Diamonds and Paper Clips
Author(s): Linda Welch, Posted on December 3rd, 2015
There are many drivers in the IT environment that contribute to making things difficult in the security space. You may remember when Apple released the first iPhone during the 2007 holiday season. It promptly led to employees bringing their iPhones to work and wanting IT to hook them up to their corporate Microsoft Exchange system. When this wouldn’t work, that didn’t stop the enterprising and technically minded individuals. They realized they could take their corporate Microsoft Exchange account and forward their mail to their Gmail account where their iPhone could feed off of it. Of course this violates numerous corporate policies for transferring data. It took many releases later from both Apple and Microsoft to bring that New Year’s wish to a reality. Unfortunately, the battle between corporate IT and the consumer devices still continues today.
“New devices and services are everywhere and employees want to use them. The Consumerization of IT is causing our organization perimeters to crumble,” says Dave Frymier, vice president and chief information security officer at Unisys.
The rise of the Advanced Persistent Threat (APT) is heralded by the very sophisticated malware that you can’t tell is there. It sets up shop and starts looking laterally and vertically to find data of interest including your active directory, domain controllers, accounts payable data and other key corporate systems. Our adversaries attacking us are many including organized crime, hacktivists like Anonymous, China and other nation states.
“Most IT infrastructures were not developed with security in mind. Security was a second thought and is now bolted onto the side protecting everything the same way. This traditional approach doesn’t work against today’s advanced adversaries and continues to grow more expensive to support,” adds Frymier.
What does work? Encryption, when properly implemented with a modern cryptography algorithm and properly protected keys. Instead of protecting your extended perimeter that has holes, redraw the security perimeter around only your key assets and data. For example, your Human Resources database system would be classified as one of your diamonds that you need to secure while your daily tactical emails would be your paper clips that aren’t critical to your business. “A FIPS-199 risk analysis, a standard found on the Internet, can provide a guide to identify your diamonds and paper clips in your organization. This will help you build a compartmentalized security model based on need to know by identifying where your assets are and who is supposed to have access to them,” notes Frymier. Once you have done that, you can create a compartmentalized enterprise architecture classifying your assets as low, medium and high business impact if they are compromised. The high business impact items are your diamonds that you protect inside your compartmentalized perimeters denying access to anyone unauthorized.
“Fortunately, there is an emerging class of products now available that provide software defined communities of interest with strong encryption, endpoint protection and trusted encryption key management,” emphasizes Frymier. Unisys has developed a solution called Stealth™, a software-defined security portfolio delivering a consistent security methodology across the range of environments global enterprises need to secure – data center, cloud and mobile.
The Consumerization of IT is here to stay and we need to adapt to it. Today’s modern encryption methods that are properly implemented can keep your diamonds safe. Take the steps necessary now to identify and protect sensitive data to keep your enterprise safe from threats.
Dave Frymier recently presented at Harrisburg University Security Center of Excellence discussing the underlying causes of cybersecurity problems and strategies to mitigate them. Watch the livestream recording http://livestream.com/accounts/13547584/HUSecurity/videos/104791744