New security approach needed as corporations evolve
By Don Liew, Asia Pacific Security Director, AT-T
New technologies are changing the way multinationals in Asia Pacific do business, and opening the door to a wider range of cyberthreats. Corporate leaders need to now adopt a new approach by accepting the inevitability of attack and taking early action to increase security and build network resilience.
Your corporate data is highly valuable and, most likely, entirely digital. Cloud computing adoption is accelerating on a global scale, led by Software-as-a-Service (SaaS) applications that give employees anywhere-anytime access to an expanding array of essential business tools. This is complemented – and complicated – by the widespread growth of corporate bring-your-own-device (BYOD) programs and the rapid consumerization of mobile and tablet platforms. Blurring the line between devices and tools for business and personal use, these developments create multiple points of access to your critical business applications and services.
But just as corporate technologies are expanding, so too are those available to cybercriminals. Today's online threats are pervasive and evolving. AT-T has seen a 62% increase in distributed denial of service (DDoS) attacks across its global network over the past two years, along with a 458% increase in Internet of Things (IoT) vulnerability scans, where an adversary probes IoT devices for a weakness in network defenses.
These escalating threats, and the increasing deployment of malware, ransomware and targeted attacks against corporate sites, now pose tremendous security challenges to businesses in every industry. What's more, the pressure of regulatory security compliance is also rising as new and stricter standards are introduced to protect consumers and help mitigate economic and political risk.
Even though media reports of highly visible breaches have made it impossible to ignore these threats and challenges in recent months, many companies remain unprepared to tackle them.
A first step to rectifying this is to accept that a traditional perimeter approach to security, relying on passwords to safeguard access to business-critical infrastructure and services, is no longer enough in risk mitigation. The threats facing every organization today are now so sophisticated and prevalent that you must expect to be attacked. To minimize business impact, it is therefore necessary to prepare for this eventuality and be ready to detect and respond to breaches when they occur.
Here are three security aspects to consider:
Authenticate and authorize users and applications.
Two-factor authentication (2FA) can be installed to create an extra barrier between potential attackers and your data. It requires the user to provide two means of verifiable identification: typically a physical token, such as a smartcard or a one-off device-specific code, and their memorized username and password. This helps protect the business in case of weak user passwords, lost passwords, stolen devices and even brute force attacks. It helps to improve both business confidence and accountability. Corporations should only provide access to important information to those who need it to minimize risks. Fewer people having access to your most important information helps reduce the risk. With the availability of token authentication as a service in the cloud, it is now easier for businesses to implement 2FA. This model is replacing traditional on-premise 2FA solutions, offering rapid implementation at a much lower total cost of ownership, with high availability and scalability.
Protect critical web applications
Websites and mission-critical web applications are prime targets for attack because they are readily accessible and offer an easy entry point to valuable data. Traditional network- and host-based security systems will not stop today's hackers. We can combat this vulnerability with application-layer security measures that help protect web applications as well as the underlying servers and databases that support them, without affecting application performance or uptime. A web application firewall service, deployed at your premises or in any hosting environment, can provide a high degree of protection without interrupting legitimate traffic. It should be based on an extensive analysis of your web application traffic and include tightly tailored policies and constant updates to keep pace with evolving threats. One advantage of a web application firewall service is that it allows "virtual patching". This is useful when a known security vulnerability threatens web applications, but shutting them down to patch them would significantly impact the business. This capability is becoming an increasingly important security tool. It was used to great effect to combat Heartbleed, a severe security bug discovered in April 2014. Operations teams around the world used such web application firewalls to provide interim protection for their servers and minimize business exposure while they implemented a suitable Heartbleed security patch. When it comes to DDoS attacks, which seek to overwhelm your servers and bring your business to a halt, a separate anti-DDoS solution is required. The most effective solution will identify a DDoS attack at the underlying network and re-route traffic to a network scrubbing facility where malicious DDoS packets can be dropped before legitimate traffic is sent on to your server. This requires highly sophisticated predictive and early warning capabilities on the core provider's backbone network.
Boost your cloud security
Public cloud computing is now standard practice for many companies moving business functions into the cloud to access cost-effective and scalable computing power. However, this model forces you to rely on third-party providers for data security, even as the explosion of mobility and BYOD further increases the risk. It is thus vital to verify that all links to cloud storage, including email and web applications, connect over secure and managed networks. Good cloud security practices include multiple layers of security across applications, devices, networks and platforms. It is also worth considering a solution that uses a virtual private network to take your cloud traffic off the public Internet and isolate it to reduce exposure to security risks.
Finally, keep security on your boardroom agenda. Cybersecurity is all too often perceived as an IT issue and kept in a silo. This creates a gap between the C-suite and the security team that needs to be bridged if your business is to make effective security decisions and execute them decisively. Clear leadership and closer communications will help allow your key leaders to understand the threats and mobilize resources to make security the responsibility of every executive, employee and board member.
By Don Liew, Asia Pacific Security Director, AT-T