What are some of the cleverest (riskiest) workarounds you’ve heard of from employees simply going around IT policies and technology? Have they been addressed? How?
Many sales and marketing departments think nothing of storing corporate, confidential documents in the cloud. The productivity and portability gains are understandable, but employees who have not been properly trained in IT security awareness do not understand the risks they are exposing the company to. A common example is using Google Docs to store documents and collaborate with co-workers. Apart from the storing of sensitive information in an unknown location and uncontrolled by corporate IT, employees are exposing the organisation to additional risks.
Let’s take the use of passwords as an example. Studies have shown that people typically re-use passwords within the domain they are working in. That is, if they deem the use of Google Docs to be related to work, they will more than likely use their corporate username and password. This means that corporate passwords are now stored in the cloud. IT departments have addressed this by saying “yes” more often, to offset the possibility of business users going around them.
In addition, Identity Management and Identity Federation can be used to ensure sensitive information such as user passwords remain within the confines of the organisation through the use of automated account provisioning, access control and single sign-on from the corporate network into cloud applications. User activity monitoring through the use of tools such as Security Information and Event Management (SIEM) solutions can provide further visibility into ensuring that if employees move documents or sensitive information outside of the corporate network, these are flagged and that relevant individuals or teams are notified of the risk exposure. Additional processes can be layered on top to ensure the risk is removed, mitigated or accepted.
Are any mobile platforms ready for the enterprise? If not, when? What are the common/fundamental shortfalls?
If we take the simplistic view of comparing mobile platform operating systems, it’s largely an Android versus iOS debate. There are countless exploits available on the Android operating system; far more than any other mobile operating system.
iOS, however, has had no known exploits to date. If we take it on this basic premise, then one has to say iOS is ready while Android is not. But this argument is flawed. Based on this argument, Linux and Windows are not enterprise-ready. But if we use Windows and Linux as the basis of the argument, then Android is ready for the enterprise today.
This question should really be more about whether the enterprise is ready for mobile platforms. Like it or not, they are here to stay, irrespective of their “enterprise-readiness”. The main issue is the loss of control from the enterprise’s point of view.
Enterprises need to get themselves into a position where they are ready for the increasingly mobile workforce. They need a mobility strategy across all devices, not just around Bring Your Own Device (BYOD). Identity needs to be the foundation. Access controls need to be in place and managed through centralised policies. Above all else, enterprises need to have visibility of everything that occurs in the environment, whether it is within the corporate firewall or in the Cloud. The ability to know what is happening and be able to action anomalous events is more important than trying to manage the ever-changing landscape of devices and external applications employees may be using.
For organisations trying to manage BYOD, is it (or should it be) a policy issue or a technical challenge—or both? Is this the root of the problem?
It’s both. Policies need to catch up to what is really happening. Organisations need to be more agile in dealing with change and understand the security implications that come with this agility. They also need to practise agile security. This means being able to manage and enforce security policies dynamically, on-board systems and applications into the security infrastructure quickly, and be able to audit and react to potential security risks in near-real time. They need to be more services oriented.
Every system and application should expose a set of Application Programming Interfaces (APIs) for management and visibility as well as leverage common services via APIs. Technology needs to be there to support the policies. In some cases, technology can be used in isolation to address a pressing issue in a tactical, reactive manner while the policies catch up.
Technology can sometimes be used to mitigate risks quickly before organisations have time to lay the security foundation. However, policies and technology need to work together to achieve the best outcomes.
Are linkages between the cloud and consumer technology manifesting the challenges for IT security? How?
The combination of consumer technology and cloud would seem at first to complicate matters. But they are one and the same if IT security takes the right approach. That is, to accept that they have lost the level of control they previously enjoyed and now they have to deal with it by ensuring they have visibility across all employee activities when accessing corporate resources.
Will the consumerisation of IT and the growth of cloud services change the role of the CSO and IT security in the next few years? Where are the pain points now, and where are they going to be?
