
Post 1 – Cloud Security

As my organization, and many others, continue to utilize cloud services, I've often wondered what tests are run in order to make sure the service meets the security standards set in place by the organization. Recently my organization switched our human resource system to the popular Workday product. This gives many staff within my organization the ability to access the information they need to do their job from anywhere, but with this freedom comes security concerns. For example, the age-old concern: what if someone logs into this resource from the free wireless at their local coffee shop and someone else on the wireless is running a packet analyzer?

Being able to secure a free wireless hotspot is obviously outside the scope of cloud service providers, but they still have the responsibility to ensure secure use of their services.  Gartner identifies three top cloud security challenges: protecting information in multitenant environments, virtualization and private cloud security, and SaaS visibility and control.   Anyone who decides to use the cloud will need to dedicate attention and resources to these three areas.

While historically cloud provider security failure has not been an area of significant customer impact, assessing Cloud Security Provider (CSP) security has been a frustrating and time-consuming process. There remains a lack of consistent CSP transparency, compliance ambiguity, and immature, unscalable risk assessment processes. The burden falls on the organizations to defend their use of these services, over which they have little control, as cloud providers often offer their services on a 'take it or leave it' basis.

However, with cloud markets being cutthroat in nature, CSP security shouldn't be considered a major inhibitor to utilizing the cloud. Most cloud providers will do a better job securing their data centers than many enterprises do, because a security breach could result in the loss of their business entirely. Many cloud providers have taken to automation to reduce their security vulnerabilities. This automation is difficult for enterprises to pull off because it would require the enterprise to have a fully software-defined, programmatic infrastructure, which most simply don't have. Having realized this, many enterprises have adopted IaaS into their organization.

With SaaS, Gartner reports areas of discrepancy between the providers and the users. There is a lack of agreement on the corporate role for SaaS governance. This lack of control will inevitably lead to security and compliance failures. While Gartner sees more cloud users implementing policies and guidelines for SaaS assessments, they still suggest more planning for SaaS governance, and that IT roles and teaming arrangements be made so that there is a single point of service for all things SaaS. These teams should begin utilizing tools such as identity governance and administration (IGA) and CASBs. These third-party products provide a central and efficient way to manage policy, privileges, and activity of the SaaS applications and should be an important component for all security teams.

References:
Heiser, J. 2017. Cloud Security Primer for 2017. Gartner.

 

Post 2 – What is IGA

With the increasing use of cloud technologies in many enterprises today, it has become important for enterprises to have a central and efficient way to manage policy, privileges, and activities of the SaaS applications they're utilizing. Identity Governance and Administration tools provide that service to the enterprise. Looking at Gartner's definition of IGA tools, we can begin to understand how these tools help establish control over identity life cycles, access requests, account provisioning, and access governance.

IGA consolidates the functions of user administration and provisioning (UAP) and identity and access governance (IAG).  The core functions of IGA include:

  • Identity lifecycle management – Maintaining digital identities and their relationships with the organization and their attributes
  • Entitlement management – Maintaining the link between identities and access rights
  • Access requests – Enabling users to request access rights through a friendly user interface
  • Workflow orchestration – Tasks that enable functions for access approvals, notifications, escalations, and integration with business processes
  • Access certification – Ensuring managers and resource owners certify access rights of users
  • Fulfillment via automated connectors and service tickets – Propagating changes initiated by the IGA tool
  • Reporting and analytics – These include: role mining, evaluating quality of service, usage patterns, and adherence to service-level agreements.

Ancillary functions include:

  • Role and policy management – Maintaining rules that govern automatic assignment and removal of access rights
  • Password management – Enabling self-service password resets and policy enforcement
  • Auditing – Evaluating rules and controls against the current state of identities and access rights.

IGA is not, however, a metadirectory (a tool that synchronizes user and account repositories), nor is it a virtual directory (a directory that provides data about users, devices, groups, and tools from multiple data repositories).

In addition to using IGA, many organizations would find tools like segregation of duties (SOD) control monitoring and file-centric audit and protection (FCAP) tools useful. SOD tools help detect and remediate conflicting entitlements within transactional systems. They provide features for risk analysis, emergency access management, compliance provisioning, role management, and access certification. FCAP tools provide the ability to discover, administer, and monitor access to unstructured data stores. Increasingly, IGA and FCAP tools are being sold as one.
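As an added illustration (not from Gartner or any IGA product) of how the role/policy management, auditing, SOD detection and fulfillment functions described above fit together, the following Python evaluates constructed identity and entitlement data against role policies and SOD rules; the attribute names, entitlement names and rules are all assumptions made up for the example.

```python
# Constructed sample data: identities with attributes, the entitlements each
# currently holds, and the policy rules an IGA tool would evaluate.
IDENTITIES = {
    "alice": {"dept": "finance", "title": "ap_clerk"},
    "bob": {"dept": "finance", "title": "ap_manager"},
    "carol": {"dept": "engineering", "title": "developer"},
}
CURRENT_ENTITLEMENTS = {
    "alice": {"erp.create_vendor", "erp.approve_payment"},
    "bob": {"erp.approve_payment", "erp.view_reports"},
    "carol": {"git.push", "erp.create_vendor"},
}
# Role/policy rules: attribute match -> entitlements that should be granted.
ROLE_POLICIES = [
    ({"dept": "finance"}, {"erp.view_reports"}),
    ({"dept": "finance", "title": "ap_clerk"}, {"erp.create_vendor"}),
    ({"dept": "finance", "title": "ap_manager"}, {"erp.approve_payment"}),
    ({"dept": "engineering"}, {"git.push"}),
]
# SOD rules: entitlement pairs a single identity must never hold together.
SOD_RULES = [("erp.create_vendor", "erp.approve_payment")]


def desired_entitlements(attrs):
    """Role and policy management: derive entitlements from identity attributes."""
    wanted = set()
    for match, grants in ROLE_POLICIES:
        if all(attrs.get(k) == v for k, v in match.items()):
            wanted |= grants
    return wanted


def audit(identities=IDENTITIES, current=CURRENT_ENTITLEMENTS):
    """Auditing: compare policy-derived access with held access; flag SOD conflicts."""
    findings = {}
    for user, attrs in identities.items():
        held = current.get(user, set())
        wanted = desired_entitlements(attrs)
        findings[user] = {
            "excess": sorted(held - wanted),    # held, but not justified by policy
            "missing": sorted(wanted - held),   # granted by policy, not yet fulfilled
            "sod_conflicts": [p for p in SOD_RULES if set(p) <= held],
        }
    return findings


def remediation_plan(findings):
    """Fulfillment: turn findings into grant/revoke actions a connector would apply."""
    actions = []
    for user, f in findings.items():
        actions += [("revoke", user, e) for e in f["excess"]]
        actions += [("grant", user, e) for e in f["missing"]]
    return actions
```

Here alice's combination of vendor creation and payment approval is the SOD conflict an access certification would surface, while the excess and missing lists are what the automated connectors would revoke and grant.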

References:
Gaehtgens, F., Iverson, B. (2016). Definition: Identity Governance and Administration. Gartner.

 

Post 3 – Communicating Security

It's no secret that business leaders and IT leaders don't often see eye-to-eye in the realm of IT Security. IT Security is usually the team of naysayers, while business leaders seldom have an understanding of the risks associated with the direction laid out for the organization. Being able to communicate security and risk to business stakeholders is a skill that all IT professionals should be well-versed in. Not being skilled in this area often keeps security professionals from having a seat at the strategic planning and executive table.

Poor communication results in inefficiencies and failures, which, in turn, diminish the perceived value of the enterprise's security and risk management initiatives. Struggling to translate risk into business language is one of the major reasons security and risk management programs fail. Professionals in the security and risk management field need to communicate from a nontechnical perspective. They need to study business writing and communication and gain an understanding of how the enterprise and specific business units work.

Gartner identifies six elements that should be part of any effective business communication plan, which includes security and risk communication.

Structure:  Every communication piece should be structured with an introduction (short high-level summary of the problem and the resolution), the argument (main details of the message), and the conclusion (reiterate the message and next steps).

Clarity:  Be very clear about the message.  Aim for one topic per message.

Consistency:  Consistency is key.  Mixed messages and inconsistency lead to distrust in the security team.

Medium:  Match the medium to the audience, time frame, culture, and venue.  Be cognizant of who your target audience is when preparing your message.

Relevancy:  Don’t talk technical details to people who have no interest in technical details.  Make sure the core message is interesting to the people you’re communicating to.

Primacy/Recency:  Have a strong opening and a strong closing; people only remember the first and last things told to them.

The issue of IT security isn’t going away anytime soon.  Having a team of risk and security professionals who can communicate to senior leaders will ensure your risk solutions get implemented and will be effective.

References:
Wheatman, J. (2017). Top Tips for Communicating Security and Risk to Business Stakeholders. Gartner.