Securing Increasingly Decentralized Corporate Environments in 2021: Changes and Challenges for Access Management
By: Juhi Fadia
Originally published in InfoTech Spotlight
It is understandable that many IT leaders are solid fans of the centralized approach to cybersecurity, arguing that it allows companies to better assess and manage their risks by being able to control every application, device, and access privilege on a per-user basis.
Especially for organizations that handle a massive amount of sensitive information (consumer data, health data, credit cards, social security numbers, payments, cash management, and more), alignment across business units is important, and centralized models have been the best option.
Using “command and control” thinking, the IT team can direct and manage all security matters within a central governance body, where all business units would be forced to abide by the same policy set. Fans of centralized IT and security (by extension) also argue that centralized governance is far more efficient, as resources can be leveraged across the enterprise, limiting duplication, and controlling cost.
A growing number of proponents of decentralization argue, however, that highly centralized solutions are more fragile, as an attack can reverberate more broadly. A virtue of decentralized cybersecurity, some experts say, is that it increases the number of points of failure. This sounds counter-intuitive, but it means that in such an environment an attacker is forced to compromise more components and functions in order to penetrate a system.
Michael Fritzlo, Executive Chairman of Ironsphere, makes the case for the “best of both worlds,” where IT and security can co-exist, empowering business units to choose and use their applications, while also protecting the most critical infrastructure, devices, data, applications, and information in a centralized fashion, as appropriate.
“CIOs and CISOs today are embracing a hybrid cybersecurity model, which makes sense given the natural decentralized nature of the cloud and as-a-service cloud-based applications,” Fritzlo said. “The choice between a centralized and decentralized approach to cybersecurity isn’t binary, and we are seeing with our customers in government agencies, large financial institutions, communications service providers, and other industries that it only makes sense to get the mix right for optimizing productivity and profitability, but with proper governance.”
Michael Fritzlo said that the transformation to a hybrid centralized/decentralized environment starts with a hard look at the business and the security threats it faces, an analysis of regulatory requirements and auditing practices, and a review of the business applications in question. For example, a team that does not work with highly confidential or sensitive information may be able to subscribe to collaboration services like Slack, without the IT team requiring extreme oversight into what is happening on that platform.
On the other hand, teams that work continuously with records that include social security numbers, payment information, private health information, and other sensitive and valuable content need a more sophisticated and centralized approach including Privileged Access Management – fully monitored and managed.
“The advantages of the decentralized IT model are clear,” Fritzlo said. “The main advantage is speed and flexibility. If a user in sales operations needs a new app to support a new sales opportunity, the user can get permission from their local manager and can purchase and configure the cloud-based app in minutes and start working. Not much of a risk there, right? The challenge comes when this is multiplied by tens of thousands of users, without a clear policy in place, which is why IT leaders are moving to a hybrid approach and applying modern cloud-ready access management software to observe and control risk in the background.”
Fritzlo explained that quality security is a “team sport” in organizations. “Everybody has a role to play in supporting adequate IT security, so it is always important to set policies, communicate those policies, explain why those policies are important, and provide tools to make it easy and safe for users to take advantage of as-a-service applications. With the rapid growth of work-from-home scenarios, communications and cybersecurity solutions for decentralized workforces have become even more important.”
Automation, including access managers, is evolving to support multi-cloud, multi-application, multi-regional organizations, addressing a “moving target” when it comes to securing the perimeter at the edge and sessions from edge to cloud. “There is simply no way to secure the amount of computing and collaboration underway in enterprises manually,” Michael Fritzlo said. “With technologies like session management, single sign-on (SSO) interfaces, adoption of two-factor and multi-factor authentication, keystroke recording, and real-time analytical monitoring of activities, it is possible to give employees, contractors, and partners the productivity tools they need, without leaving infrastructure and assets at risk.”
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships, and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step after entering a username and password, for example entering a one-time security code sent to a mobile device – before access is granted to applications, systems and data.