Striking a balance between the business need for network and application access and security and regulatory requirements is increasingly difficult: the business wants ever more access, while regulators and the threat of a breach or compromise pull the other way, towards less access and greater control.
Access to an organisation's network is usually granted to everyone associated with an organisation, while limiting access to applications is well understood and accepted.
Limiting access is typically achieved through identity and access management (IAM) and role-based access control, which many organisations have implemented for many years.
Where this model – unfettered network access, limited application access – starts to break down is when social media, cloud-based services and consumer devices all start to impinge on the network. These three trends typically drive greater access to information, increased bandwidth requirements and often bypass traditional access management and role-based access control.
Security can help in four ways.
First, follow the information. This concept – which the ISF applied to its recent Securing the Supply Chain project – provides a tool to understand the flow of critical or sensitive information in the organisation and to then understand how to protect it, including limitations on where and how the information can be transmitted, stored and processed. Such limitations must now include consumer devices, cloud services and locations.
Second, there is a place for identity and access management and the role-based access control approach to manage access to applications and cloud services.
Third, log and review access to information and applications: this provides evidence for the regulator, and evidence that the approaches chosen are working.
Fourth, think through the information classification scheme in use and make certain that it also tells people how to handle the information – should it be copied to a personal tablet or posted on collaborative or social media?
Adrian Davis is principal research analyst at the Information Security Forum (ISF)
This was first published in June 2013