{"id":1689,"date":"2020-04-30T01:00:00","date_gmt":"2020-04-30T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/the-secure-workplace-story-part-1-what-is-a-secure-workplace\/"},"modified":"2024-11-05T06:54:07","modified_gmt":"2024-11-05T06:54:07","slug":"the-secure-workplace-story-part-1-what-is-a-secure-workplace","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/the-secure-workplace-story-part-1-what-is-a-secure-workplace\/","title":{"rendered":"The Secure Workplace Story Part 1: What is a Secure Workplace?"},"content":{"rendered":"<p>One of the challenges we face when talking to clients about achieving a secure workplace is being able to define the components at a level which makes sense. All the pieces need to connect in a way which is easy to understand and relate to.<\/p>\n<p>To address this and provide some context, we should think about the secure workplace as the following areas:<\/p>\n<ul>\n<li><strong>People<\/strong> \u2013 Identity, user credentials, access control, multifactor authentication<\/li>\n<li><strong>Devices<\/strong> \u2013 Device security, biometrics, encryption, Endpoint Detection &amp; Response (EDR)<\/li>\n<li><strong>Cloud Services<\/strong> \u2013 Cloud App Security: discovering and controlling the cloud services in use, which builds the business case for information protection<\/li>\n<li><strong>Information Protection<\/strong> \u2013 Classification and labelling of information to prevent data leakage<\/li>\n<li><strong>Governance<\/strong> \u2013 Policy enforcement, compliance, and the ability to prove who has access to what information and, more importantly, why<\/li>\n<\/ul>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">PEOPLE<\/h3>\n<p>Before you can begin to secure the workplace, the people who 
interact with it must be considered, understood, measured, and secured. The starting point for any individual is their identity, followed naturally by the locations they use to interact with the workplace, how they manage critical credentials such as passwords and tokens, and the access they hold to business information, applications, and collaboration platforms. Once the people are understood, their behaviours can be learnt, and from those behaviours personas can be defined, which makes it easy to create groups or teams to which security policy can be applied.<\/p>\n<p>It is important to take these learnings and invest the time to educate individuals and groups within the business, to drive security, governance, and risk awareness. Often, individuals understand risk as it applies to their personal life but do not apply the same constraint in a business environment. Ask a random group of individuals across the business \u201cWhat, in your opinion, constitutes a breach?\u201d and you will get a very diverse set of answers. 
Cyber education is critical to gaining commitment and understanding across the business.<\/p>\n<p style=\"text-align: justify;\"><strong>People Secured!<\/strong><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">DEVICES<\/h3>\n<p>With people secured and personas understood, we can now ensure the relevant level of security controls exists for each persona on their assigned devices. For example, for high-risk personas the device type may include biometrics and have enforced encryption and full policy management with centralised control. Information protection rules would prevent accidental sharing of sensitive information, the use of external storage devices to move data, or even the use of Software as a Service (SaaS) platforms such as Dropbox, OneDrive or Google Drive. Another persona type, perhaps low risk, would have a different device type with different rules; however, maintaining control over where data can reside is still crucial.<\/p>\n<p>At the base level, ensuring devices are secured against next-generation malware and advanced threats is critical, so each endpoint should leverage Endpoint Detection and Response (EDR) capabilities. EDR allows automatic investigation of alerts and provides remediation options for complex threats within minutes, using industry best practices and intelligent decision-making algorithms to determine whether a threat is active and, more importantly, what action to take. EDR complements, rather than replaces, the device controls described above.<\/p>\n<p><strong>Devices Secured!<\/strong><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">CLOUD 
SERVICES<\/h3>\n<p>With <strong>people<\/strong> and <strong>devices<\/strong> secured, it is now crucial to understand any areas outside of the workplace which present a potential risk. Some of these areas will be in use by people in the business right now, and you will have heard of (and most likely use) most of them. Services like Box, for example, present avenues for individuals to willingly or unwillingly share information (sensitive or otherwise), either to be efficient or to access it later from another location. This is commonly referred to as Shadow IT or Shadow Data.<\/p>\n<p>Knowing which of these services are being used, and by which individuals, allows validation of the persona groups created earlier. Risk-based policies can then be applied to control which groups can use these services and, more importantly, what types of information can be stored there if the service is sanctioned (allowed). It is astounding how many of these services are in use in businesses right now! Understanding this risk is one of the most important steps in building a business case for information protection and data loss prevention.<\/p>\n<p><strong>Cloud Data Secured!<\/strong><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">INFORMATION PROTECTION<\/h3>\n<p>Once you understand how information is moving outside of the organisation, new behaviours are learnt (good or bad), and the learnings can be applied to the underlying policies behind each persona. For example, if during cloud services discovery individuals were found to be sharing information through an external 
