Information security is about securely bringing together
the organisation's two most important assets - information and
people.
The increasing dependence of enterprises on technology has led
to a parallel increase in the challenges of keeping enterprise
technology and data assets secure. Now, with the additional demand
for remote, mobile and flexible working capabilities, the security
issues have been magnified.
Today's corporate culture means that the days of securing the
enterprise solely by concentrating on the perimeter defences are
long gone. Links to supply chain partners have blurred corporate
boundaries; mobile working has opened the network to external
influences; and device proliferation has made perimeter security a
nightmare to support.
There is clearly a need to consider information security solutions
that have a broad and visible impact on corporate operations by
focusing on the architecture as a whole, not just the perimeter.
Digital security should tackle the whole business rather than
individual applications or departments.
The result is that businesses require - and can permit -
ever-increasing ease of access to corporate information for the
authorised user.
Many organisations are creating infrastructures that are secure by
design, rather than relying on bolt-on solutions such as firewalls
and anti-virus software. As an example, in a secure-by-design
infrastructure, information would be managed centrally and access to
information delivered depending on the user's status at that point
in time.
To illustrate this, a user logging in on a corporate PC from a
trusted network would get more access than if they were using their
PC from home. They would also get a different level of access if
they used a mobile device such as a Pocket PC or Blackberry.
When it comes down to it, information security is really about
securely bringing together the organisation's two most important
assets - information and people. In order for this to happen,
security policies must be based on the fact that users'
requirements will differ depending on their role and information
needs. Information security does not need to simply be an on/off
switch. The level of access permitted can be dictated by the users'
location, role, device and request.
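
A minimal sketch of such a graded decision, added here as an illustration and not taken from any product: each factor (role, network location, device) sets a ceiling on access, the lowest ceiling wins, and anything the policy does not list is refused. The role, resource, network and device names and the four access levels are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    NONE = 0   # request refused
    VIEW = 1   # on-screen viewing only
    READ = 2   # view and download
    EDIT = 3   # view, download and modify


# Constructed policy: the ceiling each factor places on access.
NETWORK_CAP = {"trusted": Access.EDIT, "home": Access.READ}
DEVICE_CAP = {"corporate_pc": Access.EDIT, "mobile": Access.VIEW}
ROLE_CAP = {
    ("finance", "ledger"): Access.EDIT,
    ("sales", "ledger"): Access.VIEW,
    ("sales", "price_list"): Access.EDIT,
}
ACTION_NEEDS = {"view": Access.VIEW, "download": Access.READ, "modify": Access.EDIT}


@dataclass(frozen=True)
class Request:
    role: str
    network: str
    device: str
    resource: str
    action: str


def granted_level(req: Request) -> Access:
    """Lowest ceiling wins; a factor missing from the policy yields NONE."""
    return min(
        ROLE_CAP.get((req.role, req.resource), Access.NONE),
        NETWORK_CAP.get(req.network, Access.NONE),
        DEVICE_CAP.get(req.device, Access.NONE),
    )


def decide(req: Request) -> bool:
    """Allow only if the action's required level is within the granted level."""
    needed = ACTION_NEEDS.get(req.action)
    return needed is not None and needed <= granted_level(req)


if __name__ == "__main__":
    for net, dev in [("trusted", "corporate_pc"), ("home", "corporate_pc"),
                     ("trusted", "mobile"), ("cafe_wifi", "corporate_pc")]:
        r = Request("finance", net, dev, "ledger", "download")
        print(f"{net:10} {dev:13} level={granted_level(r).name:5} download={decide(r)}")
```
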
Users are often accused of being the weakest link in an
organisation's defences. So, rather than leaving security in the
hands of users (who really remain interested in getting their job
done well), the conflicting needs of the business for wider access,
and the IT department for wider security, can be met simultaneously
and reliably with a centralised, responsive approach.
For once, technology is not being served by a binary yes/no
response. Instead, it is a question of sense and response. Being
able to identify who is requesting access to information and then
responding with the most appropriate level of authorisation can
only be a good thing for the CIO and the user alike. Just as
employees have varying levels of physical access to company files,
decided by managers or lock and key, so the same should apply in
the digital world.
Lewis Gee is area vice-president, UK/Ireland/South Africa, at
Citrix Systems