Smart Enterprise Magazine

Volume 6, Number 3, 2012


Smart Solutions

access to information that could drive revenue and spur innovation is ultimately counterproductive, and "rogue IT" is also springing up where users bypass IT entirely and implement their own solutions.

These scenarios must change, says Carrie Gates, Distinguished Engineer at CA Technologies. She told us recently that in a world where companies must keep pace with fast-changing customer demands and new opportunities in far corners of the globe, security officers and policies can no longer rely solely on block-and-tackle defense tactics. They need to help the enterprise team play a little more of an offensive game, too — creating some space for the ball carriers to score on their running plays, if you will. (Gates also spoke on this topic at a recent RSA conference recorded here.)

The big question has been how organizations can protect the enterprise while enabling access and innovation (see our blog, Protect and Innovate, for some recent coverage). But given the urgency to do both, security professionals have to move from debate to action, Gates says. They have to protect against breaches and at the same time "allow and enable access for the right people at the right time to the right information in the right way on the right devices."

Her prescription for achieving this requires the chief security officer (CSO) to shift the old mindset and also make practical adjustments to traditional ways. The security industry is doing its part by providing new technologies that let companies manage data access based on both the content and the individual accessing it. Updating the way businesses approach security, as well as adding new tools to the CSO's arsenal, are steps toward security that enables business innovation.

Still, Gates understands that there's no blanket solution. For example, the U.S. National Security Agency, which is responsible for collecting and analyzing foreign communications and intelligence, by necessity would have a very different approach to security than a university. The healthcare industry, which is subject to many privacy and regulatory controls, provides a great model of a sector that has had to balance patients' privacy with the use of their data by researchers who want to improve diagnoses and outcomes. Says Gates: "Patient data may have to become anonymous, where the individuals cannot be determined, but at the same time [the information] is still provided to researchers."

A big step toward striking this type of middle ground is for CSOs to reconsider one-size-fits-all approaches to data access. A basic question about information, especially data that might live outside enterprise borders — on USB keys or online file-sharing services — is: "What is the value of the data to the business? What is the impact should something happen to it?" Based on the answers, it is easier to build "extra protections on the highly valuable information while relaxing the requirements on information that might not be so valuable," Gates advises. All the while, the goals should be to help "workers accomplish tasks and grow revenue."

Similar advice applies to the bring-your-own-device (BYOD) trend. "If you're dealing with someone who is accessing information that is not particularly sensitive to the organization, and your concern really isn't the protection of that information, then it may not matter if they're using their own device versus a device that is more tightly controlled by the organization's IT department," she says. "Conversely, if you're an organization that is very concerned with the information — maybe it's financial results prior to release at the end of the quarter" — then extra protections for that information, or prohibitions against putting it on someone's own device, have to be implemented.

Technology tools can help implement these practices and automate security policies for information access in a more personalized way — whether by device or individual. For example, Gates said, by combining the CA DataMinder™ product with CA IdentityMinder™ and CA SiteMinder®, organizations can realize the next generation of identity and access management — controlling not only user identities and their access to information, but also how they handle that information once granted access. By adding CA RiskMinder™ to the mix to assess the fraud potential of every online login and transaction, organizations can have even greater confidence in their data security.

With CA DataMinder, organizations can protect, control and classify sensitive data — where it is stored as well as how it is used. With CA DataMinder as part of an identity and access management solution, says Gates, "you can say, 'Yes, they should have access to this information, but they shouldn't be handling it in this way,' or 'they shouldn't be, for example, emailing this information to someone else.'"

IT security organizations also can address concerns about Trojans or viruses making their way onto the corporate network from personal devices by monitoring information exchanges between such devices and the network. Says Gates: "There are a number of different ways that the threats can be mitigated if you know what your threat model is and what makes the most sense for your security posture."

JENNIFER ZAINO is a freelance business and technology writer. A version of this article originally appeared on Smart Enterprise Exchange.

THREE WAYS TO RETHINK SECURITY

RECONSIDER one-size-fits-all approaches to data access in light of new consumer devices.

ASK how valuable is this data to the business and what is the impact should something happen to it? What risk does losing this data represent to the business? Then secure it accordingly.

USE TOOLS to automate security policies about information access.