The role of security is changing as evolving business models become more dependent on digital documents, communications and transactions. This past year has seen an accelerated move to the digital environment, bringing with it advanced cyber, data loss and breach threats. In order to be equipped against these threats, security vulnerabilities must be addressed, and critical assets and sensitive data secured.
VPN and Encryption
Encryption of sensitive data and verification of user and device identity are crucial to ensuring data security for government, the public sector and organisations. When data and/or applications are moved to the cloud, security teams must reshape security policies to align. Without encryption, the cloud, and all of the data within it, is at risk of cyber-attacks. With the right setup and control, organisations can have information hosted with a cloud provider, but encrypted and protected by a third party.
Equipping the network with a Virtual Private Network (VPN) ensures that data is encrypted whilst in transit. In order to do so, organisations must source a VPN provider that offers a level of trust matching the security level of their data. VPNs also vary in capacity, feature sets, security, encryption, key management, grades and much more, all of which must be taken into consideration when choosing a VPN partner.
As the move to remote working becomes a more permanent feature, organisations should ensure that users and employees are equipped with hardware and software that is separate from personal devices, or integrate software-based security solutions that can provide high-grade protection similar to that of separate hardware.
Zero trust security requires identity verification for every person or device trying to access a private network, regardless of whether they are sitting within or outside the network perimeter. There are a number of elements to take into consideration when implementing a zero-trust policy, one of which is multi-factor authentication. This is the process of requiring more than one piece of evidence to authenticate a user, for example, submitting a password followed by a one-time code sent to a registered device. Access control can also be limited or monitored to increase the security protection of data and minimise exposure to sensitive parts of a network. Conditional access policies and technologies are an important means of minimising the risk level when providing access to sensitive information.
In the future, with military-grade protection mechanisms in place, multi-tenant and multi-level security (MLS) zero-trust cloud solutions could make it possible for physical infrastructure to support multiple classification levels, ensuring information is protected in the application layer instead of the network layer.
Vulnerability among users
When it comes to security breaches, incidents of human error must be taken into consideration. In-office security policies must now be established at home, applying also to situations where public networks and restricted bandwidth are in use. The weakest link in a security chain can sometimes be the user, and so the security protocols in place need to be able to work around that. New security controls, replacing or enhancing security controls already in place within the private network, should be used to provide the same security level and control for users not connected to the private network but working from home or other public networks.
Further policies, such as multi-factor authentication, biometric logins, AI recognition and passwordless login, must also be put in place to protect user access, as well as regular risk assessments to ensure the processes in place are adequate. Alongside all of this, consideration must be given to where the trust lies for an organisation's digital entity to ensure passwords and two-factor authentication are protected, as well as how breaches will be handled to ensure risk is minimised.
As the risk of cyber breach increases, it is critical that organisations have a backup strategy in place that is on a different cloud from the primary data to ensure and maintain business continuity. Whether held on site or remotely, data backups should be updated and tested regularly to ensure they remain both up to date and available should a breach occur.
To set up a backup strategy, organisations must first understand what their needs are and consider all layers and levels of their services. If, for example, an organisation's prime location does not have network resiliency, then a remote cloud backup will not be sufficient at times of limited network connectivity.
Collaboration tools and protection of smart devices
Platforms, such as messaging, conferencing and collaboration tools, must be evaluated regularly against compliance, data privacy and security principles. Many devices do not have the ability to hold adequate levels of security and are often better fenced off with shell-security.
Also, as access environments change, policies must be put in place to monitor and limit access to home devices. We are seeing an increase in IoT devices, such as smart speakers and cameras; in order to ensure network security, home and work devices should be segregated on networks. If this is not possible, security controls should be in place on the work device to ensure logical isolation from home devices.
Ensuring network and organisational security is more than just checking off a list of security controls; organisations must understand that the security threat picture is ever evolving and that no one solution will fix all. As the threat landscape evolves, organisations need to ensure they are protecting not only their own identity, but also those of their employees and customers.
About the authors
Lars Nesse is Head of Nordic Projects at Airbus Defence and Space. He has extensive expertise with Joint Intelligence, Surveillance and Reconnaissance systems specification, design, delivery, integration and interoperability from a long career with NATO, Norwegian Defence organisations and Norwegian Defence Industry.
Øystein Hermansen is an Identity and Access Architect with Capgemini and member of the Center of Excellence team for Cyber Security in Scandinavia.