Workplace security: you can’t fight today’s threats with yesterday’s architecture
This is a guest blog post by Kurt Roemer, Chief Security Strategist at Citrix.
Only a third of enterprise organizations say they are highly effective at reducing the risk from unapproved apps and devices, according to a Citrix-sponsored report by the Ponemon Institute.
In a world that will contain 20.4 billion connected ‘things’ by 2020, this is clearly not sustainable. Third-party apps will enter your network at an increasing rate, and you have to be prepared.
Gartner says 42% of CEOs have already begun the process of digital transformation, reaping benefits such as increased productivity and employee empowerment.
But it’s clear many have yet to solve the corresponding security puzzles.
In this article I’m going to explore the key findings from the Citrix report and help shed some light on some of the most important workplace security challenges facing business leaders today.
The rise of ‘zero-trust’ networking
Many organizations are still working under the old enterprise security model, from a time when they owned every device and every network that powered their business.
But if a contractor or employee plugs their own device into that network without all those enterprise security controls being applied, it can compromise wider security. It’s a huge risk.
Some organizations have moved away from that old model, however, and into what’s called ‘zero-trust’ networking.
As the name suggests, zero-trust networking means every device and connection that wants to enter your network is assumed to be untrusted. Sufficient trust must be proven before particular resources can be accessed.
This approach means you don’t have to worry so much about unknown devices and connections coming into your organization. Where the old model meant every device within the four walls of your network had to be trusted by default, now you can reduce risk by creating this zero-trust environment.
And it doesn’t have to be as simple as saying a device is trusted or untrusted. Using endpoint analysis, you can actually determine which specific resources a device should be able to access based on its capabilities and unique situation.
Policy can dictate that sensitive data can only be accessed virtually, for example, meaning the user can view and interact with a snapshot of that information but never gain direct access to or download sensitive data.
The concept of ‘trust’ evolves from only allowing trusted corporate devices on the network to dynamically answering the access question: ‘what can this device be trusted to access in this situation?’
Switching to this way of dealing with devices and connections means you’ll be much better prepared when people do choose to use unapproved apps and devices.
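To make the contrast concrete, here is an added example (not from the Citrix report or any Citrix product) that puts the old perimeter decision beside a zero-trust decision driven by endpoint analysis. The posture fields, access levels and sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    DENY = "deny"
    VIRTUAL_ONLY = "virtual-only"  # view and interact remotely, no download
    DIRECT = "direct"

class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2

@dataclass(frozen=True)
class Posture:
    """Endpoint-analysis signals; field names are assumptions."""
    user_authenticated: bool
    managed: bool            # enrolled in corporate device management
    disk_encrypted: bool
    os_patched: bool
    on_corp_network: bool

def perimeter_decide(p: Posture, s: Sensitivity) -> Access:
    # Old model: anything inside the network is trusted by default.
    return Access.DIRECT if p.on_corp_network else Access.DENY

def zero_trust_decide(p: Posture, s: Sensitivity) -> Access:
    # Network location is never consulted; trust is proven per request.
    if not p.user_authenticated:
        return Access.DENY
    if s is Sensitivity.PUBLIC:
        return Access.DIRECT
    healthy = p.disk_encrypted and p.os_patched
    if s is Sensitivity.SENSITIVE:
        # Sensitive data is only reached virtually, and only from a healthy device.
        return Access.VIRTUAL_ONLY if healthy else Access.DENY
    # INTERNAL: direct for managed, healthy devices; virtual-only otherwise.
    return Access.DIRECT if (p.managed and healthy) else Access.VIRTUAL_ONLY

# Constructed sample devices.
CONTRACTOR_LAPTOP = Posture(True, False, False, True, on_corp_network=True)
CORPORATE_LAPTOP = Posture(True, True, True, True, on_corp_network=False)

if __name__ == "__main__":
    for name, dev in [("contractor", CONTRACTOR_LAPTOP), ("corporate", CORPORATE_LAPTOP)]:
        for s in Sensitivity:
            print(name, s.name, perimeter_decide(dev, s).value, zero_trust_decide(dev, s).value)
```

The unmanaged, unencrypted contractor laptop plugged into the office network gets direct access to everything under the perimeter model, while the zero-trust decision limits it to public resources directly and internal resources virtually.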
Overcoming concerns about GDPR
The EU’s General Data Protection Regulation (GDPR) was the top concern for those surveyed in our report – 74% say they are concerned about the negative impact it will have on their future business.
It’s easy to see why people are worried. In the past, compliance did not necessarily equate to security. It was a baseline – a low bar. And often the financial penalties for noncompliance were lower than the cost of being compliant in the first place.
For many, it made perfect business sense not to bother.
With GDPR, however, the fines are substantially higher. 4% of global turnover is an incredible amount of money.
This isn’t optional anymore. We finally have data regulation with real teeth, and anyone doing business with EU citizens will need to comply.
So how can you overcome the fear of GDPR and ensure you’re best placed not to fall foul of it?
First, I’d advise anyone not familiar with the regulation to go out and do your research. Involve anyone in your business who has a stake in risk reduction. Assess what data protection and privacy controls you already have and look for any gaps in relation to the new law.
Most importantly, however, define exactly what a breach would look like.
View a breach of privacy not only in terms of the technical impact on the business but also the potential damage to customer relations and the size of the resulting fine. When seen through this lens, stakeholders should see clearly where investments are required to protect privacy.
For some companies, it will be easier to move non-GDPR-friendly services into a brand new security framework, possibly even cloud-based, rather than going through the complex process of patching existing legacy systems.
In light of that, GDPR actually provides a positive opportunity to re-evaluate your security infrastructure and rebuild it in a way fit for 2018 and beyond.
Keeping millennials happy (and secure)
I’m sure millennials are tired of being blamed for the ills of the world by now, but respondents in our research believe they are the riskiest age group when it comes to sensitive and confidential data in the workplace.
- 55% said 18-34-year-olds pose the greatest threat
- 25% said 35-50-year-olds (Generation X)
- 20% said 51-69-year-olds (Baby Boomers)
The top reason given was simple: millennials are the most likely to use unapproved apps and devices in the workplace.
Of course this is a worry for companies, particularly when you take into account the expansion of millennials in the workforce.
But you have to understand the difference in approach between each generation. Younger workers expect to have tons of resources at their fingertips, accessing them whenever and wherever they need to.
They see the internet as an opportunity to communicate better and ultimately save time, but in doing so they may not be considering all the risks in sharing information.
Case in point: I’ve seen programmers posting questions online about specific sections of code they’re struggling with. But without realizing it they’ve actually exposed sensitive source code to people outside their organization.
To them they’re simply taking the initiative to get the job done quickly, but to their employer they’re giving away sensitive business logic that’s embedded within that code – effectively handing out intellectual property for free.
But you shouldn’t look at this report and direct your frustration at millennials for engaging in compromising collaboration. Instead, consider why they feel the need to do it and how you can make it less tempting.
Ultimately your IT experience should be as good as – if not better than – the one your employees have as consumers.
If it isn’t, you need to work out how to reconfigure things until people of all generations can be as productive as they need to be – without the need to resort to unapproved IT.
Those are the main concerns and challenges highlighted by the report – hopefully I’ve given you some food for thought in terms of how to overcome them.
But it’s important to ensure any changes you make to your security infrastructure aren’t simply solving the problems of today. That new infrastructure needs to have the ability to adapt to an as-yet-unknown future.
As I mentioned above, this is a massive opportunity to rethink the way you approach cybersecurity and build a better, stronger and more sustainable foundation for your business.
Read the full report for lots more insight on the state of enterprise cybersecurity
As Chief Security Strategist for Citrix, Kurt Roemer leads security, compliance, risk and privacy strategies for Citrix products. As a member of the Citrix CTO and Strategy Office, Roemer drives ideation, innovation and technical direction for products and solutions that advance business productivity while ensuring information governance.
An information services veteran with more than 30 years’ experience, his credentials include the Certified Information Systems Security Professional (CISSP) designation. He also served as Commissioner for the US public-sector CLOUD2 initiative and led efforts to develop the PCI Security Standards Council Virtualization Guidance Information Supplement while serving on the Board of Advisors.