Guest post by Matthew Pascucci, Information Security Writer and Practitioner.
This should come as no surprise, but the network perimeter is disappearing, or at least it’s getting very blurry. If this is a surprise, there’s a chance you’ve been living in a cave or in a coma for the past couple of years.
IT security needs to find ways to protect its data while employees are on the move. It’s estimated that about a third of employees need, or already have, the ability to work remotely instead of within the confines of the “traditional office”. Long gone are the days when employees had to come into the office to reach the data they need.
Today we have employees connecting to the network from customer sites, from home, from coffee shops, and so on. Just like the quote from Jurassic Park, “Life will find a way”, users will always find a way to get the data they want. Not only are employees connecting to the network from a variety of locations, they’re doing so on a multitude of different devices: smartphones, tablets and laptops.
Using VPNs or HTTPS, these mobile devices are able to connect back to your data over a secure channel. These technologies let a sales team sit in a meeting at a client site with access to all the data they need. They let doctors pull up a patient’s complete medical record while meeting with that patient. They let the workforce read and respond to e-mail at any moment of the day. The jump in productivity, communication and collaboration is becoming a seamless part of everyday life. The issue that arises now is: how will you secure this crumbling perimeter?
Here are four things to consider:
- One thing that has helped dissolve the perimeter is the Internet itself, because of the vast number of ways you can connect over it. Locking down those connections so that only permitted users get in, and only over a secure channel, is a big challenge. One approach is an SSL VPN over the Internet, which gives users on a remote machine access to permitted systems and applications in a secure manner. Publishing that data through a portal lets a user reach the majority of their data from a web browser. Information security also needs to be aware of what data is leaving the company via external Internet storage sites like dropbox.com and yousendit.com, or a cloud provider. Many users who don’t have remote access will upload files to these sites so they can work remotely, opening a huge hole in your security and privacy programs. Disabling access to these sites and having proper policy and procedure in place can go a long way toward controlling how, when and what data users are able to access remotely.
- By using Next-Generation Firewalls (NGFWs) you can create user-based policies that track activity by user identity instead of only by IP address or protocol. Knowing what your users are doing at a more granular level will help you protect your data.
- Segment the network so that mobile and remote access is subject to different levels of security and filtering than access from within the company walls. Creating a separate wireless network inside your internal LAN, so that mobile users don’t have complete access to your corporate data, is recommended.
- Be aware of what data is leaving the network and determine how to secure it. If users will be accessing data outside the office with a mobile device, that device should have the proper security features installed so it can be managed securely. An example of this is using a mobile device management (MDM) solution to securely allow users to access data on their personal or corporate-owned devices. The organization must understand that this is its data, not the users’ data, and IT is responsible for making it both accessible and secure. Some questions for which you had better have a good answer include: if a user loses a smartphone with company files on it, do you have the ability to wipe that phone? Did it have a passcode on it? Was it encrypted?
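The four considerations above combine into a single access decision: who the user is (NGFW user policy), where they are connecting from (segmentation), and whether the device can be wiped, is locked and is encrypted (MDM). The following is an added example, not code from the original post; the policy table, groups, zones and resource names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    managed: bool    # enrolled in MDM, so it can be remotely wiped
    passcode: bool   # screen lock required
    encrypted: bool  # storage encryption enabled

@dataclass(frozen=True)
class Request:
    user: str
    group: str       # identity-based match, as NGFW user policies do
    zone: str        # where the user connects from: lan, wireless, vpn, internet
    resource: str
    device: Device

# Constructed policy table (hypothetical names): resource -> permitted groups and zones.
POLICY = {
    "email":           {"groups": {"staff", "sales", "clinical"}, "zones": {"lan", "wireless", "vpn"}},
    "crm":             {"groups": {"sales"},                      "zones": {"lan", "vpn"}},
    "medical_records": {"groups": {"clinical"},                   "zones": {"lan", "vpn"}},
}

def device_compliant(d: Device) -> bool:
    # Answers the three questions from the post: wipeable, passcode, encrypted.
    return d.managed and d.passcode and d.encrypted

def decide(req: Request) -> tuple[bool, str]:
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "deny: unknown resource (default deny)"
    if req.group not in rule["groups"]:
        return False, f"deny: group {req.group} not permitted for {req.resource}"
    if req.zone not in rule["zones"]:
        return False, f"deny: zone {req.zone} not permitted for {req.resource}"
    # Off the wired LAN the data leaves the building, so require device posture.
    if req.zone != "lan" and not device_compliant(req.device):
        return False, "deny: device not managed/locked/encrypted"
    return True, "allow"

def log_line(req: Request) -> str:
    # Audit by user and zone, not just by IP, so activity traces back to a person.
    ok, why = decide(req)
    return f"user={req.user} group={req.group} zone={req.zone} resource={req.resource} result={why}"

if __name__ == "__main__":
    good = Device(managed=True, passcode=True, encrypted=True)
    byod = Device(managed=False, passcode=True, encrypted=False)
    print(log_line(Request("dr.lee", "clinical", "vpn", "medical_records", good)))
    print(log_line(Request("dr.lee", "clinical", "wireless", "medical_records", good)))
    print(log_line(Request("sam", "sales", "vpn", "crm", byod)))
```

An unmanaged or unencrypted device is still allowed to reach e-mail from the wired LAN, but the same device is refused as soon as the request comes in over wireless or VPN.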
If you’re allowing data to leave your network, you need the option to secure and manage it remotely. That means verifying, as described above, that every mobile device, whether laptop, phone or tablet, has precautions in place to reduce the risk of data exposure.
The perimeter will continue to dissolve as the workforce becomes more mobile and as the need for remote access to data rises. With users now driving how, when and where data is accessed, we need to keep up with the business while securing it at the same time.
As an information security professional, you need not only to be aware of how to secure the data as it leaves the perimeter, but also to keep that data private once it’s “left the building”. Burying our heads in the sand or acting like it’s 1999 isn’t going to make us any more secure, and it will hurt the business in the long run. Reviewing users’ access needs, and where and when they’ll be accessing the data, will give you a good idea of the available options for striking that balance. Security can be an enabler that helps the business succeed.