BreachExchange mailing list archives

Traditional security models becoming exhausted


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Nov 2013 22:02:43 -0700

http://www.net-security.org/secworld.php?id=15835

The Nexus of Forces is transforming the approach towards information
security as new requirements are brought about by social, mobile, cloud and
information. Gartner predicts that traditional security models will be
strained to the point that, by 2020, 60 percent of enterprise information
security budgets will be allocated for rapid detection and response
approaches, up from less than 10 percent in 2013.

An increasingly mobile workforce is demanding access to systems and
information at any time from anywhere. In this interconnected and
virtualized world, security policies tied to physical attributes and
devices are becoming redundant, and businesses must learn to accommodate new
demands being made on IT while also maintaining more traditional security
controls.

“We are faced with a ‘perfect storm’ - the convergence of socialization,
consumerization, virtualization and cloudification that will force radical
changes in information security infrastructure over the next decade,” said
Tom Scholtz, vice president and Gartner fellow. “Organizations are changing
radically - tearing down and redefining traditional boundaries via
collaboration, outsourcing and the adoption of cloud-based services - and
information security must change with them.”

Mr. Scholtz said that rapidly changing business and threat environments, as
well as user demands, are stressing static security policy enforcement
models. Information security infrastructure must become adaptive by
incorporating additional context at the point when a security decision is
made, and there are already signs of this transformation. Application,
identity and content awareness are all part of the same underlying shift to
incorporate more context to enable faster and more-accurate assessments of
whether a given action should be allowed or denied.

BYOD is one of the most significant IT transformations happening today. It
is driven by an intense desire among employees to use personally-owned
devices. IT organizations have realized that they can potentially benefit
from the model as well. The transition to enable BYOD takes an organization
through four phases.

The first phase includes IT's rejection of personally-owned devices. This
becomes an untenable solution, leading the organization to move to the
second BYOD phase, accommodation. At this second stage, organizations
recognize that end users want to use personally-owned devices, and IT must
accommodate that demand by implementing compensating controls. Data
protection is the organization's primary concern.

The third phase is 'adopt'. In many organizations, mobility represents an
opportunity to improve externally-facing customer services, internal
business processes, productivity, and employee satisfaction. This means
that IT organizations must focus on issues beyond security in support of
personally-owned devices. In this phase, the enterprise focus shifts to
productivity and employee satisfaction and from a reactive to a proactive
approach. The fourth phase is assimilate, which represents the realization
of the personal cloud. Integrating the user experience (application and
data accessibility) is a key focus at this phase. Here, BYOD is fully
adopted, and the focus of the enterprise is to optimize, operate, and
evolve the strategy.

Different types of organizations are likely to take advantage of different
forms of externally provisioned cloud services. Highly sophisticated
organizations, with large amounts of data that would be of interest to
either competitors or regulators, are naturally hesitant to hand over
control of their data's destiny to external parties. Smaller and less
sophisticated organizations not only have fewer concerns about being able
to demonstrate their data protection, but they also have less ability to
build and maintain their own IT infrastructure.

In practice, SMBs are more likely to entrust large amounts of the
organization’s own data, and processing, to cloud-based services. Other
than storage (and PC backup is an especially appealing form of service),
these types of customers have relatively little ability to create their own
applications, or even manage their own servers, so they are most likely to
take advantage of software as a service (SaaS) applications.

In contrast, large and sophisticated organizations are looking for
inexpensive and convenient environments in which to deploy virtual
machines. Having greater needs for data governance and a relatively greater
ability to take advantage of it, enterprise customers are most likely to
gravitate toward infrastructure as a service (IaaS) first. However, the
business units within an enterprise may well have the characteristics of
SMBs, so most enterprise-class organizations do have many pockets of SaaS
use.

“The megatrends of consumerization, mobility, social, and cloud computing
are radically transforming the relationship between IT, the business, and
individual users. Organizations are recognizing and responding to the need
to move from control-centric security to people-centric security,” said Mr.
Scholtz. “People-centric security focuses primarily on the behavior of
internal staff - it does not imply that traditional ‘keep the bad guys out’
controls have become redundant. Indeed, many of these will be essential for
the foreseeable future. However, people-centric security does prescribe a
major change of emphasis in the design and implementation of controls -
always trying to minimize preventative controls in favor of a more
human-centric balance of policies, controls, rights and responsibilities.
It tries to maximize human potential by increasing trust and independent
decision making.”