The trend towards bring-your-own computing is being driven by executives who not only insist on connecting their personal devices to the company network – but refuse to hand over control of those devices to security managers despite exhortations that it's necessary to ensure data integrity. Faced with an explosion in mobile devices and already hurtling towards the cloud, what's a humble IT security specialist to do?
It's a difficult challenge made even more complex because so many consumers are already linking their mobiles to mainstream cloud services like Google's Gmail, Apple's iCloud and various social-media services. The net result: consumerisation is bringing with it all the dangers of cloud environments as well as all the traditional security issues associated with mobile devices. Yet with those devices now comprising part of the cloud itself, the old issues are taking on a whole new meaning.
"The bottom line is that the people who have control over your budget are now insisting on consumerisation," Dave Asprey, vice president for cloud security with Trend Micro, told attendees at the recent Evolve.Cloud conference in Melbourne.
"We have these mobile devices, and they just keep evolving and getting better. So companies are no longer going out and saying 'I'd like to buy a laptop for everyone in my company'; they're going out to say 'I'd like to manage a laptop for everyone in the company'. And this is how consumerisation is happening."
Despite user enthusiasm about using mobile devices, he added, many users are blind to the companion risk that they introduce. Since so many consumers are already using mainstream cloud services like Google's Gmail, Apple's iCloud and various social-media services, the introduction of mobiles into the enterprise is an ipso facto introduction to the risks and exposures of public cloud services – and that's a completely different risk profile.
"Cloud and mobile are already completely mixed up in the minds of the people who use these devices," Asprey explained. "When you hear about consumerisation and BYO device strategies, it includes cloud as an integral part of that. And as mobile continues to penetrate throughout the population at large, 'cloud' stops meaning 'in a data centre' and it starts meaning 'elsewhere'."
This presents a completely new challenge for security practitioners, for whom the shift away from tightly-managed internal devices represents a major change in security posture. And in this new world, Asprey said, malware authors have the most experience – as evidenced by their successful establishment of self-managing global networks that tap into millions of mobile and fixed computers around the world.
Such networks represent the future of cloud environments as the proliferation of mobile devices is taken to its natural conclusion: the cloud of the future will be made of nodes everywhere and anywhere, connected through common links and reallocating computing and storage capacity on the fly.
As this model takes over, Asprey warned, security practitioners must modulate their expectations: in a globally distributed model, the key to performance security cannot by definition be "to know everything" that's going on inside your network.
"Since you're managing the devices that connect all over the place, it makes more sense to host the management of the cloud in the cloud itself," he explained. "Your traditional performance monitoring is not going to work: when you're managing a cloud of distributed devices, some of them aren't going to answer your performance monitoring queries. You'll end up using statistics way more than you do now, and job scheduling will become more ad-hoc."
Cloud-based storage will complicate things further, since distributed models of data storage mean data will end up spread far and wide across internal networks and external public-cloud services. This presents technical, security and – particularly importantly – regulatory challenges as governments reconcile their privacy and policy objectives with the increasingly distributed nature of the cloud.
Asprey calls this future model of the cloud an 'ambient cloud', and said the key to keeping it under control is to focus on securing the myriad devices coming into the business. "If you want to secure the cloud, you need to secure your mobile devices," he explained. "They are the access points to the cloud – and from an end-user perspective, the difference between the cloud and the mobile phone is lost."
"If someone loses their phone and it has all their cloud credentials, your cloud is penetrated unless the phone is protected," he continued. "Even though it's so much cheaper to move things into a decentralised model, and it's more available than it is in a decentralised model, you'll be making budgetary decisions over the next few years that drive you to decentralise when you can – but to still maintain visibility and control like you have today."