In the first of a two-part blog series, The Seven Deadly Sins of User Access Controls, my colleague Jean Gordon Kocienda provided fresh insights into overly-permissive user access controls as a common underlying cause of data breaches. In this blog, I address the solutions to those “Seven Deadly Sins” with a modern twist on the antiquity typically known as the “Seven Wonders.”
Information Security professionals need to address user access control in the context of today’s complex threats, coupled with a fast changing IT landscape. Long gone are the days of only a few with a need to know and key corporate assets being housed behind the enterprise perimeter. We have shifted to an agile, data-centric environment with increasing user populations who may also be third-party suppliers or contractors needing fast access to assets that were previously off limits. And, it’s not just massive volumes of data that need protecting; it’s access to critical work streams and transactions too.
Read More »
Tags: access control, automation, mindfulness, security, training
2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.
Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has gotten so sophisticated and targeted, we can hardly blame the employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker establishes his credentials as the compromised employee, he potentially can gain access to whatever that employee uses. One attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.
Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?
Read More »
Tags: access control, data breaches, phishing, security, social engineering
“It’s not secure enough… so we are not going to allow it to happen.”
Does this phrase seem all too familiar?
Today, IT and business leaders are faced with the challenge of securing any user from any location on any device with access to any information. At times, it can be a daunting road to travel on the path towards true enterprise mobility security. This is especially true as the combination of sophisticated threats and new mobile capabilities and applications are continuing to shape the role and evolution of security controls and policies.
As the mobile endpoint becomes the new perimeter, how can organizations evolve their mobility security policies to mitigate risk? Is protecting information at the data or device level the way to keep employees and assets secure when users conduct business on untrusted networks?
Recently, I had a chance to participate in a new Future of Mobility podcast with Dimension Data’s Stefaan Hinderyckx, to discuss the biggest challenges our customers are seeing as they deploy enterprise mobility security solutions.
Many CSOs that Stefaan speaks with are seeing the clear and present danger of opening their networks, devices and applications to a new mobile world. Yet, many are not shying away from the benefits that enterprise mobility offers. They say:
“Mobility is inevitable. It’s happening and we need to embrace it and deliver it for the business.”
With this in mind, how can IT and business leaders address key challenges and embrace a holistic approach to secure enterprise mobility?
Complexity: There Are No Boundaries Anymore
One of the biggest challenges our customers are seeing is the increase in complexity as they work to meet business needs through mobility, all while keeping users and assets secure.
Simply put, there are no boundaries anymore. There is no place you can put a firewall to make things secure on the inside and insecure on the outside.
A major reason for this complexity is the result of approaching security in a siloed manner. It can be complex to try to secure the device, data on the device, the user and the network in a disparate way!
IT and business leaders need to work together to make the whole environment secure. It is no longer enough to find point solutions to data-centric or device-centric controls, the only way to be confident in your approach is to build a holistic strategy.
Read More »
Tags: access control, Data Classification, Holistic Strategy, mobility, policies, security, Security Control
I remember growing up in the UK years ago during the UK’s ‘North Sea Oil Boom’. It was a time of great excitement and opportunity for the nation. A whole industry was developed to deal with offshore exploration to ‘bring the energy home’.
It was Aberdeen’s local ‘moon landing’ event – just five months after Neil Armstrong landed on the moon, the North Sea oil fields were discovered off the east coast of Scotland. Certainly parts of Scotland, Aberdeen especially, saw an uptick in employment from the gloomy ’60s, and the economy changed from rural farming, fishing and textiles to include a more industrial oil and gas setting. Employment, property prices and investment in the City boomed.
Ferguson is a great Scottish name, but the founder is a great example of how folks were attracted from outside Scotland (founder Bill Ferguson Jr. is an American) to help further the oil industry in Scotland. Today, Ferguson Group are a key part of the Aberdeen economy, as a leading suppliers of containers, accommodations, and workspace modules for the offshore energy industry (now worldwide).
I thought I’d share how Ferguson conquered a business challenge – namely protecting high-value equipment and, at the same time, use a standardized system and process worldwide whilst keeping up with industry security standards.
As Graham Cowperthwaite said in a recent article: “For years our headquarters in Scotland relied on an analog video security system”. Graham is director of operations at Ferguson Group, and went on to say “That system wasn’t meeting our needs in terms of image quality and remote accessibility.” He added: “For example, our board members are often traveling between bases, and want to have the ability to check back on facilities from any networked location, even from an iPad. We simply couldn’t do that with an analog system.”
So Ferguson switched from a an analog security system to an IP-based solution, from Cisco. And it wasn’t just cameras and door hardware. They also needed to consider the security and reliability of the network on which camera images and access history would be transmitted and stored.
“We looked at other physical security offerings on the market, but nothing came close to Cisco in terms of comprehensiveness,” says Graham Cowperthwaite. “Only Cisco could provide us with a total combination of Cisco IP video cameras, door readers, firewalls, and routers, all available globally with the highest levels of vendor support. We were already a Cisco house in terms of our network infrastructure, and the interoperability of these solutions fit in perfectly with our goals for standardization.”
Ferguson Group now relies on the Cisco® Video Surveillance Manager to monitor its entire facility in Aberdeenshire, including doors, buildings, and the many valuable assets in the company’s storage yard. Supervisors on the Ferguson network can access live, high-quality footage on a laptop or mobile device. They can even review recorded footage as necessary. This all runs on an integrated Cisco architecture (based on Cisco Desktop Virtualization with VMware (VXI), running on the Cisco Unified Computing System™ (UCS®), for the techies amongst you!).
The business results? Read More »
Tags: access control, Energy, ferguson group networking, ip video surveillance, oil and gas, physical security, rigs, security, UCS, vdi, vxi
Cisco IT is deploying Identity Services Engine (ISE) globally. ISE is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. We’re running ISE 1.2 Patch 3 globally and evaluating Patch 5 for its guest networking enhancements. Over the next few months, I’d like to share some of our best practices and lessons learned as we continue our ISE deployment. Much of the background and deployment work before my blog can be found in this published article. Read More »
Tags: access control, Cisco IT, coc-security, Identity Services Engine, ISE, it security, security, security policy management