In today’s “cloud-first, mobile-first” world, companies and other organizations need a new enterprise security model to respond to the challenges that have made it harder to prevent data breaches, according to Eric Karlinsky, Okta group technical marketing manager.
Organizations have grown accustomed to the traditional IT security model in which there is a stack of networking equipment called the networking perimeter, he explained during a Feb. 16 webinar. The “good guys” have traditionally been inside that perimeter and “all your resources are inside that perimeter and it’s protected by your stack of hardware and software and your tools, and then outside of that that’s where the hackers live and the malicious users operate, and as long as you can keep them out and keep them away from your internal resources, then you’ve done your job as a security practitioner,” he said.
But “obviously that model is changing in a lot of ways” because it’s based on some flawed assumptions, he said, adding: “That networking perimeter is not as relevant as it used to be” because in today’s cloud and mobile-dominated world, users are “logging in from everywhere.”
One major issue is that 73% of passwords used are duplicates, he said, citing data from a 2015 TeleSign consumer account security report. Therefore, one can’t assume that all users inside one’s perimeter are “good” anymore, he said. There are also “insider threats” including employees who abuse their access to company resources and, if an attacker gets access to a user’s credentials and password, then that attacker has access to a growing number of applications, he pointed out.
Another significant issue is that if one looks across the cloud app usage by an organization under the increasingly popular Software as a Service (SaaS) subscription model, “you can assume that about 15 times” as many applications are actually being used compared to what an organization believes is being used, he went on to say, citing Cisco data. For example, even though an organization might be subscribed to a Box service plan, employees may be using Dropbox or Google Drive for personal storage, and corporate resources often find their way onto those personal accounts, he said. Those SaaS applications are also not on an organization’s premises; they are on the Internet, so all the corporate security investments that were made are not protecting the organization any longer, he said.
Citing the findings of a Frost & Sullivan report, he said 62% of workers report using personal devices for work. The traffic conducted on those devices is, of course, not within an organization’s network, he said.
The main security challenges that have “plagued” the traditional IT model for many years include data breaches, weak passwords, lost and stolen devices, phishing scams, social engineering, managing access, visibility into user activity and man-in-the-middle attacks, where an attacker secretly relays and sometimes changes communication between two people who believe they are only communicating with each other, he said.
The categories of attacks have remained pretty much the same in today’s cloud-first, mobile-first environment, he said, adding: “What’s changing is the emphasis or the preferred methods of circumventing these security paradigms. So, the attackers are using a lot more social engineering and trying to steal credentials through phishing or through other tactics. They’re exploiting poor management of access and they’re getting more and more visibility into user activity because, again, that traffic is not occurring on your network anymore.”
One thing all such attacks have in common is that they are all about identity – stealing the user’s credentials and then impersonating the end user to get access to what the attacker wants, he said. Therefore, it’s important that organizations select a new security model like Okta’s that’s based on identity and is made up of several components, he said.
The three keys to security have always been preventing attacks, detecting attacks when they happen and then selecting a response to mitigate the damage, he pointed out. What’s important today is prevention that consists of single sign-on to access a platform so the user doesn’t have to enter a password more than once, as well as multi-factor authentication and lifecycle management that, among other things, enables an organization to suspend contractors after a certain period of time, he said. Single sign-on is useful for security if it’s based on the Security Assertion Markup Language (SAML) or the emerging OpenID Connect protocol because they are more secure than other options, in part because there is no password stored in a downstream application when using those protocols, he said.
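The point about SAML and OpenID Connect is that the downstream application never holds a user password: it receives a signed assertion from the identity provider and only has to check that assertion. The following is an added illustration, not code from Okta or from the webinar, of the OpenID Connect side of that idea: a minimal HS256-signed ID token is minted by a stand-in identity provider and then verified by the application, which holds only a client secret. The issuer URL, client id and client secret are constructed placeholders, and the token format is a deliberately reduced subset of a real ID token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the example: a hypothetical identity provider,
# client id and shared client secret. None of these are real.
ISSUER = "https://idp.example.com"
CLIENT_ID = "demo-client"
CLIENT_SECRET = b"constructed-client-secret-not-real"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_id_token(subject: str, nonce: str, now: int,
                   secret: bytes = CLIENT_SECRET, lifetime: int = 300) -> str:
    """Stand-in for the identity provider: mint an HS256-signed ID token.
    The user authenticated at the IdP; the application never sees a password."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, expected_nonce: str, now: int,
                    secret: bytes = CLIENT_SECRET) -> Optional[dict]:
    """Application side: accept the token only if the signature and every
    identity claim check out. Returns the claims, or None on rejection."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the accepted algorithm rather than trusting the token header.
        if header.get("alg") != "HS256":
            return None
        expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                                hashlib.sha256).digest()
        # Constant-time comparison of the signature.
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    # Issuer and audience must match the provider and this application.
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    # The nonce ties the token to the login request that started this flow.
    if claims.get("nonce") != expected_nonce:
        return None
    # Reject expired tokens.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_id_token("alice", "login-nonce-1", now)
    print(verify_id_token(token, "login-nonce-1", now + 10))
```

In a production deployment the token would normally be RS256-signed with the provider's published key and checked by a maintained OpenID Connect library; the shape of the checks (signature, issuer, audience, nonce, expiry) is what matters here.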
Also important is that “if you have a high-quality password vaulting experience, then you can store a complex and random password [and] the end user doesn’t even have to really ever enter that password or remember it,” which makes it possible for more users to select complex passwords that won’t be easily compromised, he said.
Detection today, meanwhile, must be based on risk-based analytics that includes the ability to quickly identify unusual and suspicious behavior, and response to an attack must include contextual access policies and centralized reporting like Okta provides with its security solutions, he said.
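To make the "risk-based analytics" idea concrete, here is an added example, written for this page and not drawn from Okta's products or the webinar, of a small per-user risk scorer run over constructed login events. It keeps a profile of devices and countries each user has successfully used, flags a new device, a new country, a country change within an hour, or a burst of recent failures, and maps the summed score to allow, step-up MFA or deny. The thresholds, weights and the sample events are illustrative assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """One authentication attempt (constructed sample data, not real logs)."""
    ts: int          # epoch seconds
    user: str
    country: str
    device_id: str
    success: bool    # whether the credentials themselves were valid


class RiskScorer:
    """Score each login against what is 'normal' for that user.
    Weights and thresholds are assumptions chosen for the example."""

    def __init__(self, fail_window: int = 300, fail_limit: int = 5,
                 mfa_at: int = 20, deny_at: int = 60):
        self.fail_window = fail_window
        self.fail_limit = fail_limit
        self.mfa_at = mfa_at
        self.deny_at = deny_at
        self.known_devices: Dict[str, Set[str]] = defaultdict(set)
        self.known_countries: Dict[str, Set[str]] = defaultdict(set)
        self.recent_failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.last_success: Dict[str, Tuple[int, str]] = {}

    def score(self, ev: LoginEvent) -> dict:
        reasons: List[str] = []
        risk = 0
        if ev.device_id not in self.known_devices[ev.user]:
            risk += 20
            reasons.append("new_device")
        # Only count a new country once the user has a history to compare against.
        if self.known_countries[ev.user] and ev.country not in self.known_countries[ev.user]:
            risk += 30
            reasons.append("new_country")
        last: Optional[Tuple[int, str]] = self.last_success.get(ev.user)
        if last and last[1] != ev.country and ev.ts - last[0] < 3600:
            risk += 40
            reasons.append("country_change_within_hour")
        fails = self.recent_failures[ev.user]
        while fails and ev.ts - fails[0] > self.fail_window:
            fails.popleft()  # drop failures outside the window
        if len(fails) >= self.fail_limit:
            risk += 30
            reasons.append("failure_burst")

        if risk >= self.deny_at:
            action = "deny"
        elif risk >= self.mfa_at:
            action = "step_up_mfa"
        else:
            action = "allow"

        # The profile learns only from logins that were actually let through.
        if ev.success and action != "deny":
            self.known_devices[ev.user].add(ev.device_id)
            self.known_countries[ev.user].add(ev.country)
            self.last_success[ev.user] = (ev.ts, ev.country)
        elif not ev.success:
            fails.append(ev.ts)
        return {"user": ev.user, "risk": risk, "action": action, "reasons": reasons}


if __name__ == "__main__":
    scorer = RiskScorer()
    base = 1_700_000_000
    for ev in [LoginEvent(base, "alice", "US", "laptop-1", True),
               LoginEvent(base + 600, "alice", "US", "laptop-1", True),
               LoginEvent(base + 1200, "alice", "BR", "unknown-phone", True)]:
        print(scorer.score(ev))
```

The decision returned alongside the score is what a contextual access policy consumes: a first-seen device prompts for a second factor, while a new device in a new country minutes after a login elsewhere is refused and surfaced for review.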
Traditionally, user experience has been at odds with security techniques, he went on to say. That’s a problem, he said, because “anything that introduces friction into the end-user experience is going to be rejected and, if it’s rejected, then it can’t be used to help secure your organization.” If you introduce multi-factor authentication to Box, for example, and there is too much friction to the experience, then users will be “even more likely” to use their own personal Dropbox or other account to store corporate data and do their work, he said. Therefore, he added: “User experience can’t come at the cost of security. It has to be front and center. It has to be a priority.”