CISOs Should Make it Convenient and Compelling for End Users to Comply with Security Policies

Dave Taku, Director of Product Management, Identity & Access Management at RSA, in conversation with dynamicCIO, suggests how organizations should deal with Shadow IT from an information security perspective.

Q. In your conversations with CISOs what challenges have they been talking about?

In my many conversations with customers, when I ask them what keeps them up at night and has them most concerned, 9 out of 10 organizations talk about shadow IT and the fact that they don’t have a good grasp of what’s going on in their own networks.

End users today have very different expectations from IT in terms of security. Consumerization of IT and the emergence of products like the iPhone, Google services, etc. have created such ease of use and access to information that end users now expect the same type of access to information from their organizations as well. When IT is unable to keep up with this demand for user access from anywhere to anything, line-of-business (LoB) and end users, in order to be productive, go outside of IT to pursue other ways of sharing information.

Q. How is this shaping information security within the organization?

This has created a very different type of market dynamic, and simply protecting access to the perimeter and providing strong authentication is not enough. The CISO needs to ensure access that is both secure and convenient for the user - employee, contractor, business partner, supplier, customer, etc. - and to make that access available regardless of where the information resides, whether on premises or in the cloud.

Q. How should organizations go about dealing with Shadow IT from an information security perspective?

In a lot of cases, organizations are trying to treat the symptoms as opposed to treating the actual problem. There are products in the market trying to stop shadow IT or gain visibility into it. In a lot of ways that is a losing battle because it's difficult for those platforms to keep up with the changing and dynamic nature of the consumer tools that are available to end users.

CISOs should make it easy, convenient and compelling for the end users to comply with the security policies instead of trying to circumvent them. If they can provide easy, secure and seamless access to information regardless of where the user is and where the information lives, then they can really stem a lot of the motivators and drivers for the LoB and end users to pursue the applications that end up becoming shadow IT.

It is also extremely important for the CISOs to have a very reliable view of the applications in their environment in terms of who has access to what and to keep pace with the changes within that environment. The other piece of dealing with shadow IT is going back to the aspect of convenience – how to make it convenient for the users to take advantage of what they already have so that they are not going out exploring other alternatives as part of shadow IT.

Q. What trends do you foresee considering the nature of changing threat landscape?

More and more attacks today are not against the vulnerabilities in the network or firewalls that attackers are exploring. It's advanced threats against users’ identities themselves. In many cases you have an attacker who has, through a phishing attack or some other means, gained access to a legitimate user’s legitimate credentials. So, they are coming in and impersonating a legitimate user. In that case, how do you tell the true users from the impersonators? The only way to do that is to have the ability to look at the risk context and make some real-time determinations.

This comes two-fold. The first is purely from a run-time and access perspective. If a user is making a request, there is a lot of context that we can gather about who that user is that helps us get a complete picture. Is the user coming from a trusted location, or a location that you expect the traffic to come from, or a corporate office, or a home office, or is it from a corporate-issued laptop, or a machine that the user has used before? And also, looking at patterns of previous behavior for that user across your entire organization gives you a better picture of whether the user is who they claim to be.

The second piece is that, as users are authenticated, are they accessing the resources that they should, and are these resources actually valid for that user when compared to other users? It's not only getting a picture of who has access to what but also making some determinations about whether or not that access is appropriate.
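As an added illustration of the run-time risk context described above (not RSA's product logic or any code from this interview), the following scores an access request against a user's baseline using the signals named in the answer: known device, corporate-issued device, expected location, and prior behavior. The signal weights, thresholds and the sample login history are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class UserHistory:
    """Baseline from a user's prior successful logins (constructed for this example)."""
    known_devices: set = field(default_factory=set)
    countries: Counter = field(default_factory=Counter)
    login_hours: Counter = field(default_factory=Counter)

@dataclass
class AccessRequest:
    device_id: str
    corporate_device: bool   # issued and managed by the organization
    country: str
    hour: int                # local hour of the request, 0-23
    network: str             # "corp", "home" or "other"

def build_history(events):
    """events: (device_id, country, hour) tuples from past successful logins."""
    hist = UserHistory()
    for dev, country, hour in events:
        hist.known_devices.add(dev)
        hist.countries[country] += 1
        hist.login_hours[hour] += 1
    return hist

def risk_score(req, hist):
    """Add an assumed weight for each signal that departs from the user's baseline."""
    n = sum(hist.countries.values())
    checks = [
        (req.device_id not in hist.known_devices and not req.corporate_device,
         40, "unknown non-corporate device"),
        (req.network == "other", 20, "untrusted network"),
        (n > 0 and hist.countries[req.country] / n < 0.05,
         30, f"rarely seen country {req.country}"),
        (bool(hist.login_hours) and hist.login_hours[req.hour] == 0,
         10, f"never seen at hour {req.hour}"),
    ]
    hits = [(w, why) for cond, w, why in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]

def decide(score):
    """Real-time determination: allow, require step-up authentication, or deny."""
    return "allow" if score < 30 else "step_up" if score < 70 else "deny"

# Constructed baseline: 20 logins from one laptop, from the US, between 09:00 and 16:00.
SAMPLE_HISTORY = build_history([("laptop-1", "US", 9 + i % 8) for i in range(20)])
```

The returned reasons list is what an analyst would want logged alongside the decision, so that a step-up or deny can be reviewed against the signals that triggered it.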
