While I peruse my morning inbox, I enjoy listening to music on my iPod. It just so happens this morning’s first random selection served as the inspiration for today’s blog: Let ‘Em In by Paul McCartney & Wings.
“Someones knockin at the door
Somebody’s ringin’ the bell
Do me a favor,
Open the door and let em in!”
There is nothing more damaging to the overall enterprise operation and business reputation than permissive access policies. Considering the all the entry points from applications to social media to email to cracks in the network perimeter, it is incumbent upon any company of any size to take security more seriously than a cost center or after-thought.
It starts with understanding who needs access to what assets in your company and then monitoring the usage—kind of like putting a burly bouncer at the door. This is the staple of access management. Just applying a technology solution is not good enough. There must be process, policy enforcement, continuous monitoring and integration/unification with all other security initiatives. Already deployed single sign on? Great. But have you ensured that customer service can’t sign into ADP payroll? Do you allow junior members access to C-level bonus plans? Point being, not every employee, partner or customer is equal. Access to data, various applications or resources must depend upon responsibility within the organization and need to productively succeed at their specific tasks.
But access management doesn’t stop Ringo from sales from exporting parts of your database to an email marketing service…right? Not as such. Again it depends on the permission levels as well as monitoring content awareness. For what purpose? How is the data treated in this virtualized environment? Is it sensitive data? Is this third party vendor liable for data leakage? Not every company will come up with the same answer. It is a matter of risk versus reward.
So if you want to prevent the “Let ‘Em In” syndrome, access management, as a best practice, comprises three “commandments”
Law #1: Thou Shall Manage Entitlements–It starts with user-specific privilege policies of who gets to see what (and how—see BYOD). When that’s decided, it transitions to the technology solution to enforce the data-driven strategy that is consistent across all applications. This is key for companies bound by compliance regulations like HIPPA, PCI and Sarbanes Oxley, but is the security foundation for any organization.
Law #2 Thou Shall Choose Federation–Which legacy, licensed or cloud solutions are authorized to use by your organization. This is the framework of trust that allows interoperable collaboration between departments, directories and enterprises.
Law #3 Thou Shall Protect Data-Wherever data is kept, be it in the cloud or underground bunker, make certain its exposure is limited to only those with the clearance to access it. Make sure it is properly encrypted and tagged so that anyone who sees, uses, changes, modifies, copies, or adds to it is recorded and reported. This requires some level of inspecting inbound and outbound content.
Access management as a go-forward initiative is considerably more complex simply because the threats from a variety of sources are more complex. It is only a segment of an overall security initiative which should include IPS (intrusion protection), IDM (identity management and credentialing) and forensic analysis (log management). Because you control who can and can’t have access, doesn’t mean that outside influences cannot take advantage of other vulnerabilities across the network perimeter. Passwords are crackable, users get careless, third parties (partners, vendors, customers) don’t necessarily share your security concerns, threats evolve, and hackers get creative.
I realize for many companies with limited budgets and staffing, this is asking for resources they don’t necessarily have or may be outside their sphere of excellence. But the threats aren’t going away because the funding isn’t there. I see so many companies forced to choose between access management OR IPS (SIEM). It can be overwhelming. Thing of it is, because of the advances of cloud based security, it doesn’t have to be that way.
Cloud-based access management can be unified with cloud-based SIEM, cloud-based IDM and cloud-based log management without adding headcount or dipping into precious CapEx budgets. This gives companies who can’t afford to hire a dedicated security analyst to deploy an enterprise-strength security initiative that leverages the capabilities of all the tools. This provides the additional context, layers, compliance coverage and asset protection for any sized company. And it’s not limited to cloud computing applications.
As attractive as the cloud security price points are, it is the additional correlated layers that drive the true return on investment in terms of better visibility which begets better and faster decisions which begets stronger protection. Gartner agrees that the optimization of a holistic security platform is the key; one that monitors and controls access, creates application awareness, provides situational context and content awareness while maintaining the flexibility to scale and evolve based on business needs.
Now, again to quote Sir Paul….”So wont you listen to what the man said,” or maybe the Stones, “Hey You Get Off of My Cloud” is more apropos!
Now playing: Castle Walls (Styx), Next up: Heavy Cloud, No Rain (Sting) followed by Who Are You? (The Who)
Tags: Access Management, best practice, BYOD, CIO, Cloud, cloud computing, cloud security, CloudAccess, compliance, hacker, Identity Management, IDM, intrusion detection, IT security, Log Management, Security, security-as-a-service, SIEM, single sign on, SSO