The traditional security perimeter is quickly fading away as data moves to mobile devices, cloud services, and other locations that exist outside the corporate network. Complicating the challenges that this presents is the growing trend of non-IT stakeholders making technology decisions and sourcing solutions on their own. The combination of these factors means that a modern security strategy needs to be agile, layered, and responsive to users.
Visibility into today’s enterprise data
Visibility is a cornerstone of any security strategy. You can’t secure information if you don’t understand where it lives, who has access to it, and how it’s being transmitted. In the past, visibility was very simple because data lived on servers within a secured data center or on PCs that were managed by IT. Data traveled across a corporate network managed by IT, and IT could easily see and manage information going to and from the Internet.
Today visibility is much more complex. Some data still lives on premises and on managed PCs, but increasingly data lives in the cloud, which may or may not be an IT-managed cloud, as well as across a range of apps and devices that may also be managed or unmanaged.
Although IT still has some direct visibility into the data moving across a corporate network and managed devices, that visibility isn’t complete. Unmanaged devices, particularly ones that don’t connect to the corporate network but do connect to cloud services, are opaque to IT.
Agility is now a key approach to security
Agility is a term most often associated with software development, but the agile model of frequent iteration to expand and fine-tune solutions or processes can be applied to almost any IT discipline (as well as virtually any business process).
Agility is fast becoming a core requirement for security. The threat landscape changes quickly, as do the devices, apps, and cloud services employed by individuals, specific teams, and entire business units. Modern operating systems and apps receive frequent updates that are sometimes delivered to users beyond IT’s control, and the features of cloud services are added and refined using an agile methodology. This means that a modern security model needs to be not only flexible, but able to adapt at a moment’s notice. The model must be able to easily and quickly accommodate changes to any of the components through which users access, share, or transmit information.
Layered and context-aware security is also critical
In addition to being agile, a successful modern security strategy needs to be layered. Security needs to be applied at the traditional network level, at the device, app, and service levels, and to the data itself. Security must also be contextually aware. Rather than just knowing that a user is connecting remotely, it’s important to understand what device or app they are using, the state of that device, and whether the connection is at an unusual time or from an unusual location.
Security now requires partnering with users
As I noted earlier, IT has limited visibility into unmanaged devices, and virtually none if the users of those devices rely on their own broadband connection rather than a corporate network. This scenario is the worst example of shadow IT and presents a severe security issue because it can be difficult or impossible to know if it is even happening. Without knowing whether data is being stored or shared in such a manner, there is little way to ensure that the data is secure.
The only real way to deal with the situation is by engaging the user community in a very real way. It needs to be an ongoing dialogue that educates users about security risks, including risks that affect their personal devices and information. It also needs to assure users that their personal information will be kept private if IT manages their devices.
Most importantly, this needs to be a two-way conversation in which IT listens to the needs and concerns of users and managers when it comes to solutions that they feel they need to use in order to get their job done effectively. As I noted in a recent post, this is one of the major reasons that IT needs to remain engaged in all technology decisions, including those made by non-IT stakeholders.
This is a new style of communication for IT and security professionals who are used to simply providing basic one-way communications about security threats, enterprise solutions, upgrades, and policies. While that type of message remains important, the tone of this additional communication needs to be distinct from it, both more personal and more open to response. It needs to build a trusting relationship. Like every other area of IT, security needs to adapt to the realities of a Mobile First world. Also like other disciplines, this requires a shift in mindset and culture. That shift is key to ensuring an effective and successful security strategy.