With the current threat landscape so complex, sophisticated and pervasive, all organizations need to pay strict attention to information protection to ensure that sensitive data is safeguarded, assets are protected and personal privacy is ensured. For many, that requires rethinking how security practices should be adapted.
Outdated Information Protection
Many enterprises have traditionally taken a fortress-like approach to security, looking to defend their perimeters and bolt down the hatches when an incident occurs. Typically, they have spent more on network security than on protecting the endpoints that connect to and interact with those networks. They are also known for being tight-lipped, keeping information regarding security incidents and approaches for defending against them to themselves, possibly in the belief that they will do a better job if other organizations don’t know what’s going on.
The perimeter approach is no longer sufficient. As the Jericho Forum, the work of which has now been morphed into the OpenGroup, has long espoused, networks have become deperimeterized. The group introduced the concept of the porous firewall, caused by more and more devices punching holes through seemingly sufficient controls. Endpoints are the new perimeter.
A recent Security Intelligence article looked at university security from a university CISO’s point of view. David Sherry, CISO at Brown University, raised a number of interesting points regarding information protection in the higher-education sector. He pointed to the decentralized nature of universities, the fact that bring-your-own-device (BYOD) has long been a factor to consider and the culture of information sharing among universities. Could enterprises learn from these bastions of academia to make themselves more secure?
The Extended Enterprise
Universities are highly decentralized. According to Neal Tilley, an IT education specialist with Alcatel-Lucent Enterprise, universities are characterized by “a complex mix of users, private and public areas, secure and open networks, and … a vast amount of personal and intellectual property information bouncing around them.” Sherry likened university security to protecting a small city, with vast numbers of disparate users and a variety of ancillary services offered, all of which require information protection.
Enterprises have recently seen their empires expand, as well. As PwC noted, today’s service economy is increasing the extent to which businesses rely on each other, including the use of specialized service providers for non-core competencies, such as data hosting and business process services, and the increased use of cloud services.
The PwC report showed that the business process outsourcing market in the U.S. alone will be 23.3 percent larger in 2017 than it was in 2012. This increases the number of third parties with access to corporate information. Businesses are also routinely extending access to corporate resources to suppliers, business partners and even customers. The economic downturn has played its part, as well, because organizations look to do more with fewer in-house resources to cut costs.
All of these factors expand the amount of and the reach of information that needs to be protected from unauthorized access. Yet data from Trustwave referenced during a presentation at RSA 2014 shows that 76 percent of breaches resulted from third parties. Enterprises should consider the stance taken by universities, ensuring that network traffic and information zones are effectively segmented.
Sherry noted that Brown University is effectively taking on the role of an Internet service provider (ISP) for some of the services that it offers, such as providing Web access in its residential accommodations and requiring the use of virtual private networks (VPNs), strong authentication and entitlements to gain access to secure areas of the network. Many enterprises focus primarily on ensuring secure access for employees, whereas many of the dangers they face originate from their extended enterprise.
Embrace Change
The consumerization of IT appears to be an unstoppable force, bringing with it the challenges of BYOD, unsupported applications and data filtering. While BYOD programs are on the rise, many businesses have been reluctant to fully embrace the opportunities enabled by the consumerization of IT. Universities, however, are ahead of the curve and have been dealing with these emerging technology trends for some time.
Sherry stated that it is not unusual for a student to own 10 or even 15 devices — computers, tablets, phones and wearables such as fitness trackers are common. Students are also keen proponents of file sharing. By catering to these trends, universities have found that modern technology is invaluable as a teaching aid in helping students and teachers succeed. It also makes for happier individuals because students can use the devices that they are familiar with and most comfortable using.
Enterprises must embrace technological change and take advantage of the benefits that it offers. The consumerization of IT offers opportunities for users to be more productive and more satisfied with their work environment, contributing to the success of the organization. At universities, increasing user awareness and enforcing acceptable use policies will do much for information protection in the new technology age, along with implementing strict access controls to ensure that all information is adequately protected.
Whether organizations know it or not, their employees will access file sharing sites, raising the potential for sensitive data to be leaked out of the organization. Data loss protection and data exfiltration controls are a must, but organizations should also consider providing their employees with a centralized, enterprise-grade service that is an acceptable alternative. For controlling who is on the network, what devices they are using and what applications are employed, network access controls and enterprise mobility management technologies have a key part to play.
Share Information for Better Security
Few industries have a culture of information sharing, even though sharing information with peers regarding security incidents or threats can provide critical, actionable information about the nature of the threat and the tactics of adversaries. Security information shared within a particular industry can be particularly useful since similar organizations often face similar threats.
Higher education is one sector in which information sharing is particularly prized. According to EDUCAUSE, this collaboration helps reduce the number of breaches, leading to fewer records being stolen and less money spent on costly remediating operations. By sharing information, universities are able to determine the best practices for defeating attacks and improving their overall security posture.
Universities are prized as places to learn. In terms of security and information protection, there are many lessons that they can teach enterprises. Organizations should look to the best practices that academia provides in order to better take advantage of the opportunities that innovative new technologies provide in a safe and secure manner.
Senior Analyst, Bloor Research