Access security gaps are still deep, wide and plentiful, but IT professionals are less confident that they can plug them.
Pulse Secure and IDG found this in a recent survey of 300 senior security decision makers and influencers across midsize and large organizations in the US, the UK, Germany, Austria and Switzerland, conducted to better understand enterprise problems around access.
Only 35% of respondents registered significant confidence in their ability to stop access threats, and 61% said that they have little to modest confidence in their ability to do so.
They felt least confident in three areas: defining app, data and resource access and protection requirements; enforcing user and device access policy; and provisioning, monitoring and enforcing BYOD and IoT device access.
While that is not good enough, it is understandable: the survey showed the scope of the problems these IT professionals are dealing with. They appear to be facing more threats of this type, and those threats now have more opportunities than ever to breach their organizations.
Access threats are deeper
The impact of access threats has grown. Respondents said they were feeling an increased impact from access security incidents compared with a year ago. Drilling down, around half of respondents pointed to malware, unauthorized use of endpoints, vulnerabilities in those endpoints and mobile or web exposures as causing the majority of significant access security incidents.
Access authorization and resource access protection also loomed large for respondents, with nearly half saying that these problems lead to security incidents with significant to high impact.
... and more plentiful
Meanwhile, the opportunities for criminal exploitation are still booming. Most respondents (81%) pointed to application availability as a key access security gap.
The tension between availability and security is often a burden for IT professionals, and in a certain sense security is always going to mean some form of restriction on access.
A similar number labelled inconsistent access compliance and enforcement as a big access gap. Cyber-criminals will always use the path of least resistance and will likely use that inconsistent access compliance and enforcement to move further into their target’s network and closer to its critical systems and data.
Also, 79% identified uncoordinated authorization, poor user device discovery and mobile computing exposure as key gaps in their environment. In an age where enterprise computing extends to phones and home IoT devices, managing the threats to those individual devices, which are often undiscovered or unacceptably insecure, is a difficult task.
Now anyone can work from home, from a coffee shop, from an insecure public web portal or an insecure device. That kind of freedom represents a problem for IT teams, who need to map the devices that are connecting to their networks and make sure those connections and authentications are secure, all while ensuring a streamlined channel of access.
Plugging the gaps
Enterprises have plenty of security tools to help with these problems. In fact, they may have too many.
Companies use about three tools in each secure access category: VPNs, firewalls, CASBs, NACs and MDM. Added together, that's a lot of tools to handle secure access. Many enterprises now have a whole variety of tools which effectively do the same thing.
From there, overburdened enterprises are left to patch together a secure access strategy which is often inconsistent across their environment, and things get unnecessarily complex for everyone.
Enterprises face chaotic networks ridden with undiscovered devices, opaque connections and data flows, and uneven access policies and endpoint compliance, all while juggling multiple security tools. Even so, the solutions are clearer than they seem.
As with so many things, users have to be educated as to what is and isn't safe. But in many areas it makes sense to take vitally important resources out of the direct control of users, however well educated they are.
Automation can make a big difference here. In over-sprawling and complex modern networks, automation can help contain and prevent threats and better police access than an overworked analyst can.
Where undiscovered devices, rogue users and insecure mobiles pose a security threat, enterprises should consider selecting solutions which allow automated granular visibility.
Creating consistent access controls across an organization is key. Cutting down on the tool smorgasbord by considering a secure access platform may well help. Nearly half of the respondents are already considering one.
Enterprises are looking towards Zero Trust to fix these kinds of problems. The Zero Trust model authenticates users, devices, applications and resources wherever they are and does so before and during the transaction, verifying identities as well as device and security states before permitting a connection. While an older model of security might build a fence around a network, Zero Trust builds fences around the individual resources.
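The decision flow described above, as an added example that is not part of the original article or of any vendor's product: each resource carries its own policy, identity and device state are checked before a connection is permitted, and the same check is repeated during the session. The resource names, users and posture attributes are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # known to the device inventory
    patched: bool
    disk_encrypted: bool

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool       # identity verified for this request
    device: Device
    resource: str

# Constructed policy: one "fence" per resource, not one around the network.
POLICY = {
    "payroll-db": {"users": {"alice"},
                   "require": ("managed", "patched", "disk_encrypted")},
    "wiki":       {"users": {"alice", "bob"}, "require": ("patched",)},
}

def decide(req):
    """Return (allowed, reason); anything without a policy is denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource"
    if not req.mfa_passed:
        return False, "identity not verified"
    if req.user not in rule["users"]:
        return False, "user not authorized for resource"
    failed = [a for a in rule["require"] if not getattr(req.device, a)]
    if failed:
        return False, "device posture: " + ",".join(failed)
    return True, "ok"

class Session:
    """A connection that is checked at setup and again while it is open."""
    def __init__(self, req):
        self.req = req
        self.active, self.reason = decide(req)

    def recheck(self, device):
        """Re-evaluate with fresh device state; a revoked session stays revoked."""
        if self.active:
            self.req = replace(self.req, device=device)
            self.active, self.reason = decide(self.req)
        return self.active
```
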
Enterprises are looking at technologies which can help them build towards a Zero Trust environment. Nearly three quarters (70%) will be increasing their secure access spend by five to 25%. Furthermore, 56% are planning software-defined perimeter projects some time in the next 18 months.
It’s easy to see why IT professionals don’t feel confident. They are dealing with a chaotic clutter of a network - inconsistently policed and secured - which they can’t even see the edges of. To plug the many access security gaps they face, they need to enable consistent secure access across their network - wherever the borders of that network lie.