The evolution of enterprise technology mandates that we rethink our approach to IT security. The security environment we live in today is simply not suited to the traditional concept of the “perimeter,” the boundary between your enterprise and the rest of the world.
The term’s military origin itself is revealing. Like IT security managers, soldiers have typically relied on “defense in depth.” An army might put barbed wire at the perimeter of a troop position, with a minefield surrounding the inner position. Anyone who made it through the barbed wire would have to avoid injury to make it to the main target. The enterprise has been secured in this way as well. Physical servers are like the main position, the target. Firewalls and intrusion detection systems provided a secure perimeter, like the barbed wire.
Things are not that simple any more. For one thing, your perimeter has moved, if you even have one. In all likelihood, a growing portion of your IT assets are migrating outside of data centers that you own. Your enterprise will probably be using compute and storage resources in the cloud or in hybrid configurations. With the rise of mobile devices, application programming interfaces (APIs) and the Internet of Things (IoT), some of the data you need to protect won’t even be yours. Certainly, it won’t be under your direct control. The sheer volume of data you need to protect is also exploding. And, you may even be called upon to help secure data and compute assets that have nothing to do with your department at all. According to Gartner, 50% of IT spending will be outside of traditional IT department control.
The days of the IT version of GI Joe standing guard at the barbed wire fence are long gone. The threats we face are either already right inside our organizations or located in places we can’t see or directly control. What is the solution? Security needs to change its fundamental mode of risk mitigation. We need to go from erecting walls to managing risk, from being technology-centric to being people-centric. We need to move away from driving IT and focus instead on driving business outcomes. These are all attainable goals, though perhaps easier said than done. What’s the best way to get there?
It is simply impossible to make all IT assets equally secure at all times. As a result, managing risk involves being selective about where we apply our security resources based on the business impact of a security incident. There are a number of ways to do this, but one of the most effective practices is to use the Federal Information Security Management Act of 2002 (FISMA) standards, as depicted in the Figure. In this approach, a company’s data assets are categorized by the level of impact associated with their being compromised. It separates the impact of a potential breach along the traditional InfoSec lines of confidentiality/data integrity/availability.
FISMA Standards – Security Categorization of Information – Adapted from NIST framework: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
In the example provided, a breach in the confidentiality of company-owned videos and photos is a low-impact event. Conversely, a breach of employee salary data would have high business impact. A risk management approach to security would recommend a more aggressive security investment in the high-impact category. In many cases, the priority will be obvious, but it is essential to go through the underlying process to reveal where your biggest risks are lurking. Risk management and impact analysis force the security team to evaluate each asset they are trying to protect and think through the business issues that would arise if it were to be compromised or made unavailable. In our experience, this process invariably leads to some surprises – assets that few had considered important that actually turn out to be quite critical.
You can map your newly-identified high-impact risks against your evolving, perimeter-less enterprise. Where are the assets? Who controls them? You may realize that you have a high-impact risk that’s outside of your direct control. For example, your corporate data might be stored on consumer mobile devices. There are ways to manage threats against this data, even if it’s on devices you don’t own, but you have to be aware of the risk in order to do something about it.
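The categorization and mapping steps described above, sketched as an added example that is not part of the original article. It rates each asset per FIPS 199 objective, collapses the three ratings to the highest one (a high-water mark, this example's choice), and lists high-impact assets outside direct control. The inventory, the `controlled_by_it` field and every rating other than the confidentiality of the first two rows are constructed assumptions.

```python
"""FIPS 199-style impact categorization (added example; inventory is constructed)."""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str    # impact if disclosed
    integrity: str          # impact if modified
    availability: str       # impact if unavailable
    controlled_by_it: bool  # assumption: False = lives outside the old perimeter

    def __post_init__(self):
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")

    def overall(self) -> str:
        """High-water mark: the asset is rated by its worst-case objective."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=LEVELS.__getitem__)

def prioritize(assets):
    """Rank by overall impact; within a level, assets outside IT control first."""
    return sorted(assets,
                  key=lambda a: (-LEVELS[a.overall()], a.controlled_by_it, a.name))

def blind_spots(assets):
    """High-impact assets the security team does not directly control."""
    return [a.name for a in assets
            if a.overall() == "high" and not a.controlled_by_it]

# Constructed inventory. Only the confidentiality ratings of the first two
# rows come from the article; all other values are illustrative assumptions.
INVENTORY = [
    Asset("company videos and photos", "low", "low", "low", True),
    Asset("employee salary data", "high", "moderate", "low", True),
    Asset("corporate data on consumer mobile devices", "high", "moderate", "low", False),
    Asset("e-commerce engine", "moderate", "moderate", "high", False),
    Asset("internal wiki", "low", "moderate", "low", True),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        where = "in IT control" if a.controlled_by_it else "OUTSIDE IT control"
        print(f"{a.overall():<9} {where:<19} {a.name}")
    print("blind spots:", blind_spots(INVENTORY))
```

The e-commerce engine is rated high only through availability, which is the kind of asset a confidentiality-only review would miss.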
It helps to think like an attacker. If you were trying to hack your way into your enterprise and cause the maximum business damage, where would you attack? As you think through your attack plan as an “outsider,” you might see the need to do things differently: perhaps segment your networks, applications and data by priority and risk. You might see opportunities to be more rigorous with countermeasures such as patching and access control in previously under-secured areas of your enterprise. And, you’ll likely see areas that need security that you didn’t even consider part of your job before.
Our ethos in all of this is to plan for resiliency. Unfortunately, there will be incidents. The world is just too dangerous today to be naïve and assume otherwise. The question is, how will your enterprise respond? What level of resiliency will you need to make good on the operational requirements of the business? For instance, how many seconds can your e-commerce engine afford to be offline before it starts to damage your brand?
Resiliency and continuity are at the heart of CenturyLink’s approach to IT security. We define resiliency as the power to withstand, respond to and adapt to shocks and stress caused by security threats. We work with our clients to build security solutions that are resilient. We enable our clients to recover and emerge stronger from adversity or a difficult situation.
We invite you to a dialogue about how we can help you move from erecting walls to managing risk, from guarding a perimeter to building resiliency. To get in touch with a CenturyLink security specialist, contact us!