Ian Yip is manager of identity and security management products for NetIQ Australia.
The speed at which organisations have been forced to deal with cloud and mobility challenges, particularly around security, highlights that IT departments have been reactionary and dictatorial.
But now the credit card-wielding business user has become the riptide pulling them out to sea.
To survive a riptide one must swim across the current, not against it. IT departments should work across all the challenges they face instead of fighting each one head on. This is the strategic way to tackle security challenges posed by cloud, mobility and other fast-moving technology trends on the horizon.
When it comes to security challenges posed by these trends, rather than dealing with the symptoms, IT should be dealing with the cause. Doing so allows for a more cost-effective, integrated effort in dealing with the additional risks introduced by the cloud and mobile evolution.
To diagnose whether one is dealing with the symptom or cause, we need to ask the key question: “In the absence of the thing I am securing, is the issue still present?” If the answer is “yes”, we are dealing with the symptom.
For example, implementing a Mobile Device Management (MDM) product in an attempt to tackle mobile security issues, only secures the device. It does nothing to secure similar concerns on cloud platforms that the organisation is using. MDM addresses a symptom, not the cause.
Cloud and mobility are only the start. Lying in wait is the Internet of Things (IoT). The rise of wearable computing and smart devices, the further amalgamation of enterprise and consumer technology, and the blending of our professional and personal lives will only accelerate the speed at which organisations need to adapt their security processes, policies, strategies and technologies.
The challenges increase exponentially when IT departments attempt to deal with the IoT. Addressing each issue separately, the way many do today, will not be feasible. Instead, organisations need to define the following:
• Resources – What are you trying to protect? This is almost always going to be information. Often, IT departments classify the applications housing information as resources, but without the information, applications do not need to be protected. The classification of data needs to be considered here as this has a bearing on access control policies.
• Entry – How is each resource accessed? Through an application? Database? As a text file on a file server? Do the access control policies and enforcement mechanisms cover all the combinations and can they be easily managed? Where are the blind spots? Where is access not enforced?
• Locations and time – Where are these resources located? On-premise? In the cloud? Where are resources accessed from? Can people access a resource when they are outside the office? When can they access these resources?
• Identity – Who is accessing corporate resources? Can access be tied back to a single individual or is the audit trail ambiguous? Can you enforce access based on who the person is? Are the monitoring mechanisms able to understand identities?
• Exit – How can information leave the organisation? What are the allowable circumstances and combinations where this can happen? Can this be enforced or at the very least monitored? Are there blind spots?
• Flow – How does information move between entry and exit points? What about all the points inbetween? Is the flow of information completely auditable and enforceable at all touch points?
A security policy that takes the points above into account when enforcing and auditing access to protected resources is a contextual one. Context, in this instance, stems from the 'why' that determines an access control decision. A contextual security approach addresses the cause of the mobile and cloud issues rather than attempting to solve each individual symptom with tactical products.
The points above form the acronym “RELIEF”. Achieving security RELIEF through a contextual viewpoint provides the most future-proof way to address security in today’s fast-evolving, constantly moving technology landscape, and is the IT equivalent of swimming across the riptide to get back to shore.
Ian Yip is manager of identity and security management products for NetIQ Australia.
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
