Eric Cole of the SANS Institute says threats to our networks have changed but the way we approach security hasn't changed. As a result, companies have spent heavily on security technologies but they are still getting compromised. He suggests some new approaches.
I recently had the chance to talk to Eric Cole, an industry-recognized expert who performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. We talked about emerging security threats and new ways to address them.
Organizations spend a ton of money on security products but are frustrated because they are still getting compromised. The reason, Cole says, is that the types of threats we face have changed but our approaches to security haven't. He says it's time to look at problems differently and come up with solutions that actually work -- solutions that include prevention as well as early detection.
Here are four common problems and new approaches that Cole suggests might improve your security posture.
* Sources of evil: Let's start with what Cole calls the "sources of evil": Web browsers and email attachments. They are common vectors for allowing harmful malware into the corporate network. Cole says most companies address the problem by scanning and/or blocking email attachments and by whitelisting/blacklisting websites. These tactics are marginally effective and they are a hindrance to worker productivity.
A better way to address the problem, says Cole, is to run your Web browser and your email client in separate virtual machines on the local client. It's a twist on traditional virtualization that is more commonly used at the server level. By virtualizing the desktop environment, it's possible to operate the browser and email client in contained areas where users can click away on websites and freely open email attachments. If there is an infection, it can be contained and the damage to the wider network is controlled.
* Trusted enclaves on the network: Many organizations put a lot of effort into perimeter security to prevent attackers from getting into the network. That's all well and good -- until someone does penetrate the perimeter. Most networks are fairly flat, meaning once an attacker is in, access to information is pretty straightforward.
Cole suggests segmenting the architecture into separate trusted enclaves. In this way, you don't just have your DMZ separated but you also have your high-risk clients on separate segments. Moving from traditional perimeter security to new boundary defenses allows you to limit the exposure if a system does get compromised.
* Bring legal to BYOD: There's no doubt that BYOD (bring your own device) is opening a Pandora's Box full of security issues, and Cole says you need to involve your legal department. Two things happen when someone brings their personal device to work and downloads company data to it, Cole says. One, ownership of the information gets transferred to the person by virtue of the fact that they own and control the device. Two, the company still has all the liability for the security of the data.
Cole recommends getting an attorney to help you set your BYOD policies and documentation, and to get people to sign off explicitly on data ownership and liability. The policy should state that the organization has the right to go into the device at any time -- even after a person has been terminated -- to delete or modify the data that's on the personal device.
In fact, Cole advocates automatically deleting corporate data on a personal device every couple of days. If the device is lost or stolen, only recent data downloaded in the last day or two will be compromised. Since most workers use their mobile devices for temporary access to the company network and they have a more robust device such as a desktop or laptop PC in the office, this policy of frequent data wipes shouldn't affect them deeply. More importantly, it reduces the level of risk of data exposure.
* Assess the risk of cloud computing: Some organizations are missing out on the benefits of cloud computing because information security people "just say no." But telling people they can't move their applications to the cloud because of security fears isn't a sound strategy. Cole recommends assessing the risk of applications and putting them into one of three buckets:
1. Applications that are cloud-ready.
2. Apps that might be cloud-ready if certain measures were put in place.
3. Applications that will never go to the cloud based on the risk factors.
If you do run applications on a public cloud, be sure to encrypt the data and manage the keys in such a way that no one but your own company can access them.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.