The shift to cloud based applications is bringing about significant change in the way networks are bring structured. As a result, organisations are looking at ways to reshape their security perimeters to better secure their IT estate and protect data.
The issue of staying secure in the ‘application economy' is a major topic of discussion and one that will shape the next few years in cyber-security. However, there is still some confusion around defining the ‘application economy' and what organisations need to do to stay secure.
In previous years, cyber-security was predominantly about ensuring a strong perimeter around a network and a solid firewall to keep out the occasional threats. These days, employees have access to all sorts of solutions and platforms, sometimes outside of an IT department's control. These solutions can be useful for getting the job done quicker. For example, file sharing and collaboration tools. But often they also open the door to the vast wilderness of risks.
Patrolling the wilderness
It is this wilderness of applications, software and risk that we are referring to when we talk about the ‘application economy'. The economy that is full of opportunity and great for productivity. At the same time, it also means organisations have to completely re-evaluate their stance on security and ensure an ‘always on' mentality.
One of the main reasons for this rethink is the fact that users now access applications in different ways. Applications are hosted in the cloud and on mobile devices, which means employees are connecting through a wider range of devices that sit outside the traditional bricks and mortar security perimeter.
This evolving landscape often creates a problem for legacy systems, many of which were designed before cyber-security became what it is today. Organisations clearly need something that can secure their network against both old and new threats.
Hackers now also target individuals within organisations. Cyber-attacks used to be speculative but today's attempts are highly-organised and well targeted, often involving sophisticated groups who spend significant amounts of time planning the details of their attacks.
Also, the motives behind cyber-attacks are becoming more complex. In the past, cyber-attacks were mainly driven by financial gain. Today's threat landscape ranges from political and state-sponsored to insider-threats.
In a bid to guard against these new threats, many organisations are turning to Identity Access Management (IAM) tools. IAM tools don't just protect the perimeter, they protect the identities of everyone that logs on to the network.
IAM protects the network in four different ways:
1. Identity management – IAM collects a directory of all the authorised users in the organisation (including their level of access), editing the list as people join, when they change roles or when they leave the company.
2. 2. Access control – IAM allows organisations to set access restrictions as necessary. This gives them full control over who has access to different parts of the network.
3. 3. Authentication – IAM uses an authentication tool to ensure that people are who they say they are. Especially when they connect via a different device. Once authentication is complete, their access level is checked against the user directory to make sure that they only have access to the part of the network they are allowed to.
4. 4. Audit – IAM can keep a log of individual user's activity, including information on when they logged on, any records of failed log-ons and the files and applications they access while on the network. In other words, with IAM, applications, data and legacy systems all get the same high level of security.
The application economy offers many opportunities and organisations need to ensure that they are empowering employees to make the most of these opportunities without putting themselves and business-critical data at risk. The long line of high profile cyber-attacks over the past few years show what damage can be done and how disastrous the consequences can be.
Contributed by Mark Hughes, president, BT Security