

managed security

David Hood, ANSecurity: at the heart of a true MSSP is knowledge.

Mike Ahmadi, DigiCert: Organisations are now forced to ask the question: 'Is this our core competency?'

money. Secondly, as an organisation faces an ever-growing number of devices requiring security management, with tasks such as managing digital certificates embedded in devices, the organisation needs to grow infrastructure proportionally. Looking towards the future, where it may be at least expected and perhaps even required for all internet connected devices to be securely authenticated and have an identity, we can easily see that this represents literally billions of devices. Managing PKIs for a few thousand users and devices is challenging enough. Managing it for millions and billions of devices requires an enormous amount of time, dedication and resources that are better spent on making cooler products."

And Ahmadi concludes: "I believe, as organisations become more aware of these issues, they will soon come to understand that managed certificate security is best treated as another part of the supply chain and that managing the supply chain is something they are much better suited to handle."

IMPACT ASSESSMENT

On the question of whether the managed security service providers route is one that all should consider or even take, Joseph Carson, chief security scientist, Thycotic, has this to say. "Absolutely not. Before any organisation decides on the best cybersecurity strategy - whether it be internal, outsourced or a hybrid - it must first perform a business and data impact assessment. Based on that outcome, along with both regulation and compliance requirements, an organisation can then decide what security strategy best fits the needs for the business and this might be partnering with a managed security service provider," he states.

Nor do you need to be a big player to get the economies of scale this might offer, he argues.
"Organisations will have a budget, based on a business risk assessment, that will determine what security is required to reduce the risk of cybersecurity attacks. This will decide what solutions they must have and those that are nice to have. Based on the business needs, different managed security service providers who specialise in certain cybersecurity techniques might be best suited. It will be decided on what risks need to be reduced, along with the geographical location of the service provider." What about the costs involved? "Some managed security services providers can be expensive and others more cost-effective," states Carson. "It will really depend on how much cybersecurity solutions they will take responsibility for or whether you can pick and choose what services they will provide. Of course, this would assume you will still be maintaining in-house cybersecurity knowledge to manage." Equally important, does embracing managed security services mean relinquishing a degree of control over your own operations and possibly leave you more open to attack? "This really depends on the type of business and industry," he responds. "Relinquishing some control to managed service providers who specialise in threat hunting and advanced cybersecurity knowledge can help improve your cybersecurity posture. "Of course, it will depend on the knowledge and skills of the managed service provider. If they deliver services based on only technology and not people, then, yes, you could be exposed to a greater risk of a cyber-attack. It is important not just to pick a managed security service provider based on technology alone; they must also invest in the best cybersecurity talent to ensure you get the best value out of those technologies," he concludes. 28 computing security July/August 2018 @CSMagAndAwards

thought leadership

SECURING THE CLOUD: THE FUTURE OF AUTHENTICATION

NEIL LANGRIDGE, MARKETING DIRECTOR, E92PLUS, OFFERS HIS INSIGHTS ON A MASSIVE DATA SECURITY CHALLENGE THAT'S NOW FACING ORGANISATIONS EVERYWHERE

The inexorable rise of digital connectivity and the ubiquity of devices is producing ever-increasing volumes of sensitive and personal data. For organisations, keeping that data secure, without affecting the productivity that is being driven by the digital revolution, is one of the biggest challenges for the IT department.

This transformation in how we access data at work has been built on an undoing of the traditional network - from the old network perimeter (and access via VPN) for a small number of users working at home. As this access extended to mobile and flexible workers, so authentication became essential in helping to manage user security. The Username-and-Password method as a secure access method has remained an essential part of the user experience - but, with the use of cloud applications, can it be fully trusted and is it affecting the user experience?

We reached out to hundreds of CIOs, CISOs and IT leaders to ask them about how authentication can bridge the divide between security and productivity. At the heart of our findings is the challenge of balancing user experience with security. Clearly, both sit at the top of priority lists, yet, throughout, many organisations are looking towards a cloud-first approach and user-centric solutions, whilst relying on legacy technology.

The 'digital transformation' approach that is often at the heart of many IT strategies - that are currently being championed by CIOs - is designed to embrace the opportunities and unleash employee potential through IT. However, if access to these applications remains a challenge to manage and secure, then their success could ultimately be restricted.
The threat landscape for the modern CIO is forever changing and the introduction of GDPR adds a significant legislative burden on protecting the data that is now increasingly spread across local network, mobile devices and cloud applications. Ensuring that data is secured may be the primary focus, but providing access is the next step, and its level of security will define the success of the cybersecurity strategy. No one will want to compromise a positive user experience, but security demands will mean that a different approach is required.

This balance of user experience and security is central to risk-based authentication, which allows for the adaptation to the circumstances of the user's access to a service through a set of policy rules. Therefore, every deployment will be unique to specific needs and risks. This results in a collaborative relationship between job role and IT functions, thus providing an essential educational tool to users which assists them in balancing security with productivity, as well as enforcing necessary controls.

Those rules could be in relation to the date/time, device, physical location, what service is being accessed and who the user is, and combine risk profiling with the authentication method: so providing the most effective security possible with a seamless experience for the user. It can even encompass compliance requirements and drive user self-service for simple (but admin-heavy) tasks such as password re-sets.

This approach enables organisations to embrace the flexibility of cloud applications, the productivity of a mobile workforce, and the productivity of technologies such as SSO and IAM while ensuring that an enterprise security policy is in place and an authentication solution can provide the first line of defence against the biggest threats.

Neil Langridge, Marketing Director, e92plus.

E92PLUS SURVEY HIGHLIGHTS
Only 40% of organisations are using multi-factor authentication for cloud applications.

88% of organisations expect that to grow in the near future.

Only 71% of organisations adapt authentication requirements based on the use case.

The biggest drive for SSO, from more than 50% of respondents, is an improved user experience.
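
The policy-rule approach to risk-based authentication described in the article can be sketched as follows. This is an added example, not code from the article or from e92plus: it scores a request on device, physical location, date/time and user role, then combines that score with a per-service minimum to choose the authentication method. All names, weights, thresholds, countries and services are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessContext:
    user_role: str        # who the user is
    service: str          # what service is being accessed
    device_managed: bool  # device
    country: str          # physical location
    when: datetime        # date/time of the request

# Constructed policy values; every deployment tunes these to its own risks.
HOME_COUNTRIES = {"GB", "IE"}
SERVICE_FLOOR = {"wiki": "sso", "mail": "password", "finance": "mfa"}
SIGNALS = [  # (reason, risk weight, predicate over the context)
    ("unmanaged device", 40, lambda c: not c.device_managed),
    ("unusual location", 30, lambda c: c.country not in HOME_COUNTRIES),
    ("outside working hours", 15,
     lambda c: c.when.weekday() >= 5 or not 7 <= c.when.hour < 19),
    ("privileged role", 20, lambda c: c.user_role == "admin"),
]
LADDER = ["sso", "password", "mfa", "deny"]  # weakest to strongest outcome
THRESHOLDS = [(80, "deny"), (35, "mfa"), (15, "password"), (0, "sso")]

def decide(ctx):
    """Return (required method, risk score, reasons) for one access request."""
    hits = [(reason, w) for reason, w, pred in SIGNALS if pred(ctx)]
    score = sum(w for _, w in hits)
    by_score = next(m for limit, m in THRESHOLDS if score >= limit)
    # The service sets a minimum; an unlisted service gets the strict default.
    floor = SERVICE_FLOOR.get(ctx.service, "mfa")
    method = max(by_score, floor, key=LADDER.index)
    return method, score, [reason for reason, _ in hits]

if __name__ == "__main__":
    # Constructed sample requests.
    office = AccessContext("staff", "wiki", True, "GB", datetime(2018, 7, 3, 10, 0))
    risky = AccessContext("admin", "mail", False, "BR", datetime(2018, 7, 7, 23, 0))
    for ctx in (office, risky):
        print(ctx.user_role, ctx.service, decide(ctx))
```

The low-risk request passes on the existing SSO session, while the same user on an unmanaged device is stepped up to MFA, which is the user-experience and security balance the article describes.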