Although digitalisation brings many benefits, it has a major downside – increased organisational risk. Enabling users to access a corporate network from any location and device creates a significantly larger attack surface for those with malicious intent to target, and gives them a much greater range of threat vectors to use.
First and foremost this is a business risk. Each organisation needs to understand its risk appetite and define this in policy. This requires a full understanding of assets, threats and vulnerabilities.
From an IT perspective, addressing the risks means taking a fresh look at network architecture. The traditional castle-and-moat or hub-and-spoke architecture is no longer appropriate, as less and less network traffic originates from data centres. Instead, in a digital world, networks need to be designed from the inside out, based on a consideration of data flows and security stacks.
Security has to be built into infrastructure, business applications and solutions from the moment they are conceived, not just considered post-development. IT teams then need to challenge existing trust levels and move towards a point of zero trust – a granular implementation of security boundaries, termed micro-segmentation, which restricts unnecessary and unwanted lateral movement, both in traffic between systems and in user access.
Zero trust requires a full understanding of access management and the alignment of rights, privileges and behavioural patterns that are built into policies. It means implementing least-privilege and default-deny policies for each user and each system, with clear processes so that rights can be reviewed and, if approved, elevated. In effect, users are becoming the new security edge, and identity management is becoming the new perimeter management.
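A minimal sketch of the default-deny model described above, added here as an illustration and not taken from the original post: every request is denied unless an explicit grant matches it, elevated rights are approved and expire, and every decision is logged. The identities, resource names and the rules that an elevation needs a different approver and a time limit are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    subject: str                        # user or system identity
    resource: str                       # target system or segment
    action: str
    expires: Optional[datetime] = None  # None = standing right; set for elevations
    approved_by: Optional[str] = None

class PolicyEngine:
    """Default deny: a request is allowed only if an unexpired grant matches it exactly."""

    def __init__(self):
        self.grants = []
        self.audit_log = []  # every decision is recorded, allowed or denied

    def grant(self, subject, resource, action):
        self.grants.append(Grant(subject, resource, action))

    def elevate(self, subject, resource, action, approver, ttl, now):
        # Assumption: elevation needs a second person and always expires.
        if approver == subject:
            raise PermissionError("elevation must be approved by someone else")
        self.grants.append(Grant(subject, resource, action, now + ttl, approver))

    def check(self, subject, resource, action, now):
        allowed = any(
            (g.subject, g.resource, g.action) == (subject, resource, action)
            and (g.expires is None or now < g.expires)
            for g in self.grants
        )
        self.audit_log.append((now.isoformat(), subject, resource, action,
                               "ALLOW" if allowed else "DENY"))
        return allowed

def demo():
    # Constructed identities and systems, for illustration only.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pe = PolicyEngine()
    pe.grant("alice", "hr-app", "read")
    pe.grant("hr-app", "hr-db", "query")  # system-to-system flow
    results = [
        pe.check("alice", "hr-app", "read", t0),         # explicit grant
        pe.check("alice", "hr-db", "query", t0),         # no grant: user cannot bypass the app
        pe.check("build-server", "hr-db", "query", t0),  # lateral movement denied
    ]
    pe.elevate("alice", "hr-db", "query", "bob", timedelta(hours=1), t0)
    results.append(pe.check("alice", "hr-db", "query", t0 + timedelta(minutes=30)))
    results.append(pe.check("alice", "hr-db", "query", t0 + timedelta(hours=2)))
    return results, pe.audit_log
```

The audit log keeps the denied attempts alongside the allowed ones, so a system probing a segment it has no grant for shows up as a run of DENY entries.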
Effective identity management also means providing secure access from mobile and other devices, especially if staff are allowed to use personal devices. This requires multi-factor authentication, plus mobile device management (MDM), mobile application management (MAM) and mobile identity management (MIM) where data security is important.
In order to manage user access effectively, the IT team need the ability to monitor and log both access and failed access attempts, so they can wrap security around how their users actually work. I’ll talk more about how to do this in my next blog.
In the meantime, if you have any questions please don’t hesitate to contact us for a no-obligation chat.
It’s also worth remembering that most security breaches come from failures in basic security defences, not from complex attacks. Organisations should begin by implementing basic security correctly, and setting data access based on roles and attribute-based policies, before moving on to more complex analytics. A good place to start is the Government’s Cyber Essentials scheme.