We recently interviewed Swapnil Mehta, EVP, Products, North America, Aurionpro Solutions Ltd, to understand the company's security outlook and its strategies for enabling organizations to protect corporate data. In this interview, he shares his thoughts and views on effective security policy and solution implementation in an organization.
Q) Security is an on-going process. How should an organization justify investment in protection, and to what extent will CFOs comply with CISOs?
A) Organizations adopt a very myopic mindset when weighing the costs of potential breaches versus the cost of the protection against them, and often choose the lower-cost option. It is important to recognize that security is no longer the cost of doing business, i.e., compliance, but a great opportunity to build brand credibility and reliability. The real challenge is how to measure the value of reputation and customer retention. Security is not a purely financial decision, and it cannot be achieved with disparate layers of protection. The CISO should review reports prepared by providers that analyze the real security threats and be able to accurately articulate the potential business impact to his/her organization. Available data exists to substantiate the business case. This should be coupled with a security architecture framework that defines end-to-end protection across multiple threat defense layers, along with the requisite processes to successfully execute on that architecture. The CISO should also avoid creating the illusion that the security systems enforced will be “invincible”. Security breaches are probable, but they don’t have to be as dramatic as some of the examples we have witnessed recently.
Q) Considering the growing number of advanced, complicated and targeted attacks, how should a bank review its strategy?
A) Security isn’t a point solution or a collection of individual items that can be disconnected. Rather, it is a cohesive combination of technology and processes that must be diligently applied, maintained and monitored. Given the high-profile nature of cyber attacks in 2014, it is imperative that organizations review their current approach and identify gaps in protection on both facets. The strategy must be well defined, documented and enforced across the board. With the right architecture and processes in place, the organization can benefit from the agility to adequately defend against inevitable breaches. A bank’s success lies in its ability to build in layers of security and ensure that when security is compromised, the risk mitigation and threat response mechanisms are swiftly enforced. Good security is a leveled balance of proactive prevention and responsive reaction.
Q) Multi-layered security in a heterogeneous IT infrastructure that runs across various operating systems has always challenged administrators. How should an organization address this issue?
A) The best option for an organization is to opt for the Privileged Accounts Management offering. That is most imperative here. Security breaches are all too often associated with compromised credentials to privileged accounts. Organizations should implement a password vault solution that centralizes access, audits that access, and automates the change of these passwords across all connected systems and applications. This approach has to be coupled with diligence in applying security patches consistent with best practices of the various operating systems.
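To make the three properties named in that answer concrete (centralized check-out, an audit trail of every access, and automatic rotation after use), here is a small in-memory model of a privileged-account password vault. It is an added illustration written for this page, not Aurionpro's product or code; the account name `root@db01`, the users `alice` and `bob`, and the `rotate_hook` callback that stands in for pushing a new password to the connected system are all constructed for the example.

```python
"""Toy privileged-account password vault (illustrative, not a product).

Demonstrates the three controls an interview answer asks for:
  1. centralized check-out of a shared admin credential,
  2. an audit event for every access attempt (granted or denied),
  3. automatic rotation of the secret after each check-in, with a hook
     that represents pushing the new value to the managed system.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set

ALPHABET = string.ascii_letters + string.digits


@dataclass
class AuditEvent:
    when: datetime
    user: str
    account: str
    action: str  # one of: checkout, checkin, rotate, denied


@dataclass
class VaultAccount:
    name: str
    password: str
    allowed_users: Set[str]
    checked_out_by: Optional[str] = None  # exclusive check-out


class PasswordVault:
    def __init__(self, rotate_hook: Optional[Callable[[str, str], None]] = None):
        # rotate_hook(account, new_password) is a hypothetical connector that
        # would apply the rotated password on the target system; default no-op.
        self._accounts: Dict[str, VaultAccount] = {}
        self.audit: List[AuditEvent] = []
        self._rotate_hook = rotate_hook or (lambda account, pw: None)

    @staticmethod
    def _new_password(length: int = 24) -> str:
        # CSPRNG-backed password; never derived from the previous value.
        return "".join(secrets.choice(ALPHABET) for _ in range(length))

    def _log(self, user: str, account: str, action: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), user, account, action))

    def add_account(self, name: str, allowed_users: List[str]) -> None:
        self._accounts[name] = VaultAccount(name, self._new_password(), set(allowed_users))

    def checkout(self, user: str, account: str) -> str:
        """Return the secret only to an authorized user while nobody else holds it."""
        acct = self._accounts[account]
        if user not in acct.allowed_users or acct.checked_out_by is not None:
            self._log(user, account, "denied")  # denials are audited too
            raise PermissionError(f"{user} may not check out {account} right now")
        acct.checked_out_by = user
        self._log(user, account, "checkout")
        return acct.password

    def checkin(self, user: str, account: str) -> None:
        """Release the credential and immediately rotate it."""
        acct = self._accounts[account]
        if acct.checked_out_by != user:
            self._log(user, account, "denied")
            raise PermissionError(f"{user} does not hold {account}")
        acct.checked_out_by = None
        self._log(user, account, "checkin")
        acct.password = self._new_password()
        self._rotate_hook(account, acct.password)
        self._log("vault", account, "rotate")

    def audit_actions(self) -> List[str]:
        return [e.action for e in self.audit]


def demo() -> List[str]:
    """Constructed walk-through: alice uses root@db01, bob is refused, then rotation."""
    vault = PasswordVault()
    vault.add_account("root@db01", ["alice"])
    first = vault.checkout("alice", "root@db01")
    try:
        vault.checkout("bob", "root@db01")  # not in allowed_users -> denied
    except PermissionError:
        pass
    vault.checkin("alice", "root@db01")
    second = vault.checkout("alice", "root@db01")
    assert first != second  # the secret alice saw earlier is no longer valid
    return vault.audit_actions()


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The point of the audit list is that the vault, not the administrator, is the record of who held a privileged credential and when; combined with rotation on check-in, a password copied out of a session is worthless once the session ends.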
Q) Despite having advanced security solutions in place, organizations fail to identify the potential vulnerabilities or loopholes existing in such systems. In this scenario, what are the best practices that an organization should follow?
A) Organizations not only have to be diligent, but also constantly evolutionary in nature. Without addressing unknown threats that can beat the security solution they’ve put in place, they will always be in reactive mode. This may be the reality owing to budgetary constraints, where some part of the solution is a weak link. If we accept the possibility that some breaches are inevitable, then it is imperative that the organization is equipped to be as responsive as possible when a threat is identified, to mitigate the potential damage. Organizations should subscribe to third-party security providers that offer alerts to major vulnerabilities as they are identified, along with remediation options.
Q) As advocated, can your provisioning practice really protect data without compromising corporate business policy, while giving field forces high data availability anywhere and in a user-friendly mode?
A) Implementing effective authentication and authorization solutions, i.e., classic identity and access management, is essential. These solutions must address internal employee access but also external, client-facing access needs. As important as data theft prevention is, equally important are preventing data misuse and traceability. Corporate data cannot be truly protected without ensuring that these solutions also safeguard identity and authentication data, as well as the context in which that data is applied to authorize access. Organizations have to evaluate whether to use their own identity provider, a third-party provider, or even a hybrid of the two. Particularly when addressing the client-facing user community: how much identity data should be stored, and should credentials be stored at all? Strong governance processes must be in place to secure access to data and manage who controls granting/revoking authorization.
Q) What best practices do you advise organizations to adopt against zero-day attacks?
A) This is a significant challenge, as you really have to deal with and beat a hacker who has discovered exploitable vulnerabilities. Two key, time-variable metrics are in play:
1. How long does it take to recognize that your system is compromised? Typical exploits can go unrecognized for hundreds of days, and all too often it is an outside, affected party that makes the discovery.
2. How long does it take you to resolve the breach? Breaches are inevitable, but agile, rapid containment is not impossible.
Some best practices to follow in this regard would be:
1. Don’t focus on prevention only; known threats are well covered by signature-based tools. Zero-day attacks are unknown threats.
2. Implement intrusion detection/perimeter defense solutions for advanced threat detection.
3. Secure remote access points; VPNs are vulnerable via Heartbleed, for example.
4. Collect and review network forensics data.
5. Implement strong, multi-factor authentication solutions.
6. Manage privileged accounts.