For questions one through four, check out 7 Essential Real-World Security Questions to Ask Today (Pt. 1 of 2)
Question 5: Do we have a consistent process for adding new applications (including cloud/SaaS) to our whitelist as demanded by the business — and applying the appropriate policies to them?
Your business isn’t static. In fact, most companies are adding new cloud/SaaS services at a faster pace than ever. Many of these new services are being activated directly by lines of business, without much involvement from IT. At one time, this was referred to as “shadow IT.” But it’s not just a shadow anymore. It’s central to how organizations leverage software and analytic innovation in the cloud.
If you can’t quickly secure these new applications and services, several unacceptable outcomes can result. People may be unable to use new resources in a timely manner because they’re blocked by your whitelisting system. Or new resources may get whitelisted too hastily — without being properly secured by policies such as geo-fencing and Wi-Fi restrictions. Worse yet, people may just come up with work-arounds to avoid your security mechanisms altogether. None of these outcomes are acceptable.
To avoid these outcomes, you need a fast, reliable, and consistent process for adding new cloud resources (as well as new conventionally developed applications) to your whitelisting repository/automation engine. Without such a process, your security won’t be able to keep up with your business — which means you’ll either compromise the former or impede the latter
Question 6: Have we met the needs of the business for consumerization/self-service and LOB delegation?
The Millennial workforce is increasingly expecting IT to provide consumerized self-service similar to what they experience in their personal use of technology. These self-service capabilities include browsing available digital services in an AppStore-like interface, activating any of those services for which they are authorized, performing automatic password resets, etc.
Self-service is a win-win for IT and the business. The business wins because self-service take delay out of everyday requests for digital services. IT wins because it frees staff with limited time from a variety of routine tasks. Self-service can also include the delegation of certain administrative tasks to line-of-business managers — such as the authorizing access privileges or adding software licenses.
The best way to provide self-service and delegation to the business is by extending your security whitelist automation engine to non-IT users with the appropriate policy-based controls. This approach allows you to ensure that no one outside of your cybersecurity team can violate your policies — even as you empower them to quickly perform routine tasks without IT’s intervention.
Question 7: Are we ready to handle an audit — really?
You can perfectly restrict every user to the exact set of safe digital resources to which they’re entitled. You instantly add every new cloud-based service your business ever wants into your super-streamlined and logically precise policy automation engine. You can even give your users all the self-service features they ever wanted and more.
None of it really matters if you can’t credibly prove any of it to an auditor.
That’s why you need a unified, rules-based access whitelisting automation engine that’s fully self-documenting. Scripts won’t do that for you. Neither will an amalgamation of disparate platform- and application-specific access controls. Only a centralized permissions control “brain” can both secure your environment and enable you to quickly and easily provide auditors will credible evidence that you’ve exercised full diligence in ensuring that no one gets access to the wrong thing at the wrong time under the wrong conditions.
Your answers to the above questions may not always be a simple “yes” or “no.” Some of them will be “kinda” or “not totally.” That’s to be expected. Security is challenging. So are IT automation and audit preparedness.
But whatever the current state of your security operations, you can promptly and confidently move closer to your ideal target state with a more automated approach to policy-based access control. By leveraging a single, robust access provisioning mechanism across all your digital resources — from your most complex core business applications to your most recently adopted cloud service — you can make your organization vastly more secure, while also enhancing productivity and reducing your own team’s daily workload.