Enterprise security in an 'everything, everywhere' world

"At the end of the day, IT must manage and govern who has access to mission-critical cloud resources no matter how they are accessed," Gilbert adds.

"IT needs better visibility to and control over the access privileges granted to workers, and it's important to selectively apply controls and governance based on application risk and data criticality."

Terry Greer-King, UK managing director at Check Point, is also of the opinion that enterprise security strategies are lagging behind the changing information landscape. "In April this year we surveyed 790 IT professionals worldwide about mobility and mobile device usage," Greer-King explains. "[Some] 63 per cent of them said they do not even attempt to manage corporate information on employee-owned devices, and just 23 per cent use mobile management tools or a secure container on the device."

Such figures should worry the IT security professional, although they probably won't come as much of a shock, to be honest. The other findings are also worrying, if perhaps not unexpected: 88 per cent of devices were used for corporate email, 53 per cent had customer data stored on them, and 72 per cent of UK respondents to the survey said they'd had mobile security incidents in the past year.

With more than half of those taking part in the UK revealing that the number of personal mobile devices connecting to corporate networks had increased by at least 5x during the last two years, things are likely to get worse before they get better. There is no doubt that BYOD, mobile apps and cloud services have made it much harder for businesses to protect corporate information. But, as Greer-King says, "strategies have fallen some way behind, with companies not protecting their data and assets."

So what's the reason for this? Amichai Shulman, CTO and co-founder at Imperva, says the simple reality is that, because risk is a function of opportunity, having your data and devices available online for longer and in more locations gives attackers greater opportunities. Enterprises must choose whether to adapt the security paradigm to this reality or live in denial. "I think that most organisations are still trying to apply 1980s security paradigms to an entirely different world," Shulman said.

"It starts with the focus most organisations have on infrastructure security rather than data security and it continues with the huge efforts invested in trying to manage each and every device that may access enterprise resources (which is ludicrous given that on top of insubordinate employees we also have partners and contractors accessing our resources) and the religious belief in proper access control lists and individual file access permissions."

The answer, according to Shulman, comes with putting controls close to the data itself. That equates to more control around data stores and data items: controls that accompany the data throughout its flow. "We also need to shift our paradigm from controlling access to controlling usage. Controlling usage means detecting abuse patterns where individuals are accessing more data than seems reasonable or data is allegedly accessed by an individual while it's actually being accessed by an intruder," Shulman says.
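As an added illustration of Shulman's two "controlling usage" patterns (example code written for this page, not from Imperva or the article), the checks below run over constructed access-log records: one flags a user whose daily read volume far exceeds their own historical baseline, the other flags an account used from two different sources too close together to be one person. The ratio, window and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (user, ISO timestamp, records read, source IP).
# Illustrative values only; they are not taken from the article.
SAMPLE_EVENTS = [
    ("alice", "2013-06-03T09:05:00", 40, "10.0.0.5"),
    ("alice", "2013-06-04T09:10:00", 55, "10.0.0.5"),
    ("alice", "2013-06-05T09:02:00", 50, "10.0.0.5"),
    ("alice", "2013-06-06T09:15:00", 900, "10.0.0.5"),    # bulk pull, far above baseline
    ("bob",   "2013-06-03T10:00:00", 20, "10.0.0.9"),
    ("bob",   "2013-06-04T10:00:00", 25, "10.0.0.9"),
    ("bob",   "2013-06-05T10:00:00", 22, "10.0.0.9"),
    ("bob",   "2013-06-06T10:00:00", 30, "10.0.0.9"),
    ("bob",   "2013-06-06T10:04:00", 18, "203.0.113.7"),  # same account, new source, 4 min later
]

def parse(events):
    """Turn the raw tuples into (user, datetime, count, source)."""
    return [(u, datetime.fromisoformat(t), n, src) for u, t, n, src in events]

def volume_anomalies(events, day, ratio=3.0, min_history=3):
    """Flag users whose records read on `day` (ISO date) exceed ratio x their
    mean daily volume on earlier days. Returns {user: (today, baseline_mean)}."""
    target = datetime.fromisoformat(day).date()
    per_day = defaultdict(lambda: defaultdict(int))
    for u, t, n, _ in parse(events):
        per_day[u][t.date()] += n
    flagged = {}
    for u, days in per_day.items():
        history = [n for d, n in days.items() if d < target]
        if len(history) < min_history or target not in days:
            continue  # not enough baseline, or no activity that day
        mean = sum(history) / len(history)
        if days[target] > ratio * mean:
            flagged[u] = (days[target], round(mean, 1))
    return flagged

def concurrent_sources(events, window=timedelta(minutes=10)):
    """Flag accounts seen from two different sources within `window`:
    the 'individual' and the intruder cannot both be the same person."""
    by_user = defaultdict(list)
    for u, t, _, src in parse(events):
        by_user[u].append((t, src))
    flagged = set()
    for u, sessions in by_user.items():
        sessions.sort()
        for (t1, s1), (t2, s2) in zip(sessions, sessions[1:]):
            if s1 != s2 and t2 - t1 <= window:
                flagged.add(u)
    return flagged
```

Tune `ratio`, `min_history` and `window` against your own baselines; the point is that both checks look at how data is used, not merely whether the account held permission to read it.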

Only by making this 'mind shift', Shulman believes, will the enterprise be able to rebalance the risk vs. protection equilibrium.

The use of 'mind shift' isn't an overstatement either, if the experience of Dave Anderson, senior director at Voltage Security, is anything to go by. Anderson told IT Pro that when he recently sat in with a group of some 13 CISOs, representing both SMB and large enterprises across a broad sample of industries, the majority opinion when the subject of 'mobile security' came up was a reliance upon policies and user awareness campaigns in order to protect data.

Not far behind was the unerring belief that companies can offer effective security with traditional endpoint technologies, which protect the containers that store data by trying to provide a big enough wall or silo that hackers can't breach. "The misguided assumption here is that data doesn't move, and the only threat against data is when it is stored in some database, in some cloud application, or on some mobile device," Anderson explains.

"But, actually, that data moves throughout an organisation and partner/customer eco-system, and security programs must adapt to be able to protect any type of sensitive data from the moment it is created, throughout its entire lifecycle, until it is consumed and deleted."

Reactive security (detection and response after a breach has already occurred), along with addressing information protection at single points instead of throughout the entire lifecycle, is doomed to failure. A key dynamic to understand is that this culture of always-on, all-the-time is driven by the need to access data in order for users to do their job, and for the business to perform.

"Security must step up and support this dynamic," Anderson concludes, "as it's not going away any time soon."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.