Your IT security infrastructure, rebooted for 2015

Cloud, mobile, social media and other factors are conspiring to force companies to reevaluate their security infrastructure, from firewalls to authentication.

Consider the IT trends of recent years: the emergence of cloud computing and the "as-a-service" model, the growth of social media as a corporate marketing and collaboration tool, and the increase in the use of mobile technology — all of which have helped give rise to an increasingly distributed workforce.

With changes such as those taking place in an IT landscape where threats against diverse and dispersed systems and data are growing increasingly sophisticated, many organizations must consider overhauling — or at least enhancing — their information security strategies.

"Organizations should be continually evaluating their security infrastructure. Attackers are continually learning and changing tactics, and so must any security program if they wish to be successful," says Tyler Shields, a security and risk management analyst at Forrester Research.

"I think there has been an increased level of scrutiny of late in certain sectors, due to highly publicized breaches," Shields says. "Retail and financial services have been hit hard lately and are showing increased levels of vigilance in order to lessen additional difficulties."

Protect data, not systems

One of the more prominent trends in security today seems to be a move toward placing greater emphasis on protecting data than systems and applications. The high-profile security breaches at retailers such as Target and Home Depot have left companies more concerned about protecting customer data, and they're devoting more resources to the effort.

Wayfair, an online retailer that sells a range of home goods, has built a dedicated team to address the overall security environment and recently has targeted key initiatives and technologies — including mitigation, tokenization of sensitive data and multifactor authentication — to help expand and protect customer data.

"For the retail community, technologies and services targeted to safeguard customer data are in — and simple authentication is out," says Jack Wood, CIO at Wayfair. "In place of simple authentication, more online companies have various forms of two-factor authentication. Customers usually see this with security questions, or special images, after login."

Technologies such as firewalls are evolving to become more useful in today's environment, according to Wood. "Next-generation firewalls and two-factor authentication are invaluable tools in our arsenal," he says. "[They] are allowing us to measure the need for increased capacity and adjust ACLs [access control lists] on the fly with little to no impact on the business."

A big part of safeguarding data is educating users. "Security awareness and training has been a good change," Wood says. "It is amazing how much communication happens on the security mailing list. We are finding that employees are more willing to ask about suspicious email attachments or strange plug-ins."

By constantly evaluating industry data and its own site data, Wayfair "can provide a good risk assessment of potential threat vectors," Wood says. "Then we prioritize based on many factors, such as potential impact, cost and likelihood of attacks."

Be more proactive

Some organizations are aiming to be more proactive when it comes to detecting and thwarting security attacks.

"Our strategy is to shift from a lockdown mentality to rapid detection and response," says Michele Norin, CIO at the University of Arizona. "Our ability to be proactive about intrusions on our networks — and quickly identify, contain and eliminate threats — is one of the best things we can do."

That approach aligns with the new security framework just published by the National Institute of Standards and Technology (NIST).

Norin says that being proactive means having a greater understanding about the activities taking place on the university's campus network and watching for behavioral anomalies. It also means evaluating the security infrastructure to find out where improvements can be made.

"We continually evaluate our security environment to assess vulnerabilities, risk areas, strengths and, ultimately, necessary improvements to be made," she says. "As a large research institution, we often characterize ourselves as a small city in that the complexities we deal with involve a community made up of students, faculty, staff, parents, alumni and the general public."

The university has traditionally taken a multipronged approach to protecting the information assets of such a diverse constituency through awareness campaigns, layers of protective technologies, password-refresh programs, software tools, policies and guidelines, as well as the adoption of industry best practices. But recently the university's IT team has been feeling a greater sense of urgency when it comes to security.

"The methods used by hackers today to attempt breaches on our systems have grown to a new level of sophistication and intensity, causing us to quicken our improvement efforts," Norin says.

The biggest change in the university's security program is an effort to expand the view into its network traffic, usage patterns and performance anomalies. "Collecting more data involves expanding the logging feature provided by most hardware and software tools," Norin says. "Having more data to work with is allowing us to detect and resolve issues much faster and in a much broader fashion. So, in many cases, we can tell if an individual's account is compromised before they do."

For example, by evaluating VPN usage patterns, managers can understand which network traffic is legitimate and which isn't.

While there is still a place for technologies such as firewalls and passwords, Norin says, "we need a fresh approach to how we authenticate and protect." For example, she explains, "we're beginning to roll out a new two-factor authentication program that adds an extra step to our existing [identity management] and password mechanism." She declined to identify the specific security technologies the university is using.

