First it was the “consumerization of IT” around 2009, followed by cloud computing, SaaS, BYOD, and mobile computing. In aggregate, these trends are truly leading to an environment where IT is losing control. Devices, personal productivity software, business applications, and file servers have taken on a life of their own.
On balance this is a good thing – employees become more productive, capital costs decrease, new applications improve communications, etc. Of course these are great business benefits but they create one big Excedrin headache for CISOs. Diminished IT control leads to grey areas and blind spots. It’s hard to add strong security when you have little understanding of what’s going on.
In spite of security issues, the cloud, mobile, and SaaS horses have already left the barn. What should CISOs do? I’ve had this exact discussion multiple times over the past few weeks. My advice is simple: When you lose control in some areas, make sure to tighten control in others. To be more specific, CISOs need to bolster their knowledge and control around:
- User identities. Passwords are the “Weekend at Bernie’s” of security technology – they’ve been dead for years but we continue to drag them around the Internet party. As IT loses control we need better methods for Identity and Access Management (IAM), which likely means broader use of PKI, digital certificates, biometrics, and adaptive authentication. Geeky, expensive stuff? Yes, but also an area with a lot of activity. I like the NSTIC (National Strategy for Trusted Identities in Cyberspace) framework from NIST, and identity services from McAfee, Ping, and Symantec hold promise. I also like the innovation coming from Nok Nok Labs and the FIDO (Fast IDentity Online) protocol, which holds the promise of eliminating passwords entirely. Wouldn’t that be nice!
- Device identity. Source/destination IP addresses are no longer enough; you now need to know definitively what type of device wants to connect to what, as well as the state and behavior of each device. In other words, I need to understand that an Android device wants access to e-mail but that this particular device has no MDM agent on it, its camera and GPS are on, and it contains a lot of questionable applications. Oh, and I need to know this immediately, not in 2 hours after I gather a bunch of disparate reports. This will require a bunch of things, including digital certificates on devices (or an equivalent technology), MDM solutions from Good and MobileIron, and the return of strong NAC technologies from vendors like Bradford Networks and Forescout.
- Data discovery, identification, and classification. This is a particular area of weakness at most organizations, which have no idea what sensitive information they have, where it resides, and who uses it. This alone should set off alarms with the Chief Risk Officer. Data discovery, classification, and governance are usually a manual slog, but I’ve seen some promising technology from Dell and Guidance Software that could help automate this tedious but necessary work.
- Security analytics. We need better continuous monitoring, situational awareness, and incident detection. Yes, this means more data collection and analysis, but we can’t depend upon hotshot security professionals sitting in front of flat-screen monitors, because there aren’t enough of these guys to go around. Instead we need analytics tools with better canned intelligence and automation. I’m seeing some promising new stuff here from Click Security, IBM, Lancope, Narus, Packetloop, RSA Security, and Solera Networks, amongst others.
To be clear, we need better control over these things so we can feed current activity into some type of risk-scoring algorithm. Once we understand areas of risk, we can then adjust policies, controls, and what we monitor. As part of these requirements, we need granular, intelligent, integrated technologies that let us control and monitor what’s going on at all times. This is the only way to achieve business benefits while managing increasing risk.
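As an added example (not code from the post or from any vendor named in it), here is how the device posture signals from the device identity bullet, the authentication strength from the user identity bullet, and the data classification from the data bullet might feed one risk-scoring decision. The signal names, point weights, and thresholds are assumptions chosen for illustration, not a published model; the sample request is the unmanaged Android device the post describes, constructed here.

```python
"""Risk-scoring an access request from device, user, and data signals.

Added illustrative example; the field names, weights, and thresholds are
assumptions for this demo, not any vendor's scoring model.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # allow only after stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    # Device identity/posture (assumed fields, as an MDM or NAC feed might report them)
    device_type: str
    has_mdm_agent: bool
    has_device_cert: bool
    camera_on: bool
    gps_on: bool
    untrusted_app_count: int
    # User identity: how the user authenticated
    auth_method: str          # "password" | "certificate" | "biometric"
    # Classification of the data being requested
    data_classification: str  # "public" | "internal" | "confidential"


# Assumed risk points per authentication method (weaker = more points).
AUTH_RISK = {"password": 20, "certificate": 5, "biometric": 0}
# Assumed score at which each data class demands step-up auth; deny sits DENY_MARGIN above.
STEP_UP_THRESHOLD = {"public": 80, "internal": 50, "confidential": 30}
DENY_MARGIN = 30
MAX_COUNTED_APPS = 10  # cap so a single signal cannot dominate the score


def risk_findings(req: AccessRequest) -> list[tuple[str, int]]:
    """Return (reason, points) pairs explaining the score. These are what you
    would log to the analytics platform next to the decision."""
    findings = []
    if not req.has_mdm_agent:
        findings.append(("no MDM agent", 30))
    if not req.has_device_cert:
        findings.append(("no device certificate", 25))
    if req.camera_on:
        findings.append(("camera enabled", 5))
    if req.gps_on:
        findings.append(("GPS enabled", 5))
    apps = min(req.untrusted_app_count, MAX_COUNTED_APPS)
    if apps:
        findings.append((f"{apps} untrusted apps", apps * 3))
    auth_points = AUTH_RISK.get(req.auth_method, 30)  # unknown method treated as weak
    if auth_points:
        findings.append((f"auth method {req.auth_method}", auth_points))
    return findings


def risk_score(req: AccessRequest) -> int:
    return sum(points for _, points in risk_findings(req))


def decide(req: AccessRequest) -> tuple[Decision, int, list[str]]:
    """Map score plus hard rules to an access decision with its reasons."""
    score = risk_score(req)
    reasons = [reason for reason, _ in risk_findings(req)]
    # Hard rule, independent of the score: confidential data never goes to a
    # device we cannot manage or wipe, however strong the user's authentication.
    if req.data_classification == "confidential" and not req.has_mdm_agent:
        return Decision.DENY, score, reasons + ["confidential data to unmanaged device"]
    threshold = STEP_UP_THRESHOLD.get(req.data_classification, STEP_UP_THRESHOLD["confidential"])
    if score >= threshold + DENY_MARGIN:
        return Decision.DENY, score, reasons
    if score >= threshold:
        return Decision.STEP_UP, score, reasons
    return Decision.ALLOW, score, reasons


# Constructed sample: the Android device from the post, asking for e-mail (internal data).
SUSPECT_ANDROID = AccessRequest(
    device_type="android", has_mdm_agent=False, has_device_cert=False,
    camera_on=True, gps_on=True, untrusted_app_count=12,
    auth_method="password", data_classification="internal",
)

if __name__ == "__main__":
    decision, score, reasons = decide(SUSPECT_ANDROID)
    print(decision.value, score, reasons)
```

The point of returning the reasons alongside the score is the post's last paragraph: a score alone tells you to block or step up, but the reasons tell you which control to tighten (push the MDM agent, issue a device certificate) and which signal to keep monitoring. Unknown data classes and unknown authentication methods fall back to the most conservative setting, so a gap in the data discovery work degrades toward denial rather than toward silent access.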