While digitalisation has many benefits, it significantly raises an organisation’s security risk by increasing the number of data exit points. Neville Armstrong, Service Strategist at Fordway, explains why user identity has become the new security perimeter.
We all benefit from increased digitalisation. Individuals can access enterprise networks from any location via a greater range of endpoint devices, while flexible working, collaboration software and agile working enable businesses to be more productive.
However, every change has a downside, and for digitalisation this is increased security risk. Data is no longer held securely within an organisation’s network; instead, there are an increasing number of entry and exit points. These increase the attack surface which hackers and those with malicious intent can target. To secure critical data from cyber threats, you need to design enterprise security around your users, not your organisation’s perimeter.
Assess the business risk
First and foremost, this increased security threat arising from digitalisation is a business issue. Every organisation has its own appetite for risk, which depends on three factors: its ethical stance and culture; the legal and potentially moral frameworks it operates in; and its security requirements, which will depend to some extent on the sector in which it operates.
Each organisation needs to invest in the right level of resistance against the increasing threats and threat vectors, taking into account the cost to the business if a threat succeeds. This requires board-level commitment and appropriate commercial cover. Being averse to risk can be extremely expensive, as overbearing restrictions mean a slow response to changing situations. However, getting it wrong can be even more costly, as too few restrictions can put an organisation’s future in jeopardy.
Design your network around data flows
From an IT perspective, addressing the risks means taking a fresh look at network architecture. Perimeter security has traditionally been designed to protect traffic originating from data centres, using a ‘castle and moat’ or ‘hub and spoke’ approach. However, digital networks need to be designed from the inside out, based on a consideration of data flows and security stacks.
Security has to be built into infrastructure, business applications and solutions from the moment that they are conceived, not just considered post-development.
Compliance frameworks and policies will also have to be regularly reviewed and rewritten to protect agility, particularly as we move to a world of software-defined networks, where access to resources is managed through policy and compliance. We need to challenge existing trust levels and move towards a point of zero-trust – in other words, granular security boundaries, also called micro-segmentation, which restrict unrequired and unwanted lateral movement, both of traffic between systems and in user access.
Build your security perimeter around user identity
In a zero-trust network, security is based on user identity. Organisations need to know who is accessing what data, when, where from and why so that they can wrap security around how individual users actually work. For example, if someone is logging into the network at 10 pm, is this normal behaviour? What applications and data are they accessing, and should this set alarm bells ringing?
Tackling this means implementing least privilege and default-deny policies for each user and each system, with clear processes for the approval of elevated rights. It should be accompanied by the ability to monitor and log access and failed access attempts. In effect, users become the new security edge, and identity management is the new perimeter management system.
Data protection should also be incorporated into the design. The mapping of personal data needs to be considered carefully in light of GDPR. Zero-trust can be built into systems in such a way as to restrict or prevent any data loss.
Use automation tools to understand user behaviour
To apply user management effectively, organisations first need to fully understand user access behaviour (Who, What, When, Where and Why). This requires them to map their environment and the behaviour of their users to create a picture of what is ‘normal’ working in their network.
With the map created, they can analyse their environment to see who is doing what, where and when. Analysis tools such as advanced threat analytics and advanced threat protection may be available within applications which an organisation already has, such as Office 365. These tools are self-learning and, once tuned to match typical user behaviour, will work towards a point where they only raise an alert when they detect abnormalities in access and traffic flow.
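As an added illustration, not part of the original article, the following Python sketch builds the ‘normal working’ baseline described above (who accesses what, and at which hours) and then scores later events against it, flagging the 10 pm login from the earlier section, first-time access to a resource, and repeated failed attempts. The log entries, user names and resource names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: (user, ISO timestamp, resource, outcome).
BASELINE_LOG = [
    ("alice", "2024-03-04T09:12:00", "finance-share", "success"),
    ("alice", "2024-03-04T14:40:00", "finance-share", "success"),
    ("alice", "2024-03-05T10:05:00", "hr-portal", "success"),
    ("bob", "2024-03-04T22:10:00", "build-server", "success"),
    ("bob", "2024-03-05T23:02:00", "build-server", "success"),
]
# Constructed events to score against that baseline.
NEW_EVENTS = [
    ("alice", "2024-03-11T22:05:00", "finance-share", "success"),
    ("alice", "2024-03-11T22:07:00", "source-repo", "success"),
    ("bob", "2024-03-11T22:30:00", "build-server", "success"),
    ("carol", "2024-03-11T11:00:00", "finance-share", "failure"),
    ("carol", "2024-03-11T11:01:00", "finance-share", "failure"),
    ("carol", "2024-03-11T11:02:00", "finance-share", "failure"),
]

def build_baseline(log):
    """Record, per user, the hours of day and resources seen in normal working."""
    hours, resources = defaultdict(set), defaultdict(set)
    for user, ts, resource, outcome in log:
        if outcome == "success":  # only successful access defines 'normal'
            hours[user].add(datetime.fromisoformat(ts).hour)
            resources[user].add(resource)
    return {"hours": hours, "resources": resources}

def detect_anomalies(baseline, events, fail_threshold=3):
    """Return (user, timestamp, reason) alerts for deviations from the baseline."""
    alerts, failures = [], defaultdict(int)
    for user, ts, resource, outcome in events:
        if outcome != "success":
            # Count failed attempts per user/resource; alert once at the threshold.
            failures[(user, resource)] += 1
            if failures[(user, resource)] == fail_threshold:
                alerts.append((user, ts, f"{fail_threshold} failed attempts on {resource}"))
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if user not in baseline["resources"]:
            reasons.append("no baseline for user")
        else:
            if hour not in baseline["hours"][user]:
                reasons.append(f"unusual hour {hour:02d}:00")
            if resource not in baseline["resources"][user]:
                reasons.append(f"first access to {resource}")
        if reasons:
            alerts.append((user, ts, "; ".join(reasons)))
    return alerts
```

Bob’s late-evening access raises nothing because it matches his own baseline, which is the point of tuning per user rather than applying one office-hours rule to everyone; a real analytics tool would learn distributions over a long window rather than a set of hours.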
This information about user behaviour can also be used for compliance analytics, which involves gathering and storing relevant data and mining it for patterns, discrepancies and behavioural abnormalities. Compliance analytics help companies proactively identify issues and provide appropriate remediation actions.
It is also vital to securely manage access to company resources from mobile and other devices, especially where staff are allowed to use personal devices, using multi-factor authentication. Where data security is important, mobile device management (MDM), mobile application management (MAM) and mobile identity management (MIM) should also be implemented.
Train users in secure behaviour
The greatest security threat comes from user behaviour. Alongside user management, organisations need to implement robust cyber security training, with awareness and acceptable use policies linked to HR policies. There should be ongoing training to ensure that all new cyber threat vectors are understood by users and mitigated effectively.
Finally, it is worth remembering that most security breaches come from failures in basic security defences, not from complex attacks. To minimise the risks, organisations should begin by implementing basic security correctly and setting data access based on roles and attribute-based policies, before moving onto more complex analytics.