The new NIST framework "is the context for how we are reshaping our program," says Norin, noting that the NIST approach revolves around the idea that organizations should assume that they have already been breached and therefore need to focus on quick detection and mitigation.

Consider where and how to store data

Companies are also changing where they store critical business data because of security concerns.

For example, Hargrove Inc., a trade show and event services company in Lanham, Md., is moving sensitive data off of main and often-used servers and isolating it in lesser-used systems, so fewer users will have access to it.

Even though most employees wouldn't have access to that data in the first place, "it is better to remove it altogether from those servers," says Hargrove CIO Barr Snyderwine. "We are adding additional storage and redefining the access to the files we create for projects. We are taking a more granular approach to allowing access to the files as well as the data related to the projects."

Hargrove is working on a project to update the technology that creates its file system, to ensure that it provides the correct level of access to each type of employee. It's also exploring the use of data loss prevention software, which is designed to detect potential data breaches and prevent them from having an impact by monitoring and blocking sensitive data while it's in use, moving across a network or being accessed or stored in data storage systems.

Also under consideration for Hargrove's 2015 security program is the use of third-factor authentication and biometric systems such as fingerprint-scanning technologies.

"From my perspective, all of the old standbys [such as firewalls and passwords] are still in place, but they are not enough," Snyderwine says. "We need to add new technologies and critically review who has access to what."

The company isn't concerned only about where data should be stored and who should have access to it; it also evaluates whether certain types of information should be stored at all and, if so, how long it should be kept.

To further safeguard its data, Hargrove is hiring a security firm to review its security measures and responses to incidents. That decision was driven by "heightened attacks in general" and the potential threats to the company and its reputation, Snyderwine says.

"We will be using the security firm to evaluate our overall security measures, policies and procedures," he explains. "I have some specific things for them to look at, including access, detection systems and response procedures. We are looking to improve and formalize the policies around data access and penetration."

The mobile factor

Among the biggest challenges companies face today is securing increasingly mobile IT environments, both in terms of safeguarding devices themselves and securing the means by which they access corporate information and networks.

"Mobility is pushing access and data outside of the traditional security controls and networks," says Forrester's Shields. "[IT] must adapt to the new paradigm and determine new ways in which we can secure data when it is highly transient and located on personal devices and hostile networks."

At Wayfair, mobile technology "is one of our largest areas of concern, as mobility represents a significant increase in attack entry points," Wood says. "It also introduces more operating systems, browsers and software to maintain. This will continue to be a concern as mobile becomes an increasingly more popular channel."

Wayfair's IT and security teams are leveraging big data to look for usage trends and customer patterns to refine the company's mobile security strategy. "As we see larger adoption of a particular platform, we can shift efforts, speeding up risk assessments and proactively managing vulnerabilities," Wood says. "Analytics and big data will let us know the most popular devices of our customers."

For example, if Android users represent the fastest-growing segment of customers, Wayfair will shift more engineering resources into features for Android devices.

"One of the challenges with mobile," says Norin, "is reminding people to treat their handheld devices just like they treat their computers — by using passwords, keeping software up to date, using 'find me' tools if available and watching for phishing scams."

She says the University of Arizona's mobile environment is quite diverse, given that most of the school's community is transient in nature. "Students come to campus with a variety of devices and usually three different devices per individual," Norin says. "Faculty and staff sometimes use departmentally issued mobile devices, or they can use their own."

Given the expansive growth in the use of mobile devices, and the inherent complexity of mobile technology in general, the university is re-evaluating its policies to determine what needs to change, Norin says.

Mobility is a concern for Hargrove as well. "We have to be mobile due to our business, and we need to make sure we understand the use case and release of data to the mobile device," Snyderwine says.

To strengthen mobile security, the company relies on usage policies and Microsoft Exchange Server to manage mobile usage of its data and of applications such as email.

Hargrove will be evaluating other products to further enhance the security of data on mobile devices. Snyderwine says that he hopes to adopt technologies that give IT the ability to encrypt data and wipe only company data from users' devices. The company also is looking to evaluate mobile device management software this year.

Increased mobility is just one of the many security challenges facing organizations today. As with other aspects of IT, the only constant with security is change — and those organizations that keep up with the changes will have the greatest likelihood of success in protecting their valuable data assets.

This story, "Your IT security infrastructure, rebooted for 2015" was originally published by Computerworld.

Copyright © 2015 IDG Communications, Inc.
