
Security Guide






Evolving Security








In the past, protecting an organization's information systems and data was often equated with protecting a castle. Castles used defenses like moats, high walls, and towers to protect their inhabitants from enemies lurking outside. Information security professionals used the castle model as a metaphor to describe how security measures such as firewalls and intrusion detection systems (IDS) could create a barrier between internal information systems and the hackers working to compromise them. However, the castle model is no longer feasible for most organizations.

The rapid spread of smartphones, laptops, and other network-enabled devices has completely transformed organizations' network architecture. Physical boundaries are nearly gone. Organizations now have hundreds, and in some cases thousands, of devices (e.g., laptops, tablets, and phones) that employees use both inside and outside the company. Employees can use these devices to access corporate servers remotely and to store corporate data locally.

Information security professionals now use a city model to describe their efforts to secure corporate information systems. In the city model, authorized users, as well as visitors, are free to roam the digital city with any device they like. But access to individual buildings, servers, and data is restricted: users can reach a resource only if they are authorized for it.

The city model isn't perfect, either. If users' devices are compromised, hackers can use them to reach remote corporate networks or steal data directly from the device's local storage. Securing this kind of digital environment is even more challenging when you consider the diversity of devices, operating systems, and applications in use. It's a daunting task.

The loss of physical boundaries and the proliferation of devices mean that information security professionals need to be more careful about controlling access to resources. They also have to monitor user behavior much more closely than before. Not everyone in the city can be trusted.

Vetting Insiders

Employees acting maliciously within an organization are often viewed as one of the biggest concerns of information security professionals (remember Edward Snowden and the NSA).[9] Employers try to reduce the risk of rogue employees by conducting thorough background checks before hiring. They conduct interviews, run credit reports, and administer personality surveys. But what happens when a company

