Cloud usage, mobile security and network segmentation are crucial elements to securing enterprises but unnecessary regulations from lawmakers and compliance policies may be inhibiting progress, according to some industry professionals.
Break up your network into a lot of pieces and once you adopt mobility as being native to the way you do business, then you move things out of the perimeter into scattered workloads which are harder to hack, and using your mobile device makes it easier to operate, Ed Amoroso, former CIO of AT&T, said Wednesday at a Former CISO/CIO luncheon hosted by Lookout in New York City.
“I’m sure that you feel that you’re just as productive sitting here as probably at your desk,” Amoroso said. “You don’t have to be tethered to a desk, we already know that, it turns out that that is also more secure.”
He went on to say that some of the restrictions that enterprises face when looking to implement these practices come from regulators and compliance managers.
Amoroso said that the primary control is always the external perimeter and gave the analogy of security pros, when they are being audited, spending up to 16 months to ensure that their networks meet all of the necessary compliance regulations and how it would be cumbersome to go back and segment networks and repeat the process to ensure compliances are still met. Amoroso said this is because the primary control is always the external perimeter.
“Every audit starts with the auditor saying do you have all your things inside a nice tiny perimeter and if you say no, then you’ll flunk the audit,” he said. “And the auditors are not computer scientists.”
(Santosh Krishnan speaks at a CISO/CIO luncheon in New York City)
The moment you marry cloud based data using devices not tethered to your office network the perimeter is actually irrelevant, Lookout Chief Product Officer Santosh Krishnan who moderated the luncheon said.
“Now that folks have put in all of these perimeter solutions, painstakingly, over the last 10 to 15 years to address the previous set of issues, the migration to cloud and mobility together has created a situation where there’s a lot of inertia that people need to circumvent,” Krishnan said.
One of the ways suggested to overcome this challenge was to make National Institute of Standards and Technology (NIST) the only acceptable framework of the U.S. as it would simplify the overall process. Amoroso said that most existing frameworks create a redundant process with different language asking roughly the same thing but all carrying extreme penalties for non compliance even if all of the framework isn’t needed. The result is that security pros spend more time ensuring that compliance requirements are met than implementing better security practices.