It is understandable that many IT leaders are solid fans of the centralized approach to cybersecurity, arguing that it allows companies to better assess and manage their risks by controlling every application, device and access privilege, by user.
Especially for organizations that handle a massive amount of sensitive information (consumer data, health data, credit cards, social security numbers, payments, cash management and more), alignment across business units is important, and centralized models have been the best option.
Using “command and control” thinking, the IT team can direct and manage all security matters within a central governance body, where all business units would be forced to abide by the same policy set. Fans of centralized IT (and, by extension, security) also argue that centralized governance is far more efficient, as resources can be leveraged across the enterprise, limiting duplication and controlling cost.
A growing number of proponents of decentralization argue, however, that highly centralized solutions are more fragile, as an attack can reverberate more broadly. A virtue of decentralized cybersecurity, some experts say, is that it increases the number of points of failure, which sounds counter-intuitive but means that in such an environment an attacker is forced to compromise more components and functions in order to penetrate a system.
Michael Fritzlo, Executive Chairman of Ironsphere, makes the case for the “best of both worlds,” where IT and security can co-exist, empowering business units to choose and use their applications, while also protecting the most critical infrastructure, devices, data, applications, and information in a centralized fashion, as appropriate.
“CIOs and CISOs today are embracing a hybrid cybersecurity model, which makes sense given the natural decentralized nature of the cloud and as-a-service cloud-based applications,” Fritzlo said. “The choice between a centralized and decentralized approach to cybersecurity isn’t binary, and we are seeing with our customers in government agencies, large financial institutions, communications service providers and other industries that it only makes sense to get the mix right for optimizing productivity and profitability, but with proper governance.”
Michael Fritzlo said that the transformation to a hybrid centralized/decentralized environment starts with a hard look at the business and the security threats it faces, an analysis of regulatory requirements and auditing practices, and a review of the business applications in question. For example, a team which does not work with highly confidential or sensitive information may be able to subscribe to collaboration services like Slack, without the IT team requiring extreme oversight into what is happening on that platform.
On the other hand, teams which work continuously with records that include social security numbers, payment information, private health information and other sensitive and valuable content need a more sophisticated and centralized approach including Privileged Access Management – fully monitored and managed.
“The advantages of the decentralized IT model are clear,” Fritzlo said. “The main advantage is speed and flexibility. If a user in sales operations needs a new app to support a new sales opportunity, the user can get permission from their local manager and can purchase and configure the cloud-based app in minutes and start working. Not much of a risk there, right? The challenge comes when this is multiplied by tens of thousands of users, without a clear policy in place, which is why IT leaders are moving to a hybrid approach and applying modern cloud-ready access management software to observe and control risk in the background.”
Fritzlo explained that quality security is a “team sport” in organizations. “Everybody has a role to play in supporting adequate IT security, so it is always important to set policies, communicate those policies, explain why those policies are important, and provide tools to make it easy and safe for users to take advantage of as-a-service applications. With the rapid growth of work-from-home scenarios, communications and solutions for cyber security given decentralized workforces have become even more important.”
Automation, including access managers, is evolving to support multi-cloud, multi-application, multi-regional organizations, addressing a “moving target” when it comes to securing the perimeter at the edge and sessions from edge to cloud. “There is simply no way to secure the amount of computing and collaboration underway in enterprises manually,” Michael Fritzlo said. “With technologies like session management, single sign-on or SSO interfaces, adoption of two-factor and multi-factor authentication, keystroke recording, and real-time analytical monitoring of activities, it is possible to give employees, contractors and partners the productivity tools they need, without leaving infrastructure and assets at risk.”