How to Secure Corporate Data in Post-Perimeter World
Four simple steps can help organizations secure business data outside the firewall.
The days of users in cubicles logging into applications run on local servers are long gone. Workers have gone mobile as apps have moved to the cloud and, as a result, company data has flowed into off-site servers, hosted servers, cloud application backends and mobile apps.
The process has been a boon for business, but it comes with a catch: When business data is everywhere, there's no way to enforce a secure perimeter around it. And that has morphed the mighty firewall – once the backbone of the corporate security strategy -- into something of a chain link fence.
That doesn't mean your critical information can’t be protected; it just means a new approach is required -- an approach focused on identity management.
Rather than relying on traditional security methods that only protect apps and data on a specific network, leveraging identity as the source of policy means that IT security can follow users across networks, applications and devices. And with user identity at the core of security policy, IT can minimize the risk of compromised credentials and better track user access to corporate data.
Moving away from old perimeter-based security solutions and toward identity-based security means IT needs to rethink how they protect company data.
Here's how to get started:
Control User Access to Everything
Each new business app, service and management tool requires a new user directory for access management, and each new directory means another identity silo outside IT control. That provides a new target for attackers and sticks employees with even more unique credentials to remember.
It’s essential that IT use a single, reliable source of identity -- like Active Directory, LDAP or cloud -- to federate identity across all internal and external resources from there.
Single sign-on standards like SAML ensure that identity federation extends across all the apps and devices users need and that corporate directory information isn't exposed to attacks or replicated across multiple sources. This eliminates the need for re-used, weak or unmanaged passwords across cloud apps and removes the risk of another identity silo. As an added bonus, users get single sign-on.
Wrap Critical Apps in Multi-factor Authentication
Most cloud and on-premises apps require only a username and password for access. While that may be enough security for your less critical information, more stringent authentication is required for apps that store information like customer or company financial data. The extra layer of protection can be provided by multi-factor authentication, which may involve secure SMS, phone call, email or mobile device authenticators.
As with all technology solutions, it's best to find a balance between stringent security and user adoptability. Using a mobile device as a second factor of authentication is often a good balance.
Secure Devices Used to Access Business Data
According to Consumer Reports, over three million American smartphones were stolen in 2013. And an IDC/Lookout Mobile Security survey found that 44 percent of the thefts occurred after the owners had left them in a public setting, 14 percent were stolen in a home or car burglary and 11 percent were taken right off the individual.
In the wrong hands, unsecured devices can provide thieves with easy access to your company's critical information. At a minimum, IT must ensure that any managed devices that can access the company network has a passcode in place, and that each device can be located, locked or wiped if it's lost or stolen.
There are a number of solutions on the market today that will achieve this, but the most effective will allow for granular control that includes single sign-on for mobile apps and certificate-based policies for secure access to email, Wi-Fi and the corporate VPN. The best solutions integrate device location and security posture into app access policy so IT has total control of apps regardless of where, when or how they're accessed.
Make Provisioning and De-provisioning a Priority
With dozens or even hundreds of apps to manage, adding and removing users on an app-by-app basis can be so cumbersome and time consuming that the process often doesn't get the priority status it deserves.
Automating the provisioning process can save time and money by providing users with immediate access to the applications and devices they need, which can increase productivity. But it's departing users that often fall through the cracks -- when access must be revoked and corporate accounts deactivated.
It's easier when it's automated and user account provisioning is tied to app provisioning so that removing the account also removes access to all apps. But automated or not, IT must remain diligent in immediately revoking all access for terminated employees. At a minimum, make sure a specific individual is in charge of tracking all user access to apps and removing that access upon the departure of the employee. Otherwise you may find ex-employees with access to Salesforce.com -- two years after their departure.
The good news is that the steps above can all be addressed with the right solution. Today's identity-as-a-service (IDaaS) solutions leverage identity wherever policy is required, including on-premises, in the cloud, on mobile devices, Macs and more. But all are not equal; these solutions are still relatively new, and different vendors have specific strengths and focus areas that require careful evaluation.
Chris Webber is a director of Marketing at Centrify Corporation. He is a security wonk, a cloud evangelist, a product guy and a recovering IT professional. Having spent time at both Silicon Valley startups and global powerhouses, Chris developed his particular slant on cloud and mobile security at companies like Zscaler, Blue Coat Systems, Good Technology and Pertino.
September 18, 2015
IBM is now entering the shadow IT detection game with a new service for the Cloud Access Security Broker marketplace.