Giving security more context
It’s that time of year again. As we head towards Christmas our minds drift towards what we’re going to be buying for our loved ones. This time of year is traditionally a big one for sales of gadgets: mobile phones, PCs, laptops and, more recently, tablets. The creeping influence of American shopping culture on the UK and Europe - such as Black Friday and Cyber Monday - makes gift buying a cheaper and easier experience.
It may be a fun time of year for many of us, but IT departments are probably dreading it. Most of the shiny new gadgets - iPads, iPhones, Samsung devices, Nexus devices and countless more - will make their way into the enterprise, and that will result in increased security risk.
Workers will want and expect the same level of access to their data they get on their work PC or mobile device. It’s a tough battle for IT to find that balance between enabling workers to do their jobs and protecting all that vital and sensitive data.
BYOD, of course, is not a new phenomenon. It’s something IT departments have been dealing with for years... but it is resulting in a fundamental change to the way organisations are approaching security. Or ‘should approach security’ may be a better way of putting it, because we are still seeing a lot of businesses that haven’t got to grips with it yet.
These changes being driven by BYOD are reflective of the wider industry, and are not necessarily a bad thing. The traditional approach to security simply isn’t working anymore. Companies are still being hacked and sensitive data, credentials and money are still being stolen.
The perimeter has shifted; no longer is it all about the data centre. The perimeter is now the device, wherever that may be. But devices are not worth protecting. The value is in the data, it’s in the applications on that device. Protect those and suddenly an organisation’s security feels much stronger. Focus security on protecting the data that is flying across your network, from data centre to device.
One way of coping with the influx of employee-owned devices is to containerise the device into personal and business identities. When in business mode the worker can only access what the business lets them, such as emails or IT-approved apps. When in personal mode, the user can do whatever they want without fear of crossover with the business identity. But obviously this doesn’t work for all requirements.
Here’s another tip: treat every device as if it is infected, as if it’s a threat. Starting from that viewpoint will ensure a business focuses its protection on the right target, protecting what’s important: the data and the application. Transparently check the device, provide access to apps based on the context of the session, not the user and the device. Then create dynamic policies that can grant access, check for compromised sessions and dynamically adapt to the threats in real time.
This means moving security away from protecting physical devices and end-points and adopting a more context-based approach. Who, which, where, and what are all key questions to consider when looking at security. Who is attempting to connect to the network? Which device are they using? Where are they trying to connect from? What are they trying to access? Next Generation is not enough; we need to consider what next-next generation security looks like.
Doing this instead of a blanket approach to security means a business will be much more agile and able to respond to specific and emerging security threats. This helps workers get their work done without compromising sensitive information, keeping everyone happy.
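The who, which, where and what questions above can be expressed as a small access decision that is re-run whenever the session context changes. This is an added sketch, not code from the article: the resource names, roles, country list and the `decide` and `reevaluate` helpers are all hypothetical.

```python
from dataclasses import dataclass, replace

# Constructed policy data: resource names, roles and locations are hypothetical.
ALLOWED_ROLES = {
    "email": frozenset({"staff", "finance"}),
    "finance-db": frozenset({"finance"}),
}
SENSITIVE = {"finance-db"}
EXPECTED_COUNTRIES = {"GB"}

@dataclass(frozen=True)
class SessionContext:
    user: str                # who
    roles: frozenset         # who
    device_managed: bool     # which
    device_patched: bool     # which
    device_jailbroken: bool  # which
    country: str             # where
    network: str             # where: "corporate", "home" or "public"
    resource: str            # what

def decide(ctx: SessionContext) -> str:
    """Return 'allow', 'step_up' (re-authenticate) or 'deny' for one request."""
    # Who + what: unknown resources and missing roles are denied by default.
    if not ctx.roles & ALLOWED_ROLES.get(ctx.resource, frozenset()):
        return "deny"
    # Which: a device showing signs of compromise gets nothing.
    if ctx.device_jailbroken:
        return "deny"
    sensitive = ctx.resource in SENSITIVE
    if sensitive and not (ctx.device_managed and ctx.device_patched):
        return "deny"
    # Where: an unexpected location or untrusted network raises the bar.
    if ctx.country not in EXPECTED_COUNTRIES or ctx.network == "public":
        return "deny" if sensitive else "step_up"
    return "allow" if ctx.device_patched else "step_up"

def reevaluate(ctx: SessionContext, **changes) -> str:
    """Re-run the decision when the session context changes mid-session."""
    return decide(replace(ctx, **changes))

if __name__ == "__main__":
    session = SessionContext("alice", frozenset({"finance"}), True, True, False,
                             "GB", "corporate", "finance-db")
    print(decide(session))
    print(reevaluate(session, network="public"))
    print(reevaluate(session, resource="email", device_managed=False,
                     network="public"))
```

The same user on the same device gets a different answer once the network or the requested resource changes, which is the point of deciding on session context rather than on device ownership.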