Cloud, mobility and bring-your-own-device (BYOD) computing are providing so many new potential ingress points to your network that it’s getting near impossible to keep up. The solution, as David Braue finds, lies in reconsidering your exposure, revisiting your IAM strategy – and picking your battles carefully.
It must have seemed like the right thing to do at the time, but it certainly didn’t end up that way.
‘It’, in this case, was a strategy for introducing a bring-your-own-device (BYOD) policy that would let employees use their own smartphones and tablets in the workplace. All employees had to do was load an agent for the corporate mobile device management (MDM) software onto their phones, which would allow the corporate IT division to track the devices and, if they were irretrievably lost, erase the data on them.
The company’s IT team bought 15,000 licenses of the appropriate software, advertised the program to users, and waited for the requests to come in. Eventually, however, just 400 users consented to install the software on their devices; the others, seeing no need to conform, simply ignored it and the organisation was left holding the bill for 14,600 unused MDM licenses – as well as a real challenge as to how to handle the remaining users.
Such are the trials and travails of companies seeking to adjust to the new, user-driven BYOD trend whilst maintaining critical control over the security of their corporate data. Fully 40% of workers in the Asia-Pacific region – 838.7m of them – will become mobile workers by 2015, and they will expect the flexibility to use whatever devices they want to get their job done.
Caught between conflicting pressures – users’ demand for personal freedom, and shareholders’ and corporate regulators’ demand for protection of company information – many companies are going through what Ian Yip, NetIQ’s identity, security and governance business manager, likens to the Five Stages of Grief.
“We’re up to somewhere between bargaining and acceptance,” he says. “This is a good thing, because it means we are ready to compromise and work with the business. Every organisation will get to acceptance in varying degrees, but it will mean going in with your eyes wide open.”
Australian companies are behind the curve when it comes to dealing productively with BYOD, however: IDC’s recent Continuum Survey 2012 found that Australian CIOs are struggling with incomplete BYOD frameworks lacking integrated security and IAM capabilities, among other things.
The human element. The groundswell of support for BYOD computing is disrupting existing identity and access management (IAM) frameworks and creating massive security issues that organisations never saw coming.
The devices themselves are proving incredibly adept at circumventing the obstacles put down to prevent their use: mobile operating systems with built-in Facebook and Twitter capabilities, for example, can now spread corporate secrets in milliseconds using direct APIs that won’t even be picked up by content filters judiciously patrolling Web site access.
Mobile devices can wirelessly connect to the heart of corporate networks and wreak havoc within minutes. Seemingly innocuous productivity tools like Dropbox and Evernote instantly sync content from the corporate network onto cloud services whose very existence may violate corporate obligations around data privacy and sovereignty. And well-meaning users can run up new virtual machines in Amazon EC2, then push gigabytes of corporate data into an unknown and uncontrollable cloud environment within minutes.
“Mobility is increasing the complexity of IT security, and users are relying on tools for business to remain productive in spite of the IT organisation,” says Simon Piff, associate vice president for IDC’s Asia-Pacific Enterprise Infrastructure Research group.
“A lot of the time you will find that your organisation is using a cloud service that you know nothing about. That’s why the need to secure the human is going to increase: you’ve got to think of smart ways of embedding IT security into [users’] psyches that doesn’t impede their ability to do business.”
The new IAM. Corporate raiders never had it so easy – but what can companies do to staunch the exodus of corporate data from their grasp?
With outer security perimeters now easily breached, conventional wisdom suggests the best approach for companies is to refocus their efforts not just on keeping the nasties out of their network, but on ensuring that intruders can’t access any data they shouldn’t once they get in – nailing shut the trap door, so to speak, to keep the soldiers from sneaking out of the Trojan horse that’s already parked in your courtyard.
“There’s only so much you can do to protect the perimeter,” Piff says. “The real question is: what are you going to do to protect your data?”
That means shifting the focus of IT investments away from building barriers, towards developing fool-proof and flexible IAM frameworks that can reconcile today’s flood of new devices and applications with the users that are using them.
If all data is encrypted at rest on the company network and in the cloud, after all, it becomes much easier to control who has access to the keys to get it. Yet transposing IAM into today’s leaky-sieve environments is tricky: many companies bought IAM suites years ago, when IAM was all about single sign-on, opening and closing users’ network accounts, and facilitating access to internal business applications.
The world has moved on, and so have the requirements for a viable IAM framework, which these days must be able to track large numbers of employees, business partners and customers across a flurry of devices.
“Things change quite quickly, and what we’re seeing now is a disassembly of those big suites,” says John Havers, CEO and founder of IAM service provider First Point Global, who estimates that only 10% to 20% of Australian organisations have a broad enough IAM infrastructure in place to meet contemporary challenges.
“Auditors are asking to see what measures those organisations have to ensure only the correct people, with the right privileges and right job roles, have access. So organisations are thinking about how to keep a handle on who’s accessing what in their organisations and extended organisations. But it’s a difficult problem to solve.”
First Point Global has worked to address the problem with an IAM governance platform that aggregates data accesses and correlates users’ activities into a centralised identity and access warehouse. “That’s the starting point for knowing who’s in the zoo,” Havers says.
IAM everywhere. Ironically, the cloud may prove to be the saviour for companies struggling to implement effective IAM: to boost accessibility and usability, some vendors are now offering cloud-based IAM frameworks designed to handle the many touchpoints of the new security model.
Gartner has flagged this trend as an increasingly important aspect of the IAM market, which it expects to grow from $US9.9 billion in 2010 to $US11.9 billion by the end of 2013. Gartner expects cloud-based IAM will attract market entries from unexpected quarters such as virtualisation and grid computing.
“The ability to host these platforms in the cloud will be a driver for pushing out good IAM across organisations that previously may not have been able to afford it,” says First Point Global’s Havers.
Another game-changer is privileged access management, which extends IAM frameworks by monitoring and regularly changing access credentials for accounts with strong access privileges.
This provides an extra layer of protection within IAM frameworks, minimising exposure to password breaches and reducing the chance that outdated credentials may give ex-employees access to corporate systems.
Security providers of all stripes are working to update their IAM visions, with industry leaders like Symantec and RSA peppering the market with point solutions each addressing specific new challenges; down the track, expect these solutions to be brought together into integrated application suites.
In the end, says NetIQ’s Yip, regardless of the features of the new technology, the endgame remains the same: “You can’t deal with BYOD by dealing with BYOD,” he explains. “It’s about managing mobile employees, not about managing tablets or phones.”
“You need foundational pieces to do identity management and user provisioning, and to be agile – so you can give access when you want, and take it away when you don’t want people to have it.”