EDITOR’S QUESTION
SCOTT GORDON (CISSP),
CHIEF MARKETING
OFFICER, PULSE SECURE
As more information and applications
become Internet connected, the
vast volume of data held and
processed through online systems has made
them a prime target for attacks. Securing
online resources is a case of reducing risk
through the creation and enforcement of
risk-mitigating controls along with sensible
day-to-day secure processes combined with
constant testing and vigilance.
Security solutions have a major role to play
and the number of ways they can help is
increasing. Two major areas of focus are:
securing accessibility to systems and data,
along with securing data during transit and
at rest. Secure access is as fundamental as
having a door with a lock and key.
VPN – a security cornerstone
The prevailing technology used by the
clear majority of web connected systems is
some form of authentication process that
uses a combination of validated digital
certificates alongside a multi-factor method
of authenticating user authority to access
secure systems and data.
Under the catchall of Virtual Private
Networks (VPNs), the vast majority of
connected systems will require a Secure
Sockets Layer (SSL) connection to be
established between the person requiring
access and the target website of the
remote server. In the case of more secure
applications, additional login processes
such as two-factor authentication (2FA) will
need to take place to ensure that the person
attempting to gain access is a legitimately
authorised person.
Secure Access is a broad collection
of systems that handle many of the
intermediary steps within the chain. This can
include validating that the device used to
make the connection is up to date with its
operating systems and patches, as well as
checking that the various digital certificates
and encryption keys are valid, properly
exchanged and verified.
Policy-based management is vital
This process leads neatly to the protection
of data in transit and at rest. Also within the
purview of VPN, this means protecting data
between users, devices and online systems.
While the process is mature and increasingly
automated, secure access management
tools enable organisations to enact flexible
policies that ensure controls are followed
and, when needed, can instigate additional
security measures. These controls can be
based on factors such as where the user
is connecting from, the type of systems
being accessed or even heightened due to a
vulnerability, new threats or regulation such
as PCI DSS or GDPR.
Automated security policies are also vital as
information starts to reside between multiple
on-premise, cloud and SaaS applications.
As users and data flow within this hybrid
environment, security policy must fluidly
adapt to the different access and security
models that each platform mandates. For
example, federated login and single sign-on
technologies are a practical way to reduce
the friction of users moving between these
hybrid structures while enforcing centralised
control over access and user privilege.
Mobile security – defending data at the last mile
With all the talk about data in the cloud,
it is possible to question what exactly is
accessing that sensitive data; chances
are, it is possibly an insecure mobile
device. What happens to the data when
that device is lost or compromised?
As such, security policy and controls
must be seamlessly extended to the
smartphone, tablet or laptop. Secure
Access technologies can invoke device
health checks to ensure device defences
are current and active. Additional controls,
such as the use of containers to segregate
personal from corporate apps and data,
can be added for appropriate cloud-based
apps and data protection.
A marathon not a sprint
As more information heads online, CIOs
must continually assess their organisation's
security posture, compliance and readiness.
This takes ongoing vigilance and, as
threats and regulations progress, secure
access controls, policy and end-user
education must continually evolve as well.