The Need for a New IT Security Architecture:
Global Study on the Risk of Outdated Technologies
As we saw in the first Ponemon security study, seventy-four percent of businesses say a new IT security framework is needed and eighty-three percent say their organization is at risk for security breaches because of the complexity of business and IT operations. But what does a new security framework look like? It’s all about the apps and data. If complexity is the problem, then the answer is to simplify security by shifting IT away from device-level, platform-specific, end-point security. Offer a comprehensive solution for app and data delivery across any device, network, and cloud.
At the same time, future proof enterprises for emerging requirements and challenges (e.g. becoming the borderless enterprise). While the first report primarily dealt in trends in cybercrime, human factor risks, and organizational factor risks, the second deals with risk created by outdated and inefficient IT security technology – due to disruptive technologies, lack of visibility, lack of resources i.e. budget, time, and expert staff.
Emerging and disruptive technologies — love them or hate them — are seeing employee adoption with or without IT approval. And as IT validates and transfers them out of the realm of Shadow IT, it stays in a constant battle against technology sprawl.
Today’s application and data delivery models truly are an archeological dig of platforms and technologies — from mainframe, client-server, PC, Web / SaaS / Cloud, Mobile, and emerging IoT. Unfortunately, the reality is that many times there isn’t enough budget allocated or resources available to update or migrate legacy systems. But security vulnerabilities tend to increase with time and that has led to a proliferation of point security solutions that independently secure applications and tame consumer-grade services like file sharing, cloud apps and services, and personally owned mobile devices.
The result is a challenging and confusing patchwork of identify and access management, network, application and data security products to meet compliance mandates. This is complicated by the lack of interoperability, information sharing, and central management of these nonintegrated point solutions. It’s an inefficient and inadequate approach that quickly becomes outdated. Our survey found that:
- Sixty-nine percent of respondents believe some of their organization’s existing security solutions are outdated and inadequate
- Only forty-five percent say their organization has the right policies and procedures in place to protect information assets and critical infrastructure
- Only thirty-six percent say they effectively reduce the inherent risk of unmanaged data, only thirty-five percent say they effectively reduce the risk of unapproved applications, and only thirty-nine percent say they have the security technologies to adequately protect information assets and IT infrastructure
The report also identifies the challenges and shortcomings that organizations are facing with regard to visibility – into end user activity, detecting emerging attacks, and demonstrating compliance. If the assumption is that only two types of companies exist — those that have been hacked and those that will be — the appropriate approach is to increase capabilities for quick, accurate, and relevant detection. Visibility includes performance — circumventing security controls is easy to rationalize if they interfere with getting work done. Our customers have identified several pain points — some emerging attacks, some not — all mitigated with a comprehensive approach to app and data delivery.
- Mitigate against email and web browser-based attacks
- Protect from insider threat
- Password free access to Windows and SaaS apps
- File sharing security that end users will adopt
- Mitigate DoS and DDoS attacks
- Enable contextual access for all apps
- Protect data on mobile devices
- Secure legacy apps with multifactor authentication
Encrypted, virtualized or containerized delivery of critical apps and desktops also goes a long way towards building a compliant infrastructure – one with a reduced scope of audit. Whether dealing with sensitive data or intellectual property and under multiple compliance standards such as HIPAA, PCI-DSS, FISMA – they all require systematic logging, reporting, and auditing capabilities. According to the results:
- Fifty-three percent say the new IT security architecture should provide a unified view of users across the enterprise
- Forty-eight percent say they want to be able to keep up with new or emerging attacks
- Forty-eight percent say their current security infrastructure does not facilitate compliance and regulatory enforcement with a centralized approach to controlling, monitoring and reporting of data or they are unsure
An additional finding of the report identifies insider risk. Who is an insider? Employees, contractors, vendors – anyone that works with your apps and data. Patchwork security solutions are not effective in addressing insider risk especially when the perimeter is expanding and becoming more porous. The new model starts with identity as the new perimeter. Identity unlocks contextual access providing distinct levels of access for different groups, locations, and endpoints.
But what about user behavior? Technologies with the most promise to revolutionize security are machine learning and big data analytics – combine these with identity and access management and the industry can unlock the power of intelligently discerning end user behavior to distinguish between a malicious action and a mistake. But that takes a unified approach where telemetry, analysis, insights and alerts are streamed and acted upon dynamically – between multiple application and data delivery controllers. What do insiders at the surveyed organizations do? Our survey found that:
- Fifty-nine percent say that their employees and third parties bypass security policies and technologies because they are too complex
- Only thirty-two percent are confident that employees’ devices are not allowing criminals access to their corporate networks and data
- Forty-two percent say their organization’s security policies hinder employees’ productivity
Disruptive technologies will not go away. In fact, the pace will only continue to accelerate. We continue to take the traditional approach and bail water or adopt a unified identity-based approach to app and data delivery that allows organizations to Secure the Future of Work.
To see more of our results, visit our landing page. Stay tuned for more survey results at RSA 2017 and don’t forget to stop by our booth in the North Hall, No. N3534!