Outside-In security starts with realizing that your company or organization doesn't have all the answers. The Internet is a big place, and the World Wide Web is just one part of it. Connected mobile devices and appliances are expanding their reach every day, and with it, the complexity of a security assessment.
Importance of Security Assessments
Your people rely on personal devices and professional networks, which complicates any effort to protect your company or customers. And the trails of browser histories and email or message exchanges tell you that access controls and passwords only solve a limited set of problems.
Consumer credit and account thefts at Target Corp. in the winter of 2013 displayed Outside-In weaknesses and provided a good reason for companies to dive more deeply into deterring innovative data thieves. It is now a good time to go back to basics and ask some questions about protecting your good name and critical data. Looking at your security assessment process from an outsider's perspective is a fresh way to spot potential gaps.
The Three W's
First, look at "What": how your content appears to the Internet. Start with search tools you don't normally use (say, Technorati.com for searching blogs, or duckduckgo.com for fresh results from a site that doesn't track users). Go deep: look at page 8, 9, or beyond of the search results to find obscure hits.
Automated online "spiders" are always crawling public websites to check for updates. You should do the same kind of checkup as part of a security assessment. Is your content appearing on unauthorized sites? Stolen comments, photos, and other details can be used to boost search results for OTHER sites, and they can misuse your name or hurt your company's reputation if they don't accurately reflect the way the words, pictures, or videos were originally intended. Another way to check your trail is to use a new computer, or one with a freshly wiped hard drive and browser; you might find unusual cookies that track your history.
"Where" can be a powerful form of identification. Cloudlock, of Waltham, MA, is using geofencing (identifying IP addresses or locations where clients have no business) and blocking access from those locations. Even cloud-based data in Google Apps or Salesforce can be protected from intruders who try logging in from the wrong places.
"When" is another test: servers track how often a user logs in and how long sessions last, and compare the timestamps of access against the windows in which it is expected, to flag suspicious activity.
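As an added illustration of the "Where" and "When" checks above (example code, not from the article or any vendor mentioned), the script below runs both over a constructed login log: it flags logins from outside the networks the organization expects, logins outside business hours, and more logins per hour than a user normally makes. The allowed networks, business hours and per-hour threshold are assumed values a defender would tune to their own environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data): user, ISO timestamp, source IP.
SAMPLE_LOG = """\
alice 2013-12-02T09:14:05 203.0.113.17
alice 2013-12-02T17:52:40 203.0.113.17
bob 2013-12-03T03:07:12 198.51.100.23
alice 2013-12-03T10:05:00 192.0.2.44
bob 2013-12-03T03:09:30 198.51.100.23
bob 2013-12-03T03:11:48 198.51.100.23
"""

# "Where": networks from which logins are expected (assumed, documentation ranges).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
# "When": hours (server local time) during which logins are expected (assumed).
BUSINESS_HOURS = range(7, 20)
# Logins per user per clock hour above which activity is flagged (assumed).
MAX_LOGINS_PER_HOUR = 2


def parse_log(text):
    """Turn 'user timestamp ip' lines into (user, datetime, ip_address) tuples."""
    events = []
    for line in text.splitlines():
        user, ts, ip = line.split()
        events.append((user, datetime.fromisoformat(ts), ipaddress.ip_address(ip)))
    return events


def flag_events(events):
    """Return (user, timestamp, reason) for every event that trips a check."""
    flags = []
    per_hour = defaultdict(int)  # (user, "YYYY-MM-DDTHH") -> login count
    for user, ts, ip in events:
        if not any(ip in net for net in ALLOWED_NETWORKS):
            flags.append((user, ts.isoformat(), f"login from outside allowed networks ({ip})"))
        if ts.hour not in BUSINESS_HOURS:
            flags.append((user, ts.isoformat(), "login outside business hours"))
        key = (user, ts.strftime("%Y-%m-%dT%H"))
        per_hour[key] += 1
        if per_hour[key] > MAX_LOGINS_PER_HOUR:
            flags.append((user, ts.isoformat(), "more logins in one hour than expected"))
    return flags


def suspicious_logins(text=SAMPLE_LOG):
    return flag_events(parse_log(text))


if __name__ == "__main__":
    for user, ts, reason in suspicious_logins():
        print(f"{ts} {user}: {reason}")
```

Each check fires independently, so a single event can produce more than one reason; in production the thresholds would come from per-user baselines rather than constants.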
Customers live outside the corporate firewall but are doing increasing amounts of self-service, so it's important to view your security from their point of view. Mobile devices, multiple user profiles and social data streams only complicate things.
JP Rangaswami, chief scientist at Salesforce.com, talked about moving IT decisions to where customers and partners engage during a CXOTalk in December 2013. "People now live in the (data) feed, and that's how the customer of today wants to engage with information," he says. He also predicted that within five years, memorized passwords will be obsolete.
What Can Organizations Do?
Mark Orlando of Foreground Security in Washington, DC, has worked with federal agencies and private companies. He recently shared an example of real-time assessment at RSA Conference.
Tradeoffs are constantly being made as people decide between access, security, bandwidth, or convenience for their mobile-first or social-network-driven connections. The corporate IT department has to put itself in the place of remote users during a security assessment. Hits from remote sites, at peculiar times or from suspicious users, can be a tip-off to future actions.
These days, you can monitor your home's security in real-time using Web-based cameras and sensors. Why not take a real-time view of network and data security?