November 2, 2018

IT Security: Taking the RIGHT Approach

By Davitt J. Potter
Leader, Global Security Practice
Arrow ECS

I recently had the privilege of meeting with several Arrow partners where we discussed “what’s coming, what are you seeing, what can Arrow do more of?” Resoundingly, the answer was that IT security continues to grow, but that guidance and assistance is still very much needed for both our partners and their end-users.

Whether it’s security consulting, selling hardware and software solutions, security and compliance auditing, testing services, or professional and managed services, a comprehensive IT security strategy is more critical than ever.

Far from just bolting pieces of hardware and software together, security professionals are concerned with the risks to the business and how to mitigate those risks while still enabling business. Training and awareness of security technologies continue to be a major opportunity for our VARs and their customers. So, how do you capitalize on these trends?

Proper IT Security Is About Being RIGHT

Wait, what? Seems kind of simple and a bit vague, or “catchphrase,” doesn’t it? Bear with me and hear (well, read) me out.

What I mean is this: Actual security means that the right people have the right access to the right data from the right devices at the right times from the right places. (And once you’re “right,” then you can prove it!) So let’s talk through each of these five categories at a high level.

The Right Devices (“Never trust a stranger…”)
Your customers are not always in control of the devices that touch their network – hotel kiosk computers, borrowed laptops, personal tablets, smart phones, etc. While it’s tempting in some cases (and perhaps appropriate!) to block such devices outright, modern businesses must generally allow the use of personal or non-company-owned devices.

A proper approach from an enterprise mobility management/mobile device management perspective allows companies to decide what level of access trusted or non-trusted devices should have. “App stores” can include a company’s custom apps and allow some level of access to non-company devices, while granting more access to trusted and fully managed corporate devices. In this area, we’re really looking at EMM (a.k.a. bring your own device [BYOD]). Virtual desktop infrastructure is also a very viable component in this space and can be a powerful tool for organizations with remote offices and users. VDI is also a fantastic way to centralize data, ensure proper desktop security, and eliminate an exfiltration vector.

From an internal standpoint, the right devices need the right software and the right patches. One of the biggest takeaways from numerous breach reports and interviews last year was that critical infrastructure still isn’t patched. Therefore, it is imperative that companies patch their servers, routers, switches, and people. And since we now have effective and manageable ways to do this – from a wide variety of vendors – you can help your customers avoid ending up as a news blurb on Slashdot.

We also need to talk about endpoint software – antivirus; next-generation endpoint; managed detection and response; and endpoint detection and response. Traditional antivirus has been supplanted by next-generation endpoint – and it’s about time. Behavior-based responses and advanced malware detection and remediation, integration with virtualization tools, SIEM platforms, and API integration with third-party tools make it time to migrate off of old antivirus platforms.

The Right People (“I really wanna know… who… are you?”)
All apologies to the Who, but understanding who your users are is critically important. Usernames and passwords are easily compromised, stolen, shared, or socially engineered. A simple but effective control, such as multi-factor authentication, is usually the critical first step on the security path.

But your customers can’t rely on passwords alone. They must ensure their user lists are up-to-date with directory tools and provisioning/de-provisioning tools that include workflows, checklists, and the ability to provision other internal tools and systems, as well as remove employees when their roles change or they leave the company. Technologies in this area include authentication, IAM/PAM, virtual private networks, directory services, MDM, and EMM (some overlap with above). Newer technologies, such as end-user behavior analytics, are also providing powerful insights into how users behave. For example, is that really Davitt? Or did somebody steal his credentials?

The Right Access (“Do you know where you are?”)
Of course, no security conversation can be had without talking about firewalls. “Old school” firewalls that just do port and protocol have been outstripped and outshined by their application-aware/next-generation/Layer 7 brethren. OK, but what does that actually mean? It means that we can now determine what applications users are actually using (such as Facebook, Twitter, Office365, Dropbox, etc.) and what data is going to these apps. We can also integrate with internal directory services and understand who is doing what – or, in this context – whether the right people are doing the right things from the right devices. Today, encrypted traffic inside the network is a major visibility issue, so I recommend considering SSL decryption and analysis as part of a network visibility conversation. If you can’t see a threat, you can’t stop a threat.

So now we have a pretty solid handle on who is coming and going on the network. But how do they get there? Most of us use some sort of VPN access; I’d recommend tying it to the above strategies to strengthen those connections. Multi-factor VPN access is very straightforward to enable and configure.

Once users are authenticated, your customer needs to know what they have access to in the network. Role-based access control isn’t new, but new and better tools to define and orchestrate this critical function can do a lot to limit the damage done by stolen or compromised credentials. Be sure to talk to Arrow about identity access management, privileged access management, and multi-factor authentication. We can help you design and implement your controls.

The Right Data (“The heart of the matter…”)
OK, now we’re into the real heart of the matter – the data. All the rest of this framework exists to protect your customer’s data. Along with IAM/PAM technologies, we’re also talking about encryption (data at rest), data loss prevention (data in flight), and, in some cases, micro-segmentation. Newer micro-segmentation gives organizations the ability to very finely tune their internal security policies – such as isolating HR from engineering or blocking sales from HR machines – while also enabling network visibility into application usage, user identity, and SSL decryption. Advances in SDN have allowed this to be policy-driven and highly automated. From a data center standpoint, it’s also now far easier to deploy firewalls in tiered environments – control the database server, the web server, and the end-users – and only allow the necessary traffic in between.

Also be sure to consider backups – are they protected, encrypted, and readily available? If your customer is storing them off-site, do they know how they’re protected and what controls are in place? When is the last time they checked or did a test restore?

The Right Time (“Right now is your tomorrow…”)
While many organizations are 24x7x365 operations, it’s still valuable to know when things happen and get further insights into them. Security analytics/SIEM tools are very valuable at collecting and providing insights into this data – from rebuilding attack sequences, to finding anomalous user behavior, or providing a window for investigations. The analytics tools are what really provide contextual data to make business-aligned decisions vs. reactionary responses. SIEM, security analytics, and user behavior analytics are used to assist here.
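To make the five “right” dimensions concrete, here is an added example (not from the original post or from Arrow) of a small access-decision function that checks people, access, devices, places, and time against a constructed policy and records every failed dimension so the denial can be audited and explained. The role mappings, device tiers, trusted networks, and access window are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Device trust tiers, least to most trusted (assumed values for this example).
DEVICE_TIERS = {"unknown": 0, "byod": 1, "managed": 2}
# Minimum device tier each data class requires (assumed policy).
DATA_MIN_TIER = {"public": 0, "internal": 1, "confidential": 2}
# Which data classes each role is entitled to: the right people, the right data (assumed).
ROLE_DATA = {
    "hr": {"public", "internal", "confidential"},
    "engineering": {"public", "internal"},
}
# Confidential data may only be reached from corporate or VPN networks (assumed).
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_trust: str   # one of DEVICE_TIERS
    data_class: str     # one of DATA_MIN_TIER
    network: str
    at: time

def evaluate(req: AccessRequest, window=(time(6, 0), time(22, 0))):
    """Return (allowed, reasons). Each failing dimension adds a reason; allow only if none fail."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("people: MFA not completed")
    if req.data_class not in ROLE_DATA.get(req.role, set()):
        reasons.append(f"access: role {req.role!r} not entitled to {req.data_class}")
    if DEVICE_TIERS.get(req.device_trust, 0) < DATA_MIN_TIER[req.data_class]:
        reasons.append(f"devices: {req.device_trust} device below tier for {req.data_class}")
    if req.data_class == "confidential" and req.network not in TRUSTED_NETWORKS:
        reasons.append(f"places: {req.network} not trusted for confidential data")
    if not (window[0] <= req.at <= window[1]):
        reasons.append(f"time: {req.at.isoformat()} outside access window")
    return (not reasons, reasons)

def audit_event(req: AccessRequest, decision):
    """Build the record a SIEM would ingest: who, what, the verdict, and why (the 'prove it' step)."""
    allowed, reasons = decision
    return {"user": req.user, "data": req.data_class,
            "decision": "allow" if allowed else "deny", "reasons": reasons}
```

Feeding a denied request through `audit_event` yields one log record listing every failed dimension, which is the kind of context the analytics tools in the next section need to reconstruct what happened.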

Security Never Stops

As you can see, there is a lot to consider around security. From an overall strategy exercise to the tactical execution, Arrow can assist each step of the way, as well as integrate your customer’s security plan into their overall IT business objectives, including infrastructure and cloud considerations.

Security is a process and requires constant vigilance, review, and a methodical application of strategy. Let Arrow’s highly skilled engineers help you zero in on the right solutions for you and your customers.

Contact Us

So, what are you waiting for? Test drive our Arrow Solutions Lab online or on-site in Denver or Atlanta and discover how Arrow can help you find the right approach for designing, demonstrating, and deploying the right security technologies for your customers.

Contact your Arrow representative or send me an email at dapotter@arrow.com.