Granite Properties is not the sort of business that one usually thinks of as a prime target for hackers. The Plano, Texas-based commercial real estate firm doesn’t store or manage much personally identifiable information. But it does manage more than 30 buildings, and the data it protects helps keep people safe.
“We worry about hacking and we constantly look for potential vulnerabilities to protect against it,” explains Clint Osteen, Granite’s senior director of IT, who leads an IT team of seven.
It’s common for nonemployees to need access to its network, Osteen says, so Granite uses multifactor authentication to make sure anyone who gets onto the network is supposed to be there. It also put itself through a thorough, independent security audit during the first half of 2018, which gave Osteen’s team a comprehensive view of its entire network and equipment. The assessment, which reviewed everything down to the physical layer, showed him where the company’s defenses were weak, and what he could do to strengthen the entire network and infrastructure.
“The assessment included 30 to 40 sites. They plugged equipment into every single port to see what they could get to,” explains Osteen. “You’re never going to keep everyone out, so the best thing you can do when someone gets in is be aware of them and immediately lock them down.”
None of the results of the audit were surprising, and many of the problems it uncovered were simple to solve, such as updating firewalls and locking down ports to switches. But it underscored the importance of getting those easily overlooked items done, and deepened Granite’s understanding of its strengths and vulnerabilities.
“They were all things we put off because they were things that did not seem like a likely security vulnerability,” Osteen says. “They just kept dropping on the priority list, but over time it all accumulates.”
DOWNLOAD: When it comes to security, data informs effective action. Learn how to get it.
Zero-Trust Authentication Keeps Systems Safe
It’s common for security to get short shrift within busy IT departments, says Garrett Bekker, a principal security analyst at 451 Research. But the approach Granite took, especially its adoption of multifactor authentication, is one that more companies would be wise to consider, he argues.
“We’re moving to the concept of zero trust — assuming no one should be trusted,” Bekker says. “This means using authentication more broadly and authenticating users and machines more frequently.”
Bekker also suggests setting more limits on users and devices — for example, restricting user-owned devices to read-only access. Networks also should be running scans to make sure devices have up-to-date operating systems and sanctioned software and services.
“You might be scanning to see if a device is jailbroken or rooted. There is a whole class of companies that are offering services based on zero trust that can take security to the next level,” he says.
For Optimizely, a San Francisco–based company that helps its customers to optimize its digital experiences, keeping data safe requires a multipronged approach.
Optimizely’s customers use its platform to do A/B testing, personalization, optimization and customization for e-commerce sites. The resulting customer data is proprietary and valuable — which is why Optimizely takes its security controls so seriously.
The company runs its servers in the cloud, so it trusts its cloud providers to handle the physical and network security. However, the business logic security for its 400 employees, as well as the security for customers, falls under Randolph’s domain.
His work starts with plenty of automated tools and a security-first focus. Randolph and his team don’t overlook the basics, such as keeping software patched and updated, using firewalls and tapping security standards. But controlling the sign-on process is just as important, he says. “Here at Optimizely, we use dozens of cloud-based services. So, for us and for our customers, passwords are a big focus. Humans are bad at choosing passwords and at password hygiene. We use Okta single sign-on, so we can remove those worries across the board.”
JBG Smith Taps Security at the Edge
When it comes to protecting data, IT should know what’s going on with the network, where company data resides and how well its current infrastructure and strategies are working.
JBG Smith, a real estate investment company based in Chevy Chase, Md., looked to this strategy to shore up its infrastructure. It needed a way to secure its properties and its tenants while allowing its many contractors and employees to access everything remotely. “Our issue was how to deliver a strong business experience while still delivering security,” says David Shanker, the company’s senior vice president of IT. “And that security had to be easy to use so it didn’t impact the user’s overall experience.”
JBG Smith implemented what Shanker calls a “consolidated security platform,” focusing on using interoperable products and services. It uses Office 365 as well as Microsoft’s Intune for mobile device management, and multiple products from Palo Alto Networks. Cisco’s two-factor authentication offering, from newly acquired Duo Security, rounds out the security platform.
“We run Palo Alto Networks products at the edge,” Shanker says. “We run all their cloud services: WildFire malware analysis, GlobalProtect and Traps, which is their endpoint threat prevention user behavior machine learning model. We also moved workloads to the cloud and are starting to leverage cloud security too.”
Automation Proves Key to Security
While all of these strategies are good ones going forward, data protection will require more than just updated products and services. It will also require IT departments to ensure they have detailed knowledge of what data they’re protecting.
At Optimizely, the IT team is developing detailed data maps, so they know exactly what they need to protect and where everything is stored. The project began as part of its response to the European Union’s new General Data Protection Regulation, Randolph says, but he has found the benefits go far beyond regulatory compliance.
“With GDPR, we need to know where the data is and where it’s being stored. But you also need to know so you can focus security resources and configure data management,” he says.
With that information, Optimizely can more effectively use tools like Palo Alto Network’s Evident to monitor access to the data and remediate issues that pop up immediately. If a port is accidentally opened, exposing data to the wrong eyes, for example, the service catches it and creates a security incident. This gives IT the ability to give the user who made that mistake real-time feedback, he says. Fast turnaround for detection and remediation is exactly what every organization should strive for, says 451 Research’s Bekker.
“Innovation creates more security challenges,” he says. “We’ve got to stop chasing our tails and rely more on artificial intelligence and machine learning and security delivered as managed services. Automation is very helpful.”