Johnny Karam, Regional Vice President, Middle East and Africa (MEA), Citrix, discusses the changing landscape of enterprise IT and the new models of security.
Over the last few years, UAE government IT leaders have recognised that the demand for personal devices in the workplace can serve as the catalyst for workspaces of the future, and have positioned the UAE as the leader in adopting mobile workspaces ahead of its regional counterparts. Companies and brands are looking at this change, realising that mobility is here to stay, and paying attention to how it can be incorporated into their infrastructures.
This transformation of enterprise IT can seem like one of the biggest challenges for security professionals as there is a whole new skill set required today to protect data. It’s no longer about providing employees an all access pass to the network, it’s about cohesively managing networking, virtualisation and containerisation technologies to give employees the flexibility to work from anywhere and feel confident their work and personal data are secure and separate.
The new model of security looks something like this: Instead of owning and controlling every element of the infrastructure, end to end—applications, data, network, storage and servers—we’ll let employees use their own devices to access data and apps, even over public networks. We’ll use cloud services and SaaS solutions hosted and managed by third parties, so our own secure data centre becomes just one node of an ever-expanding hybrid environment. And we’ll do it all even as the threats to our data grow more serious than ever because we know our policies can adapt based on behaviours and because we’re now asking the right questions to keep data secure.
It’s no wonder security professionals are losing sleep in finance, healthcare and other regulated industries—as well as just about every other company trying to safeguard its data. But the cold truth is, there’s no going back to the days of monolithic IT, locked-down networks and deskbound employees, and there’s no point in clinging to security models designed for that time – they just don’t work. With mobility now a core business requirement, and the consumerisation of IT changing the way people think about the technologies they use, we need to rethink security to fit a new set of requirements such as containerisation and data access from anywhere, on any device. Broadly speaking, IT faces two intertwined challenges:
- Meet employees’ demands—based on legitimate business needs—for the flexibility and mobility to work on any device, in any location, over any network, with the full spectrum of on-premise, cloud and mobile apps and services at their disposal.
- Address the critical vulnerability of private information (e.g. PII, PHI, PCI data), trade secrets, intellectual property and other valuable data across key areas including access control, application exploits, and physical and social engineering, and ensure protection at rest, in transit and in use, both on servers and on devices.
The importance of this mission can’t be overstated. Digitalisation is vastly expanding the volume of data within the typical enterprise, in tandem with unprecedented growth in data breaches, data loss and theft and cybercrime. Mobility aside, even the strongest perimeter security can’t ensure protection against human error and malicious insiders.
One virtue of the old security model was its simplicity: once you logged in with valid credentials, you could access and extract all the data you wanted. Of course, this simplicity came at the price of data breaches and high-profile attacks.
The new model needs to be equally simple, applicable to every information access request and transactional decision, while protecting data the right way for the way we work now. The key is to take a contextual approach to access. You can think of it in terms of five W’s:
- Who is trying to access data?
- What data are they trying to access?
- When is this happening?
- Where is the user?
- Why do they need this access?
The answers to these five questions are all a security professional needs in order to decide whether to allow data access. In fact, IT could even automate the process based on an employee’s profile and past history. New security models that take each of the five W’s into consideration are adaptive: they can learn from a user’s behaviour and raise a flag if someone is logging in with valid credentials from an unfamiliar device or location. It’s not just about who you are; verifying your identity through your ID and password is beside the point if the data access you’re requesting isn’t appropriate for a given setting or purpose. All five factors come into play in the decision.
For example, the “who” question should be handled differently based on the “what.” More sensitive data calls for a higher burden of authorisation, more frequent checks and more stringent policies. You wouldn’t want to burden low-level employees using public data with multi-factor authentication procedures and repeated logins throughout the working day, but more sensitive data might call for scanning an employee ID, providing biometric data or submitting to webcam facial recognition. Some transactions might be restricted to specific trusted machines and networks.
The “who” should also be checked for alignment with the “when” and “where.” Is this the first time an employee has ever logged in at 3:30 a.m.? Is he/she trying to access sensitive data from another country? Does the data in question belong to an entirely different business unit or project? A deviation from the norm might not necessarily prohibit access, but it would raise a red flag requiring further explanation.
The system should also have insight into the “why,” with the predictive ability to understand from schedules and travel itineraries where individuals are likely to need access in the future, or how requirements will evolve based on changes to an employee’s role in the organisation. This can reduce the need for human intervention and avoid undue inconvenience for your dynamic and mobile workforce.
As data and people become more mobile, the final elements of this new security model help protect the organisation from risk in any scenario: encryption and auditability. Wherever it resides and travels, data must be encrypted both at rest and in transit so that even a breakdown in policies or processes won’t leave it vulnerable. For both in-house analysis and regulatory compliance, it’s essential to verify and log each transaction so that data access is fully auditable.
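The contextual model described above (the five W’s, tiered authorisation by data sensitivity, anomaly flags on time and location, schedule-aware “why”, and a full audit trail) can be expressed as a small policy engine. The following is an added illustration, not code from the author or from any Citrix product; the user profile, sensitivity tiers, request fields and decision thresholds are all assumptions chosen for the example, and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# The "what": sensitivity tiers. A higher rank means a higher burden of authorisation.
# Tier names and ordering are assumptions for this example.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class UserProfile:
    """The "who", plus the baseline behaviour the engine compares requests against."""
    user_id: str
    clearance: str            # highest sensitivity tier this role may access
    business_unit: str
    home_country: str
    usual_hours: tuple        # (start_hour, end_hour) of the normal working day, 24h clock
    trusted_devices: set      # device ids enrolled by IT
    approved_travel: set = field(default_factory=set)  # countries from the travel itinerary (the "why")


@dataclass
class AccessRequest:
    user: UserProfile
    resource_sensitivity: str
    resource_unit: str        # business unit that owns the data
    when: datetime
    country: str
    device_id: str
    purpose: str


# Every decision is logged with all five W's so access is fully auditable.
AUDIT_LOG = []


def evaluate(req: AccessRequest) -> dict:
    """Decide 'allow', 'step_up' (require multi-factor re-authentication) or 'deny'."""
    u = req.user
    level = SENSITIVITY[req.resource_sensitivity]
    flags = []

    # who vs what: role clearance is a hard ceiling, checked before anything else
    if level > SENSITIVITY[u.clearance]:
        flags.append("exceeds_clearance")
        decision = "deny"
    else:
        start, end = u.usual_hours
        if not (start <= req.when.hour < end):          # the "when"
            flags.append("unusual_time")
        if req.country != u.home_country and req.country not in u.approved_travel:
            flags.append("unusual_location")            # the "where", unless explained by the "why"
        if req.resource_unit != u.business_unit:
            flags.append("unit_mismatch")
        untrusted = req.device_id not in u.trusted_devices
        if untrusted:
            flags.append("untrusted_device")

        if level == 0:
            decision = "allow"                            # public data: no MFA burden
        elif level == 3:
            decision = "deny" if untrusted else "step_up" # restricted: trusted machines only, always re-check
        elif flags:
            decision = "step_up"                          # deviation from the norm: raise the bar, don't block
        else:
            decision = "allow"

    record = {
        "who": u.user_id, "what": req.resource_sensitivity, "when": req.when.isoformat(),
        "where": req.country, "why": req.purpose, "device": req.device_id,
        "flags": flags, "decision": decision,
    }
    AUDIT_LOG.append(record)
    return record


def run_scenarios():
    """Constructed requests for one hypothetical user; returns the audit records produced."""
    alice = UserProfile("alice", "confidential", "finance", "AE", (8, 18), {"laptop-1"}, {"GB"})
    day = datetime(2024, 3, 4, 10, 0)
    night = datetime(2024, 3, 4, 3, 30)
    scenarios = [
        AccessRequest(alice, "public", "finance", day, "AE", "laptop-1", "daily reporting"),
        AccessRequest(alice, "internal", "finance", night, "AE", "laptop-1", "month-end close"),
        AccessRequest(alice, "confidential", "finance", day, "GB", "laptop-1", "client visit"),   # on itinerary
        AccessRequest(alice, "confidential", "finance", day, "US", "laptop-1", "unknown"),        # not on itinerary
        AccessRequest(alice, "internal", "hr", day, "AE", "laptop-1", "curiosity"),               # other unit
        AccessRequest(alice, "restricted", "finance", day, "AE", "laptop-1", "audit"),            # above clearance
    ]
    return [evaluate(r) for r in scenarios]


if __name__ == "__main__":
    for rec in run_scenarios():
        print(rec["decision"].ljust(8), rec["flags"], rec["what"], rec["where"], rec["when"])
```

The design choice worth noting is that anomalies on the “when” and “where” do not deny access by themselves; they escalate to a step-up check, which is the “red flag requiring further explanation” from the text, while only a clearance ceiling or an untrusted machine against restricted data produces a hard deny. The approved-travel set is how the “why” removes a flag that would otherwise fire: the trip to GB is expected, so no step-up is demanded, whereas the same request from the US is challenged.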
Simple yet comprehensive, this contextual data access model has the additional virtue of being based on relevant, substantive factors, rather than the more narrow and arbitrary criteria used in the past. Combining mobility and flexibility with granular control, contextual access allows people to make greater use of data in more contexts to drive productivity and value without exposing the organisation to risk. Instead of sleepless nights, it’s the stuff IT dreams are made of.