The role of the CSO and IT security will need to evolve. Their mindset and the way they work will change. The most fundamental change to be made is to become creative “yes” people instead of instinctive “no” people. That is, instead of constantly saying “no” to business requests because of the perceived risks, the default answer should be “yes” if the request will benefit the company’s bottom line.
The creative part comes in when teams have to develop a solution to enable the business request in an appropriately secure manner. The main pain point now is in changing the culture of IT security. Human behaviour is always the most difficult to change. However, once business users believe that IT security will not hamper them, they will actually work together with IT when they need something instead of trying to get around them.
The major pain point moving forward will be in the skills required to manage these changes. Many of the skills required to handle the rapid changes occurring do not exist in the current teams within the enterprise. Teams will need to be trained in areas that may not even exist. In addition, smaller, agile companies (e.g. start-up companies) possess more skilled resources than enterprises in dealing with mobility and cloud. The trick will be convincing these types of employees to join an enterprise. This is an almost impossible task in many cases as employees of smaller companies such as start-ups do not want to work for large enterprises due to the cultural difference and the perceived lack of innovation.
How has the influence of consumer IT affected the customer experience? How does this impact organisations striving to deliver good customer service?
Customers now expect more, both from the applications they use to interact with an organisation and from the customer service required to keep them happy. Applications built as recently as a few years ago are no longer adequate. The rich, consumer-focused web and mobile applications we are all used to as consumers exacerbate the antiquation of technologies and methodologies used to build many enterprise systems. We are so used to the dynamic, consumer-centric, usable application interfaces many consumer products provide that anything less is immediately noticeable.
Organisations need to lift their game in providing the application experience expected and the high levels of customer service the market demands. An organisation that is not agile enough to do this will simply lose customers and adversely affect their brand.
What common challenges are there for IT security in heavily regulated industries from BYOD?
Many compliance and governance standards require certain levels of controls across all systems, including ones used to access corporate resources. The challenge lies in ensuring that at the very least, all accesses are audited and that non-compliant devices do not gain access to information governed by requirements that are strict about where information is allowed to reside.
Policies and technologies need to be in place to ensure that non-compliant devices that expose the organisation to financial risk and potential data loss do not gain access to sensitive information. For example, some controls dictate that consumer data and financial details must be encrypted, audited and can be traced back to individuals that access the information.
Devices accessing sensitive information must be able to meet these requirements, or at the very least, ensure that the information accessed remains transient and not physically stored on the device. That said, security should never be managed for compliance and governance alone. This results in “tick-box” security.
A good security programme must always be about managing organisational risk. With the right foundations in place, a good security programme will almost always meet compliance mandates.
Any good examples of organisations in Australia managing BYOD well? Why?
To our knowledge, there aren’t any organisations in Australia that are managing BYOD well. This could be due to the fact that many organisations are still in the early stages of dealing with the myriad issues associated with BYOD.
Research firm Vanson Bourne showed recently that mobility projects in Europe are commonly proceeding without the full involvement of IT (67 per cent). What sorts of controls can manage this?
This relates to the loss of control. IT needs to implement policies and technologies that allow more visibility into the activities that occur throughout the IT environment. If one cannot control what is occurring on the boundaries, the best one can do is be aware of what is happening when the uncontrolled boundary devices attempt to access corporate information. If there aren’t measures in place to maintain adequate access controls, then organisations need to be able to react quickly to potential events that may result in damage to the organisation’s bottom line and brand.
How is transparency (or the lack of it) for organisations deploying into cloud services impacting the maturity of IT? Is it rolling back?
On the contrary, it is forcing IT forward. From a security standpoint, it is driving IT security teams to evolve and manage security as a foundational part of business instead of something that needs to be done because the auditors have requested it. The innovation in IT is happening in the cloud and in how organisations blend the existing with the new.
Ian Yip is Identity & Security Management Product & Business Manager, Asia-Pacific, NetIQ