Partner Article
Business security – beyond the firewall
Richard Anstey, chief technology officer EMEA at IntraLinks, looks at how flexible working is impacting security considerations for businesses.
Today’s disruptive technology is changing both how we do business and how businesses themselves are structured. Enhanced connectivity and cloud computing, together with trends like BYOD and flexible working practices, are blurring the line between internal and external business processes and calling established security strategies into question.
With the evolution of working practices, the protective barrier around physical networks provided by firewalls looks increasingly anachronistic as a primary defence mechanism. Whether businesses sanction it or not, employees are collaborating freely and increasingly conducting their work outside the perceived “protection” of the firewall, leaving corporate data more vulnerable than ever before.
Business security should no longer be dependent on reinforcing perimeters, but rather on protecting the data while enabling secure and free-flowing collaboration. To accomplish this, CIOs need to evaluate security strategies based on their flexibility rather than their rigidity, enabling secure and effective business communications regardless of access point. This disintegration of established protective perimeters and the evolution of an open architecture is termed de-perimeterisation [1].
It’s a question of when, not if
De-perimeterisation is not a trend to look out for in the future; it is a reality here and now. Constant connectivity, the uptake of cloud services, and trends such as BYOD have stimulated the breakdown of organisational perimeters. Now, with the arrival of 4G, even the relative security of corporate WiFi networks is likely to be eschewed by employees seeking the greater bandwidth they can find on public, rather than corporate, networks – even while sitting at their desks. CIOs who do not act now, and who continue to assume protection is being provided by their increasingly sidelined firewall, are rendering businesses vulnerable to security breaches.
When given the choice, employees will naturally find their own most efficient ways of working. In complex global organisations, the internal networks can be highly convoluted, and often include multiple layers of firewalls between network segments across the same organisation. Cross-business-unit collaboration can often be more efficient outside the firewall via a secure external service than by traversing multiple segments of corporate networks.
There can be no doubt that usage of cloud services is on the rise. A study [2] of 250 UK IT decision-makers in private and public sector organisations, conducted by Vanson Bourne, found 61% of companies are using a cloud-based service, compared with just 48% in 2011. This dramatic rise, together with a tech-savvy workforce that is increasingly opting to use employee-owned devices for work purposes, has inevitably paved the way for, and enabled, flexible working practices. The advent of 4G is yet another vital part of the equation, making mobile connectivity equivalent to, if not faster than, traditional corporate networks.
According to government figures, within two years 98% of the UK will be covered by 4G. This new “super” cellular network offers optimum speeds and will be the preferred web connection, even over company WiFi networks. This level of connectivity marks a significant shift in the balance as, much like BYOD, employees will now be able to select a quicker, easier connection while companies unavoidably relinquish security and control, leaving unsecured data open to attack.
As systems become more interconnected, they offer ripe pickings for the technologically advanced attacker. Now, more than ever, business users are operating across and around organisational perimeters, and the resultant blurring of barriers has widened the opportunity for attack. According to a survey [3] by PricewaterhouseCoopers, 93% of UK large businesses suffered a digital security breach over the past year, proving that no one is exempt from this threat.
The evolution of threats which capitalise on the vulnerabilities of a connected business is creating a whole new range of “attack vectors”. Advanced Persistent Threats (APTs) continually target businesses using various discovery techniques to access sensitive information. APTs can take multiple forms, some of the most dangerous of which include using employees themselves as network entry points.
Social networks like LinkedIn arm attackers with the knowledge to approach targets by both identifying employees with top-level data access and highlighting personal areas of interest that could be used as bait during a targeted attack. Once the target and their specific interests are known, all it takes is the creation of a plausible email which, once opened by the target, will unleash malware into the network or cede control to the attacker. Such attacks are extremely difficult to defend against. If employees use email, businesses are vulnerable and the firewall perimeter, in its current guise, cannot reliably protect them from this type of threat.
A new way to do business
With all of these complex and competing factors, it’s clear why CIOs are losing sleep. Received wisdom suggests implementing a “perimeterised” architecture designed to mirror the physical walls of the building, where operating inside a firewall is considered safe whilst outside is dangerous. However, thanks to technological advancements in communication, businesses are now able to interact with an ever-increasing number of partners and employees are rarely constrained by location or perimeters.
The reality today’s organisations face is that hard perimeters impede communication with partners and often reduce business productivity by hindering employee collaboration. Consequently, they are frequently bypassed and ignored, risking the security of the data and the business as a whole.
By embracing a de-perimeterised model, businesses are recognising the evolving IT landscape and can capitalise on the flexible collaboration that it enables. Security needs to be revisited, as trying to maintain one universal line of network defence is a losing battle. Businesses must develop a multi-faceted approach which offers effective protection against, and recognition of, Advanced Persistent Threats. The focus should be on securing the data itself rather than the networks.
A de-perimeterised security structure shifts the reliance from an outer boundary to a blend of powerful encryption, secure protocols and effective authentication.
Such an approach addresses the changing security needs raised by BYOD, cloud services and an increasingly mobile workforce. Employees can securely access the information they require from the device and location of their choice. Collaboration with partners and colleagues can then occur in the cloud in a managed and secure way, enhancing business processes and productivity.
However, once an organisation makes the shift towards focusing on securing the bits and bytes of their data as opposed to the physical infrastructure of the network, a number of other questions begin to arise. More effort shifts to managing the data centres themselves and establishing sophisticated mechanisms for encrypting all data at rest as well as in transit. But while it’s obvious that an internal IT function is best placed to secure the physical aspects of a company’s network, it is less obvious that it is best placed to secure data.
The over-reliance on network perimeter security and the corresponding trust associated with connections originating from within the perimeter lead to complacency inside many organisations whose core business is not data security. This, in part, has led an increasing number of security specialists to suggest that SaaS services are in many cases more secure than on-premise data centres due to the greater resources (expertise, personnel and capital) they are able to bring to bear.
SaaS services like IntraLinks offer a way of using and sharing data securely – enabling businesses to immediately embrace de-perimeterisation without compromising security or business efficiency – leaving corporate IT to focus on helping the business while trusted security experts focus on securing the data.
Conclusion
There can be no doubt that this is a time of significant change for business. Progressive businesses and CIOs are recognising that traditional tried and tested models do not suit the new connected shape of business today. Technologies like 4G are acting as a catalyst for the requirement of a new security approach to meet the evolving needs of the workforce whilst enhancing business productivity securely.
This was posted in Bdaily's Members' News section by IntraLinks.