. Plan from the outset to implement controls that extend beyond the traditional reach of our security strategy.
This will include evaluating the risks of new platforms and devices, and providing support to keep them safe. Do employees wear fitness trackers? Do they have the right levels of security control on their personal devices? Are personal devices patched?
2. Take a more data-centric approach, especially helping data be “self-defending” through the use of encryption and tokenization.
How broadly can encryption be utilized and can key management technologies enable safe data sharing across many platforms? The groundwork here should focus on classifying what data is sensitive and then implementing controls that reflect the sensitivity of data.
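As an added illustration of guideline 2 (example code, not part of the original article), the Go snippet below lets a field's classification label pick its control: restricted values are swapped for a vault token, confidential values are AES-GCM encrypted with the field name as associated data so a ciphertext cannot be silently moved to another column, and public values are stored as-is. The labels, the in-memory vault and the key are assumptions for the example; real key management is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

var vault = map[string]string{} // hypothetical in-memory token vault; the real value never leaves it
// NewAEAD wraps a 16, 24 or 32-byte key in AES-GCM (key management itself is out of scope here).
func NewAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// Protect applies the control chosen by the field's classification label ("public", "confidential", "restricted").
func Protect(aead cipher.AEAD, field, value, level string) string {
	buf := make([]byte, 12) // random token id, or the GCM nonce
	rand.Read(buf)
	switch level {
	case "restricted":
		t := "tok_" + hex.EncodeToString(buf)
		vault[t] = value
		return t
	case "confidential": // field name as associated data ties the ciphertext to its column
		return "enc_" + hex.EncodeToString(aead.Seal(buf, buf, []byte(value), []byte(field)))
	}
	return value // public: stored as-is
}
// Reveal reverses Protect for a caller holding the key and vault access.
func Reveal(aead cipher.AEAD, field, stored string) (string, error) {
	if v, ok := vault[stored]; ok {
		return v, nil
	}
	if len(stored) < 4 || stored[:4] != "enc_" {
		return stored, nil
	}
	ct, err := hex.DecodeString(stored[4:])
	if n := aead.NonceSize(); err == nil && len(ct) >= n {
		pt, err := aead.Open(nil, ct[:n], ct[n:], []byte(field))
		return string(pt), err
	}
	return "", errors.New("malformed ciphertext")
}
```

A record protected this way can be copied to a personal device or a partner system and only the vault and key holders can read the sensitive fields, which is what "self-defending" data means in practice.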
3. Adopt an approach that looks for behavior that is risky, not just devices.
Utilizing behavior monitoring and analytics can help extend controls with greater intelligence than before, even as the traditional lines between home and work blur. Machine learning is a potential ally in this task – extending the ability of security professionals to sift through larger volumes of behavioral data across a much broader spectrum of platforms, users, and activities.
4. Help employees secure everything, not just their company-issued devices, and gain a more advanced understanding of the specific role they play in maintaining security.
Demonstrate to employees the value to them personally of extending the security best practices they use at work to their home and personal activity. Look to reward good behavior in security in the same way that other good behavior is positively reinforced in the office.
5. Recognize that breaches will occur, probably more than ever, and be able to respond more quickly and with greater focus even if the attack comes from an unexpected location.
This is essential. The added complexity and scope of the new blended home/work landscape will mean that breaches will occur, and may even occur more often. Resilience in responding to breaches will become far more important than simply hoping they will never happen.
What we’ve seen over the past few years is that attackers are extremely adept at responding to improvements in information security by simply shifting their target to something else. As one set of vulnerabilities gets closed, attackers shift to a new method of assault, usually with some significant degree of success. We’ve witnessed this in both the consumer and enterprise space, further emphasizing that anyone and anything can be a point of interest for an attacker.
As a result, extending security tools to include employees’ home systems, far greater security education, and assistance in selecting secure technologies will become the norm. While there is plenty of opportunity to close some pretty obvious gaps, forgoing the separate mindsets of consumer security and data security in favor of an overarching framework for security is a reality we’ll soon be facing.