Info Security PG: Which size or type of enterprise is most vulnerable to internal security threats? What steps can organizations take to eliminate insider threats, considering that multiple devices and multiple locations are now becoming an integral part of their operations?
Brian Anderson: Simply put, size doesn’t matter when it comes to insider threats. Rogue employees can be found everywhere from Fortune 500 companies down to small businesses with fewer than ten employees. If there is one thing we know, insider threats don’t discriminate based on size. They are becoming a global phenomenon. Every company in every part of the world is subject to some level of insider threat.
Insider threats are so prevalent that we felt compelled to author the book “Preventing Good People from Doing Bad Things” that helps readers establish a well-defined awareness of boundaries, which enables end users and applications to communicate freely within an IT environment without worry of intentional, accidental, or indirect misuse of privilege.
In most situations it's more often than not the case that people have way too much privileged access - admin rights on the desktop, root password on server - for the role they are required to play. So, how do you protect privileged accounts in your organization? The short answer is to eliminate all admin rights across servers, desktops, network devices, virtual servers and cloud environments.
Having a well-defined awareness of boundaries enables end users and applications to communicate freely within an IT environment without worry of intentional, accidental or indirect misuse of privilege. Boundaries allow a more productive and compliant dialogue to take place between users and the IT department and proactively deter attempts at misuse.
Info Security PG: Cloud computing is becoming ubiquitous in the enterprise. What’s the biggest threat in the coming year for enterprises adopting cloud infrastructure?
Brian Anderson: It seems as if every business and IT executive that I talk to lately literally has their “head in the clouds.” Every conversation about current or impending strategies for information assets almost universally contains some mention of a public, private or hybrid cloud deployment. A more interesting observation of these conversations is that the lure of liberating ourselves from the burden of managing applications and data shouldn’t mean we stop having high expectations about how those applications and data are managed. Unfortunately, moving infrastructure and/or applications into public or private clouds doesn't necessarily make you more secure, compliant or risk-free.
We recently conducted our own survey that found 71 percent of respondents wouldn't trust a cloud vendor with highly regulated data. Some participants even scoffed at the idea and the few who marked "yes" emphasized they wished there were a “depends” option. What’s scarier is that 60 percent of respondents didn't know or weren't sure what their cloud vendors' privileged access policies were.
The human element is definitely the biggest threat facing enterprises adopting cloud infrastructure. Customers of cloud vendors need to be more proactive. They need to set requirements for privileged access, ask questions, demand reports and know their policies.