Finding the balance between the needs of the business and its regulatory requirements is an ongoing challenge.
Balancing the business need for network and application access with security and regulatory requirements continues to be one of the key challenges for information security professionals.
In fact, it is becoming a bigger challenge than ever before as computing environments become ever more distributed as enterprises become more mobile and connected with partners, suppliers and customers.
Increasing business demands for access and growing regulatory compliance around breaches are pulling in opposite directions, and the information security professional is typically caught in the middle.
Access to an organisation's network is usually granted to everyone associated with an organisation while limiting access to applications is well understood and accepted. Limiting access is typically achieved through identity and access management (IAM) and role-based access control, which many organisations have implemented for many years. But this model breaks down when social media, cloud services and consumer devices all start to impinge on the network, says Adrian Davis, principal research analyst at the Information Security Forum (ISF).
"These three trends typically drive greater access to information, increased bandwidth requirements and often bypass traditional access management and role-based access control," he says. Following the data is an important principle in tackling the problem, says Davis, as it provides a tool to understand the flow of critical or sensitive information in the organisation.
Spotting the trends
The easiest way to balance the business need for network and application access with security and regulatory requirements is to first recognise the underlying trends:
In the new era of hybrid IT, where IT teams operate an internal market model that sees them serve as both the service provider and the broker, one has to rethink how to balance the business needs with regulatory requirements.
In the age of BYOD (bring your own device), it is not the wall of the datacentre but the unsecured mobile devices that become the vulnerable end-point of businesses.
With shrinking datacentres that are either being outsourced to external facility operators or completely evaporated into the cloud, the new perimeter to secure in terms of end-point security now extends to remote control smartphones and tablets, devices and platforms where regulations are still in their infancy.
Access to the network and its applications in terms of authentication, authorization and auditability are a tipping point because heavy-handed regulations tend to make access cumbersome, whereas lighter regulations fail to protect the privileged resources.
Source: Dipto Chakravarty, executive vice-president of engineering and products, ThreatTrack Security
This understanding is crucial to understanding how to protect the data and includes understanding limitations on where and how the data can be transmitted, stored and processed. "Such limitations must now include consumer devices, cloud services and locations," says Davis. While IAM no longer provides a fix for the problem on its own, he believes it still has a role to play in managing access to applications and cloud services. In addition, information security professionals need to log and review access to information and applications. "This will provide evidence for the regulator and that the approaches chosen are working," says Davis.
Importance of the classification system
As a fourth key strategy in solving the access-security conundrum, he says information security professionals should think through the information classification scheme in use and make certain that it also tells people how to handle the information. "For example, does it tell people whether or not the data may be copied to a personal tablet or posted on collaborative or social media site," says Davis.
Another winning strategy is implementing a security architecture that is based on threat modelling and advanced penetration testing and that is set up in consultation with the business, says Vladimir Jirasek, director of research for the UK chapter Cloud Security Alliance (CSA) and managing director of Jirasek Consulting Services.
"All three of these components need to be part of the risk management decisions driving the level of controls protecting access to information, but as every organisation is unique, the mix of controls is going to be different for each one of them," he says. To deliver this new concept, Jirasek says a refreshed, business-focused security approach is needed that will challenge existing security checklists to their core and implement true risk-based business security governance.
Drivers behind authentication trend
Above all, information security professionals need to be realistic and pragmatic in their approach, says Ionut Ionescu of the (ISC)2 Europe Advisory Board. "When judging access needs and when examining what regulations you must comply with, start from what is the minimum required; work with the business to develop a view of where you are and would like to get to and then develop a process for reaching that goal," he says.
When it comes to regulatory compliance, Ionescu says organisations should avoid a "big bang" approach. "Rather work with an understanding of the maturity of your support organisation and define a phased approach that is realistic, achievable and minimises disruption," he says.
Read more about identity and access management
- AWS IAM tools essential to secure cloud services
- Identity and access management (IAM) in the cloud: Challenges galore
- New SaaS identity access management tools emerge, outdo legacy IAM
- Strategic vision should head up IAM goals for 2012
- IAM solution implementation: Challenges & resolution
- Cloud IAM catching on in the enterprise
- Gartner IAM summit: Identity and access management in flux but progressing
Information security professionals are often told that they need to do a better job of understanding the business, which often means understanding how to avoid disruptive change. "This means we need to do a better job of understanding our company; its strengths, culture, even its quirky habits," says Jirasek. "Herein lies the context that helps us understand the balance that needs to be set for any element of our security programme and defences." Part of the challenge in balancing access with security is that many new technologies have companies changing the way they do things.
"While the drivers won't be security and compliance; both will be a core element of success," says Jirasek. "Our job is to ensure everyone involved understands this and embraces the security as well as the business enablers. This is where the context counts.
"The process of defining the right target balance must involve both the business stakeholders and their user community," he says.
Jirasek does not think information security professionals should be driven by user concerns, but believes they should work with them to develop a mutual understanding of the objectives and the value of what needs to be done to get there.
"Avoid diktats. Sell compliance internally to users and make it easy for them to comply and understand the value of doing so," Ionescu says.
Jirasek recommends asking for business support: "Aim for a programme lasting two to three years and set yourself modest compliance goals at first and then increasingly harder ones."
Setting realistic targets
In this process, Jirasek says it is important to allow plenty time for testing and to celebrate successes, while being honest about failures. "Remember that this is not about the technology change: it is about changing the way people work. People need time to adjust," he says.
Jirasek recommends focusing on developing confidence by looking for small benefits designed to help people embrace the new processes and increase productivity right away. "Not only does this allow the company to move forward in a sustainable way, but it also increases the ability to develop that mutually understood context as you go," he says.
Identity and access management is crucial, then, but not purely technological. "Businesses need to focus on very strong user awareness campaigns, coupled with strong policies," says Alastair MacWillson, chairman of the Institute of Information Security Professionals (IISP).
Piers Wilson, board member at the IISP, adds: "It all comes down to being able to make intelligent decisions around business risk, access and information sensitivity; against the overriding compliance or governance requirements."
This means having a clear view about what access people need and making sure those with a more privileged role are appropriately vetted, monitored, trained and overseen, he says. "Making sure administrators have an appropriate level of skill and can do the job, but are also trustworthy and reliable gives a good message to risk owners and auditors," says Wilson
Coupling this with sufficient technical controls to ensure that user and system activity is traceable and auditable, he says, deters the malicious user or administrator from activity that is prohibited or not in the organisation's interest.