Posted by Kevin on May 20, 2015.
Over the last few years, three things have conspired to change the nature of information security. The cloud has multiplied the number of potential vendors, and associated third party risk, by thousands; mobility has multiplied the possible locations of corporate data by thousands; and compliance has mandated a provable and acceptable level of security. It has become an impossible job. It is impossible to secure everything. It is impractical to even secure what you can as well as you can. And yet compliance says you must.
The only realistic avenue is to take a risk management approach: to understand what the corporate crown jewels are, where they are kept, and how much it will cost the company if they were lost – and to concentrate on defending those.
Needless to say, once the crown jewels have been protected, there is less time and money to spend elsewhere.
The mobile problem
With less money to spend, it becomes attractive to allow BYOD rather than go to the cost of supplying staff with a corporate device. But that means that you have to control the access from dozens, probably hundreds and possibly thousands of individual devices over which you have little control.
The starting point has to be a mobile device management system (MDM); but that isn’t enough. The clue is in the name – it is a ‘management’ system, not primarily a security system. What MDMs are not good at is stopping zero-day malware. Once a mobile device has become infected it can attack the corporate network; but more specifically, it can steal any corporate data that resides on or passes through that device.
The cloud problem
The cloud has multiplied the number of vendors available to and used by companies. Many companies will now use hundreds of different vendors; the larger companies could easily use thousands. Each vendor needs to be vetted, and each vendor needs a separate contract (possibly a new contract every year). This is a logistical nightmare if not a logistical impossibility.
Risk management principles should be brought in to define different levels of risk associated with different vendor usage. If there is little or no risk, then you can spend little or no time on the relationship. But as the risk gets greater, so must the time and spend increase.
As a vendor grows in size, so does the likelihood that it has been through some form of third-party assurance or attestation and can present its own security credentials. This is good and helpful, but should never be accepted blindly at face value. Attestation is only as good and thorough as the third-party tester.
One issue sometimes overlooked is the vendors’ own suppliers. You can use your best efforts to ensure a secure relationship between you and the vendor; but is your vendor doing the same with its suppliers? How deep down this rabbit hole can or should you go? You should probably stop at your direct vendor, but include within any contract that it must confirm the security of its own suppliers – regularly.
The compliance issue
The only thing certain about compliance is that there is going to be more of it: more laws and more regulations. These regulations usually fall into one of two camps: one that tells you what you have to do, and one that tells you what you have to achieve. PCI is largely an example of the former while SOX is largely an example of the latter.
The problem with the former is that it can become a check-box approach to security. Since you must ‘legally’ achieve this minimum level of security, it becomes the maximum that is done. A risk approach to security is forgotten.
The problem with the latter is that guilt is based on discovery – and that could be a risk worth taking. Perhaps not in the US with SOX since the potential sanctions are severe, and discovery can be made by third-party auditors. It is different in the UK with the Data Protection Act. You are only guilty of breaking the DPA if you lose PII – and the most likely sanction from the Information Commissioner is a slap on the wrist with an enforced promise that you won’t do it again. Under these circumstances a strict application of risk management principles might conclude that it is more cost effective to accept the risk rather than pay for the security.
A possible solution
The difficulty is in how to marry these three separate problem areas with a single generic approach to security. We have said throughout that you have to rely on risk management principles. This is good, but not necessarily consistent. You can apply risk management to your mobile workforce, but that won’t catch everything. You can apply risk management to your vendors, or to both, but it still isn’t guaranteed to be complete.
In fact it is neither vendors nor users that are the problem – it is connections to your network. You don’t have to worry whether it is a user or a vendor – the issue is whether there is a connection. And if you concentrate on connections you find all the risks that you might otherwise miss: visitors, contractors, retired employees, old vendors and so on.
So if you switch your attention from specifically trying to control vendors and/or specifically trying to control BYOD to the more generic control over all connections you will achieve better security and, frankly, more certain compliance.
Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.