I guess we all agree on certain challenges in the future: Our businesses as well as our IT will become more and more digital and therefore security will need to change. The pace of a compliance-based approach will simply be too slow to come up with reasonable solutions in light of new, dynamic and innovative business needs. In parallel, the threat landscape is changing rapidly. Today, security is just running behind in most cases.
When I am asked where companies have to start to get back ahead of the curve, I typically refer to four areas:
- Legacy: A lot of the infrastructure grew organically, which leads to inconsistent inventory (needed for data classification, incident response etc.), unclear processes on patch management, creative processes for identity and access management, no processes to engineer security into new development processes etc. Most infrastructures still have components from the beginning of IT somewhere. This leads to “stupid” breaches – in other words, to successful attacks exploiting well-known and easy-to-fix vulnerabilities. The challenge with the clean-up is that it costs money without adding direct business value.
- Identities: Get your identities right! Identity management is the absolute foundation of everything. It makes absolutely no sense to encrypt if you do not know who is accessing the encryption key. It does not make sense to invest in a firewall if the standard password is still used. Identity management needs to be addressed and solved from a process and technology perspective. New challenges in this space are just around the corner as the devices connected to your network will need managed identities as well.
- Transformation: As mentioned above, security needs to transform into a value-add for the business. This change needs to be managed and deliberately driven. Security needs to become much simpler and needs to be seen as a value-add.
- Intelligence: As we need to assume that our network is breached, we need way better intelligence and monitoring technology as well as clear processes for incident response. Most of what is on the market today is highly resource intensive with limited return on investment.
Identity is definitely one of the key elements of any future strategy. And let me tell you: It is getting more challenging. Organizations tend more and more to keep their core competencies in-house and outsource anything that is not at the heart of their business or that does not separate them from their competition. This makes a lot of sense but creates some headaches for security people, as sensitive information will have to be exchanged with third parties and authentication has to work reliably and in a trustworthy way across company borders.
Additionally, in times of the Internet of Things, where everything will get an entity, you need a sound environment to manage this.
In this context, I just read this really interesting article: Elevating identity and access management to the digital era
I agree with almost everything in this article – with one exception: I do not see identity at the center of future concepts, but data. Data has to be persistently encrypted, like in Microsoft’s Active Directory Rights Management Services, and access shall be granted based on 4 (or 5) criteria:
- User: Who is the user and how did he/she authenticate? For example, for internal data username/password might be good enough; for strictly confidential data, biometry might be needed.
- Device: Is the device policy compliant? Just a remark: in this concept, I do not care who owns the device.
- Location: From a geographical as well as network point of view.
- Application: Which application and which version thereof do you want your users to access their data with?
- (optional) Behavior: Do we see any behavior anomalies?
So, identity is one of the key parts of the concept and if you do not get your identity right, security will fail – but I would put data at the center as this is what we ultimately want to protect.
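
The data-centric access decision described above, sketched as an added example (not code from the article or from any product). The classification names, policy values, field names and the anomaly score are assumptions made for illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Request:
    auth_method: str            # User: how did he/she authenticate?
    device_compliant: bool      # Device: policy compliant (ownership is ignored)
    country: str                # Location: geographical
    source_ip: str              # Location: network
    app: str                    # Application used to open the data
    app_version: str
    anomaly_score: float = 0.0  # Behavior (optional): 0.0 means normal

# Constructed policy: the data's classification drives every requirement.
POLICY = {
    "internal": dict(auth={"password", "biometric"}, countries={"CH", "DE", "US"},
                     networks=["0.0.0.0/0"], apps={"viewer": "1.0"}, max_anomaly=0.8),
    "strictly_confidential": dict(auth={"biometric"}, countries={"CH"},
                                  networks=["10.0.0.0/8"], apps={"viewer": "2.3"},
                                  max_anomaly=0.3),
}

def _version(text):
    # Compare versions numerically, so that "2.10" is newer than "2.3".
    return tuple(int(part) for part in text.split("."))

def decide(classification, req):
    """Return (allowed, reasons); unknown classifications are denied."""
    rule = POLICY.get(classification)
    if rule is None:
        return False, ["data: unknown classification"]
    reasons = []
    if req.auth_method not in rule["auth"]:
        reasons.append("user: authentication too weak")
    if not req.device_compliant:
        reasons.append("device: not policy compliant")
    addr = ip_address(req.source_ip)
    in_network = any(addr in ip_network(net) for net in rule["networks"])
    if req.country not in rule["countries"] or not in_network:
        reasons.append("location: not permitted")
    minimum = rule["apps"].get(req.app)
    if minimum is None or _version(req.app_version) < _version(minimum):
        reasons.append("application: not approved or outdated")
    if req.anomaly_score > rule["max_anomaly"]:
        reasons.append("behavior: anomaly detected")
    return not reasons, reasons
```

The same request can be allowed for internal data and denied for strictly confidential data, because the requirements are attached to the data and not to the user.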