by Geoff Webb of Credant Technologies
If you were the CISO of a large enterprise you'd already know that an IT security earthquake may well be on the way because there is a fault line that runs beneath most of the assumptions upon which we have built the last decade of security progress. That fault line can be described using just four letters: BYOD.
Bring your own device (BYOD), the growing practice of employees using their own devices (laptops, smartphones and tablets), blurs the line between enterprise and personal computing and, as a result, significantly complicates the job of governance, risk and compliance management.
As a trend, the consumerization of end-point devices is still in its early stages. However, as more and more employees start to routinely use their own laptops and tablets to access corporate information and services, so the potential security impact of BYOD, like stress in a fault line, continues to build.
For the enterprise security team trying to both enable end users and maintain compliance and BYOD security best practices, there are a number of problems that must be dealt with in short order.
For example, simply defining security policy can be a tortuous task (let alone getting everyone to follow it). While end users may want to use their own devices, the business must provide clear guidance on acceptable and safe usage. Opinions (and options) on what is and is not acceptable may vary dramatically. Worse, users will almost certainly regard BYOD security policies restricting what they do with their own device as, at the very least, somewhat unwelcome; precisely the sort of response that IT security teams want to avoid.
Even if BYOD security policies can be agreed upon, enforcing them is often even more arduous. In highly decentralized businesses, such as in many healthcare organizations, enforcing BYOD security policies when the device accessing the information is employee owned can be difficult at the best of times. Yet a failure to enforce security policies, even unpopular ones, can leave an organization open to an audit finding or worse, a breach. For while many BYOD devices may have the capability to be properly secured, ensuring that those security capabilities are correctly enabled, and documenting that they are, can require both additional management software and new processes to be put in place.
In the event that a device is lost, or the employee leaves the business, the security team must navigate the potential minefield of ensuring that corporate data on the device is removed while trying to minimize the impact on the end user's own information.
However, all the above challenges may rapidly pale in significance when compared to the looming specter of employee-owned devices using corporate information while connected to third-party cloud services. This is especially so when the cloud services are brought into the enterprise by the employees themselves, as is often the case with such things as cloud storage.
This "bring your own cloud" (BYOC) phenomenon will add even more pressure on existing security processes by further complicating the task of tracking, securing and documenting where data is being stored. Imagine, for example, the problems facing a security team who discover that a former employee had been accessing protected healthcare information on a smartphone owned by the employee, but stored on a cloud server outside of corporate controls.
In fact, both BYOD and BYOC will continue to force a re-evaluation of the basic principles of information security practices. Ultimately, the only way to meet the demands of an increasingly independent user population and yet continue to operate within a framework of escalating regulatory requirements is to move away from a mindset that focuses on the "where" of information security and instead focuses on the "what."
As "data-centric" becomes the mantra for information security, so the concerns over the platform for accessing that data diminish. Once the data itself becomes self-protecting through the use of technologies such as tokenization, encryption, and so on, so the need to manage every endpoint or service upon which it resides diminishes. Indeed, as the data becomes the target for our security thinking, we can provide not only better security for the critical information but more easily adapt to the evolving needs of business users, both of which, as Winnie the Pooh would say, are a "Very good thing."
Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others. Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.