These three simple rules help to make sense of the thousands of different security solutions available. Products and practices that conflict with these three simple rules might not be the best solution.
1. A secure network assumes the host is hostile
It has been years since a firewall that enforces policies based only on source, destination, and service has been sufficient. Trusted endpoints harbor malware, are controlled by attackers, and serve as launching points for attacks. Network security solutions must be in-line and inspect all the traffic that passes through them. They must look for viruses, worms, exploit traffic, and even unusual behavior. IDC dubs these solutions "complete content inspection" firewalls. Many vendors refer to them as UTM, Unified Threat Management. I will be publishing more on the products available to do this.
One aspect of a secure network that is often overlooked is that the computers on the inside of the network are often the danger. It could be an infected computer brought in by an employee or contractor, or it could be a poorly patched server that has been compromised by an outside attacker. Even the smallest organizations have to invest in network security solutions to block attacks from devices on the inside of the network. This is accomplished through network segmentation and by deploying content inspection capabilities internally. As threats multiply, watch for solutions that either sit on top of the access switch or incorporate the switch in their configuration.
2. A secure host assumes the network is hostile
This is another way of stating the requirement for a layered defense model. A laptop, desktop, or server cannot rely on the network to keep it safe. AV, firewalls, and anti-spyware solutions have to be installed and up-to-date. Patches for critical applications and the OS have to be installed as quickly as possible. Browsing shields should be turned on, and Microsoft IE should not be used if at all possible.
3. Secure applications assume the user is hostile
This is where authentication and authorization come into play. One of the best deterrents of malicious behavior is the end user's awareness that their actions are associated with them (strong authentication) and logged (behavior monitoring). Many online services have failed to protect themselves from their customers. This applies to internal file sharing and community services as well.
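As an added illustration of rule 3 (this is example code, not from the original article), the handler below ties every request to an authenticated identity, checks it against a deny-by-default authorization policy, and writes an audit record attributed to the actor whether the action is allowed or denied. The user table, session secret, and policy are constructed for the demo.

```python
"""Added example: an application layer that assumes the user is hostile.
Every request is bound to an authenticated identity, checked against an
authorization policy, and audit-logged whether allowed or denied."""
import hmac
import hashlib
import time

# Constructed demo data. In a real service the token is issued only after
# strong authentication (e.g. MFA) and carries an expiry.
SECRET = b"constructed-demo-secret"
USERS = {"alice": "editor", "bob": "viewer"}  # user -> role

# Authorization policy: role -> allowed actions. Anything not listed is denied.
POLICY = {"viewer": {"read"}, "editor": {"read", "write"}}

AUDIT_LOG = []  # in production: append-only storage, shipped off-host


def issue_token(user: str) -> str:
    """Bind a session token to a user with an HMAC so it cannot be forged."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def authenticate(token: str):
    """Return the user the token is bound to, or None if it does not verify."""
    user, _, tag = token.partition(":")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    if user in USERS and hmac.compare_digest(tag, expected):
        return user
    return None


def perform_action(token: str, action: str, resource: str) -> str:
    """Authenticate, authorize, and log; return the outcome string."""
    user = authenticate(token)
    if user is None:
        actor, outcome = "anonymous", "denied:unauthenticated"
    else:
        actor = user
        allowed = action in POLICY.get(USERS[user], set())
        outcome = "allowed" if allowed else "denied:unauthorized"
    # Every attempt is recorded against the actor, including denials, so that
    # misuse is both attributable and visible to behavior monitoring.
    AUDIT_LOG.append({"ts": time.time(), "actor": actor, "action": action,
                      "resource": resource, "outcome": outcome})
    return outcome
```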