Kurt Roemer, chief security strategist, Citrix

There has been a seismic shift in the way the enterprise handles data. Organizations used to own everything end to end – the applications, data, network, storage and the servers. The rise of mobile technology and the cloud, driven by trends like bring-your-own-device (BYOD) and SaaS, has precipitated a huge increase in access.

Sensationalist stories about cyber attacks perpetrated by gangs of external hackers tend to generate the headlines, but if we focus too exclusively on that we risk missing the pressing dangers of human error and malicious insiders. People expect to be able to access data from wherever they are, on any device, and at any time. That expectation creates an expanded set of security problems.

The old access model handed you the keys to the kingdom as soon as you logged in with valid credentials, giving you an all-access pass to extract data. The result was a string of data breaches and high-profile attacks.

Verizon's 2014 “Data Breach Investigations Report” reveals that fraud detection is in decline and most breaches are now detected by law enforcement or third parties. In 88 percent of cases last year, breaches weren't discovered until weeks after the event.

It takes minutes for data exfiltration to occur – whether through malicious activity or by mistake. Clearly we need a new model.

Re-imagining access

If we're going to tackle these security challenges head-on, we need a simple model that can be applied to every information access request and transactional decision. The five W's of access are that model.

  • Who is trying to get in?
  • What are they accessing?
  • When is this happening?
  • Where in the world are they?
  • Why do they need access?

Let's break down the elements a little further and look at how contextual analysis and behavior modeling can enable effective fraud detection and access specificity in a timely manner.

Establishing identity and plausibility

The concept of identity is rapidly evolving. It's not just user credentials, an ID and password, or even two-factor tokens anymore. Considering who you are, where you are, and what you're trying to do is the only way to establish context and decide whether additional security measures are appropriate.

You may be able to log in and get access to public information using a Gmail or Facebook account. We want to make this kind of data easy to reach, because the risk is low and it helps people get their work done, but as soon as you try to access more sensitive data there must be a defensive mechanism that asks for greater proof of identity.

Through behavior modeling we can throw up a red flag when a user does something out of character. Why are they logging in at 3:30 a.m.? Are they using a device that isn't registered with IT? Are they logging in from another country? Are they trying to access a project that they're not directly involved in?

Anything that doesn't fit the usual model is an anomaly that requires explanation.

Concentric rings of security

The burden of proof should grow heavier as the data a user is trying to access grows more sensitive. Security checks must be performed more often and validation must be more stringent when the risk is greatest.

Trust models must be established and constantly verified. Whether that is done by scanning an employee ID, using biometric data, or webcam facial recognition depends on your requirements. You may restrict some transactions to specific trusted machines and networks. You need encryption in place and a system that protects each transaction by verifying it, logging it, and producing audit evidence that stands up to scrutiny.

It's all about being proportionate, because at the other end of the scale you don't want to subject low-level employees accessing public data to multi-factor authentication procedures and repeated logins throughout the working day.
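The five W's, the behavior-modeling red flags and the proportionality principle above, carried through in code as an added example (this is not Citrix's implementation or any product's logic): a per-user baseline stands in for the behavior model, each request is scored for the W's that break the user's usual pattern, and the sensitivity tier of the data decides how many anomalies are tolerated before the system asks for greater proof of identity or refuses outright. The baseline, the request values and the POLICY table are constructed for illustration.

```python
"""Contextual access decision: score the five W's of a request against a user's
behavioral baseline, then apply a burden of proof proportionate to the data.
Added example with constructed data; not Citrix's or any product's logic."""
from dataclasses import dataclass
from datetime import datetime

# "What": sensitivity tiers of the data being accessed, lowest to highest.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = range(4)

# Proportionality table (assumed policy). For each tier: the number of anomalies
# tolerated for a plain allow, and the number tolerated before denial. Scores in
# between trigger step-up authentication.
POLICY = {
    PUBLIC:       (4, 4),   # public data: never challenge or deny on context alone
    INTERNAL:     (1, 2),
    CONFIDENTIAL: (0, 2),
    RESTRICTED:   (-1, 1),  # restricted data: always step up; deny on 2+ anomalies
}


@dataclass
class Baseline:
    """What is usual for one user, as a behavior model built from past access logs."""
    registered_devices: set
    usual_countries: set
    usual_hours: range      # local hours in which the user normally works
    projects: set


@dataclass
class Request:
    """One access request carrying the five W's."""
    user: str                # who
    sensitivity: int         # what
    when: datetime           # when
    country: str             # where
    project: str             # why: the work the access is for
    device: str
    justification: str = ""  # optional stated business reason


def anomalies(req, base):
    """Return the W's that break this user's usual pattern (each needs explaining)."""
    found = []
    if req.device not in base.registered_devices:
        found.append("device not registered with IT")
    if req.country not in base.usual_countries:
        found.append("login from unusual country")
    if req.when.hour not in base.usual_hours:
        found.append("outside usual working hours")
    if req.project not in base.projects:
        found.append("project the user is not involved in")
    return found


def decide(req, base):
    """Return (decision, record); decision is 'allow', 'step-up' or 'deny'."""
    found = anomalies(req, base)
    # A project anomaly that comes with a stated reason already has its
    # explanation: log it for review instead of counting it against the user.
    explained = [a for a in found if a.startswith("project") and req.justification]
    counted = [a for a in found if a not in explained]
    allow_max, stepup_max = POLICY[req.sensitivity]
    score = len(counted)
    if score <= allow_max:
        decision = "allow"
    elif score <= stepup_max:
        decision = "step-up"   # ask for greater proof of identity, e.g. a second factor
    else:
        decision = "deny"
    # Every decision is recorded so the trail supports later audit and forensics.
    record = {"user": req.user, "sensitivity": req.sensitivity,
              "anomalies": counted, "for_review": explained, "decision": decision}
    return decision, record


# Constructed baseline for a hypothetical user "alice".
ALICE = Baseline(registered_devices={"laptop-0427"}, usual_countries={"US"},
                 usual_hours=range(7, 20), projects={"billing", "ledger"})


def check(hour, device, country, project, sensitivity, justification=""):
    """Evaluate one constructed request for alice and return (decision, record)."""
    req = Request("alice", sensitivity, datetime(2014, 6, 2, hour, 30),
                  country, project, device, justification)
    return decide(req, ALICE)


if __name__ == "__main__":
    for args in [(10, "laptop-0427", "US", "billing", INTERNAL),
                 (3, "tablet-new", "BR", "payroll", PUBLIC),
                 (3, "laptop-0427", "US", "billing", CONFIDENTIAL),
                 (10, "laptop-0427", "US", "ledger", RESTRICTED),
                 (10, "tablet-new", "BR", "ledger", RESTRICTED),
                 (10, "laptop-0427", "US", "payroll", CONFIDENTIAL, "covering for Bob")]:
        print(check(*args))
```

The same four anomalies that are waved through for public data force a denial for restricted data, while a restricted request with nothing unusual about it still gets a step-up challenge; that asymmetry is the proportionality the section describes.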

Automating the system

Most organizations are already collecting a sophisticated set of data about their employees; they just aren't analyzing it. For this to be effective the system has to be automatic, so it should be capable of using this data to create a detailed model that can be cross-checked against current behavior and access requests in real time.

Going further, it should be predictive, extrapolating necessary policy changes or equipment updates from calendar events, or authorizing access from a specific locale based on your flight confirmations. Collating and interpreting this data enables you to act on it before it's too late. It's the difference between preventing a breach by slamming the gate shut in time and conducting a forensic analysis after the horse has bolted.