SMT007 Magazine



SMT007 MAGAZINE | JUNE 2020

corporate network; for all practical purposes, that computer is inside your network. For companies that have embraced this for a long time, the move to working from home is not a big deal. But for companies for which this is new, they have challenges about how they very quickly allow access into their corporate networks. I suspect the number of companies in this situation is very low. I've seen it mostly in state agencies that have prohibited work from home policies or companies that process very sensitive data that have a reason not to have computers allowed outside their network. But for the most part, we haven't seen a big difference in how people work. They're sitting at a different desk, but from a technology point of view, there's not a big difference.

Johnson: What might you consider the key pillars to good cybersecurity, whether it's at the manufacturing facility or how it applies to a distributed workforce?

Landeck: The fundamentals hold true. You have to know what you're protecting. If you're a company, for example, that writes public announcements or anything to do with the public, your need to restrict who sees what is very small. If you're a company that writes intellectual property, and you live and die by the competitors not seeing it or not seeing it early, your need to protect that data is very high. If you're in the healthcare world, you have very specific legal penalties and requirements on who can see people's medical information. The first pillar is knowing what you have and why you're protecting it. If you have a company where nothing you have is sensitive, trying to invest money to keep that protected doesn't make a lot of business sense. If you're about to revolutionize an industry with a very disruptive new technology, protecting intellectual property is probably a good investment. It's knowing what you have and knowing why you're protecting it.
There are two concepts in regard to accessing your information and technology. First, there's the concept of authentication. Authentication is proving that you are who you say you are; for your iPhone, this could be done by using your eyes, face, fingerprint, or password, for instance. The second concept behind that is called authorization, meaning, "Am I allowed to see it?" Even if I can prove I'm Mike Landeck, I may not have a reason to see that at your company. Knowing who's allowed to see things and maintaining an access control list is important. The mistake we've seen a lot is that these lists don't get updated. For example, if you hired me as a software developer, I work on that project, you give me full access, and then I change jobs to being a server administrator, I no longer have any need to see that source code. More often than not, companies won't update that access. If I'm given access once in my career, I'll probably have it for the rest of my time there. This process is called access management.

The last pillar is "detect and respond" and knowing what's happening in your world. To
