June 09, 2015
How To Make Your Computer Security Indestructible
Walk along the Arno river in Florence, Italy and look south. You might spy the walls of Fort Belvedere, built in the late 1500s.
The fort’s location, wall configuration, and limited number of entrances all enhanced the fort’s defensive strength. Sited on a hill, the fort allowed defenders to watch distant attackers approach. Every wall of the fort is visible from another wall of the fort: try to scale a wall, and you’re vulnerable to an archer’s arrow from an adjacent wall. As with most Renaissance-era forts, entrances could be controlled and guarded.
The fort helped defend the city for many generations, until warfare moved to the clouds. Fort walls slow a land attack, but do little to block a bomb dropped from above. Modern air attacks prompted military defenders to devise new defenses. Forts remained necessary, but not sufficient to keep a site secure.
Today, even though people and data are in clouds, computer security at many organizations still looks a lot like Fort Belvedere. Servers sit in locked rooms. Firewalls defend against network attackers. Access control policies and passwords attempt to restrict access.
When people, devices and data all move, a location- or organization-based security strategy falls short. Much like modern radar made remote attackers visible again, you may need to rethink your organization’s approach to security.
An IT Auditor performs three critical roles: they seek to secure network connections, authenticate access, and certify data security compliance ...everywhere.
1. Secure connections
Old: Connections allowed only from company equipment and/or locations.
New: Connections allowed from any device, anywhere; but all connections encrypted (e.g., via VPN and/or SSL).
2. Authenticate access
Old: People may access systems on-site, from specific devices, or while connected to a company’s computers remotely. Username and password required for access.
New: People may access apps, data, or services anywhere, from any device. Many of these are external to the company. Multi-factor authentication required for access (e.g., username, password, and six-digit code or USB key).
3. Certify data security everywhere
Old: Data stored on company-controlled servers, often not encrypted. Internal security audit.
New: Data secured on vendor services, and encrypted everywhere (e.g., files on Google Drive are encrypted both in transit and while at rest.) Security audited by external vendor (e.g. Backupify passed a Service Organization Control (SOC 2) Type II audit in 2014).
Working defenses or stage set?
An IT Auditor changes security from a system that defends data “inside” the organization’s “fort” to a system that secures the organization’s data anywhere. For many companies, that’s a big change from current practices.
But the change is necessary. An organization’s defensive structure must adapt to remain relevant.
So the next time you walk past your servers, as a few questions. Do your security systems still serve a strategic defensive purpose? Or have changing technologies and people’s practices reduced your security systems to little more than a showpiece? Consider adding an IT Auditor to your team and you’ll know the answer.