Enterprise Security Stretches Across an Expanded Attack Surface
By Chuck Fishman, Media Entertainment and Publishing Director, Acquia
The rapid spread of mobile and Internet of Things (IoT) technologies is bringing untold productivity and efficiency benefits to the enterprise. Yet every advance brings organizations fresh security challenges. In a large enterprise, the combination of mobile, IoT and cloud represents a hazardous cocktail of risks that substantially expands the attack surface. Meanwhile, regulatory authorities are stepping up the pressure to ensure companies take every step possible to maintain complete privacy and sovereign control over their data. If the advances of the last ten years stretched the network perimeter, the current wave of technology is tearing it to shreds.
In recent years mobile devices have become more and more ubiquitous. It has become commonplace for individuals to use their smartphones and tablets as “all-in-one” computers to conduct business as well as for personal purposes. According to research by Gartner Group, 70 percent of mobile professionals will conduct their work on personal smart devices by 2018. Mobile is just as important to the enterprise. In a study by Cisco, 87 percent of enterprises agreed that mobility was a strategic imperative for success.
Today a significant amount of personal and professional data is stored on mobile devices. Companies and employees are well aware of the risks. A recent study reveals that almost a third of employees (31 percent) thought they were a bigger threat to security than hackers (30 percent). And Cisco has revealed that almost half (47 percent) of enterprises named security as their top obstacle to a mobility strategy, while 74 percent of respondents in an IDG survey reported their organisations had experienced a data breach as a result of a mobile security issue. A further 44 percent had experienced mobile malware infections.
Internet of Vulnerable Things
It’s a similar story with IoT. According to Gartner, the IoT market will top $309 billion in direct revenue by 2020, with most of that money stemming from enterprise services.
New internet-enabled devices are entering the market almost every day. Many of them have weak security controls, opening up new ways of accessing data. The vast majority are not designed with threat detection in mind. Some of the threats IoT devices can bring to the enterprise include Domain Name System (DNS) attacks; network access by wearables; exposed APIs; permissions left open; networks receiving more data than they can manage; and legal issues over how and where IoT data should be stored.
Privacy under Pressure
The recent standoff between Apple and the FBI over whether or not Apple should create software to unlock an iPhone brought the issue of mobile data privacy to the forefront of worldwide media attention. Facebook, Google and Snapchat, all prominent players in mobile data, have all since stepped up their investment in encryption technology.
Encryption of mobile messaging data is just the start of the enterprise privacy discussion. Similar privacy debates exist for data in IoT and in the cloud. Major vulnerabilities have been found in IoT devices that leave their data wide open to interception. Last December an attack on the industrial control systems (ICS) of Ukrainian energy companies caused power outages for around 225,000 customers. Flaws have also been found in CCTV and cloud-based video systems that could allow hackers to exploit and tunnel their way into enterprise systems.
Data stored in the cloud is arguably the subject of the biggest privacy challenge of all. According to a report by Intel Security, only 13 percent of decision makers from around the world completely trust public cloud providers to secure sensitive data. Many organisations simply don't know where their data is, and cloud is part of that problem. A key question, for example, is this: if the IT department doesn't know what data it has even on its own premises, how can it hope to control and secure that data when it is in the cloud?
The issue of privacy is a long way from being resolved. Such problems are visible in the protracted efforts of those working on international regulatory agreements such as Privacy Shield to determine how and where cloud data should be stored. In the meantime, companies are being advised, as part of their due diligence, to ask searching questions of cloud service providers. For instance: How much protection does our sensitive information have? What will happen if this data is compromised? Who is accountable?
Control Data Access, Control Privacy
What companies need are secure access tools equipped with comprehensive authentication and data encryption technology to support multiple device types and platforms. One of the most proven, secure ways to protect access is via location-to-location VPNs. To meet the diverse connectivity challenges of the modern enterprise, VPNs need to be flexible for use in different environments and capable of centralized management by administrators. Some cloud service providers offer VPN as a Service (VPNaaS), making it even easier to manage remote connections without compromising security.
It is clear that organizations cannot rely on employees, IoT devices or cloud providers alone to secure their communications or keep sensitive data private. To ensure privacy and meet compliance standards, valuable data traffic should never be in open or clear text. All access points should be encrypted via a VPN prior to upload, in transmission and while at rest. This proven, established technology is one important security constant for an enterprise attack surface that is being continually stretched to its limits.