From: SC Magazine
 
Matt Ulery, director, product manager, NetIQ
 
As an information security professional, there are two security issues that I continually hear about when talking to IT organizations today: protecting against malware and advanced persistent threats (APTs), and securing data in virtual and cloud environments.
 
Advanced persistent threats

Hackers and computer criminals have shown an ongoing ability to stay one step ahead of the security professional. This is occurring in large part because security is often not treated as a sustained effort, and too many organizations take a check-box approach to implementing security or meeting compliance objectives. 

As a result, long-term coordinated attacks can often exploit inadequate defenses over a period of time. In many cases, these attacks are well disguised and designed to undermine typical security controls deployed within many organizations. Often these attackers are well-funded, financially motivated and in some cases nationally sponsored (by China, in particular).

These entities have changed the game by leveraging new types of attacks that traditional systems can’t easily detect. With APT, we require a fundamental change in mindset by IT professionals to a state of sustained vigilance. There are no “quick fixes” for APTs and no single product is a cure-all.

Organizations need skills and tools to find patterns, correlate activities across applications and infrastructure, and conduct forensic analysis to find the clues that you may be compromised or that you are about to be compromised. They need to be able to do this in real time, and most organizations do not have the visibility, solutions or skill sets to best protect themselves against these kinds of sophisticated attackers. The information needed to detect attacks exists within the enterprise regardless of whether the attack is by an external party or an insider. Organizations that are not proactively collecting and analyzing this information lack the visibility needed to detect and respond to threats.

Virtual and cloud computing  

Securing data, both personal and corporate, within virtual and cloud environments without the ability to implement and monitor controls presents a significant challenge for IT security personnel. As virtualization and cloud technologies continue to expand – due largely to the need to lower costs in IT – this trend has required us to grow, and in some cases, change our approach to security monitoring.

Not all virtual and cloud environments offer customers the ability to implement and manage effective security controls, and this can pose tremendous risk, particularly as many service providers do not guarantee the security of data stored within their environment, and the owner of the data generally retains liability if a breach does occur.

Organizations must understand that outsourcing IT does not transfer responsibility for data or liability associated with its security. Companies can mitigate the risks somewhat here through carefully structured contracts with clear SLAs, but that is not a failsafe by any means.

It may be difficult to implement parallel security controls so that confidential data accessed on the network is treated in the same fashion outside of your organization. End-users cannot be expected to know the location of an application or how to avoid placing sensitive data in a virtual or outsourced repository that may not have adequate controls in place. So, while there is no question about the ease and convenience of virtualization, these services may prevent IT from applying needed security controls, allow end-users to unintentionally expose confidential personal and corporate data, and ultimately put the business at risk of liability.

IT cannot stop this trend of business users contracting discreet services to support their objectives. IT needs to enforce protection at the data level, regardless of where it is located. Whether this is infrastructure or platform as a service and the organization maintains control of the systems, this can be addressed as an extension to current enterprise monitoring. Where the organization gives up control of the infrastructure for the benefits of SaaS, the risks must be addressed through a carefully structured contractual agreement, which includes terms for auditing and reporting. Without such protection, the organization is exposed as employees move critical information to cloud services.

Considerations for any security program

As new threats and deployment models increasingly impact organizations’ security strategies, it is important to formulate a security model that accounts for these changes.

Ultimately we need to change our view of “trusted” users and focus on the behavior rather than the user. For that reason, a “zero trust” model is the most appropriate approach if organizations are to fully protect data and systems. In this context, no user is blindly trusted. Activity must be continuously monitored and identity continuously verified. The approach of controlling rights through an overall identity/role lifecycle, and the monitoring of those rights through continuous monitoring will ultimately help better ensure that corporate data is protected against new threats that routinely impact organizations worldwide.