When it comes to setting New Year’s resolutions, most people are a little over-ambitious. We give up carbs, go running every morning, go vegan, or even give up alcohol or stop smoking. Inevitably, a few weeks later, we find ourselves right back where we started.
As security professionals, responsible for keeping the bad guys out and reducing the risk of data breaches, we find ourselves right back where we started too: we do not fundamentally improve our security posture. We set lofty goals and unrealistic expectations, focus on the wrong things, and then wonder why.
Next year we will see more breaches, more companies moving to the cloud, more usage of mobile and more IT budget spent on security. You have heard all of this already, so let’s try to make an impact and improve our overall security posture at home and at work. 2016 was a challenging year — from a security perspective, there have been too many notable breaches, topped off with Yahoo.
Here are three New Year’s resolutions for 2017 — one focused on mindset, one on implementing something simple at home and at work and one that is a question you should ask the CISO every month in 2017 until you get a great answer.
1. Mindset — Rethink Security
We all need to think differently in all aspects of life, but here it’s about thinking differently about security: think about identity. Why?
The status quo today is that:
Your apps are everywhere — in the data centre, as SaaS and mobile apps.
Infrastructure is everywhere too — in your data centre, virtual servers and in IaaS providers like AWS.
Users who access your data are everywhere too, in the office, on the road, as third parties and partners.
So, with this wide net of interconnected elements, where do you start? You need to start by thinking differently.
Imagine your internal network is as insecure as the internet. It’s like thinking your front door at home is open when you go to sleep. This mindset change is already happening at major companies.
I call this a “rethink of security” because it goes against the teaching of many security textbooks and the classic “hard outside, chewy inside” analogies we typically describe.
With this mindset change, the major takeaway is that you cannot trust your network anymore. If you make that paradigm shift and start treating your internal, “previously secure” network as no longer secure, you’ll start to think differently, take charge of your security strategy and implement better defences. Those defences will be based upon securing your enterprise with Identity and Access Management, using technologies like two-factor authentication, single sign-on, lifecycle management, privileged account management and auditing.
2. Act now and make 2017 the Year for two-factor authentication
With 63% of data breaches caused by compromised credentials and breach analysis after breach analysis pointing to credentials, the argument to remove passwords is now so strong that employees will soon be asking why security at consumer-facing sites like home banking, Amazon, Facebook and Gmail is better than what they have at the office. All of these organisations are pushing for two-factor authentication, and, as adoption increases in the consumer world, CIOs will be left answering questions about why it has not been implemented in their own organisations.
The arguments that the technology is too complex or that employees will push back are based upon legacy thinking. Current-generation solutions are simple, cloud-based and leverage a mobile device. The key to implementing two-factor authentication is to have 100% coverage over all employees and all access points: access to apps, VPNs and servers. This was never the approach in organisations that implemented legacy two-factor authentication, but now all user access can be enforced with it.
3. What are you doing about privileged IT users?
The set of users accessing applications or technology that runs your applications includes:
Employees: This is typically where most breaches start.
Senior Management: These are a small set of employees in your business, but since they have access to more confidential information they are a target for hackers.
IT Employees: This is a small set of employees (larger in IT-centric organisations, like financial services), but these employees have access to all your IT infrastructure, applications and servers — thus they are the prime target for hackers.
Customers: These are a large number, but they typically have access to a small set of applications or maybe just the website.
Partners: These can be large, but like customers they typically have access to a small set too.
Of the groups above, the greatest risk lies with the IT employees. We call them privileged IT users, since they have access to the servers in the data centre or in the cloud on which your applications and databases run. Stealing their accounts is what hackers are after, because once an account’s credentials are obtained, the attacker typically has full access to run any command. If you have ever wondered how millions of accounts get stolen, it is typically a hack that used a compromised privileged user account. So, your priority is to solve this problem.
If your company does not have a strategy to implement privileged identity management (PIM), ask “why?” This should be top of mind for all organisations.
So these are three security resolutions for 2017: think differently; act now and make 2017 the year of two-factor authentication; and find out what your company is doing about privileged IT users.
Featured image credit to Lobster.media