Security Maturity Model, Part 2


How do you provide cybersecurity for an already complex ecosystem? How do we keep it simple for the end-users, so they don’t circumvent the protocols put in place to protect them and their devices? Continuing our Security Maturity Model blog series, we’re looking into the incremental needs of larger organizations and of organizations spread out globally. How do we stay secure while still providing seamless access to resources within the ecosystem and hosted solution?

Security Maturity: Level 3

Level 3 of the security maturity model deals mainly with Small and Medium Enterprises (SME). In this case, companies have multiple locations around the country, plus some permanent remote workers to maintain a presence in more locations. There is a proper IT infrastructure, either local, cloud-based (e.g., Microsoft 365) or hybrid, managed by a small team of skilled personnel who are fully responsible for it (maintenance, support, capacity management, etc.).

 

Security posture: 

  • Insure your business 
  • Protect your data 
  • Protect your endpoints 
  • Manage your endpoints 
  • Protect your local network 

 

Educate your employees

Training is key to ensure your employees are not part of the problem when it comes to implementing security internally. They need to know and understand the current processes in place, as well as what is expected of them. Listen to their concerns and needs, and try to integrate them into your policies instead of “fighting” against them. This is also a great way to ensure user adoption and enforcement of said policies. Always balance security and usability, to ensure they also understand 

 

Audit your security posture

Have an independent third-party company regularly audit your security posture to validate it and to detect any flaws that need to be addressed.

 

Proactively monitor your organization

When hosting corporate resources and services internally, using local infrastructure, you will want to implement a monitoring solution to ensure those resources are available at all times and to detect any service degradation or interruption as soon as possible, so you can react to it. While most solutions focus on server and service monitoring, you may want to consider a solution that also provides advanced mobile network and endpoint monitoring, such as ISEC7 SPHERE. This ensures end-users are able to access these resources from their mobile devices and use work apps for their day-to-day tasks.

 

Security Maturity: Level 4

Level 4 covers security measures for large enterprises. In this case, companies have offices and employees in other countries, and thus have an extra layer of complexity to deal with, not only technically (e.g., securely connecting all offices) but also organizationally (different IT teams, languages, work cultures, time zones) and legally (different labor and data regulation laws and regulations).

 

Security posture: 

  • Insure your business 
  • Protect your data 
  • Protect your endpoints 
  • Manage your endpoints 
  • Protect your local network 
  • Educate your employees 
  • Audit your security posture 
  • Proactively monitor your organization 

Adopt a Zero Trust approach

As you transition to the cloud to decentralize your infrastructure and make it available globally to all your employees, no matter where they are and what type of device they use, it is time to adopt a Zero Trust approach to your security posture, with the motto: “Never trust, always authenticate”. 

 

This is achieved by combining advanced security features such as Risk-Based Authentication (RBA), Multi-Factor Authentication (MFA) and Zero Trust Network Access (ZTNA), to mention a few.

 

Risk-based authentication constantly evaluates user risk based on the user's location, the device used, the time of day, the data accessed, and more, to determine whether a request is legitimate, is not, or simply needs complementary identification (for example, using MFA) to confirm that it is and so authorize the user to access the requested resource. Also, when moving to the cloud, services are now reachable, although not available, to virtually anyone on the Internet, unlike before, when they were behind well-guarded walls. This is where ZTNA comes into play, offering VPN-like control, but for online resources and SaaS on both desktop and mobile devices, transparently and with no impact on the end-user experience.
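
The risk evaluation described above, as an added example that is not from the original post or from any ISEC7 product: a risk-based authentication decision in Python that scores a request on location, device, time of day and data sensitivity, then allows it, asks for MFA, or denies it. The signal names, weights, thresholds and the sample profile are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed weights and thresholds; a real deployment tunes these per policy.
WEIGHTS = {"new_country": 40, "unmanaged_device": 25,
           "unknown_device": 20, "off_hours": 10}
SENSITIVITY = {"public": 0, "internal": 10, "confidential": 25}
MFA_THRESHOLD, DENY_THRESHOLD = 30, 80

@dataclass(frozen=True)
class Profile:                  # what is normal for this user
    usual_countries: frozenset
    known_devices: frozenset
    work_hours: range           # local hours, e.g. range(7, 20)

@dataclass(frozen=True)
class Request:
    country: str                # geolocated source country
    device_id: str
    device_managed: bool        # enrolled in endpoint management
    local_time: datetime        # in the user's own time zone
    sensitivity: str            # key of SENSITIVITY

def risk_signals(req, profile):
    """Return the names of the risk signals this request triggers."""
    checks = {
        "new_country": req.country not in profile.usual_countries,
        "unmanaged_device": not req.device_managed,
        "unknown_device": req.device_id not in profile.known_devices,
        "off_hours": req.local_time.hour not in profile.work_hours,
    }
    return [name for name, hit in checks.items() if hit]

def decide(req, profile, mfa_passed=False):
    """Return (decision, score, signals); decision is allow, mfa or deny."""
    signals = risk_signals(req, profile)
    # Unknown sensitivity labels fail closed to the highest weight.
    data_weight = SENSITIVITY.get(req.sensitivity, max(SENSITIVITY.values()))
    score = sum(WEIGHTS[s] for s in signals) + data_weight
    if score >= DENY_THRESHOLD:
        return "deny", score, signals      # MFA cannot override a deny
    if score >= MFA_THRESHOLD and not mfa_passed:
        return "mfa", score, signals       # step-up authentication required
    return "allow", score, signals

# Constructed sample profile for a user who normally works from DE or US.
ALICE = Profile(frozenset({"DE", "US"}), frozenset({"laptop-01"}), range(7, 20))
```

Because the decision is re-evaluated on every request, the same user on the same device can move from "allow" to "mfa" simply by connecting from a new country or reaching for more sensitive data.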

 

No matter the size of your ecosystem or how widely it is deployed, understanding your business and the operational needs of your cybersecurity solution is paramount in providing the right solution to address your specific vulnerabilities. There are solutions available that are cost-neutral; however, they may not provide adequate protection or may not address ALL of the vulnerabilities within your organization. The immediate benefit would be recognized as a cost saving; however, if there is an attack, that cost saving is immediately lost. The team at ISEC7 can provide an objective assessment of what can address the needs of your organization and/or the risk mitigation needed to enhance your current solution.

 


(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group