There is a fundamental tenet in business: “If the rate of change outside an organisation is greater than the rate of change inside an organisation, the organisation is in trouble.” Unfortunately, the threat landscape has changed so significantly in recent times that even companies, particularly financial institutions, that have spent millions on information security (regional spend across the 6 GCC states: 300 million dollars in 2008) need to rethink all the pillars of security: process, people, technology. You cannot protect yourself from an external threat environment that is constantly changing with an internal security architecture and controls that are static. It is a pity, but it is the reality: we need to act, and act decisively, to raise the level of protection on our critical information assets. Going forward into 2009, we need to move from our almost exclusive focus on the perimeter (remember, we implemented gateway anti-virus/anti-spam, content filtering, firewalls, IDS/IPS, web application gateways and even Network Behaviour Analysis technology in the last 10 years) to a data-centric view of security. That is a paradigm shift in thinking, but it is the best way forward, without worrying about the millions we deposited at the perimeter. Remember the mirror: it is oblivious of our past; it is passing judgement on our present.
There are two critical areas that Gulf businesses, both large organisations and SMEs, should consider seriously going forward:
1. Identity and Access Management
2. Data Leak Prevention
Identity and Access Management
Online fraud and identity theft techniques have evolved in sophistication since the first phishing attack in 2004. From phishing to pharming in 2005, to Man In The Middle (MITM) attacks in 2006, to Man In The Browser (MITB) attacks in 2007 and Man In The PC (MIPC) attacks in 2008, these attacks necessitate a relook at even the two-factor token implementations in the region. These sophisticated attacks modify the transaction in the browser after user authentication has taken place. Evidently, therefore, apart from strong user authentication we need to consider “transaction authentication” as well. The journey continues – we cannot be “rest assured.”
Access control management and reporting is the next major need once strong user authentication is in place. Access should be limited, authorised and disabled as needed, and access reports need to be documented for reporting purposes. In certain large corporate organisations it takes as long as three weeks to get a new employee provisioned on all the applications he needs to access to fulfil his responsibilities. This is a huge productivity loss, which can be addressed by automating the user provisioning function. Gulf businesses on budgets can look at point solutions (cost effective, easy to implement) to address user provisioning challenges, or evaluate a comprehensive identity and access management suite (expensive, time consuming to implement). Enterprise Single Sign-On is yet another challenge faced by Gulf organisations, particularly banks, which have a large number of users accessing multiple applications. Appliance-based Single Sign-On solutions are the best bet in the regional environment, where skill sets in identity management and directory services are a rarity.
Data Leak Prevention (DLP)
The goal of DLP is to protect content (information) throughout its lifecycle. This includes:
Protecting Data at Rest: Content discovery is the first step. Using a DLP tool we can scan servers and determine where critical data (say, credit card numbers) is stored. If the server isn’t authorised for that kind of data, the file can be removed or encrypted, or a warning can be sent to the file owner.
Protecting Data in Motion: This involves sniffing traffic, typically at the gateway, to identify confidential content being sent out and then applying the policy (blocking or otherwise) specified in a policy database. Email, instant messaging and web traffic all come under the purview of this inspection.
Protecting Data in Use: This is achieved with end-point solutions that monitor data as the user interacts with it. For example, they can identify when you attempt to transfer a sensitive document to a USB drive and block it. Data in Use tools can also detect copy and paste, or use of sensitive data in unapproved applications.
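The content discovery step described under Data at Rest can be sketched as follows. This is an added example, not code from the article or from any DLP product: it scans a directory tree for card numbers, uses the Luhn checksum to discard ordinary digit runs, masks what it reports, and flags files outside authorised locations. The directory names, the `authorised_dirs` policy input and the `warn_owner` action label are assumptions made for illustration.

```python
import os
import re
import tempfile

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (order ids, phone numbers)."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, masked to first 6 / last 4."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_tree(root: str, authorised_dirs: set[str]) -> list[dict]:
    """Report files under root that hold PANs; authorised_dirs is an assumed policy input."""
    findings = []
    for dirpath, _, names in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                pans = find_pans(fh.read())
            if pans:  # unauthorised location -> warn the owner (one of the article's options)
                action = "allow" if rel_dir in authorised_dirs else "warn_owner"
                findings.append({"file": os.path.relpath(path, root),
                                 "pans": pans, "action": action})
    return sorted(findings, key=lambda f: f["file"])

def demo() -> list[dict]:
    """Constructed sample tree using well-known test card numbers, no real data."""
    samples = {"billing/ledger.txt": "card 4111 1111 1111 1111 ok",
               "shared/notes.txt": "visa 4012-8888-8888-1881, order 1234567890123456",
               "shared/todo.txt": "call 0097150000000 tomorrow"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, {"billing"})
```

Masking the findings keeps the discovery report itself from becoming another store of card data.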
Once Gulf businesses implement strong multi-factor user authentication, transaction authentication, user provisioning, Single Sign-On (or a comprehensive identity and access suite) and a data leak prevention solution, the security posture of the organisation would be significantly enhanced. We can then go back and ask, mirror, mirror on the wall: HOW SAFE ARE WE?
That’s looking into the end of 2009, and I do not want to hazard a guess – security in a changing world is dangerous terrain – even educated guesses can bomb.