New Age Firewall - Identity and Data Driven Security

Introduction


In conventional security thinking, IT security at most enterprises follows the old ‘Industrial Security Model’: assets are held within a perimeter, users must enter that perimeter physically or logically (LAN/VPN) to reach the assets, and the perimeter is guarded by a gatehouse or guard. In other words, this is a perimeterised computer network, where data and applications are attached to the network and protected by firewalls with access lists, IPS/IDS, endpoint protection and so on. The model works well as long as the guard knows the people entering the perimeter, all assets are kept inside it, and changes to the perimeter, the gatehouse or the employees are rare.


Now consider the scenarios below.

  • An enterprise outsourcing its back-office work and using third-party contractors.

  • An enterprise using one or many managed service providers (offshore, onshore, nearshore etc.) for its IT, call centre, back office etc., where the monthly employee attrition rate is high.

  • An enterprise using cloud computing models such as SaaS, IaaS and PaaS from several different service providers.

  • An enterprise whose people move around the world with their own devices for work and want access to email, data, applications and collaboration tools.

  • An enterprise whose email, data, applications and collaboration tools are hosted inside the enterprise, outside the enterprise, in public clouds, in hybrid arrangements, etc.

  • An enterprise where millions of Internet of Things (IoT) devices are going to be connected.

These scenarios bring de-perimeterisation: data and assets are everywhere. That brings business agility and gives users mobility, but the ‘Industrial Security Model’ cannot be applied to it. This is where the need for an ‘Identity and Data Driven Security Strategy’ comes into the picture.


The Identity and Data Driven Security strategy is based on the three principles below and their supporting attributes, which are interlinked. The security controls needed to realise the strategy are not discussed in detail in this article; it is intended to give a strategic overview and a thought process for CISOs defining a next-generation security strategy.


The Objective and Approach


The objective of Identity and Data Driven Security is to identify, define and use the three principles (Users, Devices and Applications or Data) for preventive, detective and reactive security controls. The security controls will be a combination of 


The first step in the Identity and Data Driven Security approach is to define the attributes associated with each principle.


  1. Users

    • User Details, e.g. user name, department or function, work location / country, working hours, HR information
    • User Status, e.g. normal user, user on notice period, user on watch list
    • User Type, e.g. business user, privileged user (administrator, data scientist, R&D officer etc.)

  2. Devices

    • Device Details, e.g. time, location, device type, browser type, personal or corporate device

  3. Applications or Data

    • Critical applications or systems where availability is extremely important (critical infrastructure systems such as power grids, telecom systems, utilities management systems etc.)
    • Sensitive Access (SA) profiles (salary, M&A documents etc.), classified data, databases, credit card systems etc.

Once these principles and attributes are defined and documented, enterprises can start defining policies and security controls based on potential use cases, irrespective of where the user is accessing from and where the data or systems are hosted.


Some sample use cases:

  • Based on the HR feed, automatically remove access to ‘Sensitive Profiles’ for a user who is on notice period.

  • Ensure that a user on notice period who accesses critical data is monitored, that any anomaly is identified, and that the right action is taken.

  • Allow or deny access to highly sensitive data based on the location the user is accessing from, the time of day, the device type etc.

  • Step up authentication with a second factor (2FA) based on the critical resource the user is accessing, the time of day, the device type etc.

  • Require 2FA for all users who access sensitive profiles.

  • Ensure security controls are applied dynamically based on data classification and the location of the data (cloud, mobile device, on premise etc.).
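The use cases above are attribute-based policy decisions over the three principles. The following is an added illustration, not code from the article: a small policy evaluator that takes user, device and resource attributes and returns allow, deny or step-up (2FA), plus a monitoring flag for notice-period and watch-list users. The attribute values, approved countries and working hours are constructed for the example.

```python
"""Attribute-based access decisions for the sample use cases (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step-up (2FA required)"


@dataclass(frozen=True)
class User:
    name: str
    status: str        # "normal" | "notice_period" | "watch_list" (from the HR feed)
    user_type: str     # "business" | "privileged"


@dataclass(frozen=True)
class Device:
    corporate: bool    # corporate-managed device vs personal device
    country: str       # country the access originates from
    hour: int          # local hour of the request, 0-23


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # "internal" | "sensitive" | "critical"


ALLOWED_COUNTRIES = {"GB", "IN"}   # constructed policy value
WORKING_HOURS = range(8, 19)       # 08:00-18:59, constructed policy value


def evaluate(user: User, device: Device, resource: Resource):
    """Return (decision, monitor, reason); monitor=True flags the session for anomaly review."""
    monitor = user.status in ("notice_period", "watch_list")
    if resource.classification == "sensitive":
        if user.status == "notice_period":
            return Decision.DENY, monitor, "notice-period user: sensitive profile revoked via HR feed"
        if not device.corporate or device.country not in ALLOWED_COUNTRIES:
            return Decision.DENY, monitor, "sensitive data only from a corporate device in an approved country"
        return Decision.STEP_UP, monitor, "2FA is mandatory for every sensitive-profile access"
    if resource.classification == "critical":
        if device.hour not in WORKING_HOURS or not device.corporate:
            return Decision.STEP_UP, monitor, "critical system off-hours or from a personal device: step up"
        return Decision.ALLOW, monitor, "critical system, in hours, corporate device"
    return Decision.ALLOW, monitor, "internal resource"
```

Because the decision is a pure function of attributes, the same evaluator can sit in front of an on-premise application, a SaaS gateway or a mobile access broker.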


Conclusion


Security was simpler in the past. When the world was contained, it was easy to ensure security with firewalls, routers, encryption and anti-virus tools. In today's world the challenge is quite different. The next-generation CISO will need to devise a security strategy that safeguards the enterprise and its data while users and devices change frequently and access from different locations. Users' demands are increasing and the business expects high agility. It is a completely different proposition, made enormously difficult by the economics and constraints of numerous legacy systems and practices.


Disclaimer


All data and information provided on this article is for informational purposes only. The author makes no representations as to accuracy, completeness, suitability, or validity of any information on this article and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.
