Mahendra Chopra
I have been reading about disruptive technology for quite some time and have always wondered why everyone calls it disruptive. It is just another chapter in the IT evolution story, isn't it? How is it impacting enterprises?
I would like to share one such experience where an established corporate practice has been challenged, and it is none other than the network boundary, the first layer of defense for the corporate IT infrastructure.
Now this defense is evaporating and corporate data is flowing in and out of it! Corporate data that was locked behind the firewall and accessible only over the intranet from a company-provided laptop or desktop is gradually flowing over the Internet to devices the company does not own (BYOD)!
Enterprise IT resources that were accessible only from the company intranet are now accessed through cloud-deployed SaaS applications!
The network administrator who was closing every possible hole in the network is now drilling new holes to support the disruptive transformation.
These scenarios are a good indication of the evaporating company network boundary! Given this situation, companies are puzzled by one common question: how do we mitigate the security challenge that emerges from a disappearing network boundary? Multiple steps are recommended to mitigate this risk.
The immediate task is to apply the rules of an ancient kingdom and beef up the second layer of security, i.e. the access gateway. The access gateway, which used to treat every network-authorized user as trustworthy, needs additional intelligence before permission is granted. This additional intelligence has to go beyond the regular user ID and password, moving away from a Boolean response (yes or no) to moderated access: access granted to perform a set of tasks based on the trust presented by the user. In other words, the gateway needs to evaluate the context of a user and determine the level of access to grant for this request. The user context could be a combination of parameters including the device used to access the data, the network used to access the data, the user's country, etc.
However, there are situations where the trust collected by the gateway does not meet the minimum trust required to access a resource, yet the employee still has an immediate business need to access that corporate IT resource. This need should be dealt with swiftly by the access gateway solution using policy-based access with step-up authentication: the gateway should challenge the user to present an additional credential, such as a temporary PIN issued to the user, a biometric, or a soft/hard token, to meet the alternate trust requirement for accessing this resource.
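To make the moderated-access and step-up flow described above concrete, here is an added example that is not part of the original post and is not the code of any particular access gateway product. It derives a trust score from the request context (device, network, country), compares it with a per-resource policy, and returns allow, step-up or deny; the step-up path is backed by a store that issues a short-lived, single-use temporary PIN and verifies it with a constant-time comparison. The weights, resource names, country list and the `RequestContext`, `evaluate` and `StepUpPinStore` names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # trust too low for the resource, but a stronger credential can bridge the gap
    DENY = "deny"


@dataclass(frozen=True)
class RequestContext:
    """Context the gateway collects for one request (constructed example fields)."""
    user: str
    device_managed: bool        # corporate-managed device vs BYOD
    network: str                # "corporate", "home" or "public"
    country: str                # country code from a geo lookup
    mfa_satisfied: bool = False # True once the user passed a step-up challenge


# Constructed for this example: countries the policy treats as expected for this workforce.
ALLOWED_COUNTRIES = frozenset({"US", "IN", "GB"})

# Constructed trust weights: the score is the gateway's "additional intelligence".
NETWORK_TRUST = {"corporate": 40, "home": 20, "public": 0}


def trust_score(ctx: RequestContext) -> int:
    """Combine device, network and country signals into a 0-100 trust score."""
    score = 40 if ctx.device_managed else 10
    score += NETWORK_TRUST.get(ctx.network, 0)   # unknown network types earn nothing
    score += 20 if ctx.country in ALLOWED_COUNTRIES else 0
    return score


# Constructed per-resource policy: min_trust grants access outright; a score at or
# above step_up_floor may still get in by presenting an additional credential.
RESOURCE_POLICY = {
    "wiki": {"min_trust": 30, "step_up_floor": 10},
    "payroll": {"min_trust": 80, "step_up_floor": 50},
}


def evaluate(ctx: RequestContext, resource: str):
    """Return (Decision, score): the moderated answer instead of a plain yes/no."""
    policy = RESOURCE_POLICY[resource]
    score = trust_score(ctx)
    if score >= policy["min_trust"]:
        return Decision.ALLOW, score
    if score >= policy["step_up_floor"]:
        # A completed step-up challenge bridges the remaining trust gap.
        return (Decision.ALLOW if ctx.mfa_satisfied else Decision.STEP_UP), score
    return Decision.DENY, score


class StepUpPinStore:
    """Issues short-lived, single-use temporary PINs and keeps only a salted hash."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}          # user -> (salt, digest, expiry)

    def issue(self, user: str) -> str:
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + pin.encode()).digest()
        self._pending[user] = (salt, digest, self.clock() + self.ttl)
        return pin   # delivered to the user out of band; the plaintext is never stored or logged

    def verify(self, user: str, pin: str) -> bool:
        # pop() makes the PIN single-use: a wrong guess also consumes it,
        # so each issued PIN allows exactly one attempt.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        salt, digest, expiry = entry
        if self.clock() > expiry:
            return False
        candidate = hashlib.sha256(salt + pin.encode()).digest()
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    byod_from_home = RequestContext("alice", device_managed=False, network="home", country="US")
    print(evaluate(byod_from_home, "wiki"))      # (Decision.ALLOW, 50)
    print(evaluate(byod_from_home, "payroll"))   # (Decision.STEP_UP, 50)
    store = StepUpPinStore()
    pin = store.issue("alice")                   # sent to the user out of band
    if store.verify("alice", pin):
        stepped_up = RequestContext("alice", False, "home", "US", mfa_satisfied=True)
        print(evaluate(stepped_up, "payroll"))   # (Decision.ALLOW, 50)
```

The score and the thresholds are deliberately simple; in a real deployment the gateway would also record the score and decision for each request so that step-ups and denials can be reviewed and tuned.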
While the recommended gateway solution would mitigate the major risk from the fading network defense, the question remains open for the protection of corporate data on the user's device or in a cloud-deployed SaaS application. This challenge can be easily addressed by deploying strong encryption solutions and/or device management agents on the client side. The device management agent would help remove the data upon device loss or the user's departure from the company.
Additionally, it is advisable to integrate a threat intelligence solution with the access gateway to identify threats proactively.
Security has always been perceived as a blocker, but today it is actually acting as an enabler for disruptive technology.
The author is a Senior Security Architect at CIO Lab Innovations, IBM.