From the 1980s computing bureaus to the modern cloud, the IT industry has swung like a pendulum between centralised and distributed architectures. This era is now a hybrid phase where organisations mix and match architectures to suit the task at hand. However, for all of the benefits of hybrid IT, the complexity of managing security has increased. For larger organisations, and especially ones that work across multiple geographic and legal jurisdictions, the requirement to both secure systems and meet local compliance requirements is a major challenge. The ability to define policy is one thing, but enforcing it across disparate systems, countries and cultural differences is a headache. This article looks at how technology and process can be adapted to make security functions more centralised and easier to manage. The goal: having policy set in central headquarters and successfully enacted, through automation and enforcement tools, out to the edge.
The complexity of multinational security
Companies with offices throughout the world have complex security issues. Normal expectations of employees to be able to access data from any device, anywhere, and at any time, are taken to the extreme with multinationals. Employees need to connect to the corporate network from a hugely diverse range of devices from almost anywhere in the world, at any time. Controlling this access is paramount to protecting the multinational's security. And of course, data privacy legislation and compliance regulations will differ from region to region. For example, with BYOD, a multinational company needs to be certain as to what extent it can legally access data on its employees' devices.
Cloud, compliance and centralisation
Most companies are embracing the cloud in some way and multinationals are no different. With many of their employees already using applications based in the cloud and, as is often the case with multinationals, company mergers and acquisitions, there will be more legacy systems throughout the globe to contend with. As they embrace the cloud, they will inevitably move towards hybrid IT. Once they do, industry compliance is a top consideration. They need to manage what and who is accessing the network, and this means checking the status and health of each user's device. Multinationals need to verify compliance of laptops, iOS and Android devices to ensure that only authorised users with trusted devices have cloud and data centre access. This needs to be supported by a platform that enables centralised management of policy, compliance and authorisation.
Key steps toward a centralised policy
Securing the pathways between devices and data to allow user access, regardless of where in the world they are, is predicated on securing the tunnel between them, which can be achieved with Secure Sockets Layer Virtual Private Network (SSL VPN) gateways and a robust Network Access Control solution. Network Access Control (NAC) solutions offer the means to check these devices by providing context-aware security, which gives consistent visibility over all endpoints. NAC solutions can build up a picture of what kind of behaviour is safe and what is not and then use this information, in real time, to decide whether or not to allow access. For example, the NAC system might not allow a certain device to access the network because an additional device belonging to that user logged in from a different location moments before. The technology understands that it is simply not possible for that user to be in both locations at the same time, and so it blocks the second request and then the first request until it has further information.
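The two-locations check described above can be sketched as follows. This is an added example, not code from the article or from any NAC product; the 900 km/h speed ceiling, the `TravelPolicy` class, its `clear` hook and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

@dataclass(frozen=True)
class Login:
    user: str
    device: str
    ts: float   # epoch seconds
    lat: float
    lon: float

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(min(1.0, h)))

class TravelPolicy:
    def __init__(self):
        self.last = {}   # user -> last admitted Login
        self.held = {}   # user -> devices blocked pending further information

    def decide(self, ev: Login) -> str:
        held = self.held.setdefault(ev.user, set())
        if ev.device in held:
            return "deny"
        prev = self.last.get(ev.user)
        if prev and prev.device != ev.device:
            hours = max(ev.ts - prev.ts, 1.0) / 3600.0  # guard zero/negative gaps
            if distance_km(prev, ev) / hours > MAX_SPEED_KMH:
                held.update({prev.device, ev.device})  # block second, then first
                return "deny"
        self.last[ev.user] = ev
        return "allow"

    def clear(self, user: str) -> None:
        """Hypothetical hook: the user has been re-verified, so lift the hold."""
        self.held.pop(user, None)
        self.last.pop(user, None)

# Constructed sample events (not real data): user, device, seconds, lat, lon
SAMPLE = [
    Login("alice", "laptop", 0, 51.50, -0.12),    # London
    Login("alice", "phone", 120, 1.35, 103.82),   # Singapore, two minutes later
    Login("alice", "laptop", 180, 51.50, -0.12),  # first device is now held too
    Login("bob", "laptop", 0, 48.86, 2.35),       # Paris
    Login("bob", "phone", 300, 48.86, 2.35),      # same place, second device
]

def run_sample():
    policy = TravelPolicy()
    return [policy.decide(ev) for ev in SAMPLE]
```

A production system would also need to account for VPN egress points and coarse IP geolocation, both of which can make a legitimate user appear to move implausibly fast.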
Security is about layers or stacks, so multinationals always need to consider how easily all of their IT solutions will work together. If systems cannot integrate to allow a holistic, centralised view, it will be incredibly painful for the IT team. This is especially true for multinationals, which will have many legacy IT systems that will need to talk to each other, at least in the short term, before they can be replaced or upgraded. You can't have a centralised policy if the IT in different divisions and in different regions around the world is not compatible.
Ease-of-use is always one of the keys to success when it comes to IT. Eliminating the need for multiple passwords and providing automatic access to applications and services that employees require to be productive will help to enforce central policies because users will find it easy to comply with those policies. Meanwhile, by deploying BYOD policies, you allow users to choose to work on their own devices that they love and are used to using.
Multinationals can learn a lot from regular-sized organisations but they must recognise that theirs is a bigger beast to control and secure. But perfecting a centralised approach means the company has a truly holistic view of its security and in today's cyber-attack environment, that is paramount to the company's overall success.
Contributed by Paul Donovan, EMEA sales director, Pulse Secure