Why user identity is becoming the new security perimeter

Digitalisation has many advantages, from increasing productivity to improving accessibility. However, every technology has its downside, and with digitalisation this comes in the form of increased organisational risk. So while we all benefit from being able to access networks from any location via a greater range of endpoint devices, and from using collaboration software, implementing agile working etc., by doing so we potentially increase the number of data egress points from our organisation’s network. All of this results in a significantly increased attack surface which those with malicious intent can target, and it enables them to utilise a much higher range of threat vectors.

First and foremost this is a business risk, not simply an IT risk. Every organisation needs to understand its position on risk and define this in policy – which requires a full understanding of assets, threats and vulnerabilities. The organisation needs to invest in the right level of resistive strength to balance against the increasing threats and threat vectors, taking into account the cost to the business if a threat succeeds. This requires board level commitment and appropriate commercial cover.

Designing networks from the inside out

From an IT perspective, addressing the risks arising from digitalisation means taking a fresh look at network architecture. The perimeter security architecture of enterprise networks has traditionally been designed from outside in, using a ‘castle and moat’ or a ‘hub and spoke’ approach. This needs to be re-examined, along with the relevance of MPLS connectivity, firewalls and VPNs, as it is no longer enough, with respect to value, to secure traffic emanating from data centres.

Today’s networks should be designed from the inside out, based on a consideration of data flows and security stacks. And it is not just infrastructure that is important. Compliance frameworks and policies may no longer be relevant or can inhibit agility, and so will have to be constantly reviewed and rewritten – particularly as we move to a world of software-defined networks, where policy and compliance are the main considerations in access to resources.

In a digital world, security has to be built into infrastructure, business applications and solutions from the moment that they are conceived, not just considered post development. We then need to challenge existing trust levels and move towards a point of zero trust – a granular implementation in security boundaries, termed micro segmentation, which restricts unrequired and unwanted lateral movement of traffic between systems and in user access.

Implementing zero trust – or restricted trust – begins with a full understanding of access management and the aligning of rights, privileges and behavioural patterns that are built into policies. It means implementing least privilege and default deny policies for each user and each system, with clear processes to elevate rights on approval. This should be accompanied by the ability to monitor and log access and failed access. We also need to incorporate data protection into system design. The mapping of personal data needs to be considered carefully, in the light of GDPR, and zero trust can be built into systems in such a way as to restrict or prevent any data loss.
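
The default-deny model described above, as an added Python example (not from the article or from any product): standing grants give least privilege, an elevation needs a separate approver and expires, and every decision, allowed or denied, is logged. The PolicyEngine class and all principal and resource names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added illustration: PolicyEngine and every principal/resource name are hypothetical.
@dataclass
class PolicyEngine:
    grants: dict = field(default_factory=dict)      # (principal, resource) -> actions
    elevations: dict = field(default_factory=dict)  # (principal, resource, action) -> (expiry, approver)
    audit_log: list = field(default_factory=list)   # every decision, allow or deny

    def grant(self, principal, resource, actions):
        self.grants.setdefault((principal, resource), set()).update(actions)

    def elevate(self, principal, resource, action, approver, now, minutes=60):
        # Elevation on approval: nobody approves their own request, and it expires.
        if approver == principal:
            raise ValueError("elevation needs a separate approver")
        key = (principal, resource, action)
        self.elevations[key] = (now + timedelta(minutes=minutes), approver)

    def check(self, principal, resource, action, now):
        # Default deny: access is refused unless a grant or live elevation matches.
        decision, reason = "deny", "default-deny: no matching grant"
        entry = self.elevations.get((principal, resource, action))
        if action in self.grants.get((principal, resource), ()):
            decision, reason = "allow", "standing grant"
        elif entry and now < entry[0]:
            decision, reason = "allow", f"elevation approved by {entry[1]}"
        elif entry:
            reason = "elevation expired"
        # Log successful and failed access alike.
        self.audit_log.append({"time": now.isoformat(), "principal": principal,
                               "resource": resource, "action": action,
                               "decision": decision, "reason": reason})
        return decision == "allow"

def demo():
    t0 = datetime(2019, 6, 21, 9, 0)
    pe = PolicyEngine()
    pe.grant("alice", "hr-records", {"read"})
    results = [pe.check("alice", "hr-records", "read", t0),    # standing grant
               pe.check("alice", "hr-records", "write", t0),   # not granted
               pe.check("bob", "hr-records", "read", t0)]      # unknown principal
    pe.elevate("alice", "hr-records", "write", approver="carol", now=t0, minutes=30)
    results.append(pe.check("alice", "hr-records", "write", t0 + timedelta(minutes=10)))
    results.append(pe.check("alice", "hr-records", "write", t0 + timedelta(minutes=45)))
    return results, pe.audit_log
```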

Users are the new security perimeter

In a zero trust network, access management is aligned to user management. For effective security, organisations need to know who is accessing what data, when, where and why, so that they can wrap security around how their users actually work. For example, if someone is logging into the network at 10pm, is this normal behaviour? What applications and data are they accessing, and should this set alarm bells ringing?

In effect, users are becoming the new security edge, and identity management is becoming the new perimeter management.

To apply user management effectively, organisations first need to fully understand access behaviour across system users (the Who, What, When, Where and Why). There are many analysis tools available within existing applications. For example, Microsoft provides a number of analysis tools within the Office 365 suite, depending on which licenses an organisation has purchased, including advanced threat analytics and advanced threat protection. These systems analyse the environment and who is doing what, where and when. They are self-learning and will work towards a point when they will only alert you when they detect abnormalities in access and traffic flow. However, organisations still need the resources to map their environment and the behaviour of their users so that they can tune these tools to create a picture of normal working at the organisation.
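
The "is a 10pm login normal?" question above, as an added Python example (not from the article and not how any Microsoft tool works): it builds a per-user picture of normal working hours and applications from sign-in history, then flags events that fall outside it. The log format, user names and application names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history (timestamp, user, application); not real data.
HISTORY = """
2019-06-17T08:55 asmith mail
2019-06-17T13:10 asmith crm
2019-06-18T09:05 asmith mail
2019-06-19T17:20 asmith crm
2019-06-17T22:15 nightops backup
2019-06-18T23:40 nightops backup
2019-06-19T22:05 nightops monitoring
"""
# Constructed events to review against that baseline.
TODAY = """
2019-06-21T10:15 asmith mail
2019-06-21T22:04 asmith finance
2019-06-21T00:20 nightops backup
2019-06-21T09:00 contractor1 crm
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, user, app = line.split()
        yield datetime.fromisoformat(ts), user, app

def build_baseline(text):
    """Per user: the hours of day and applications seen in normal working."""
    hours, apps = defaultdict(set), defaultdict(set)
    for ts, user, app in parse(text):
        hours[user].add(ts.hour)
        apps[user].add(app)
    return dict(hours), dict(apps)

def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 -> 0 is 1)."""
    d = abs(a - b)
    return min(d, 24 - d)

def review(text, baseline, tolerance=1):
    hours, apps = baseline
    alerts = []
    for ts, user, app in parse(text):
        if user not in hours:
            reasons = ["no baseline for user"]
        else:
            reasons = []
            if min(hour_gap(ts.hour, h) for h in hours[user]) > tolerance:
                reasons.append("unusual hour")
            if app not in apps[user]:
                reasons.append("new application")
        if reasons:
            alerts.append((user, ts.strftime("%H:%M"), app, reasons))
    return alerts
```

Here a 10pm sign-in is an alert for the day worker but routine for the night-shift account, whose 00:20 sign-in also passes because hours are compared on a 24-hour clock.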

User management should be accompanied by robust cyber security training and awareness and acceptable use policies linked to HR policies. There should be ongoing training to ensure that all new cyber threat vectors are understood by users and mitigated effectively.

Finally, it is vital to securely manage access to company resources from mobile and other devices, especially where staff are permitted to use personal devices (i.e. BYOD, BYOT and the IoT). Multi-factor authentication should be implemented, along with Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile Identity Management (MIM) where data security is important.

Handling threats means logging everything

Logging user behaviour as outlined above will help organisations to understand what is ‘normal’ in their network and for their users. This information can also be used for compliance analytics, which involves gathering and storing relevant data and mining it for patterns, discrepancies, and behavioural abnormalities. Compliance analytics helps companies proactively identify issues and provide appropriate remediation actions.

All of the above may sound like a huge amount of work. However, it is worth remembering that most security breaches come from failures in basic security defences and not from complex attacks. In order to minimise the risks, organisations should begin by implementing basic security correctly, and setting data access based on roles and attribute-based policies, before moving on to more complex analytics.

Neville Armstrong, Service Strategist, Fordway Solutions

Image Credit: Geralt / Pixabay
