Enterprise IT has undergone remarkable change. Organisations are increasingly operating in diverse ecosystems and value chains, often global and multifaceted.
New technologies and trends are being hailed as a source of productivity, but they are also driving a wedge between the security team and their dream of an impenetrable castle with secure drawbridge, girt by a moat to keep enemies at bay.
Suddenly there are secret new access points to the before impenetrable walls; the moat has fast dried up, and attacks aren’t a contained threat, but an inevitability.
Much like how a medieval castle would crumble against the ballistics and flight power of the modern world, no longer does the traditional IT security approach stack up against today’s threats.
“If you go back to the good old days, enterprises tended to focus more on their individual lines of business, and all of their information was contained within the enterprise as a general rule,” says Dr Steve Hodgkinson, research director IT, APAC from Ovum.
“Past security professionals had a relatively easy life because the organisation owned and controlled the technical environment,” he adds. “You could build a strong brick wall on the perimeter, lock the door and hide behind it.”
Now as perimeters are dissipating, data lies outside the enterprise, there's no end to the variety of malicious attacks, and BYO trends mean operating outside standard models. While this promises to deliver simpler business strategy, it remains a detriment to security.
The Heartbleed attack recently brought security front of mind, having demonstrated how it only takes one flaw in your software for data to be at risk.
“There were possibly different ways from an architectural point of view that Heartbleed could have been mitigated,” says Rodney Gedda, senior analyst with Telsyte. “All the browsers relied on open SSL, or SSL as a standard, but if they had two-factor identification or did client integrity checking, then it might not have actually been that much of a concern.”
Though attacks are considered imminent, it should no longer be the case that security teams are only called to action following an incident. In order to ensure security measures are thorough and ongoing, security folk must be aware of what’s happening at all times.
“In order to keep it simple in this very complex environment, we need to gain a very strong view of what security events are happening inside of your enterprise, including the multiple end points, and whether your data is in the cloud or not,” says Glen Gooding, director of IBM's Institute of Advanced Security.
“We want to be able to pick up everything security related, correlate it together, make some decisions and provide some alerting and monitoring to allow the already strapped security teams to actually act upon it.”
Gooding explains that you can ensure strong “security intelligence” by observing the environment from both a pre-exploit and post-exploit perspective in order to truly detect, prevent and respond.
By monitoring event logs and network traffic, security teams can understand when, how and why a breach took place. Combined with vulnerability scans to understand the targets, what’s patched and what’s protected means security teams have necessary insight to monitor network activity, and take action on any particular holes that may be prevalent within the enterprise.
“If you’ve got a consolidated framework in and around your security intelligence, then security can be used as that springboard to enable newer technology initiatives in the future,” says Gooding. “This could mean bringing on new application suites, enabling newer mobile base technologies to come on board far quicker, or being able to utilise the next greatest flavour of cloud offering.”
As security pros begin to adjust to the explosion of additional moving parts, enterprises are moving away from the traditional IT manager mantra of standardise, consolidate, rationalise.
“IT security had the ability to control proliferation, through the standard operating environment, with fewer moving parts,” says Dr Hodgkinson. “Once they’ve lost the control, then the game starts to turn from trying to hold back the tide to reduce proliferation to actually working out strategies to harness and embrace proliferation and drive innovation with it.”
Dr Hodgkinson says this can be deeply confronting for many enterprise IT manager and CSOs, because they’re expected to be on top of everything that’s introduced into the enterprise environment. To benefit the business fully, they need to develop the skills to drive innovation by learning how to harness and direct that innovation rather than trying to stop it.
Another new and frequently discussed point is that it’s no longer about if you get hacked, but when. More enterprise IT strategies are being remoulded to expand the focus on response and prevention rather than purely perimeter defence.
In the traditional IT environment, it was natural to make assumptions about on premise security, namely that no one can get in through the stocky perimeter, and thus individual database security wasn’t taken so seriously.
Dr Hodgkinson points to the cloud as an example of modern adjustment, as cloud services are engineered on the basis that the perimeter is inherently insecure.
“We assume people will hack into our system. Therefore, we engineer it on the basis that if they do get in, they can’t get access to the data or they can only access certain data,” he says.
The pace and persistent nature of targeting today is such that things happen very quickly and so a holistic approach is critical to security, including application and data level security, database security, right down to an individual field level and the encryption of sensitive data.
“If it’s in the nature of deflect and deploy – with an attack from a competitor in the market to gain IP, for example – they’re going to be persistent… you can’t really see what’s happening by looking through your own letterbox from behind your locked door,” says Dr Hodgkinson.
But of course none of this can be fully possible without the co-operation of end-users, as the transition to complex enterprise IT will mean a few bumps in the road. Cloud services are not immune to hacks, with the recent global breach of eBay accounts a perfect example.
“That’s an example of a cloud e-commerce service and you could have part of your business using that service. If that gets compromised you need to have a plan of action to deal with it, even if it’s something simple like changing passwords,” says Gedda.
“It’s a case of being diligent about what’s in the cloud or in the database and having contingency plans if there was a security incident.”