Martin Ward at iManage considers how organisations need to address the security of their intellectual property by moving to the cloud and managing access
Enterprises have expanded beyond the physical offices of the organisation to accommodate remote working arrangements, blurring the boundaries between work and home in the process. This expansion into new territory means their intellectual property (IP) could potentially be at risk.
This risk is amplified by the continuing personalisation of IT, where every employee wants to use the devices and services they’re most familiar with and expects business technology to be as seamless and easy-to-use as the consumer technology they utilise in their everyday life.
Cyber criminals are already taking advantage of these conditions and searching for weak spots. Reports of successful cyber security breaches and demands for ransom from criminals routinely make the headlines.
For knowledge-centric enterprises like legal and financial services – or, for that matter, Hollywood studios or software startups – their IP isn’t an incidental part of their business: It’s the absolute lifeblood of the organisation. That makes protecting it all the more crucial.
Fortunately, there doesn’t have to be a trade-off between personalised IT services and the ability to protect IP. There are several practical approaches enterprises can adopt to ensure that the benefits of personalised IT services and legitimate access to information aren’t compromised by security and governance practices in the enterprise.
The Cloud Makes the Endpoint Irrelevant
To secure these environments where the organisation now extends into the home – and to make sure that their valuable IP is protected – organisations are going to need to make greater usage of cloud-based services.
When enterprises utilise modern, cloud-based platforms, the endpoint that’s accessing the service becomes much less relevant. Provided that end users have a reasonably modern, stable browser and a reasonably modern piece of hardware – nobody’s going to be accessing critical business systems using their Windows ME laptop from the turn of the millennium – they’ll be able to access the services using whatever device or interface (i.e., the web) that they like.
The advantage here is that a modern cloud platform with a containerised service built around a zero trust model – one that eliminates the concept of trust from an organisation’s network architecture – ensures that the underlying service isn’t affected by the actual endpoint that accesses it. That’s why enterprises are going to need to leverage greater usage of cloud-based services in order to consistently deliver services to their employees in a secure manner.
Not convinced? A recent massive security incident – the Accellion breach, which resulted in dozens of companies and government organisations worldwide being infiltrated and facing demands for ransom – occurred via an appliance on an on-prem instance. That type of vulnerability simply doesn’t apply to a modern cloud platform that’s using containerised services rather than appliances.
‘Modern cloud’ is the key word here. Not all clouds are created equal, and organisations should not assume that just because they’ve ‘moved to the cloud’, they’ve automatically reaped the security benefits that the cloud can provide.
Some practical advice is in order here. Organisations are advised to select a mature cloud partner and have that vendor verify that they have certifications in place that demonstrate their adherence to globally recognised security frameworks.
A few key certifications include ISO 27001 around managing information security, ISO 22301 around business continuity, and SOC 2 standards that demonstrate all of the baseline controls that a service provider has in place to ensure confidentiality, availability, security, privacy, and integrity of the data that they’re handling on a client’s behalf.
With an eye on these criteria, organisations can take a first practical step towards delivering personalised IT without compromising the security of their IP.
Combining Security with Insights
If moving to the cloud is the first step, the second step revolves around identity and access. Essentially, this is knowing the who, what, when, where, and how around the network.
Who needs to access what? Where do they access it from? When do they access it? How do they access it? And so on.
This is where tools like identity and access management solutions come in. It makes sense for organisations to move those tools into a cloud-based model as well, because – as discussed earlier – enterprises are going to need to leverage more cloud-based services to deliver the systems that previously were delivered through an on-prem, traditional corporate environment.
Alongside internet access monitoring solutions, organisations should deploy cloud-based security technologies like threat monitoring and behavioural analysis. This provides real time 24/7 monitoring, allowing organisations to understand how individuals are interacting with the services.
What are the typical behavioural profiles of these individuals, and how do they access services? Maybe it’s perfectly normal for Mary to download dozens of documents at a time, whereas it’s very out of the ordinary for Steve to do so. Likewise, Mary might regularly access the network from a tablet or smartphone from international locations because she travels a lot, while Steve typically only accesses files from his desktop at home while he works remotely.
The key here is that the threat monitoring isn’t ‘one size fits all’ – it’s tailored to each user’s individual behavioural profile and work habits. This ensures that professionals can get work done the way they normally like to work and gain legitimate access to information without being hampered by false alarms – all while the organisation keeps their IP secured at the highest levels with the ability to detect and shut down suspicious activity.
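The per-user profiling described above, as an added example that is not part of the original article: it builds a baseline for each user from constructed access records and flags only departures from that user's own habits. The record fields, thresholds and function names are assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed history records: (user, documents_downloaded, device, country)
HISTORY = [
    ("mary", 40, "tablet", "GB"), ("mary", 55, "phone", "FR"),
    ("mary", 48, "tablet", "US"), ("mary", 62, "laptop", "DE"),
    ("steve", 2, "desktop", "GB"), ("steve", 3, "desktop", "GB"),
    ("steve", 1, "desktop", "GB"), ("steve", 4, "desktop", "GB"),
]

def build_profiles(history):
    """Collect each user's own normal download volumes, devices and countries."""
    profiles = {}
    for user, docs, device, country in history:
        p = profiles.setdefault(
            user, {"docs": [], "devices": set(), "countries": set()})
        p["docs"].append(docs)
        p["devices"].add(device)
        p["countries"].add(country)
    return profiles

def assess(profiles, event, z_limit=3.0, min_sd=1.0, traveller_min=3):
    """Return the reasons an event departs from that user's baseline."""
    user, docs, device, country = event
    p = profiles.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    mu = mean(p["docs"])
    # Floor the deviation so a perfectly flat history cannot divide by zero.
    sd = max(pstdev(p["docs"]), min_sd)
    if (docs - mu) / sd > z_limit:
        reasons.append("download volume")
    if device not in p["devices"]:
        reasons.append("new device")
    # A user already seen in several countries is treated as a traveller
    # (assumed rule), so one more new country is not a signal for them.
    if country not in p["countries"] and len(p["countries"]) < traveller_min:
        reasons.append("new country")
    return reasons
```

The same 50-document download is unremarkable for Mary and an alert for Steve, which is the false-alarm reduction the per-user approach is meant to deliver.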
As a plus: By implementing behavioural analysis, organisations are able to see which types of services are utilised at certain times, and what the demand on those services is. For example, there may be portions of a CRM system that are underutilised on weekends, or a particular module of an HR system that is very heavily utilised towards the end of the month.
Having intelligent insight into how these services are utilised allows the organisation to then tailor the user experience accordingly – scaling well-used services up and providing additional service capability and scaling down underutilised services and perhaps marking them as ‘legacy’ or planning to remove them.
In this way, professionals get exactly the personalised IT services they need, and the organisation ensures it’s making investments in the right areas to securely deliver access to the documents, data, and IP that their professionals require.
Personalisation of IT needn’t be in conflict with protection of IP. With a few practical steps around moving critical systems to the cloud – and then taking a cloud-based approach to monitoring and protecting those services – organisations can ensure their professionals have access to personalised IT resources while ensuring their valuable IP is safe and secure. For organisations who don’t want to compromise in either area, this approach ensures everyone wins.
Martin Ward is Director of Security, Governance, and Compliance at iManage