Securing Hyperextended Enterprises

In an article for Wired magazine, Mat Honan detailed how security flaws allowed a hacker to remotely erase all of his data on his iPhone, iPad, and MacBook.21 The hacker was also able to delete his Google account and post offensive comments using his Twitter account. Unfortunately, he had not backed up his data. The hacker used social engineering to trick Apple’s tech support into providing access to Honan’s iCloud account, using a partial credit card number obtained from Amazon. It appeared that Honan used similar credentials for his Google and Twitter accounts. Cross-pollination of user credentials across multiple organizations and systems can be problematic both for the user and for the organizations that provide the service.

Apple has subsequently implemented an optional two-factor verification service in some countries.22 Apple’s two-factor authentication works by associating an account with a mobile phone number. “A one-time passcode will be sent to this number via an SMS message, and users will be required to enter this code in addition to their regular password before being allowed to log into their accounts.” Apple tech support cannot reset a user’s password if the user chooses to use the two-factor authentication service; users are responsible for their own recovery keys.

The implementation of two-factor authentication is an effort to provide more security for users. In a broader sense, it is a step toward addressing a set of issues facing most companies. Companies face a rapidly changing technology environment unlike anything they have dealt with in the past: they are trying to grapple with a broad array of new communication mediums, the use of social networking, integration of third-party application vendors, a highly integrated supply chain, the use of cloud computing services, unprecedented capabilities in mobile devices, and a rapidly changing threat environment.
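The SMS one-time passcode flow described above, in the form of a small verification service, as an added illustration that is not part of the case study and not Apple's implementation. It models the defender-side rules such a second factor needs: the code is random and short-lived, it is accepted only once, guesses are capped, and the comparison is constant-time. The account identifier, phone number, the `send_sms` callback and the time limits are assumptions chosen for the example; real delivery would go through an SMS gateway.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy constants (assumed values for this example, not Apple's).
CODE_DIGITS = 6          # length of the numeric passcode
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    """One outstanding passcode for an account."""
    code: str
    expires_at: float
    attempts: int = 0


class OneTimePasscodeService:
    """Second-factor step: after the password check succeeds, a short-lived
    numeric code is sent out of band and must be entered to finish login.

    `send_sms(phone_number, text)` is a hypothetical delivery callback; in
    production it would call an SMS gateway, here the caller supplies a stub.
    """

    def __init__(self, send_sms: Callable[[str, str], None]) -> None:
        self._send_sms = send_sms
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, account_id: str, phone_number: str,
              now: Optional[float] = None) -> None:
        """Generate a fresh code for the account and send it to the phone."""
        now = time.time() if now is None else now
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Issuing a new code replaces any older one for this account.
        self._pending[account_id] = PendingCode(code, now + CODE_TTL_SECONDS)
        self._send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, account_id: str, submitted: str,
               now: Optional[float] = None) -> bool:
        """Return True only for a live, unused code within the attempt budget."""
        now = time.time() if now is None else now
        pending = self._pending.get(account_id)
        if pending is None:
            return False                      # nothing outstanding
        if now > pending.expires_at:
            del self._pending[account_id]     # expired: discard it
            return False
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]     # too many guesses: discard it
            return False
        pending.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(pending.code, submitted.strip()):
            del self._pending[account_id]     # single use: consume on success
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: capture the "SMS" in a list instead of sending it.
    outbox = []
    svc = OneTimePasscodeService(lambda phone, text: outbox.append((phone, text)))
    svc.issue("demo-account", "+15555550100")
    code = outbox[-1][1].split()[-1]
    print("first use:", svc.verify("demo-account", code))    # True
    print("replayed:", svc.verify("demo-account", code))     # False
```

The `now` parameter exists so the expiry logic can be exercised deterministically; production callers leave it unset. Note that a lost phone is handled here by issuing nothing, which mirrors the case study's point that once the second factor is mandatory the recovery path has to be something the user holds (a recovery key), not something support staff can be talked into providing.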
A report by RSA23 defines these hyperextended enterprises as having “extreme levels of connectivity and information exchange, as the enterprise assimilates a range of new web and communication technologies and distributes more business processes to even more providers.” They note that these new forces create new business opportunities, but also create unique security threats that must be addressed. Below are four (of seven) recommendations for hyperextended enterprises from the report:
1. Rein in the protection environment—In the current economic climate, information security programs are resource-constrained. Figure out ways to use resources more efficiently. For example, curtail the use of security resources for protecting extraneous information assets, stored data, and devices. If you can reduce your protection environment, you will not only reduce risk but also free up resources that can be reallocated to high-priority projects and/or achieve operational cost savings that can be used for strategic investments.
2. Get competitive—For many enterprises, it makes sense to move away from silos of security to centralized shared services which are provided by the information security department to business customers across the enterprise. The degree of centralization and type of services offered by the central department depends on enterprise needs and organizational structure but the idea is that by delivering at least some components of information security as a set of centralized services, it can achieve not only increased efficiencies but also better risk management.
3. Proactively embrace new technology on your terms—Information security departments must accept that it is not feasible to simply say “no” to new and emerging web and communications technologies; rather they have to figure out a way to enable their secure use. Develop a road map and set realistic expectations for the business. Understand the risks and devise a plan to mitigate the risks. Also, keep an eye on emerging technologies that are being implemented for other reasons, but may actually help decrease security risks.
4. Shift from protecting the container to protecting the data—More and more, enterprise data is processed and stored in containers not controlled by the enterprise. For instance, the data may be processed by service provider facilities or held in a PDA used by an individual employee or in a laptop used by a contractor with multiple enterprise clients. Therefore, security needs to shift the focus from protecting the container to protecting the data.
Case Discussion Questions
1. How can cross-pollination of user credentials be harmful to users and businesses?
2. How can businesses mitigate the negative effects of cross-pollination between organizations?
3. Why did Apple feel the need to implement a two-step verification service?
4. Suggest some other devices and websites which can benefit from two-step verification.
5. What measures can an organization adopt to enhance the protection of user accounts?
6. What are some new risks facing “hyperextended” organizations?
7. How could an organization become more secure by reining in their protection environment?
8. What are the benefits of competitive centrally provided security services?
9. How could a business proactively embrace new technology in a secure manner?
10. Why should businesses shift their focus from protecting their containers to protecting their data?