Security is a global issue.
The security approach has not changed much since Roman times. The idea behind defense-in-depth is to create concentric security circles around the sensitive assets to be protected. Each circle being designed to slow and potentially weaken the enemy’s attack until it is repelled or at the very least detected. We all know the structures of castles, moats, drawbridges and dungeons. Today, the defenses of equivalent modern information systems are called physical security, firewalls, authentication and logical access controls.
But today, the threats to sensitive data are massive. They happen almost daily and affect organizations that had, for the most part, traditional defensive protections up and running. While they do not definitively contest the defensive layered model to keep enemies at bay, recent examples prove that these methods are not sufficient when the attacker manages to break through the castle wall. This defense has the disadvantage of looking like a crunchy treat on the outside but smooth on the inside: once you pass the outer shell, there is no resistance on the inside.
To take the culinary metaphor a step further, security based on the defense-in-depth model is like baking: if you forget to add sugar when baking a cake, no one will notice. Until the guests taste it, but now it’s too late. A hacker is usually someone who has a high level of technical expertise and often excellent knowledge of social engineering. A hacker is often patient and has more time than his potential victims. He has many strings in his multiple arches and is therefore able to break through many defenses if they are accessible and vulnerable. And once in the house, he will move around the networks surreptitiously, leaving as few traces as possible or erasing them if necessary.
The defense-in-depth model is therefore based on two principles: preventing intrusion and slowing down the progress of attackers by setting up successive barriers. But once an attacker manages to steal valid credentials and pass all or part of these obstacles, this model considers that there is no reason to be suspicious and therefore that everything is allowed (or almost). Under these conditions, the slightest mistake or deliberate act takes on gigantic proportions that can go as far as the total destruction of the attacked organization. It is therefore time to change security methods and approaches and to complement traditional defense-in-depth strategies with more effective solutions.
Security is first and foremost a matter of mindset and methods; solutions and products are only there to implement a strategy and equip processes. On the other hand, the judicious combination of high-performance solutions allows to design and deploy reliable and robust security infrastructures that meet the security challenges of today’s information systems. The central idea is to complement defense-in-depth with modern IAM solutions in order to build contextual security platforms.
For example, access for users, partners and service providers from outside the physical perimeter of the company is normally achieved through a VPN solution. However, reducing access to the dungeon to providing a couple [username, password] that is valid is slightly optimistic for the current times. Moreover, by its design, a VPN is one of the most widely used security layers in many attacks since it is a door with a luminous sign marked “Entrance” on the company’s digital facade. The precise knowledge of the visitor’s identity will allow an identity-enhanced VPN to determine whether a connection attempt is legitimate; this user’s behavioral analysis, geolocation, and the characteristics of the workstation used are some of the aspects that can help to decide in an adaptive manner whether or not to allow a user to enter.
Similarly, single sign-on (SSO) is more than just a convenience for the user. It should be a true pillar of a modern security system. Indeed, an SSO solution integrated into a single security management platform will not only be able to automatically authenticate users but also to process each connection with adaptive security based on the user’s knowledge provided by his identity. In this way, the rights assigned to each user are adjusted according to the need and the level of risk perceived dynamically.
The traditional approach to security is no longer sufficient, even if it still allows enemies to be kept at a certain distance. Today, it is possible to move from a traditional defense-in-depth strategy to a modern approach that includes identity management and behavioral analysis. Indeed, wondering whether the information system for which we are responsible will be attacked or even compromised is no longer legitimate; the right question is “when? And how much damage will it cause?” since it is unfortunately necessary to consider that the enemy is already potentially in the company.
With solutions allowing to manage the authentication of employees (Systancia Access), their identities and authorizations (Systancia Identity), their access interfaces (Systancia Workplace) and their private network access (Systancia Gate), whether they are privileged users (Systancia Cleanroom) or not, Systancia is the only vendor on the market to offer the entire end-to-end trust chain for a modern and integrated defense.
Frédéric Pierre – Scientific Director