Total Security Advisor
Practical Security Tips, News & Advice.
Updated: Dec 2, 2022
It’s hard to imagine a workplace without Slack, Teams, and other enterprise social apps that have made remote work possible and enjoyable. Since the pandemic, we’ve relied on these apps to replace in-person conversations and collaboration. While ultimately the benefit outweighs the risk, enterprise social apps bring with them new security challenges that simply can’t be ignored.
Securing enterprise social apps is a new paradigm, but it’s representative of a security woe that IT veterans have faced since the dawn of the internet—ensuring security mechanisms are active at the location of work. Today that location is far more ambiguous, often extending well beyond the walls of an office or an on-premises network.
As history has taught us, new compute models bring new attack surfaces, and new security tooling emerges to cover the resulting gaps. That is positive in the short term, since it patches holes as they appear, but it does little for long-term gains and introduces integration challenges with legacy systems.
But managing a separate solution for every possible threat is no longer possible for IT and security leaders. As it stands, enterprises use upward of 110 SaaS applications on average, and as this number grows, so do the challenges of securely governing it all. Businesses need to get realistic about how to manage a host of new apps and tools, most of them operating in a remote working environment.
Fortunately, there is a bright spot: A new generation of security tooling built within the business platforms and processes enterprises already use. While specific endpoint technology will always be needed, solutions will become increasingly integrated with larger systems of action that are aligned with risk and employee workflow.
While this is a step in the right direction, looser attitudes toward enterprise social apps can make this difficult to manage. Take Slack for example: people tend to let their guard down a little more. They’re encouraged to joke and socialize, yet the same channels are also a place to share company information, documents, and customer data.
Enterprise social apps fill a much-needed cultural expectation and offer the quick means of communication that remote work otherwise lacks. They increase productivity and help us get fast answers. But our casual attitudes, dispersed workforce, and lack of real policy around them contribute to security vulnerability. It’s a fine balance, but there are several ways to benefit from enterprise social apps while reducing the risk associated with them.
First, you must ensure that individuals who have access are governed. Whether full-time, part-time, contractor, or another employment status, anyone who is using enterprise social apps must have the appropriate level of access. For example, if someone is no longer employed, their access should be removed. If they are a contractor or freelancer, consider the timeframe of their contract, or whether it’s necessary for them to have access to social apps at all to complete their project.
This boils down to identity lifecycle management. To remain effective, it requires constant monitoring. While much of this can be automated, governing identity will never be a “set it and forget it” activity. The state of identity is always changing, and reevaluating what that means is crucial. Access to tools and systems is tied to department and role, so when someone moves between departments, the access that came with the old role should be taken away.
Beyond proper governance, there’s a financial component to how enterprise social apps are managed. Most social apps have licensing costs, and governance can help curb excess spending. For example, if an employee leaves your company and you don’t disable their Slack account, not only is there a security hole, but you’re burning money. Add this up across multiple accounts and applications, and depending on your organization size, it could be significant.
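To make the lifecycle checks above concrete, here is an added Python example (not code from this article or from Clear Skye) that reconciles a collaboration app's user export against an HR roster and lists the accounts that governance says should be disabled, with the reason and the seat cost they are burning. The HR rows, the app export, the department entitlement policy, the seat price, and the "today" date are all constructed for the example; in a real deployment the two inputs would come from the HR system of record and the app's admin user export or SCIM endpoint.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row from the HR system of record (constructed for this example)."""
    email: str
    status: str                          # "active" or "terminated"
    worker_type: str                     # "employee" or "contractor"
    department: str
    contract_end: Optional[date] = None  # contractors only


@dataclass(frozen=True)
class AppAccount:
    """One account from the collaboration app's user export (constructed)."""
    email: str
    active: bool
    is_guest: bool                       # limited guest seat vs. full member seat


# Assumed entitlement policy: only these departments get full member seats.
ENTITLED_DEPARTMENTS = {"engineering", "sales", "support"}


def review_accounts(hr: List[HrRecord], accounts: List[AppAccount],
                    today: date) -> Dict[str, str]:
    """Reconcile app accounts against HR and return {email: reason} for every
    active account that should be deactivated."""
    hr_by_email = {r.email.lower(): r for r in hr}
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not acct.active:
            continue  # already disabled; nothing to do
        rec = hr_by_email.get(acct.email.lower())  # match case-insensitively
        if rec is None:
            findings[acct.email] = "no matching HR record (orphaned account)"
        elif rec.status != "active":
            findings[acct.email] = "terminated in HR"
        elif (rec.worker_type == "contractor" and rec.contract_end is not None
              and rec.contract_end < today):
            findings[acct.email] = f"contract ended {rec.contract_end.isoformat()}"
        elif not acct.is_guest and rec.department not in ENTITLED_DEPARTMENTS:
            findings[acct.email] = (
                f"department '{rec.department}' is not entitled to a full seat")
    return findings


def wasted_seats_per_month(findings: Dict[str, str], cost_per_seat: float) -> float:
    """Money burned each month on seats that governance says should be gone."""
    return len(findings) * cost_per_seat


# Constructed sample data; "today" is set to the article's publication date.
TODAY = date(2022, 12, 2)

HR_RECORDS = [
    HrRecord("alice@example.com", "active", "employee", "engineering"),
    HrRecord("bob@example.com", "terminated", "employee", "sales"),
    HrRecord("carol@example.com", "active", "contractor", "engineering", date(2022, 10, 31)),
    HrRecord("dave@example.com", "active", "employee", "facilities"),
    HrRecord("erin@example.com", "active", "contractor", "support", date(2023, 3, 31)),
]

APP_ACCOUNTS = [
    AppAccount("Alice@Example.com", True, False),  # case differs from HR; still matches
    AppAccount("bob@example.com", True, False),    # left the company, never disabled
    AppAccount("carol@example.com", True, True),   # contract expired a month ago
    AppAccount("dave@example.com", True, False),   # full seat in a non-entitled department
    AppAccount("erin@example.com", True, True),    # guest seat, contract still running
    AppAccount("frank@example.com", True, False),  # nobody in HR knows who this is
    AppAccount("gina@example.com", False, False),  # already deactivated; skipped
]


def main() -> None:
    findings = review_accounts(HR_RECORDS, APP_ACCOUNTS, TODAY)
    for email, reason in sorted(findings.items()):
        print(f"DEACTIVATE {email}: {reason}")
    print(f"Estimated waste: ${wasted_seats_per_month(findings, 12.50):.2f}/month")


if __name__ == "__main__":
    main()
```

Run as a scheduled job, a report like this is the "constant monitoring" the article calls for: it catches the departed employee, the expired contractor, the orphaned account with no owner, and the seat granted outside policy, and it puts a monthly price on each one. The checks are ordered from most to least severe so an account that fails several tests is reported with the reason that matters most.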
The siloed nature of most businesses presents another challenge. In the early days, IT was a finance function, typically reporting to the CFO. There was alignment between business and operations, but now there are different needs, budgets, and reporting structures for folks in regulatory compliance, finance, IT, and other business areas. As a result, there’s less focus—or even awareness of—expenses and operational efficiency for the overall business.
But it doesn’t have to be a trade-off between restrictive security and worker productivity. Strong identity governance practices lead to better security, efficiency, and cost savings. Enterprise social apps are not too different from other business software. Taking proper governance measures, constantly evaluating the state of identity, and acting upon these insights in a timely manner are all key to securing enterprise social apps.
Jackson Shaw is CSO at Clear Skye. Shaw began his identity management career as an early employee at Toronto-based Zoomit Corp., a pioneer in the development of meta-directory products that Microsoft acquired in 1999. While at Microsoft, he was responsible for product planning and marketing around Microsoft’s identity and access management products, including Active Directory and Microsoft Identity Manager. Shaw has held various senior product management and marketing roles since Microsoft, including at Vintela, Quest Software, Dell, One Identity, and Forcepoint. He studied computer science at the University of Ottawa, Canada.