On the heels of President Obama's most recent directive on rules for information technology within the federal government, it is important that we, as an industry, examine the larger issue this directive brings to light: policy enforcement and management.
From government to business, let us assume that everyone understands and agrees on the need for data protection. Very few organizations, however, have examined their policies and procedures to determine whether their actual approach to protecting data matches their stated approach.
Consider, for example, a law firm. Have you ever tried to walk into a law firm’s office without an appointment? Impossible.
Have you ever tried to get a lawyer to talk about his client? No luck.
But you might be surprised to learn that many law firms allow their lawyers to save confidential client information on the local drive of their computers, and/or that the firms use remote access tools with weak or no user authentication, no entitlement management, and minimal (or no) protection of the data itself.
Simply put, we, as a society, do not “walk the talk” when it comes to computer security.
Compounding the issue are four widely held assumptions that are unfortunately false:
- First, there is a common assumption that digital and remote access solutions are inherently secure.
- Second, we are entitled to have the data we use on our personal devices. As consumers, we are hammered with messaging from PC and device manufacturers that all of our data should be on each and every device, wherever we are.
- Third, IT leaders are always right. Government and business leaders are often afraid to challenge "their" IT leadership, because security is a black hole for non-technical people. What makes this most alarming is that the approach to great, or even good, data security is well known, and in certain cases deployments are already in progress; the obstacle is not a lack of knowledge.
- Last, what we have in place today is sufficient. CIOs and IT leaders become locked into existing and/or big-brand security or remote access solutions without challenging their ability to meet evolving corporate and security objectives; a prime example is the industry's lack of response after the March 2011 RSA SecurID breach.
A current example of practices not matching policy is the U.S. government’s Homeland Security Presidential Directive 12 (HSPD-12). According to the Department of Homeland Security, there are wide variations in the quality and security of identification used to gain access to secure facilities where there is potential for terrorist attacks. In order to eliminate these variations, U.S. policy is to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, government-wide standard for secure and reliable forms of identification.
This directive mandates a federal standard for secure and reliable forms of identification. Specifically, HSPD-12 requires the use of smart cards in the ID-1 format (the Personal Identity Verification, or PIV, credential) for access to digital resources. However, while this technology is currently used for onsite computing sessions at government offices, it is not used for remote access. Without the use of ID-1 cards for remote access, there is no assurance that access to sensitive data and true user authentication are being properly addressed.
One common remote access solution is a virtual private network ("VPN") with a one-time password ("OTP") token. Unfortunately, this has proven to be an ineffective solution: it does not authenticate the person, but only possession of a device, and more precisely of the secret seed inside that device. Whoever holds a copy of the seed can produce valid codes.
Not only is this philosophy broken, but OTP tokens also have been breached, and will continue to be.
Policies and practices designed to protect data and to authenticate the person must extend to remote access. Too often, remote access and digital security are afterthoughts for organizations: they do not authenticate the person, have no entitlement management component, and allow data to leave the friendly confines of the corporate network.
Digital security is about risk management and mitigation, and it should be examined through the same filter as any other risk management decision in business. Two central questions must be addressed:
- What is the cost to the organization of doing nothing?
- What are the up-front and ongoing costs, or savings, associated with a new investment in a more effective security solution?
Candidly, there is no such thing as perfect security, but that is no excuse for the inadequate protocols and technologies being used more often than not.
Tony Busseri is CEO of Route1 Inc. (www.Route1.com), a security and identity management company. A track record of diverse, successful, and cost-effective deployments makes Route1 the single veteran source for remote access and identity management across multiple markets. Myriad organizations worldwide, both public and private, such as the U.S. Navy, ING, GMP Securities, the Department of Energy, and the Department of Homeland Security, reap the benefits of Route1’s proven technology and industry heritage to address access, data security, and entitlement management.