In conventional security thinking, IT security at most enterprises follows the old ‘Industrial Security Model’: assets are held within a perimeter, users must enter the perimeter physically or logically (LAN/VPN) to access them, and the perimeter is guarded by a gatehouse or guard. In other words, this is a perimeterised computer network, where data and applications are attached to the network and protected by firewalls with access lists, IPS/IDS, endpoint protection and so on. The model works well as long as the guard knows the people entering the perimeter, all assets are kept inside it, and changes to the perimeter, the gatehouse or the employees are rare.
Now consider the scenarios below.
- An enterprise outsourcing its back-office work and using third-party contractors.
- An enterprise using one or many managed service providers (offshore, onshore, nearshore etc.) for its IT, call centre and back office, where the monthly employee attrition rate is high.
- An enterprise using cloud computing models such as SaaS, IaaS and PaaS from different service providers.
- An enterprise whose people move around the world with their own devices for work and want access to email, data, applications and collaboration tools.
- An enterprise where email, data, applications and collaboration tools are hosted within the enterprise, outside it, in public clouds, in hybrid setups etc.
- An enterprise where millions of Internet of Things (IoT) devices are going to be connected.
The scenarios above bring de-perimeterisation: data and assets are everywhere. This brings business agility and gives users mobility, but how can the ‘Industrial Security Model’ be applied to it? This is where the need for an ‘Identity and Data Driven Security Strategy’ comes into the picture.
An Identity and Data Driven Security strategy is based on the three principles below and their supporting attributes, which are interlinked. The details of the security controls needed to achieve the strategy are not discussed in depth in this article; it is intended to give a strategic overview and a thought process for CISOs defining a next-generation security strategy.
The Objective and Approach
The objective of Identity and Data Driven Security is to identify, define and use the three principles (Users, Devices and Applications or Data) for preventive, detective and reactive security controls. The security controls will be a combination of
The first step in the Identity and Data Driven Security approach is to define the attributes associated with each principle.
- User Details, e.g.: User Name, User Department or Function, User Work Location / Country, User Working Hours, HR Information
- User Status, e.g.: Normal User, User On Notice Period, User On Watch List
- User Type, e.g.: Business User, Privileged User (Administrator, Data Scientist, R&D Officer etc.)
- Device Details, e.g.: Time, Location, Device Type, Browser Type, Personal or Corporate Device
- Applications or Data:
  - Critical Applications or Systems where availability is extremely important (critical infrastructure such as power grids, telecom systems, utilities management systems etc.)
  - Sensitive Access (SA) Profiles (Salary, M&A Documents etc.), Classified Data, Databases, Credit Card systems etc.
Once the above principles and attributes are defined and documented, enterprises can start defining policies and security controls based on potential use cases, irrespective of where the user is accessing from and where the data or systems are hosted.
Some sample use cases:
- Based on the HR feed, automatically remove access to ‘Sensitive Profiles’ for a user who is on notice period.
- Ensure that a user on notice period accessing Critical Data is monitored, any anomaly is identified and the right action is taken.
- Allow or deny access to highly sensitive data based on the location the user is accessing from, the time of day, the device type etc.
- Step up authentication with a second factor (2FA) based on the criticality of the resource the user is accessing, the time of day, the device type etc.
- Implement second-factor authentication for all users accessing sensitive profiles.
- Ensure security controls are applied dynamically based on data classification and the location of the data (cloud, mobile device, on premise etc.).
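As an added illustration (not from the article), the sample use cases above expressed as a single attribute-based policy decision in Python: the user, device and resource attributes from the previous section go in, and an allow/deny decision with the controls to enforce (2FA, monitoring, DLP) comes out. The attribute names, decision labels and sample principals are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class User:
    status: str              # "normal", "notice_period" or "watch_list" (from the HR feed)
    country: str             # work location
    work_hours: tuple        # (start, end) as datetime.time
@dataclass(frozen=True)
class Device:
    corporate: bool          # False for a personal (BYOD) device
    country: str             # where the request originates
    access_time: time        # local time of the request
@dataclass(frozen=True)
class Resource:
    classification: str      # "public", "internal", "sensitive" or "highly_sensitive"
    critical: bool           # availability-critical system (power grid, telecom, utilities)
    sensitive_profile: bool  # Sensitive Access profile (Salary, M&A documents, ...)
    location: str            # "on_prem", "cloud" or "mobile"

def evaluate(user, device, resource):
    """Return ('ALLOW'|'DENY', obligations); names and labels here are illustrative assumptions."""
    off_hours = not (user.work_hours[0] <= device.access_time <= user.work_hours[1])
    risky_context = off_hours or not device.corporate or device.country != user.country
    sensitive = resource.classification in ("sensitive", "highly_sensitive")
    # Use case 1: a user on notice period loses Sensitive Profile access outright.
    if user.status == "notice_period" and resource.sensitive_profile:
        return "DENY", {"notice_period_sensitive_profile"}
    # Use case 3: highly sensitive data only from a corporate device, in country, in working hours.
    if resource.classification == "highly_sensitive" and risky_context:
        return "DENY", {"highly_sensitive_context"}
    obligations = set()
    # Use cases 4 and 5: 2FA for sensitive profiles; step-up 2FA for critical resources or a risky context.
    if resource.sensitive_profile or resource.critical or risky_context:
        obligations.add("require_2fa")
    # Use case 2: notice-period or watch-list users on critical or sensitive data are monitored.
    if user.status in ("notice_period", "watch_list") and (resource.critical or sensitive):
        obligations.add("enhanced_monitoring")
    # Use case 6: controls follow the data; sensitive data held off premises gets DLP inspection.
    if sensitive and resource.location != "on_prem":
        obligations.add("dlp_inspection")
    return "ALLOW", obligations

# Constructed sample principals and resources (not real data).
WORK_HOURS = (time(9, 0), time(18, 0))
ALICE = User("normal", "GB", WORK_HOURS)
BOB = User("notice_period", "GB", WORK_HOURS)
CORP_LAPTOP = Device(True, "GB", time(10, 30))
PERSONAL_PHONE = Device(False, "IN", time(23, 15))
SALARY = Resource("highly_sensitive", False, True, "on_prem")
```

The same `evaluate` call runs whether the user sits in the office, on a personal phone abroad or against a cloud-hosted resource; only the attributes change, which is the point of the strategy.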
Security was simpler in the past. When the world was contained, it was easy to ensure security with firewalls, routers, encryption and anti-virus tools. In today’s world the challenge is quite different. The next-generation CISO will need to devise a security strategy that safeguards the enterprise and its data when users and devices change frequently and access from different locations. User demands are increasing and the business expects high agility. It is a completely different proposition, made enormously difficult by the economics and constraints of numerous legacy systems and practices.
All data and information provided in this article is for informational purposes only. The author makes no representations as to the accuracy, completeness, suitability or validity of any information in this article and will not be liable for any errors, omissions or delays in this information or any losses, injuries or damages arising from its display or use. All information is provided on an as-is basis.