Why user identity is becoming the new security perimeter

Digitalisation has many advantages, from increasing productivity to improving accessibility. However, every technology has its downside, and with digitalisation this comes in the form of increased organisational risk. So while we all benefit from being able to access networks from any location via a greater range of endpoint devices, and from using collaboration software, implementing agile working etc., by doing so we potentially increase the number of data egress points from our organisation’s network. All of this results in a significantly increased attack surface which those with malicious intent can target, and it enables them to utilise a much wider range of threat vectors.

First and foremost this is a business risk, not simply an IT risk. Every organisation needs to understand its position on risk and define this in policy – which requires a full understanding of assets, threats and vulnerabilities. The organisation needs to invest in the right level of resistive strength to balance against the increasing threats and threat vectors, taking into account the cost to the business if a threat succeeds. This requires board level commitment and appropriate commercial cover.

Designing networks from the inside out

From an IT perspective, addressing the risks arising from digitalisation means taking a fresh look at network architecture. The perimeter security architecture of enterprise networks has traditionally been designed from the outside in, using a ‘castle and moat’ or a ‘hub and spoke’ approach. This needs to be re-examined, along with the relevance of MPLS connectivity, firewalls and VPNs, as it is no longer enough, in terms of value, simply to secure traffic emanating from data centres.

Today’s networks should be designed from the inside out, based on a consideration of data flows and security stacks. And it is not just infrastructure that is important. Compliance frameworks and policies may no longer be relevant or can inhibit agility, and so will have to be constantly reviewed and rewritten – particularly as we move to a world of software defined networks, where policy and compliance are the main considerations in access to resources.

In a digital world, security has to be built into infrastructure, business applications and solutions from the moment that they are conceived, not just considered post development. We then need to challenge existing trust levels and move towards a point of zero trust – a granular implementation of security boundaries, termed micro segmentation, which restricts unrequired and unwanted lateral movement of traffic between systems and in user access.

Implementing zero trust – or restricted trust – begins with a full understanding of access management and the aligning of rights, privileges and behavioural patterns that are built into policies. It means implementing least privilege and default deny policies for each user and each system, with clear processes to elevate rights on approval. This should be accompanied by the ability to monitor and log access and failed access. We also need to incorporate data protection into system design. The mapping of personal data needs to be considered carefully, in the light of GDPR, and zero trust can be built into systems in such a way as to restrict or prevent any data loss.
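To make the default deny, elevation-on-approval and logging requirements above concrete, here is a small policy check written for this page as an added example; it is not code from the author or from any product. The PolicyEngine class, the users and the hr-db resource are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class PolicyEngine:
    # Standing least-privilege grants: (user, resource) -> allowed actions.
    grants: dict = field(default_factory=dict)
    # Approved, time-boxed elevations: (user, resource, action) -> (approver, expiry).
    elevations: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def elevate(self, user, resource, action, approved_by, now, minutes=60):
        # Elevation needs an approver other than the requester and always expires.
        if not approved_by or approved_by == user:
            raise PermissionError("elevation requires a separate approver")
        expiry = now + timedelta(minutes=minutes)
        self.elevations[(user, resource, action)] = (approved_by, expiry)

    def check(self, user, resource, action, now):
        allowed, reason = False, "default-deny"   # deny unless a rule matches
        approver, expiry = self.elevations.get((user, resource, action), (None, now))
        if action in self.grants.get((user, resource), set()):
            allowed, reason = True, "standing-grant"
        elif approver and now < expiry:
            allowed, reason = True, f"elevated-by:{approver}"
        # Record every decision, so failed access is as visible as granted access.
        self.audit.append({"ts": now.isoformat(), "user": user, "resource": resource,
                           "action": action, "allowed": allowed, "reason": reason})
        return allowed

def demo():
    # Constructed users, resource and times, for illustration only.
    t0 = datetime(2019, 6, 18, 9, 0)
    pe = PolicyEngine(grants={("alice", "hr-db"): {"read"}})
    results = [pe.check("alice", "hr-db", "read", t0),    # standing grant
               pe.check("alice", "hr-db", "write", t0)]   # no rule: denied
    pe.elevate("alice", "hr-db", "write", approved_by="bob", now=t0, minutes=30)
    results.append(pe.check("alice", "hr-db", "write", t0 + timedelta(minutes=10)))
    results.append(pe.check("alice", "hr-db", "write", t0 + timedelta(minutes=45)))
    results.append(pe.check("mallory", "hr-db", "read", t0))  # unknown user
    return results, pe.audit

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The fourth check is denied because the 30-minute elevation has lapsed, and the audit list holds all five decisions, including the three denials.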

Users are the new security perimeter

In a zero trust network, access management is aligned to user management. For effective security, organisations need to know who is accessing what data, when, where and why, so that they can wrap security around how their users actually work. For example, if someone is logging into the network at 10pm, is this normal behaviour? What applications and data are they accessing, and should this set alarm bells ringing?

In effect, users are becoming the new security edge, and identity management is becoming the new perimeter management.

To apply user management effectively, organisations first need to fully understand access behaviour across system users (the Who, What, When, Where and Why). There are many analysis tools available within existing applications. For example, Microsoft provides a number of analysis tools within the Office 365 suite, depending on which licenses an organisation has purchased, including advanced threat analytics and advanced threat protection. These systems analyse the environment and who is doing what, where and when. They are self-learning and will work towards a point when they will only alert you when they detect abnormalities in access and traffic flow. However, organisations still need the resources to map their environment and the behaviour of their users so that they can tune these tools to create a picture of normal working at the organisation.
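The 10pm question above only has an answer relative to each user's own baseline. The following added example (written for this page, not taken from the author or from any Microsoft tool) builds a per-user profile of hours, sources and applications from a constructed sign-in log and then reviews new events against it. The log format, user names and the one-hour tolerance are assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log: timestamp,user,source,application
BASELINE = """\
2019-06-10T08:55:00,jsmith,office-lan,mail
2019-06-11T09:10:00,jsmith,office-lan,crm
2019-06-12T17:40:00,jsmith,office-lan,mail
2019-06-10T21:30:00,nightops,vpn,backup-console
2019-06-11T22:05:00,nightops,vpn,backup-console
"""
NEW_EVENTS = """\
2019-06-18T09:20:00,jsmith,office-lan,mail
2019-06-18T22:00:00,jsmith,vpn,finance-share
2019-06-18T22:10:00,nightops,vpn,backup-console
"""

def parse(text):
    for row in csv.reader(io.StringIO(text)):
        if row:  # skip blank lines
            ts, user, source, app = row
            yield datetime.fromisoformat(ts), user, source, app

def build_profiles(text, slack_hours=1):
    # Per user: hours seen (widened by slack_hours), sources seen, applications seen.
    prof = defaultdict(lambda: {"hours": set(), "sources": set(), "apps": set()})
    for ts, user, source, app in parse(text):
        p = prof[user]
        p["hours"].update((ts.hour + d) % 24 for d in range(-slack_hours, slack_hours + 1))
        p["sources"].add(source)
        p["apps"].add(app)
    return prof

def review(text, prof):
    alerts = []
    for ts, user, source, app in parse(text):
        p = prof.get(user)  # .get() does not create a profile for unknown users
        if p is None:
            alerts.append((ts.isoformat(), user, ["unknown-user"]))
            continue
        why = [label for label, odd in (("unusual-hour", ts.hour not in p["hours"]),
                                        ("new-source", source not in p["sources"]),
                                        ("new-application", app not in p["apps"])) if odd]
        if why:
            alerts.append((ts.isoformat(), user, why))
    return alerts

if __name__ == "__main__":
    for alert in review(NEW_EVENTS, build_profiles(BASELINE)):
        print(alert)
```

Only the 22:00 jsmith event is flagged, on all three dimensions; the nightops sign-in ten minutes later matches that account's baseline and stays quiet.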

User management should be accompanied by robust cyber security training and awareness and acceptable use policies linked to HR policies. There should be ongoing training to ensure that all new cyber threat vectors are understood by users and mitigated effectively.

Finally, it is vital to securely manage access to company resources from mobile and other devices, especially where staff are permitted to use personal devices (i.e. BYOD, BYOT and the IoT). Multi-factor authentication should be implemented, along with Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile Identity Management (MIM) where data security is important.

Handling threats means logging everything

Logging user behaviour as outlined above will help organisations to understand what is ‘normal’ in their network and for their users. This information can also be used for compliance analytics, which involves gathering and storing relevant data and mining it for patterns, discrepancies, and behavioural abnormalities. Compliance analytics helps companies proactively identify issues and provide appropriate remediation actions.

All of the above may sound like a huge amount of work. However, it is worth remembering that most security breaches come from failures in basic security defences and not from complex attacks. In order to minimise the risks, organisations should begin by implementing basic security correctly, and setting data access based on roles and attribute based policies, before moving on to more complex analytics.

Neville Armstrong, Service Strategist, Fordway Solutions

Image Credit: Geralt / Pixabay
