There is a security risk in your organization that can render all of your security controls worthless with a single click. It is dynamic and changes in real-time. It is the weakest link in your infrastructure, and no singular security appliance or software exists that can lock it down. What’s more, you have not one but hundreds—perhaps thousands—of these risks, each sitting behind a desk in your organization. While users represent the single largest security risk to organizations, there are measures you can put in place to mitigate the risk they can introduce to your organization. This eBook explores the different kinds of user-based risks in today's corporate environment, including mobile devices and cloud services, and gives actionable guidance on how to mitigate these risks.
Users have always been a security risk due to the fact that they require proprietary knowledge to do their jobs. That risk is growing, thanks in part to two technological trends that are changing the face of IT: cloud computing and mobility. The adoption of cloud services dissolves the network perimeter by moving network resources outside of the corporate firewall. And users are accessing these resources with personally owned mobile devices that are not necessarily locked down or connecting through a virtual private network.
Research firm Gartner projects that Software-as-a-Service (SaaS) and cloud applications will grow from $13.4 billion in 2011 to $32.2 billion in 2016. If those numbers are too big to grasp, look at it this way: 74% of companies are using some form of cloud services, up from 50% in 2009.
Chances are that your organization is among the 74 percent, even if you don’t know it. One challenge with cloud services is that they are frequently procured outside of the systems—and security controls—of the IT department.
The proliferation of Bring Your Own Device (BYOD) policies has also resulted in the IT department having less visibility into user activity as users connecting personally-owned devices to the network. Organizations have less control over the security on these devices and users may bring multiple devices – each running a different platform and operating system – within the course of a single workday. These new trends are forcing organizations to change the way they approach security. In the past, security efforts were focused on the perimeter. Security controls inside the firewall were “soft” because organizations dedicated the majority of their resources to hardening the perimeter. These measures are still important – but only to a degree, because organizations no longer have control over every asset that connects to the corporate network.
The proliferation of ways of accessing data has occurred at the same time that attackers recognized the profit that can be made from this data. As a result, attacks are becoming more rampant and increasingly sophisticated. As one example of the increased volume of attacks, US CERT reported a 620% increase in the incidents reported by US Federal agencies between 2006 and 2011. As attackers have gotten more sophisticated, we’ve also seen traditional signature-based security controls such as Antivirus software fall further behind.
Case in point: In late 2012, Symantec AV detected only one of 45 pieces of malware Chinese hackers used to breach the New York Times.
The reality is that the nature of the way we work and access data is changing and there’s no stopping it. When all is said and done—when your firewalls are properly configured, data is encrypted at rest and in motion, antivirus is up to date, access controls are assigned appropriately—a significant source of risk remains: The user.
Risk management best practices dictate that the resources you dedicate to protect an asset should be proportionate to the asset’s importance and balanced with your risk tolerance. But not all user access is created equal. Following best practices, users should be granted only the level of access required to do their specific jobs. As a result, different groups of users have different levels of access and, therefore, present different levels of risk.
The marketing intern with access to public information about your company presents a much lower risk than the finance manager. Your IT admins present yet another level of risk. Each of these users accesses a different level and type of information that has varying value to the organization. If stolen, the data accessed by the finance manager would result in greater damage than the data accessed by the marketing intern who is sending the company newsletter to customers and prospects. Quantifying user risk involves measuring four different types of risk for each user group:
• Business risk
• Entitlement risk
• Location risk
• Activity risk
Business risk refers to the types of assets users have access to; the company newsletter versus firewall policies, for example.
Entitlement risk has to do with the access granted to users, especially for those users who have accumulated more permissions over time.
Location risk takes into consideration the devices used to access the network and where that access may occur. Certain activities like traveling to client sites introduce an additional level of risk. Users are connecting to insecure public networks and are more likely to lose control of their devices.
Activity risk refers to user behavior on the network. Do you often have to clean the user’s machine of virus infections, does he use more cloud services than average, or does she frequently sideload apps onto her phone? When specifically quantifying mobile device user risk, organizations need to consider factors beyond these risks. Security teams also need to determine how many devices are being used. Include laptops, tablets and smartphones (some users may have more than one!). Older devices may still have access despite having been replaced with newer ones. Identify which devices have not accessed the network in a given period of time and consider blocking their access. Also consider limiting access to a maximum number of devices per user.
As you consider different types of user risks and investigate potential solutions for mitigating those risks, keep in mind that the specific controls you choose should be guided by the risk level assigned to those users.
Types of User-Based Risk
Users represent the single largest security risk to organizations today. We’re not just talking about knowledge workers who jot down their passwords on a Post-It note and stick it on their computer monitor. We’re talking about every single user—yourself included. Because even the most security-conscious IT user can make a mistake. Every individual with legitimate access to your network is a risk, from the marketing intern to the IT admin updating domain credentials, to your CEO.
There is a security risk in your organization that can render all of your security controls worthless with a single click. It is dynamic and changes in real-time. It is the weakest link in your infrastructure, and no singular security appliance or software exists that can lock it down. What’s more, you have not one but hundreds—perhaps thousands—of these risks, each sitting behind a desk in your organization.