Unisys: Treat your environment like hostile territory
In the new world of mobility and BYOD, it pays to trust no-one.
We hear much about the threat of external malicious cyber attacks and data theft.
But today’s world of mobile devices and apps, designed to make it easy to work anytime and anywhere, has generated an explosion in the number of endpoints accessing the corporate network.
Most employees use multiple devices, such as a laptop, tablet and smartphone, to access the network from a variety of locations – some company owned, some BYOD. More devices mean more endpoints to manage and secure.
While password-based authentication is one way to secure access to endpoints, it is a relatively primitive solution for securing mobile devices and applications.
A truly effective security approach requires a combination of strong policy and technology as well as the means to enforce both.
The reality is that the risk of a data breach via compromised passwords is higher in a mobile environment because mobile devices can be easily lost or stolen.
Multifactor authentication, where the employee is identified not only by ‘what they know’ (a PIN or password) but also by ‘who they are’ (a biometric such as a fingerprint or face scan) provides greater protection of sensitive assets. But it is not just the device.
BYO apps bring a security risk: sometimes easily downloadable apps can be vehicles for network breaches and data theft.
While organisations should take the appropriate steps to secure their perimeter, they should also treat the internal environment as hostile territory.
Take the insider threat seriously and don’t pretend it doesn’t exist. There are a plethora of tools that can be employed to detect potential security breaches by monitoring data access/usage by insiders.
For example, cyber security operation centres (CSOC) employ security information and event management (SIEM) analytics to capture and analyse data from various event logs and automatically alert IT security staff of potential security breaches.
The downside of this approach is that detection occurs after the fact. Also, the additional monitoring and processing required to close the gap between occurrence, detection and response may result in significant performance degradation in the very systems being protected.
Some of the newer endpoint protection technologies avoid this problem by focusing on preventing data breaches and adopting a zero trust security model.
For example, data encryption can be used to enforce need-to-know access control.
However, traditional need-to-know security solutions often incur significant administrative overhead, as changes are required to multiple system components (e.g. routers) whenever there is a need to add/delete personnel or create/change roles.
If employees have access to sensitive data from mobile devices, need-to-know access control may need to be further augmented by attribute-based access control:
• Need-to-know-WHO:
If the data is particularly sensitive, verify the identity of the requestor through a second/stronger form of authentication such as a voice or face biometric. Mobile devices with integral microphones and cameras are ideal for this.
• Need-to-know-WHERE:
If an employee has the requisite need-to-know right to access a particular data resource, but the request comes from a laptop or mobile device in a café or other public area, it may present an unacceptable risk.
Mobile devices with built-in location services are able to support this type of capability.
• Need-to-know-WHEN:
If an employee is requesting access to data resources outside normal hours, there may be cause to question the request or enforce additional authentication.
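The three checks above are easier to reason about as a single policy decision that a mobile access gateway would make at request time. The following is an added illustration, not Unisys code and not Stealth for Mobile: it combines a role-based need-to-know check with WHO (step-up to a stronger factor), WHERE (trusted versus public location) and WHEN (outside business hours) attributes. The sensitivity labels, the location tags, the business-hours window and the decision outcomes are assumptions chosen for the example; a real deployment would take them from its own policy.

```python
"""Attribute-based need-to-know access decision (added example, not Unisys code).

Assumptions (not from the article): resources carry a sensitivity label of
"internal" or "restricted"; the device reports a location tag; the trusted
locations are "office" and "corporate-vpn"; business hours are 07:00-19:00.
"""
from dataclasses import dataclass
from datetime import time
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # require a second/stronger factor (e.g. biometric) first
    DENY = "deny"


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str          # "internal" or "restricted" (assumed labels)
    allowed_roles: frozenset  # roles that have need-to-know for this resource


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    location: str             # location tag supplied by the device (assumed)
    local_time: time
    strong_auth: bool         # True if a biometric/second factor was already presented


TRUSTED_LOCATIONS = frozenset({"office", "corporate-vpn"})
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def evaluate(req: Request, res: Resource) -> tuple:
    """Return (Decision, reason) for a data access request.

    Order matters: a missing need-to-know entitlement is a hard deny,
    restricted data from an untrusted location is a hard deny, and the
    remaining WHO/WHERE/WHEN conditions escalate to step-up authentication.
    """
    # Need-to-know: the requestor must hold a role entitled to the resource.
    if not (req.roles & res.allowed_roles):
        return Decision.DENY, "no need-to-know for resource"

    # WHERE: restricted data requested from a public location is unacceptable.
    untrusted = req.location not in TRUSTED_LOCATIONS
    if res.sensitivity == "restricted" and untrusted:
        return Decision.DENY, "restricted data requested from untrusted location"

    # WHEN: requests outside normal hours warrant additional authentication.
    start, end = BUSINESS_HOURS
    after_hours = not (start <= req.local_time < end)

    # WHO: particularly sensitive data always needs the stronger factor;
    # an untrusted location or an after-hours request also triggers it.
    triggers = []
    if res.sensitivity == "restricted":
        triggers.append("restricted data")
    if untrusted:
        triggers.append("untrusted location")
    if after_hours:
        triggers.append("after hours")

    if triggers and not req.strong_auth:
        return Decision.STEP_UP, "stronger authentication required: " + ", ".join(triggers)
    return Decision.ALLOW, "ok"


# Constructed sample resources for the example.
PAYROLL = Resource("payroll", "restricted", frozenset({"finance"}))
WIKI = Resource("wiki", "internal", frozenset({"staff"}))


def decide(user, roles, location, hhmm, strong_auth, resource) -> Decision:
    """Convenience wrapper: build a Request from plain values and evaluate it."""
    hour, minute = (int(p) for p in hhmm.split(":"))
    req = Request(user, frozenset(roles), location, time(hour, minute), strong_auth)
    return evaluate(req, resource)[0]


if __name__ == "__main__":
    cases = [
        ("alice", ["finance"], "office", "10:00", False, PAYROLL),   # step-up
        ("alice", ["finance"], "office", "10:00", True, PAYROLL),    # allow
        ("alice", ["finance"], "cafe", "10:00", True, PAYROLL),      # deny
        ("bob", ["staff"], "cafe", "10:00", False, WIKI),            # step-up
        ("bob", ["staff"], "office", "22:30", False, WIKI),          # step-up
        ("bob", ["staff"], "office", "10:00", False, PAYROLL),       # deny
    ]
    for c in cases:
        print(c[0], c[5].name, c[2], c[3], "->", decide(*c).value)
```

The design choice worth noting is that WHERE produces a hard deny only for restricted data; for internal data an untrusted location merely escalates to step-up, which keeps the policy usable from a mobile device while still reflecting the "unacceptable risk" case the article describes.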
While no technical solution can protect against all forms of insider threats, organisations can significantly reduce their insider threat risk profile by moving beyond perimeter defence and treating their internal environment as hostile territory.
This means employing advanced breach detection/response capabilities like CSOC and breach prevention technologies like Stealth for Mobile and attribute-based access control.
By John Kendall, security program director, Unisys Asia Pacific