If a network is compliant with regulations, does that mean it’s secure? Unfortunately for both IT professionals and businesses, it does not.
“Compliance is not security, but security can be compliant – with a set of requirements and guidelines that ensure data is confidential to authorised users, has integrity, has not been changed or modified, and is available on demand,” says Anton Jacobsz, managing director at Networks Unlimited, an African value-added distributor of NETSCOUT solutions across the continent.
He adds that compliance is about making choices to implement security controls in an organisation aimed at keeping data safe and secure, but also available. “After all, critical data, like customer lists and corporate secrets, would be useless if it were not available to your employees.”
“To protect IT data, first put on your Hollywood screenwriter’s hat and think of all the bad things that could happen to the data, the devices it resides on, and the networks that carry the devices. This process is designed to identify risk and build a set of requirements that will mitigate it – in a threat model,” continues Jacobsz.
Threat modeling identifies resources of interest to hackers and thieves and brainstorms the feasible threats, vulnerabilities, and available security controls.
TechTarget defines it as a procedure for optimising network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial of service) or incidental (such as the failure of a storage device), and that can compromise the assets of an enterprise.
“Yes, assume there will be attacks, because you need to make data available for use, and that one or more attacks will be successful,” highlights Jacobsz.
He further points out that if you look at security as a process, it becomes a series of battles where you will win some, lose some, and hope you don’t lose a lot. “Otherwise, you will be out of data and out of business in a short period of time,” states Jacobsz.
Some guidelines for managing and securing mobile devices in the enterprise are for IT to: restrict access to hardware and software; manage wireless interfaces; monitor and report exceptions; require authentication to access company resources; and restrict app installation.
To meet the above goals, it is recommended to first identify the devices that an organisation intends to support in terms of their features, such as: network services including cellular, wireless, Bluetooth and Near Field Communication; and built-in vs. non-removable storage. Also consider external, removable storage (Flash memory, USB) and digital cameras.
Then, build a threat model for worst-case scenarios, such as use of untrusted networks, interaction with untrusted systems, use of untrusted content over the network, and use of global positioning system and location services, and follow it with a compliance policy that addresses those scenarios.
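The three steps above (inventory devices by feature, map features to worst-case scenarios, then check each device against a compliance policy and report the exceptions) can be worked through in a small script. The following is an added example and is not code from the article, Networks Unlimited or NETSCOUT; the feature names, the feature-to-threat mapping, the control names and the two sample devices are constructed for illustration. The script also separates policy findings from the residual threats a device still carries once it passes the policy, which is the article's point that compliance narrows exposure without removing it.

```python
from dataclasses import dataclass

# Threat model (constructed assumption): each device feature named in the
# article is mapped to the worst-case scenario it exposes the organisation to.
FEATURE_THREATS = {
    "cellular": "use of untrusted networks",
    "wifi": "use of untrusted networks",
    "bluetooth": "interaction with untrusted systems",
    "nfc": "interaction with untrusted systems",
    "removable_storage": "use of untrusted content",
    "location_services": "use of location services",
}

# Controls an IT policy can require, following the article's guideline list.
CONTROLS = {
    "hardware_software_access_restricted",
    "wireless_interfaces_managed",
    "exceptions_monitored",
    "authentication_required",
    "app_installation_restricted",
}


@dataclass(frozen=True)
class Device:
    name: str
    features: frozenset   # hardware/network features currently enabled
    controls: frozenset   # controls actually in place on the device


@dataclass(frozen=True)
class Policy:
    required_controls: frozenset     # every supported device must have these
    disallowed_features: frozenset   # features that must be switched off


def modelled_threats(device: Device) -> list:
    """Threats the device is exposed to, derived from its enabled features."""
    return sorted({FEATURE_THREATS[f] for f in device.features if f in FEATURE_THREATS})


def evaluate(device: Device, policy: Policy) -> list:
    """Policy findings for one device; an empty list means the device is compliant."""
    findings = []
    for control in sorted(policy.required_controls - device.controls):
        findings.append(f"missing control: {control}")
    for feature in sorted(device.features & policy.disallowed_features):
        threat = FEATURE_THREATS.get(feature, "unmodelled")
        findings.append(f"disallowed feature enabled: {feature} ({threat})")
    return findings


def exception_report(fleet, policy: Policy) -> dict:
    """Map device name -> {'findings': [...], 'residual_threats': [...]}.

    Residual threats come from features the policy still allows, so they remain
    even on a fully compliant device and need monitoring rather than a checkbox.
    """
    report = {}
    for device in fleet:
        allowed = device.features - policy.disallowed_features
        residual = sorted({FEATURE_THREATS[f] for f in allowed if f in FEATURE_THREATS})
        report[device.name] = {
            "findings": evaluate(device, policy),
            "residual_threats": residual,
        }
    return report


# Constructed sample policy and fleet (not real devices).
POLICY = Policy(
    required_controls=frozenset({
        "authentication_required",
        "app_installation_restricted",
        "wireless_interfaces_managed",
    }),
    disallowed_features=frozenset({"nfc", "removable_storage"}),
)

FLEET = [
    Device("sales-tablet-01",
           frozenset({"wifi", "cellular", "location_services"}),
           frozenset({"authentication_required", "app_installation_restricted",
                      "wireless_interfaces_managed"})),
    Device("contractor-phone-07",
           frozenset({"wifi", "bluetooth", "nfc", "removable_storage"}),
           frozenset({"authentication_required"})),
]

if __name__ == "__main__":
    for name, entry in exception_report(FLEET, POLICY).items():
        status = "COMPLIANT" if not entry["findings"] else "EXCEPTION"
        print(f"{name}: {status}")
        for line in entry["findings"]:
            print(f"  - {line}")
        print(f"  residual threats: {', '.join(entry['residual_threats']) or 'none'}")
```

Running it prints the contractor phone as an exception with four findings, while the sales tablet passes the policy yet still lists untrusted-network and location-service threats as residual; those are the items the "monitor and report exceptions" guideline has to keep watching after the compliance box is ticked.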
“We have realised that organisations across Africa are faced with the challenge of developing a WiFi compliance policy. NETSCOUT’s AirMagnet solutions in the region can however play an active role by enabling detection, planning, compliance monitoring and troubleshooting of all smart devices, thereby successfully harmonising BYODs into an organisation’s IT, governance and security infrastructure,” concludes Jacobsz.