Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

The role of effective IT security in achieving good corporate governance

In the current uncertain business environment, organisations need to evolve and adapt their operations at a faster rate than ever before. At the same time, many are realising this can’t be done at the expense of effective IT security and governance. Vikas Vijendra from Kong explains.

user iconVikas Vijendra
Tue, 19 Oct 2021
Vikas Vijendra
expand image

The issue is particularly relevant at the moment when large numbers of people are working from home. IT teams are faced with the challenge of ensuring the level of security surrounding them is equivalent to the protection provided in the office.

This challenge is made even more complex, however, as effective security needs to be achieved without any negative impact on user experiences. At the end of the day, IT security needs to be an enabler rather than a blocker.

Internal threats

============
============

Security teams also need to be mindful that not all security threats come from external parties. Disgruntled employees or those not following mandated security guidelines can lead to significant disruption and loss. According to the Verizon Data Breach Investigations Report, 34 per cent of data breaches involve internal actors.

Threats can also occur when staff leave an organisation, but their access rights to the IT infrastructure are not revoked. This is more likely to occur when staff are working remotely as IT teams may simply forget to check or carry out the required steps.

Security and governance

Another important issue that needs to be high on the corporate to-do list is achieving and retaining effective compliance. Here, the first step in aligning security measures with good governance is to have a clear understanding of the actual regulations under which an organisation is operating.

Once these are fully understood, the next step is to identify which security policies are needed to meet the requirements of those regulations. Any misalignment between the two will create gaps that could cause issues further down the line.

When all requirements have been identified, security policies and tools can then be strengthened where needed to ensure the needed level of governance is reached. This might require the augmentation of existing measures or investment in additional measures.

The role of automation

The next step on the road to good governance is to introduce tools that support the automation of security measures. This will allow flexibility but at the same time ensure all requirements continue to be met over time.

Automation can also help to keep costs under control. According to a report by IBM, automating security reduces the average cost of a data breach by US$3.58 million when compared to an organisation with no security automation.

Effective automation can be achieved through the deployment of an API platform that manages and secures the multitude of data streams within an organisation. Again, this helps to make security an enabler rather than a blocker for staff.

This can best be achieved by having an API gateway as a Policy Enforcement Point (PEP) working with one or more Policy Decision Points (PDPs). This also ties in well with current zero trust security principles that include collecting as much information as possible about the current state of all assets on a network.

Access control is the process of permitting or restricting access to resources (data or API) only to privileged entities based on a defined policy. PEP and PDP are part of industry best practices to create an effective system for API access control and authorisation:

  • Policy Decision Point (PDP): that evaluates access requests against authorisation policies before issuing access decisions
  • Policy Enforcement Point (PDP): that intercepts user's access request to a resource, makes a decision request to the PDP to obtain the decision (i.e., access is approved or rejected) and enforces the received decision

An evolving challenge

It should be remembered that the role of IT security in achieving good corporate governance will never be set in stone. With business conditions and operations constantly changing, security measures must constantly evolve and be enhanced.

IT teams need to schedule regular reviews and amend and extend infrastructures as required. At the same time, staff members must understand that the tools and policies that are protecting them today may need to be changed tomorrow.

Having policies in place that achieve this has never been more important. As Australia comes to terms with post-COVID business conditions, IT security teams can expect to be busier than ever.

However, by embracing developments such as automation, the goal of effective security can be reached without the measures becoming a burden for staff, customers, or partners.

Vikas Vijendra is the solutions engineering team leader, Asia Pacific and Japan at Kong.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.