Security Beyond The Perimeter

There has been a certain amount of excitement in the news media, as someone purportedly associated with ISIS has taken over and defaced US Central Command’s Twitter account. The juxtaposition with recent US government pronouncements on cyber security is obvious: Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity.

The problem here is the usual confusion around IT in general, and IT security in particular. See for instance how a mainstream news outlet like CNN reported that story:

The Twitter account for U.S. Central Command was suspended Monday after it was hacked by ISIS sympathizers — but no classified information was obtained and no military networks were compromised, defense officials said.

To an IT professional, even without specific security background, it is pretty obvious that there is a huge difference between defacing a Twitter profile and accessing “classified information” or “military networks”.

It was their main recruiting poster, hung nearly ten feet up a wall! This means the hackers have LADDER technology! Are we headed for a future where everyone has to pay $50 for one of those locked plexiglass poster covers? More after the break ...

XKCD

However, there is a real problem here. IT professionals also have a blind spot: they don’t think of things like Twitter accounts when they are securing IT infrastructure. This oversight can expose organisations to serious problems.

One way this can happen is credential re-use and leaking in general. Well-run organisations will use secure password-sharing services such as LastPass, but without IT guidance, teams might instead opt for storing credentials in a spreadsheet, as we now know happened at Sony. If someone got their hands on even one set of credentials, what other services might they be able to unlock?

The wider issue is the notion of perimeter defence. IT security to date has been all about securing the perimeter – firewalls, DMZs, NAT, and so on. Today, though, what is the perimeter? End-user services like Dropbox, iCloud, or Google Docs, as well as multi-tier enterprise applications that run at least partly in the public cloud, span back and forth across the firewall, with data stored and code executed both locally and remotely.

I don’t mean to pick on Sony in particular – they are just the most recent victims, and I am sure that their IT department is having no fun at all right now – but their experience has shown once and for all that focusing only on the perimeter is no longer sufficient. The walls are porous enough that it is no longer possible to assume that bad guys are only outside. Systems and procedures are needed to detect anomalous activity inside the network and, once it is detected, to handle it rapidly and effectively. Further, security needs to take business operational needs into account. Sometimes you really do need to reboot a production system right now, but other times a small amount of planning and communication can help everyone achieve their goals without disruption.
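As an illustration of what "detecting anomalous activity inside the network" can look like in practice, here is an added example (not code from the original post or from BMC) that runs a simple detection rule over a few constructed authentication log lines. The log format, host names and the threshold of three distinct hosts in ten minutes are all assumptions for the example; the rule flags an account that successfully authenticates to more distinct internal hosts than a normal user would in a short window, which is the kind of inside-the-perimeter fan-out a reused or leaked credential tends to produce.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one authentication event per line, key=value fields.
# "bob" fans out across four internal hosts from two source addresses in a
# few minutes; "alice" behaves normally.
SAMPLE_LOG = """\
2015-01-12T09:58:12Z user=alice src=10.0.1.5 dst=mail result=success
2015-01-12T10:00:01Z user=bob src=10.0.1.9 dst=fileserver result=success
2015-01-12T10:00:43Z user=bob src=10.0.1.9 dst=wiki result=success
2015-01-12T10:01:20Z user=bob src=10.0.2.17 dst=hr-db result=failure
2015-01-12T10:01:55Z user=bob src=10.0.2.17 dst=hr-db result=success
2015-01-12T10:02:30Z user=bob src=10.0.2.17 dst=build01 result=success
2015-01-12T10:02:41Z user=bob src=10.0.2.17 dst=build02 result=success
2015-01-12T11:30:00Z user=alice src=10.0.1.5 dst=wiki result=success
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect_fan_out(lines, max_hosts=3, window=timedelta(minutes=10)):
    """Alert when one account succeeds against more than max_hosts distinct
    destinations inside a sliding time window (assumed threshold).

    Returns a list of alert dicts; one alert per account per episode, so a
    user who stays above the threshold does not trigger on every event.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, dst, src) successes
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue  # failed attempts are not counted toward fan-out
        user = rec["user"]
        events = recent[user]
        events.append((rec["ts"], rec["dst"], rec["src"]))
        # Drop events that have fallen out of the sliding window.
        while events and rec["ts"] - events[0][0] > window:
            events.popleft()
        hosts = sorted({dst for _, dst, _ in events})
        if len(hosts) > max_hosts:
            if user not in alerted:
                alerted.add(user)
                alerts.append({
                    "user": user,
                    "ts": rec["ts"].isoformat(),
                    "hosts": hosts,
                    "sources": sorted({src for _, _, src in events}),
                })
        else:
            alerted.discard(user)  # episode over; allow a future alert
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['user']} reached {len(alert['hosts'])} "
              f"hosts {alert['hosts']} from {alert['sources']}")
```

On the sample data this produces a single alert for `bob` at the moment the fourth host is reached, and none for `alice`, whose two logins are more than ten minutes apart. In a real deployment the threshold and window would be tuned per account class (service accounts legitimately touch many hosts), and the alert would be routed to whoever owns the response procedure the post calls for.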

This sort of integrated, proactive management of security cannot happen if IT is still operating as “the department of NO,” reflexively refusing user requests out of fear of potential consequences. If the IT department tries to ban everything, users will figure out a way to go around the restrictions to achieve their goals. This is how “shadow IT” happens: in the absence of an officially sanctioned corporate solution for file sharing, collaboration, application development and testing, or whatever other task, users figure out their own approaches. The risk then is that these users, who do not have an IT operational or security background, may inadvertently make choices which put the entire organisation and even its customers at risk. Instead of shutting them down, IT needs to engage with those users and find creative, novel ways to deliver on their requirements without compromising on their mandate to protect the organisation.

While corporate IT cannot be held responsible for the security of services such as Twitter, they can and should advise social-media teams and end-users in general on how to protect all of their services, inside and outside the perimeter.

For more on this topic, please download our free ebook or see bmc.com/compliance.


These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.



Dominic Wellington


Dominic Wellington is BMC's Cloud Marketing Manager for Europe, the Middle East and Africa. He has worked on the largest cloud projects in EMEA, and now he calls on that experience to support new cloud initiatives across the region. Previously Dominic supported BMC's automation sales with direct assistance and enablement throughout EMEA. Dominic joined BMC Software with the acquisition of BladeLogic, where he started up Southern Europe pre-sales operations. Before BladeLogic, he worked in pre-sales and system administration for Mercury and HP. Dominic has studied and worked between Italy, England and Germany.