service, let\u2019s assume Google Drive, and they were doing so to collaborate, and the information being collaborated on is sensitive and introduces potential risk, you are now aware of this and can remove the risk by blocking Google Drive or marking it as \u201cunsanctioned\u201d.<\/p>\n<p style=\"text-align: justify;\">This stops the external problem immediately; however, the sensitivity of the information which was available to be shared should also be understood, so that data inside the organisation is protected and classifications with labels are put in place to prevent any such breach of policy moving forward. With classification and labelling in place, information protection policies are applied as information flows through the organisation. Once the policy is in place and the same sharing scenario is attempted, access to Google Drive is denied and an alert is sent to the user letting them know they are in breach of a classification policy. This in itself drives a shift in behaviour from individuals and helps the business achieve and maintain compliance requirements or standards.<\/p>\n<p><strong>Information Secured!<\/strong><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">GOVERNANCE<\/h3>\n<p>Achieving effective information protection policy goes a long way to meeting compliance standards, and with people, devices, cloud data, and information secured, it is often assumed that all bases are covered. Not quite yet: to retain compliance, you must pass an audit, which could be planned or random. 
One of the biggest challenges with being \u201cAudit Ready\u201d is being able to get access to the information requested by the auditor in a timely fashion or, in the worst case, not being able to get the information requested at all.<\/p>\n<p>One of the hottest areas for auditors is information governance, or who has access to what information and why. In most cases, file access is granted based on membership of certain security groups, an action performed by individuals in IT. The challenge with this approach is that the individuals involved are making decisions based on the request from the business and the security groups available to them. IT individuals are not across the business functions and processes or, more importantly, the information created within each business unit, its sensitivity, and who \u201c<strong>should<\/strong>\u201d have access to it.<\/p>\n<p>To satisfy an auditor, the key is to be able to quickly show who has access to certain information, and the reason \u201c<strong>why<\/strong>\u201d they have access. Typically, IT attempts to respond to these requests with lists of Active Directory security groups and memberships, or with metadata tools which an auditor must trawl through. Information governance needs to be delivered in a manner where the \u201c<strong>reason<\/strong>\u201d and \u201c<strong>duration<\/strong>\u201d for access are captured at the time the information is shared. 
More importantly, the power to manage access needs to be back in the hands of the information owners, who know best the sensitivity required, can apply classifications or labels, and know exactly who has access to what and why.<\/p>\n<p>Now when an auditor request comes in, it is easy to provide a report showing the data owner, location, individuals who have access, the reason why, and the duration for which access has been granted.<\/p>\n<p><strong>Secure workplace achieved!<\/strong><\/p>\n<p>In part two, I explore <a href=\"\/au\/insights\/geek-speak\/secure-workplace\/the-secure-workplace-story-part-2-why-and-how-do-you-implement-a-swp\/\" target=\"_blank\" rel=\"noopener\">Why and How to implement a secure workplace<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the challenges we face when talking to clients about achieving a secure workplace is being able to define the components at a level which makes sense. All the pieces need to connect in a way which is easy to understand and relate to. 
To address this and provide some context,\u00a0we should think about the secure workplace as the following areas: People\u2013\u00a0Identity, user&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/the-secure-workplace-story-part-1-what-is-a-secure-workplace\/\">Continue reading <span class=\"screen-reader-text\">The Secure Workplace Story Part 1: What is a Secure Workplace?<\/span><\/a><\/p>\n","protected":false},"author":55,"featured_media":1690,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-1689","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/comments?post=1689"}],"version-history":[{"count":1,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1689\/revisions"}],"predecessor-version":[{"id":10570,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1689\/revisions\/10570"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media\/1690"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media?parent=1689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/categories?post=1689"},{"taxonomy":"post_tag","embeddable":true,"href":"htt
ps:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/tags?post=1689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}