Enforcing Security Policies Beyond Office Walls: Controlling Risk Wherever Your Employees Are


FAST-GROWING USE of mobile technology is forcing IT security experts to rethink how they keep equipment, employees, and data safe outside the office. Policies and tools that work within the corporate firewall or campus are often unable to keep laptop-toting employees out of trouble when they connect to uncontrolled networks at home or while traveling.

“If you’re a road warrior, once you leave the four walls of your corporate office or don’t otherwise have access to the virtual private network, you can go wherever you want and do pretty much anything,” says Lawrence Orans, research director at Gartner. “This presents its own set of risks to the company.”

Those Pesky Policy Knowledge Gaps

Those risks are magnified by inadequate employee training. Jonathan Rutherford, head of corporate and public sector marketing for Vodafone UK (online.vodafone.co.uk), says the growing frequency of high-profile data loss underscores the issue’s seriousness. “We believe this is a significant and growing issue,” he says. “Nearly a quarter of all businesses—23%—have experienced security issues because employees have used mobile devices or laptops outside of work in contravention of company IT policies.”

Rutherford says that although most employees are not intentionally putting the enterprise at risk, the end result is the same. More than 88% of respondents to Vodafone’s research said they had incomplete knowledge of IT policy. Rutherford says a lack of tools and systems to support organizational security policy is also a root cause.

Eric Maiwald, VP and research director for security and risk management strategies at Burton Group, says failure to heed these lessons can cost the organization on a number of levels. Leaks of identifiable personal information can result in regulatory breaches and fines, as well as damage to corporate reputation and brand. Loss of control over proprietary information, such as patent applications and blueprints, can severely compromise future competitiveness, even if an employee simply emailed the files home and worked on an unsecured peer-to-peer network.

No Single Solution

Gordon Rapkin, CEO of Protegrity (www.protegrity.com), says enterprises need to take the blinders off when it comes to securing assets on both sides of the firewall. “A lot of companies are looking for the silver bullet, asking vendors to sell them technology that makes it all better,” says Rapkin, whose company specializes in enterprise-wide data security management. “They forget that security is built on three major components—people, process, and technology—and they have to think about the problem in a holistic way.”

Maiwald says a number of evolving technologies are making it easier to secure sensitive data outside the firewall. “Terminal servers allow remote employees to work directly on their desktop without necessarily copying anything to their local machine,” he says. “Enterprise data management technologies allow greater control over the data itself.”

Policies also have a role, he adds. “If an organization is willing to allow personal machines to be used, perhaps one of the requirements for accessing sensitive data is you put down a suite of controls, including antivirus and DLP [data leak prevention], before you can gain access.”

The future holds even more promise, says Maiwald. For example, a virtual machine delivered via VPN creates a sandbox for the session that is designed to leave no trace on the local machine after the session is closed.

Gartner’s Orans says organizations wrestling with remote or mobile employee security can choose between two high-level infrastructure approaches: cloud-based solutions or those leveraging DMZs (demilitarized zones). A growing number of vendors offer increasingly mature cloud-based services that extend beyond basic URL filtering to antimalware protection. DMZ-based solutions redirect remote traffic to a corporate demilitarized zone, which allows consistent application of behavior-based policies no matter where the user is.

“The one drawback [with DMZ-based solutions] is there can be latency issues if you always have to go back to the DMZ,” says Orans. “In the cloud, provided your cloud provider has a big enough global footprint, you can minimize latency issues.”

Culture Is Key

Rapkin says enterprises in all sectors must invest in building a culture of security that helps employees understand the relative risks of specific behavior. He says between 70 and 80% of all security breaches are unintentional; if employees understand the risks, they’ll adapt their behavior accordingly.

“Most employees are not trying to harm the company. They’re trying to help. They’re taking work home and doing it at night or over the weekend,” he says. “They often don’t realize when they’re placing the company at risk.

“But companies aren’t spending sufficiently on training them. They have big procedure manuals covered in dust sitting on a shelf, but they don’t have a practical approach to employee education.”
by Carmi Levy
Many Solutions, One Strategy

Jonathan Rutherford, head of corporate and public sector marketing for Vodafone UK (online.vodafone.co.uk), recommends a multitiered approach to minimizing exposure when employees are off campus:

- Authenticate the end user. Use two-factor authentication to ensure users are who they say they are.
- Secure the device. Use full disk encryption to keep data safe when laptops are lost or stolen.
- Secure the information. Use technologies such as DLP (data leak prevention) to prevent unauthorized downloading to USB drives, burning to CD, or printing.
- Control application use. Allow users to download and use only approved apps.
- Monitor and maintain security applications. Keep firewall, antivirus, and antimalware software up-to-date through regular signature and patch installations.
- Secure the access network. Allow roaming employees to access corporate infrastructure only through trusted and approved access networks and technologies.
