EDITIONS
Analysis

Are you prepared to deal with “insider” threat?

Team YS
2nd Oct 2012
Add to
Shares
0
Comments
Share This
Add to
Shares
0
Comments
Share


thread

In the past enterprises used to have gated networks safeguarding against outside threats from hackers, viruses etc. It worked well till consumer technologies like mobile phones, tablets and cloud based applications (SaaS) started to penetrate the enterprise. Despite the obvious benefits of these technologies, they bring new threats to the enterprise of which many lack a thorough understanding.1.Connecting personal devices to enterprise network

A recent forrester research survey found 70% of data breaches are caused by an “insider” (current or ex-employee who has access to company credentials) and only 25% are caused by an external attack. Of the 70%, 31% are due to employee losing or having stolen his device, 17% unwittingly misusing corporate assets and 12% by a malicious insider. Without adequate safeguards against incidents of device theft enterprise data will be getting more vulnerable than ever. For instance, thefts of iPhones and iPads in New York City have increased at a rate ten times higher than other crime during 2012.

Another recent study by PricewaterhouseCoopers found that 88 percent of mobile device owners use their personal devices at work but only 37 percent have any malware protection installed on them. Enterprises need to rethink on their security policies and if necessary place security solutions to tackle them. However forbidding employee devices or all consumer cloud applications from workplace is not a good policy and may backfire the enterprise.

1.1 Control employees' devices?

Most of the current solutions under the umbrella of “BYOD” solutions are focussing to control the employees device. But often employees are not happy with adding a third-party security features or other strict restrictions (like 10 digit pin) on personal devices. Separating enterprise and personal data through containerization (as part of MDM technologies) have also not been very successful. Forrester research survey found that 30% of employees are concerned that there wasn't sufficient separation between consumer and corporate data on mobile devices. With employees becoming more privacy conscious, it is hard to see that controlling employee device is the correct approach.

1.2 Control the data

Instead of controlling the device, other approach is to secure the enterprise data. Data leak technologies on consumer cloud applications are still in early stage. Some of the data-leak technologies are integrating with Identity & Access Management solutions. Another promising direction is to control the applications that have access to the data while leaving the employees in control of the devices they own.

2. Sharing web based application accounts

Many of the social media (twitter, blogger, youtube) and other consumer web based applications (heroku, dropbox) support a single admin account. Often such accounts (for ex: company twitter account) needs to be accessed by more than one employee and password sharing becomes inevitable in that case. However:

  • Employees may access these accounts from unsafe devices or networks outside the company thus making the access details vulnerable to outsiders
  • Shared accounts may be accessed by malicious employee or ex-employee to post objectionable material or company secrets online. This can become a PR nightmare. Lack of log systems make it hard (if not impossible) to trace down the culprit.
  • Using the second factor authentication is difficult (if not impossible) for shared accounts even when the application (like google, dropbox) does support it.

The current Identity Management solutions do solve some of the issues with access control and delegation and revocation of user accounts but do not necessarily enforce security.

3. Unable to enforce security policies

A survey from 2008 (slightly old but the data still very relevant) commissioned by Cisco and conducted by InsightExpress found that :

           • “23 percent of IT professionals work for a company that does not have security policies.

        • 77 percent of IT professionals worldwide believe that their companies' security policies need improvement            and updating.

        • The majority of IT professionals believe that employees don't always adhere to policies because they don't            understand the risks involved with their behavior, because security isn't a top-of-mind priority or issue, or   because the employees just don't care.”

Policy governance and enforcement remains one of the key problem for cloud application and technology need to play a bigger role here.

Security is often not a top priority but in today's world enterprises cannot afford security lapses esp with the amount of confidential data that lies within a company. Enterprises should do a thorough risk analysis and place necessary security policies so that their network remain safe.

About the author:

Rudradeb Mitra is a cloud and web technology expert. He did his Masters on Technology Policy from University of Cambridge, UK. Currently he is busy working on his new cloud startup company based in Silicon Valley. He has also authored 10 research papers on variety of topics including future web technologies, data analysis.

Report an issue
Add to
Shares
0
Comments
Share This
Add to
Shares
0
Comments
Share
Authors

Related Tags