IT security needs to be adaptive
HUMANS, DEVICES, APPS, DATA AND PHYSICAL LOCATION SHOULD PLAY A ROLE IN DETERMINING ACCESS
T here is a need for a new IT security architecture as the current security practices and policies need to evolve in order to deal with the persistent threats from hackers, a security expert said.
Ann Johnson, Vice-President for Strategic Enterprise and Cybersecurity at Microsoft Corporation, in an exclusive interview told Gulf News, that organisations are reliant highly on technology to conduct business-related tasks with their personal devices but they should also think how to strengthen their critical IT infrastructure to stay resilient if a human error or a breach occurs.
She said the legacy architecture is firewall, routers and some people are using encryption, double-factor authentication and anti-virus tools. That was good enough when the world was contained.
“Now people are moving around the world with their own devices for work and want access to email, data and collaboration tools. The security architecture needs to change for that. It needs to become more conditional as we believe that the human, the device, apps, data and one’s physical location should play a role in determining what you should have access to. That is a very different paradigm than the legacy security infrastructure,” she said.
It should be dynamic, she said.
For example, she said if she is in Dubai, her device will have a different threat level than in some other country. The current IT security architecture needs to be “adaptive and predictive”.
“We are no longer a stationary workforce and are always carrying devices, so you have to ensure those devices are secured and yet enable work on them — thus balance security with productivity. Once we build an intelligent pattern that the security architecture knows, think about linking it to the calendar, once it knows that where I am supposed to be and where I am — it will definitely help in securing the device,” she said.
“The worst part of the security is the user. We don’t have to make decisions anymore and the decisions have to be made for you, and that is when it becomes more secure. AI will help in this process and we are getting close,” she said.
She added that just because you put security cameras in your house does not mean that you don’t need to lock the front door. You still need to lock the front door and have security cameras in your home.
“You need to have the fundamental controls at the very bottom. People are great at buying a tool, but they are not as great at the fundamentals because there’s a lot of technical depth involved. 85 per cent of breaches can be avoided if they [entities] did the fundamentals,” she said.
There is no silver bullet to address the rapidly increasing threats but it all depends on “how you build your cyber resilience strategy against attacks”.
A regional Microsoft survey, in October last year, found that just over 80 per cent of large Gulf enterprises still use usernames and passwords as the exclusive means of log-in. Only around 11 per cent of large enterprises in the Gulf use a double-factor SMS notification to support username-password authentication and around 7 per cent reported using fingerprint-scanning and just under one per cent had adopted facial recognition.
“Attacks are becoming more sophisticated. We are seeing an increase in the number of breaches in this region. We are getting better at defence, but attackers are becoming sophisticated and they are innovating. The threat landscape is becoming interesting and it will always be,” she said.
She said that a cyber resilience strategy is as important as a natural disaster. It depends on how quickly you can bring it to normality.
The worst part of the security is the user. We don’t have to make decisions anymore and the decisions have to be made for you, and that is when it becomes more secure. AI will help in this process and we are getting close.” Ann Johnson | Vice President Enterprise Cyber Security Group at Microsoft Corporation