Cover all bases to protect what matters
By Mark Micallef May 20, 2014
- Traditional compliance-based or perimeter-oriented security can’t manage today’s threats
- Organisations need a strategy simple enough for both the IT team and business personnel
TODAY’S technology landscape is in a constant state of flux. While developments in IT are offering businesses increased efficiency with smarter solutions, businesses are also increasingly being exposed to more sophisticated security threats.
Critical business information is stored and accessed across multiple channels and devices. This means more points of entry for security threats.
The speed, sophistication and implications of today’s security attacks are not something traditional compliance-based or perimeter-oriented security strategies can manage.
Organisations need a holistic security strategy that is intuitive, yet simple for both the IT team and business personnel to manage. Security strategies should be able to intelligently protect intellectual property, ensure data privacy and meet compliance mandates.
In a nutshell, security strategies need to keep up with the rapid pace of IT development and be one step ahead to pre-empt and be prepared for potential security risks.
Here are some key steps organisations can take to step up their information security game and make technology work for them.
1) Secure delivery of data from beginning to end
Understanding the many layers of security is pivotal to formulating a comprehensive and robust security strategy.
Starting from the control point (the network from the data centre), there are three different layers of security: application security; network and infrastructure security; and identity and access management.
2) Assured delivery of applications
Organisations exchange business critical data internally and externally on a daily basis. Executives, sales personnel, and administrative staff access both corporate and personal applications while at work over various devices.
It is a feat to keep track of each and every website employees access, thus opening the floodgates to security attacks.
Enforcing full-featured firewalls at the application layer will provide the IT team the visibility and control required to protect against the majority of Internet attacks that target app-layer vulnerabilities, and counteract a broader range of security threats.
In the app-layer, IT teams can also equip the organisation’s data centre with data loss protection by being prudent and actively guarding against unexpected leakage of sensitive data in application server responses.
Having a data check feature that provides administrator-configurable protection for sensitive business information is equally important.
With customised and defined rules, the application firewall can take appropriate action such as blocking responses, masking protected information or removing the protected information from the responses before sending it to the user.
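The block, mask and remove actions described above, shown as an added example that is not from the article or from any vendor's product. The rule names, patterns and sample response are constructed for illustration, and the Luhn check is an assumption about how card-number false positives would be reduced.

```python
import re
from dataclasses import dataclass
from typing import Callable

def luhn_ok(text: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not treated as card numbers."""
    digits = [int(c) for c in text if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_keep_last4(value: str) -> str:
    """Replace every digit except the last four with X, keeping separators."""
    n, seen, out = sum(c.isdigit() for c in value), 0, []
    for c in value:
        seen += c.isdigit()
        out.append("X" if c.isdigit() and seen <= n - 4 else c)
    return "".join(out)

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # "block", "mask" or "remove"
    validate: Callable[[str], bool] = lambda s: True

def filter_response(body: str, rules: list) -> tuple:
    """Return (verdict, body_to_send, names_of_rules_that_fired)."""
    hits = []
    for rule in rules:
        def handle(m, rule=rule):
            if not rule.validate(m.group()):
                return m.group()  # pattern matched but failed validation
            hits.append(rule.name)
            if rule.action == "mask":
                return mask_keep_last4(m.group())
            return "" if rule.action == "remove" else m.group()
        body = rule.pattern.sub(handle, body)
    if any(r.action == "block" and r.name in hits for r in rules):
        return "blocked", "", hits  # nothing from the original body is sent
    return "allowed", body, hits

# Constructed rule set and response body, for illustration only.
RULES = [
    Rule("card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "mask", luhn_ok),
    Rule("employee_id", re.compile(r"\bEMP-\d{6}\b"), "remove"),
    Rule("classification", re.compile(r"(?i)internal use only"), "block"),
]
SAMPLE = "Order 1234567890123456 paid with card 4111 1111 1111 1111 by EMP-004217."
```

Calling `filter_response(SAMPLE, RULES)` leaves the 16-digit order number alone because it fails the Luhn check, masks the card number and strips the employee ID. The returned list of rule names is what would feed the audit log.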
3) Identity and access management to data/apps with granular access control policies
To top it off, IT security teams need to also explore another dimension – the user layer.
Identity and access management encompasses three major pillars: Authentication capabilities for validating user identities; authorisation for verifying and enforcing which specific resources each user is allowed to access; and auditing capabilities to keep a detailed record of each user’s activities.
This is achieved mainly by supporting password changes and a wide variety of authentication mechanisms to help ensure there are no attacks on the user layer.
4) Tying up back-end data centre security
There is the network and infrastructure security to consider, too. Adopting a ‘secure by design’ approach, enabled by desktop virtualisation, allows all data to reside in a centralised data centre.
This equips the IT team with complete control to ensure secure delivery of mission-critical data with customised encryption capabilities within the network, routing all connections to back-end servers.
Configured policies applied to incoming and outgoing Secure Sockets Layer (SSL)-based traffic protect critical applications from protocol and denial-of-service (DoS) attacks at both the L4 and L7 layers.
In addition, it enables the logging and reporting of user activity in real time. This helps in monitoring and alerting any action that demonstrates a potential threat to data security or breach in compliance standards.
Ultimately, there are many advantages to deploying an all-in-one secure network. Server performance can be improved and security can be added to legacy apps, all while ensuring a consistent user experience with zero disruption.
5) All for a defence-in-depth strategy
All in all, enforcing a full-fledged security policy for everything Bring Your Own (BYO) is an essential element for organisations looking to pursue mobility. All gaps in security have to be kept in check.
Organisations should also remember to train end-users (in this case, employees) and educate them on how to work safely from any location on any device.
Ultimately, this creates an informed, security-conscious work force – the company’s first line of defence against security threats.
All these elements combine to provide organisations with a comprehensive defence artillery with which to combat attacks.
Citrix is the cloud company that enables mobile workstyles, empowering people to work and collaborate from anywhere, securely accessing apps and data on any of the latest devices, as easily as they would in their own office. Mark Micallef is area vice president of Citrix Asean.