One of the major changes over the last decade is how we work in the modern workplace. The traditional 9 to 5 in the office is rapidly becoming a thing of the past. One of the other major changes is the dramatic increase in cyber-attacks - people looking to access systems and data for profit.
With an increase in mobile working and the requirement for anywhere access, the need to manage this has never been greater. People are now the perimeter, and as such, how we protect those users needs to evolve to meet these new challenges.
So, what are the challenges?
The first is the ‘role’. The role is a poorly defined term in most businesses, where we still tend to focus on the individual rather than the role that the individual steps into. Let’s take a look at the concept of a role:
A role is more than just a description of duties; it should involve an understanding of what data, systems and services will be consumed. This is because our posture for the role is based on the sensitivity and risk those items pose. As an example, the security posture is going to be different for a finance director as opposed to a salesperson. This should affect the level of access, ideally based on connection method (e.g. I might trust a home office more than a coffee shop). Connection through a corporate mobile phone hotspot may again be treated differently, as the organisation should have control over that device.
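To make the idea concrete, here is an added example (not code from the original article) of a small access-decision function that applies the two posture inputs described above, the role's data entitlement and the trust placed in the connection method. The roles, data classifications, connection types and their trust ordering are all assumed for illustration.

```python
# Added example: role + connection posture -> access decision.
# Roles, classifications and trust levels are constructed, not from a real system.
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed trust ordering for how the user connects. A corporate hotspot is a
# managed device, so it ranks above a home office; a coffee shop is untrusted.
CONNECTION_TRUST = {
    "corporate_lan": 3,
    "corporate_hotspot": 2,
    "home_office": 1,
    "coffee_shop": 0,
}

# Role definition: the highest data classification the role is entitled to consume.
ROLE_CLEARANCE = {
    "finance_director": Sensitivity.RESTRICTED,
    "salesperson": Sensitivity.INTERNAL,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step_up_mfa: bool
    reason: str


def evaluate(role: str, data: Sensitivity, connection: str) -> Decision:
    """Least privilege first (is the role entitled at all?), then connection posture."""
    clearance = ROLE_CLEARANCE.get(role)
    if clearance is None:
        return Decision(False, False, "unknown role")
    if data > clearance:
        return Decision(False, False, "role not entitled to this data classification")
    trust = CONNECTION_TRUST.get(connection, 0)  # unknown connection = untrusted
    # Restricted data is only reachable from a managed connection path.
    if data == Sensitivity.RESTRICTED and trust < 2:
        return Decision(False, False, "restricted data requires a managed connection")
    # Otherwise, a connection less trusted than the data is sensitive needs step-up MFA.
    if trust < data:
        return Decision(True, True, "step-up MFA required for this connection")
    return Decision(True, False, "allowed")
```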
How can we manage this issue?
When looking at a strategy to control this, we need to look at what the risk is and what is a reasonable cost to manage that risk, as well as what compliance issues play into this (GAMP, ISO27001, PCI DSS, Code of Connection etc.), as they may help define your requirements: basically, all the items that affect business reputation or business-as-usual practices. The least privilege model is a good example of how compliance has helped shape modern practices.
What sort of technology can help with this?
Like most things in IT, there are a host of ways to address this issue. VPN may be enough, but rarely for all users. 2-factor authentication can help but does not address application and data access in any granular way. Multi-factor authentication allows for policies inside or outside of the firewall, whitelisted IP addresses and application policies, but these tend to be static rules and don’t address the data issue. Privilege and Access Management working alongside Identity and Access Management is also an effective way to automate posture, covering all the above issues whilst not creating a significant overhead for IT with regards to time and effort.
The news is still full of stories about companies who have been fined for compliance and regulatory issues; the fiscal penalties are punitive and the damage to reputation incalculable, yet we are still seeing this daily.
So the question becomes: do companies hope for the best and react when an event occurs, or take the proactive steps to define, monitor and control?
Define your perimeter.