 "Security Is The New Business Enabler")
Not so long ago, IT security was all about the firewall, the DMZ and the network. This situation has drastically changed in today’s world. What the business wants now is not just security for certain operations and parameters, but security with more layers i.e. security with depth. Most companies already have a good infrastructure and network security setup in place - but these are merely bare essentials. The invasion of multiple devices, consumerisation and portability of IT has the increased the accessibility of IT and the fading segregation between work and personal has increased points of input and output of data. In conversation with Biztech2.com, Vic Mankotia, VP – Security, Asia Pacific & Japan, CA Technologies shares how security needs to adapt to the way information is being created and consumed.
How have security conversations and their implications on enterprise ecosystems evolved?
The trust relation to carry out commerce and business keeping security parameters in mind becomes a very complex scenario. Commerce needed to build something for trust and needed authentication. Just one factor of authentication was not enough and hence a second factor of authentication was required. Security has changed from infrastructure and network-centric to device and data specific. The identity of who is sharing with whom and the access to the data that is being shared is key. The generic security conversations aren’t outdated. They still happen but are more commoditised. People are now not looking at ecosystems in singularity but at environments in which the individual connects and becomes part of an ecosystem. No CISO can tell me today where the network begins and where it ends. It mostly may begin with the corporation and end with the identity of the user. Another way to say it is, identity is the new parameter for security.
Security has always been viewed as a burden to the balance sheet. We’ve been through that phase when IT became an enabler of business and grew to being more than a cost centre. The same transformation is in the wings for security.
Mobility and the increasing volumes of enterprise data complicate security. How are emerging trends affecting the security landscape in the enterprise?
When we talk of mobility, the first thing that comes to mind is the mobile devices, people sitting together and congealing data. The generation today is creating data and consuming data rapidly. When data enters repositories, most of it is unstructured data - almost 70 percent of data created is unstructured data i.e. video, presentations, pictures, social data, etc. Analytics out of structured data can be obtained quickly but it’s difficult to get analytics out of unstructured data. For example, take location data and map credit card usage; collate age, finances, gender, traffic, etc. for fraud prevention. But, the issue that now arises is what are the rules and regulations that govern obtaining such information? What kind of privacy laws are we affecting? Can organisations use this information for other uses and where does the line get drawn? What part of your privacy is privileged to you and what can be utilised for other activities like forecasting? This is a lot of work in progress. As the technology progresses these will get fine-tuned and better cover all the issues that data security poses.
Real-time security is never real-time because you will never know the threat real-time. What organisations can do is delay the attack and then counter it. What one needs is anomaly detection. Behaviour that is inconsistent and doesn’t fit the profile shows up as an alert and prompts for an action and confirmation of identity. Data of the individual from various touch points should tell you a story and form a picture and analytics aids security to discover when something seems amiss with this. The system acts on certain assumptions but, as I said, there is no real-time security. In the industry, they say the best that can be done is zero the attack.
Does security come at the cost of business continuity and profit?
Profitability and business continuity are small prices to pay to be secure. For instance, when an employee who doesn’t work on Saturday tried logging in from their office desk on a Saturday and made it through via a couple of failed attempts, should raise a signal and cause some alert. Maybe the system would be locked down (the action would depend on the security program) and the employee would need to raise a helpdesk ticket. When the person logs in on Monday, a change of password and an action log of the applications that have been accessed on Saturday should be cross verified. This may cause a small disruption to the productivity of the person on that day - indirectly affecting the business. But for security measures, this is a must.