Monday, 12 June 2017

Your IT perimeter: where is it and how do you best defend it?

Gone are the days when the limits of your security cordon were the walls of the datacentre.  Now, it isn’t the stray floppy disk or errant memory stick we need to worry about – many of us are wondering where the limits of our IT perimeter are.

An organisation’s IT perimeter used to be easy to identify. It was a physical location: your datacentre, or your branch office.  It was easy to understand and that made it easier to secure.

It was very clear exactly where you needed to put your firewalls, and much easier to develop policies to ensure IT security.

Today the location of our IT perimeters is a far more complex notion.

The changing nature of technology and, especially, the way we consume it means our IT perimeters are not only harder to define, they are also subject to constant change.

New Complexities

Cloud technologies are responsible for much of this change. Software as a Service (SaaS) solutions – like Office 365, Google Docs, Facebook, webmail, Salesforce, and a multitude of others – have made it more difficult for IT departments to “own” the IT being used within the organisation. When staff can choose and deploy their own software solutions without IT approval, IT loses its role as gatekeeper.

With the new “freemium” models, and below-the-approval-threshold subscription pricing, IT can lose oversight altogether of what is being deployed, when and where.

This is even more the case when new SaaS solutions are brought into the corporate network on non-corporate devices. This “Bring Your Own Device” (BYOD) trend has brought further complexity to the organisation’s IT infrastructure and placed even greater pressure on the people responsible for managing it.

Do you give these devices access to the corporate network when they haven’t been approved by IT? How much? Is everyone aware of these policies? How can you enforce them and have visibility over compliance?

The Rise of Cloud

The trend continues: the increasing adoption of cloud Infrastructure as a Service (IaaS) solutions like AWS and Microsoft Azure means that even more data is residing outside the walls of our organisations. This brings into play additional compliance and regulatory concerns.

And this is happening at a time when organisations are holding more sensitive data – in particular, about our customers – than ever.  Where is your data residing?  Where is data processing taking place?  How are you securing that data?

As data moves to the cloud and back, organisations are placing greater loads on their network and are looking for ways to reduce the costs associated with this increasing network traffic. The same virtualisation technologies that have made cloud possible are now changing the way we operate our networks: virtual WANs over ISPs are replacing dedicated fibre and WAN solutions, further complicating our notion of where our IT perimeter is and who has responsibility for securing it.

More Risk Factors

The new trends of the Internet of Things (IoT) and edge computing are set to complicate the picture further. As new, intelligent IoT devices join our networks, the IT perimeter becomes harder still to define.

And our networks are only as secure as the least secure device on them.

Thanks to edge computing – processing data on the nearest devices before sending it on to the datacentre or cloud – business logic is now all the way out, close to the perimeter, on many different devices.

How do we secure this business data and business intelligence?

What is the Solution?

It’s clear that the IT perimeter is now far more complex than it once was. And, instead of being clearly definable, it is very different from one organisation to another.

This makes an Information Security System Audit more important than ever.

It is vital to understand the systems and devices on your network, and understand where your data resides.  What are the acceptable levels of risk associated with each of those systems, and each set of data?

By doing this work, it is possible to get full visibility of where your IT perimeter really is, and to define, understand, and mitigate the risks.

Mitigating the risks will require a combination of technology solutions, policies and procedures, staff education and cultural reinforcement, and compliance monitoring.

Do you need help making sense of this new complicated landscape?

Grant McGregor can help you assess the limits of your IT perimeter – and help you to assess which solutions and approaches can help you to secure it.

To speak with one of our security consultants, please call us on 0131 603 7910 or leave your details on our Contact Us page.

Photo credit: woodleywonderworks via Foter.com / CC BY