Layer up for best protection

Joseph Souren says the stormier cyber-threat landscape requires yet another layer of IT security

It is clear from the number of high-profile breaches we are seeing day in, day out, that the traditional approach to security is failing to keep rapidly evolving and increasingly sophisticated threats in check.

We have recently witnessed sophisticated cyber attacks on a water plant in the US, a Fujitsu-run government system in Japan, and an attack on oil and defence industries in Norway that has been described as the worst instance of data espionage in the country’s history. These are just the latest salvos in a growing spate of cyber attacks.

It is now obvious that this activity is no longer the preserve of a few troubled or anarchistic individuals, but represents sustained, organised, sophisticated attacks on businesses and governments.

The targets may be financial institutions, corporations or state organisations. The attackers may steal money, or appropriate ideas, blueprints, plans or strategies. Intellectual property is the lifeblood of any organisation and the future of its operation.

I have heard that foreign secretary William Hague believes there has been an “alarming” rise in the levels of cyber crime. I have read estimates that it costs the global economy $1tn (£636bn) a year. That is almost 1.75 per cent of global GDP.

Alongside an ever-increasing number of internet-enabled and mobile devices, current governance and compliance models are also failing to provide true security against the sophisticated threat from cyber criminals. When you take into account the amount of IT complexity, it is easy to see why the security landscape is facing a torrent of cyber threats.

It has taken the industry almost 15 years to face up to the truth that layered security, the security infrastructure that currently represents the global norm, is not working. Layering security simply does not provide adequate protection. It offers partial compliance, not true security.

We need to devise new ways to protect ourselves and our customers from growing security threats.

Until now, many organisations have accepted data breaches and subsequent financial loss as a cost of being in business. As a result, they have been reluctant to explore and adopt any new security standard.

However, threat levels have risen sharply, as has the cost both in financial terms and in intellectual property terms. The cost is becoming unsustainable. It is only a matter of time before serious action is taken. Very soon, I believe, governments will be demanding a compliance offering that works and is proven.

In fact, the EU has already been looking at data regulation and compliance, and is expected to issue much more stringent legislation.

Begin with trust

I believe the answer lies in the devices being used by IT infrastructures. A crucial starting point for any security offering is to have a strong foundation of trust in all end-point devices. That starts by knowing that the PC has not been tampered with by a third party, and extends to verifying the identity of the device itself.

Organisations should seriously consider adding yet another layer - an independently managed layer of device identity.

Such device-based security offers unmatched protection, particularly for modern organisations where workers and their devices are frequently mobile and move beyond the safety of the corporate firewall.

A security chip that establishes automatic and transparent authentication of known network devices and users can be installed on a computer’s motherboard. A trusted platform module (TPM) chip is physically part of the device, which makes it uniquely suited to creating and verifying strong device identities and ensuring only authorised access to networks.

And I believe there is still a lack of awareness about device-based security, even though many enterprise PCs and laptops have already been shipped with the technology.

Joseph Souren is EMEA general manager of Wave Systems