Tuesday, October 13, 2015

Security requires long haul planning




On Tuesday, October 6th, the European Court of Justice (ECJ), invalidated the U.S./EU Safe Harbor Framework. This framework, in place since 2000, gave blanket permission to data transfers from the European Union to the United States. The ruling means that national data protection authorities can now review such data transfers on an individual basis. It also complicates many aspects of data security for any enterprises doing business across the Atlantic Ocean.

This recent ruling highlights the value of having a strong security partner shepherding your enterprise through these types of perturbations. Luckily during Dell Peak Performance in Las Vegas, I had the opportunity to discuss the importance of such a partnership with Bill Evans, senior director of product marketing for Dell’s Identity and Access Management businesses.

Photo courtesy of Bill Evans
Kevin: Bill, thank you joining use today. What is your role at Dell?

Bill: Thank you for the invitation, Kevin. I work in the product marketing group within Dell Security. Specifically I support the Identity and Access Management product portfolio.

Kevin: Identity and Access Management is a very important aspect of cloud security. What has changed in the IDAM (identity and access management) marketplace over the past 12 months? The proliferation of devices seems to be the Achilles heel to having secure IT.

Bill: Historically, when it came to IT, everything was centralized. The mainframe, the client-server model and desktop computers were all contained within a company’s network perimeter. That perimeter is now gone and organizations are now trying to deal with an IT world that has no boundaries. A recent analyst report actually stated that identity is now the new perimeter. Protecting the network from intrusion, malware and other threats is still as important as ever. Additionally though, companies need to work harder to control access to data and applications. The focus is not only on outside hackers trying to get in but on the malicious insider as well.

Kevin: With identity and access management as the new boundary for now and into the foreseeable future, how do your customers step up to this formidable challenge?

Bill: Above all, leaders and managers need to be intelligent about the investments they make in this area. This also means avoiding reflexive “knee-jerk” reactions. The first step of the process is conducting an inventory of their current infrastructure. It’s actually impossible to protect every piece of data and frankly, they don’t need to waste money and effort trying to do so. Companies do, however, need to categorize and strongly protect data that is important. Things like personally identifiable information (PII) or healthcare records need to be isolated and surrounded with strong access controls. We call this process prioritizing the need which means developing plans that protect the most sensitive data by using the strongest operationally practical protections. Organizations are then in a position to assess available tools for implementing the needed protections. Dell’s portfolio not only provides solutions for today’s problems, but it also delivers a platform that can address future needs and challenges. Security is not a one-time project so we partner with our customers over the long haul. Making intelligent business decisions across all available technologies is key.

Kevin: You’ve outlined an approach that includes infrastructure deployment decisions in combination with a sort of data triage process. I’ve also been impressed with the breadth and depth of Dell’s security portfolio. With that said, what issues are top of mind for you and the Dell security team. Which of these issues are you planning to address over the next twelve months?

Bill: That’s really a great question. The thing we’re looking at very closely right now is the impact that security has on user productivity. To be honest, on a scale from one to 10, a security and risk professional wants to turn the security dial up to 11. They want to secure everything with multiple credentials that all have very long passwords. Users don’t tend to like that approach, so if you go down that implementation path, people will generally avoid the issue by going around what they perceive as a “security hurdle”. This isn’t good for anybody, including the company.

So what we’re doing is applying some new technology that we refer to as the Dell Security Analytics Engine. Though the use of Dell’s uniquely broad security portfolio, the security analytics engine can enable context-aware security. This capability collects data in real-time from multiple security assets deployed across an enterprise. We can pull information from the Dell laptop as a managed or unmanaged device. We also extract data from the Sonicwall firewall on who is accessing what type of data from where. Data from Dell Secureworks also compares the scenario with blacklists and known threat signatures. All this information is then combined to deliver a context derived risk score to the Dell One Identity Cloud Access Manager. The access manager can then make a real-time decision on that connection.

Let me give you an example. If I log in on a Monday morning at 8:30 a.m. from the office with correct credentials, it’s a pretty safe bet that I am who I claim to be. On the other hand, this week I’m in Las Vegas at Peak Performance and will probably log in from my hotel room tonight at 9:00 p.m. The security analytic engine would flag that as being an unusual occurrence and Cloud Access Manager would interpret the higher risk score as a cue for stepping up authentication requirements. This, for instance, may mean using a one-time authentication token. If my credentials were subsequently used to login at on a Sunday at 2 a.m. from North Korea, the system would read that as a probable attack and block the transaction. The challenge is in finding that right balance between tight security and user productivity. Nine times out of 10, username and password is good enough. That tenth time, however, a little extra precaution is warranted. Users are generally willing to accept a security related inconvenience every once in a while so they won’t try to circumvent the controls. So in effect, the security team can adjust the security dials in real time.
Kevin: This seems to be a more balanced approach to security. At Dell Peak Performance we heard that enterprises have suffered over $600B in cybersecurity losses this year against just a $200B investment to protect against these losses. That doesn’t sound like a balance at all. What should senior decision makers and IT professionals learn from this statistic?

Bill: This really indicates how tough security decisions can be. While enterprises today are spending more money on security, they are also feeling worse about their security posture. Knee-jerk reactions contribute to this dichotomy. Executives, with the best of intentions but focused on addressing singular security issues, serially purchase disparate security products. These types of actions eventually lead to a patchwork of siloed security solutions. Between each of these perfectly effective solutions, however, you will find security gaps through which threats can invalidate a security strategy. As discussed earlier, we strongly recommend targeting a long-term goal with the understanding that the company cannot solve every security problem in one day. Success in this game requires partnering with a vendor that can not only address today’s issues, but also work with you to leverage a coordinated investments over time.

Kevin: With respect to identity and access management, are any specific industry verticals better positioned for this type of balanced approach? Are there any industry specific insights that you can share with us?
Bill: There is an interesting dynamic in play when it comes to user behavior and industry related expectations. While no one industry is easier or harder when it comes to data protection, they all have specific requirements related to their industry’s business model. While the requirements within industries like banking and finance are certainly different than those in healthcare, they all deal with the challenge of balancing security with the desired consumer community experience. In private, management will demand two-factor authentication throughout their respective user communities, but why hasn’t this proven control been broadly implemented? Multifactor authentication isn’t being widely used in the consumer space because of its intrusive impact on the consumer experience. A prospective customer’s decision to bank with Company A or Company B may ultimately be driven by how easy it is to get account information through a smartphone application. Daily decisions of this type forces a constant balancing between security and business needs. As consumers, we decide with our buying actions whether to accept the cost of improved security. Eventually, those same consumers will need to stand-up and state through their buying actions a willingness to pay for more robust security. We advise organizations to act smart by optionally offering enhanced security, now, because over time, all organizations will be moving in that direction.

Kevin: Do you have any final recommendations for the CEO dealing with this dilemma?

Bill: I would counsel all CEOs to start with research. You need to understand your infrastructure, thoroughly understand your threats and attack surfaces and plan for the long term. This will pay high dividends when selecting a security partner that can serve your needs as they morph and change over the long haul.

Kevin: Thank you, Bill, for your words of wisdom.

Bill: You’re welcome Kevin.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

 



Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2015)



No comments: