How to cope with security’s lost perimeter
Pavan Singh, Covata
As the Internet of Things becomes a reality and revolutions such as smart cities, digital manufacturing and connected vehicles are proliferating, the number of data points that could potentially be attacked by hackers is also rising at a staggering pace, writes Pavan Singh, the vice president and business head of the data security platform at Covata. Indeed, Gartner predicts that by 2020 there will be 9.7 billion connected devices, all of which represent a possible entry point for an attacker.
For business leaders, the adoption of IoT is necessary to drive differentiation and keep up with the pace of innovation. The receipt of real-time information and feedback has become critical for businesses looking to rapidly address market demands and continue to meet the changing needs of their customers. This level of agility requires an enterprise to transform into a connected enterprise – where the enterprise extends beyond the four walls of the building and engages in real-time data sharing with vendors, suppliers, partners and customers.
And with this change, the current security paradigms have to be re-evaluated. Enterprises are slowly beginning to realise that with so many entry points it’s impossible to try and keep hackers out. They must assume that data within the organisation – inside the corporate perimeter – is at risk and needs to be protected from within. A prime example is the UK rail network, which reportedly suffered four significant cyber attacks within a 12-month period.
The business world has also become much more mobile in recent years, largely due to the use of smartphones and tablets, as well as cloud applications enabling employees to access corporate files from anywhere in the world, as if they were sitting at their desk. Even if a company were to attempt to create a perimeter defence for protection, where would the line be drawn?
Organisations have to accept that data, personal information and intellectual property will travel without their knowledge or control. Increasingly, this will be to places they cannot trust, which renders network-based security futile in the organisation’s attempt to protect its data. What’s more, data can seep from an organisation’s network in many different ways. It’s true that attackers can find their way into the corporate network and purposefully siphon off valuable information, but it’s also true that human error plays a large role in information ending up in the wrong hands – it could be as simple as a misspelt email address, for example.
Instead of attempting to build a secure environment, protected by perimeter security, organisations need to secure the data itself. While encryption – in some form and to some extent – is common in most organisations, there is still huge potential in utilising more robust encryption more broadly. It’s important to have tight control of identity management, policy, and key management, to secure an organisation’s information comprehensively.
Data needs to be encrypted and decrypted on the device at its source, to prevent it travelling over the Internet in plain sight. Once the data reaches the recipient, the person or machine – in the case of the Internet of Things – requesting the decryption key needs to be authenticated and checked against the policy service. If the user can prove their identity but is travelling in a country where the data could be stolen or summoned by a third party due to local laws, for example, access should not be permitted due to a policy that prevents keys from being issued into that country or geo-location.
The ability to control exactly who has gained access to data and where they are from ensures there is a complete audit trail. For the most top-secret of data, policies should restrict documents from being downloaded and visible offline, as this is potentially untraceable.
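The key-release flow described above can be sketched as a default-deny policy check that logs every decision. This is an added example, not Covata's code: the class names, the decision strings, the `SERVICE` sample data and the placeholder country code `XX` are all assumptions, and authentication and geo-location are taken as results supplied by upstream services.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class KeyRequest:
    subject: str           # user or device identity
    authenticated: bool    # outcome of an upstream identity check (assumed)
    country: str           # ISO 3166-1 alpha-2 code from geo-location (assumed)
    object_id: str         # which encrypted object the key is for
    offline: bool = False  # requester wants a copy usable offline

@dataclass(frozen=True)
class Policy:
    allowed_subjects: frozenset
    blocked_countries: frozenset
    allow_offline: bool

@dataclass
class KeyService:
    policies: dict
    keys: dict
    audit: list = field(default_factory=list)

    def decide(self, req):
        policy = self.policies.get(req.object_id)
        if policy is None:
            return "deny:no-policy"  # default deny: no policy, no key
        if not req.authenticated:
            return "deny:unauthenticated"
        if req.subject not in policy.allowed_subjects:
            return "deny:not-authorised"
        if req.country.upper() in policy.blocked_countries:
            return "deny:location"  # valid identity, wrong place
        if req.offline and not policy.allow_offline:
            return "deny:offline-copy"
        return "permit"

    def release(self, req):
        decision = self.decide(req)
        # Record every decision, permits and denials alike, for the audit trail.
        self.audit.append((datetime.now(timezone.utc).isoformat(),
                           req.subject, req.country, req.object_id, decision))
        return self.keys.get(req.object_id) if decision == "permit" else None

# Constructed sample data: one top-secret document, online access only.
SERVICE = KeyService(
    policies={"doc-1": Policy(frozenset({"alice"}), frozenset({"XX"}), False)},
    keys={"doc-1": secrets.token_bytes(32)},
)
```
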
It is only by having this level of control and visibility over individual pieces of corporate data that security can be guaranteed. It’s also important for processes to remain agile, however, and while most of the encryption, key management and policy controls can be implemented behind the scenes, it’s also important that an enterprise understands where and when it is appropriate to use stringent encryption. Not all documents need to be watermarked when they’re taken offline, for example, but an organisation does need the capability to institute this when it is required.
IoT multiplies the number of doors available for hackers to try to access. As this number grows, so will the chances of gaining entry and, as that becomes more successful, attackers are also likely to grow in number, making it increasingly hard for enterprises with a network-based perimeter security approach to protect the data within. It’s critical that security teams don’t get caught in this vicious cycle and, instead, change their approach. Keeping data and information secure is the aim and the fact of the matter is that in the world of data security, it’s inevitable that corporate walls are penetrable.