7 Essential Real-World Security Questions to Ask Today (Pt. 1 of 2)
Every company needs to be secure. And there are lots of security technologies that help address this goal.
In the real world, however, security has a context. And that context is a business or organization that’s pursuing goals other than state-of-the-art cybersecurity perfection. So if you’re a cybersecurity leader, you have to do more than minimize exposure to avoidable risk. You’re also under pressure to:
- Maximize “bang for the buck”
- Empower people to be most productive
- Respond quickly to change
- Prove that you’re doing a good job
Given these multiple pressures, it’s essential to prioritize decisions and actions that actually move the needle on all your real-world security imperatives sooner — rather than later.
The following seven questions are designed to help you quickly pinpoint ways you can do this. By answering these questions honestly and accurately, you can optimally allocate your limited time and budget to better protect your organization while also fulfilling the other four objectives above.
Whitelisting is more than a static list of trusted websites, apps or users. Done well, it is dynamic: access controls are enforced per identity and per contextual attribute (time of day, location, device), and anything not explicitly permitted is denied. Applied this way, it helps secure your data and protect your organization from threats.
Question 1: Do we have a central repository of well-defined whitelisting policies?
Dynamic whitelisting is a core best practice for enterprise security and one of the best ways to enforce access policies. It restricts user access and code execution by default to only what is specifically permitted and known to be safe, so a compromised account or rogue process can do no more than a policy explicitly allows. Whitelisting should also take into account both identity and context attributes such as time of day, location or device. This model is essential for protecting your organization from all kinds of threats — including malicious hosts, hijacked user IDs, insider threats, and the like.
Unfortunately, most enterprises take a fragmented and manual approach to defining their whitelisting policies. Different application, database, and content owners maintain their permissions in separate access lists, and in some cases permissions are granted on a completely ad hoc basis. Other controls (prohibition of USB drives, geo-fencing, etc.) are likewise maintained in different places by different individuals. Without automation or centralized access management, IT cannot factor identity or context attributes into access decisions, and cannot accurately or reliably enforce policies.
A primary security requirement for your organization is therefore a unified repository of clearly defined whitelisting policies. These policies can be owned and controlled by different individuals with appropriate authority across your organization. But you definitely need a single, reliable, and up-to-date place for maintaining your whitelisting policies across all resources, parameters, and user groups.
Question 2: Does our implementation and enforcement of our access policies still depend on manual configuration and/or homegrown scripts?
Policies alone do not a secure enterprise make. You also need a way to implement and enforce those policies in an automated way.
Chances are, however, that your organization still depends on a wide range of disparate mechanisms to give users whitelist-appropriate access to digital resources. These likely include application- and database-specific admin tools and homegrown provisioning scripts.
There are many problems inherent in depending on these fragmented access provisioning mechanisms. From a security perspective, they are simply too unreliable: 1) they are subject to human error, and 2) they are not linked to the underlying policies they were created to enforce, so drift between what the policy says and what is actually provisioned goes unnoticed.
From a business operations perspective, manual and/or scripted mechanisms are also extremely impractical. They slow the digital onboarding of new employees and delay potentially urgent access changes when an employee's responsibilities change. They consume IT staff time that could be better spent on less routine tasks. Worst of all, it is often impossible for anyone other than the original author to modify or update a script. That makes the business — and security ops — far too dependent on a single individual.
If your organization still depends on “script heroes” to ensure the right people get access to the right resources at the right time, you’re in trouble. You need a much more unified, manageable, and automated mechanism for executing your access policies, onboarding employees, and fulfilling your organization’s increasingly stringent audit reporting requirements.
Question 3: When someone leaves our company, are all of their digital privileges immediately, automatically, and entirely revoked?
One of the single most important policy imperatives is the complete revocation of an employee’s or contractor’s digital privileges immediately upon termination. This is important both for security — since lingering privileges can allow a disgruntled ex-employee or former contractor to steal and/or destroy all kinds of valuable data — and for compliance, which typically requires auditable proof that no unauthorized individuals (ex-employees being a prime example) have been allowed access to PII or other sensitive data.
Most organizations don’t have a simple, automated, and reliable means of fully and immediately eliminating all of an individual’s access privileges across every application, database, SharePoint instance, communications service, etc. Some of those privileges can remain in place for days, weeks, or even months after an employee is terminated — leaving the organization exposed to a risk that breach detection and prevention tools are not built to catch, because access through a still-valid account looks legitimate.
This is why in addition to having a unified system for managing access privileges across the enterprise, you also need to appropriately integrate that system with whatever other systems can generate a valid termination event — including your core identity management systems, HR applications, and contractor databases. Only such integration can give you full confidence in the timely and complete revocation of digital privileges.
Question 4: Can we reliably prevent users from accessing the wrong files from the wrong places at the wrong times?
Most organizations can only apply a limited and relatively crude set of parameters to their access controls: User A can be granted read-only privileges for dataset X, User B can be granted administrative rights to application Y, etc.
In the real world, though, your access policy parameters and controls must be much richer and more context-aware. Common examples of this include:
- Geo-fencing. It often makes sense to constrain a user’s access privileges based on location. A doctor, for example, may be allowed wireless access to certain clinical systems data while on-premises at a healthcare facility, but not while off-site.
- Wi-Fi security. There may be times when you want to make your data access rules (including read/write vs. read-only privileges) contingent on whether the user is connected over a trusted private network or an untrusted public one.
- File hashing. A cryptographic hash (SHA-256, for example) identifies a file’s exact contents, so an allowlist of hashes of vetted executables and documents lets users download, open, and run only content that has already been approved; anything altered, even by a single byte, no longer matches. This blocks unapproved executables and droppers of the kind delivered by ransomware and spearphishing campaigns, with the caveat that every legitimate software update produces a new hash that must be enrolled before it will run.
To implement these kinds of rich security controls, you’ll need an access management system that can respond in real time to session context and check content against a hash allowlist. Without those controls, your defense against identity spoofing and content spoofing will be severely limited.
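To make the model described in Questions 1 through 4 concrete, here is an added example in Python (not code from the original article or any product it describes): a single policy table evaluated default-deny, with identity conditions (group membership) and context conditions (location, network type, time window), an identity store whose single "active" flag revokes all access in one place, and a SHA-256 allowlist for content. Every policy name, subject, group, site label and byte string below is constructed for illustration.

```python
"""Default-deny, context-aware access policy evaluation with a hash allowlist.

Added example for illustration; not code from the original article. The policy
schema, attribute names, subjects and sample bytes are all constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Policy:
    """One allow rule. The identity condition (groups) is mandatory; each context
    condition is optional, and None means 'no constraint on that attribute'."""
    name: str
    groups: frozenset                  # subject must belong to at least one
    resource: str
    actions: frozenset                 # e.g. {"read", "write"}
    locations: frozenset | None = None # geo-fence: allowed site labels
    networks: frozenset | None = None  # e.g. {"corporate", "vpn", "public"}
    hours: tuple | None = None         # (start, end) local time window


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str
    location: str
    network: str
    now: time


# Constructed identity store. The single 'active' flag is the revocation switch:
# clearing it denies every request for that subject from the next check onward.
DIRECTORY = {
    "dr.lee": {"groups": frozenset({"clinicians"}), "active": True},
    "j.doe": {"groups": frozenset({"clinicians"}), "active": False},  # terminated
    "acme.temp": {"groups": frozenset({"billing-contractors"}), "active": True},
}

# Constructed central policy repository; every entry is an explicit allow.
POLICIES = (
    Policy("clinicians-ehr-onsite", frozenset({"clinicians"}), "ehr",
           frozenset({"read", "write"}), locations=frozenset({"hospital-campus"}),
           networks=frozenset({"corporate"})),
    Policy("clinicians-ehr-remote-readonly", frozenset({"clinicians"}), "ehr",
           frozenset({"read"}), networks=frozenset({"vpn"})),
    Policy("contractors-billing-business-hours", frozenset({"billing-contractors"}),
           "billing", frozenset({"read"}), networks=frozenset({"corporate"}),
           hours=(time(8, 0), time(18, 0))),
)


def within_hours(window: tuple, now: time) -> bool:
    """True if now falls in [start, end); also handles windows crossing midnight."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def evaluate(req: Request, policies=POLICIES, directory=DIRECTORY) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    subject = directory.get(req.subject)
    if subject is None or not subject["active"]:
        return False, "deny: unknown or deactivated subject"
    for p in policies:
        if p.resource != req.resource or req.action not in p.actions:
            continue
        if not (p.groups & subject["groups"]):
            continue
        if p.locations is not None and req.location not in p.locations:
            continue
        if p.networks is not None and req.network not in p.networks:
            continue
        if p.hours is not None and not within_hours(p.hours, req.now):
            continue
        return True, f"allow: {p.name}"
    return False, "deny: no matching policy (default deny)"


# Constructed content allowlist: SHA-256 of vetted files -> label. Digests are
# enrolled from the approved build or vendor download, never from the file under test.
APPROVED_BYTES = b"constructed stand-in for an approved installer"
ALLOWED_SHA256 = {hashlib.sha256(APPROVED_BYTES).hexdigest(): "approved-tool-1.2"}


def check_content(data: bytes, allowlist=ALLOWED_SHA256) -> tuple:
    """Hash-based allowlisting: only content whose digest is enrolled passes."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in allowlist:
        return True, allowlist[digest]
    return False, "deny: content not on allowlist"
```

Two points a practitioner would check in a real deployment. First, the directory lookup in `evaluate` is where the HR and identity-management integration from Question 3 belongs; the evaluator should fail closed if that lookup is unavailable rather than fall back to cached allows. Second, context attributes are only as trustworthy as their source: a location or network type reported by the client can be spoofed, so geo-fence on evidence the network side can verify (the connecting address range, the VPN tunnel) wherever possible, and treat the hash allowlist as recognising only bytes that were vetted beforehand.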
For questions five through seven, check out 7 Essential Real-World Security Questions to Ask Today (Pt. 2 of 2)