Mobile security watershed - from SOAP to SUDS

The technology landscape is changing dramatically. What was once carefully chosen, constrained and controlled by central IT diktat is now overwhelmed by consumerisation and hyper-connectivity. It is hard to say when it all really started, but the availability of home PCs in the 1980s pushed a trend of affordable computing, and the emergence of widespread internet use in the 1990s accelerated the trend towards affordable connectivity.

Although organisations embraced this open connectivity, admittedly quite slowly at first, there was always a nagging fear surrounding the security risk. Such fears surface whenever new technologies appear. So much so that in pretty much any research Quocirca has conducted, when security is offered as one option among other reasons for not adopting, or for slowing the adoption of, a new idea, it generally stands out as the top reason selected.

So it should be no surprise that the typical approach to security has been one of closing doors or blocking access as close to the perimeter as possible: erect a demilitarised zone, configure a firewall, deploy a secure gateway at the edge. This is pretty much in line with the attitude taken to physical security: build a fence, lock the gates and fit an alarm or patrol with dogs.

When it comes to the extra security needed for deploying mobile devices, essentially the same approach is taken at first. Treat the device as the new edge of the network: apply a passcode to it, lock down its configuration tightly, and remotely lock or wipe it when it is compromised, lost or stolen.

The challenge is that not only have mobile technologies punctured the physical perimeter, they have also ushered in a bring-your-own (BYO) mentality, where everyone expects their own choice of anything IT (device, apps, social networks, etc.), which dissolves away the virtual perimeter. The old model, which might be described as Secure Organisation At Perimeter (SOAP), is looking washed up.

Traditional IT is oriented to the technology, i.e. the tools (hardware, software and networks), and not to the uses to which that technology is put. To address the challenge, the emphasis needs to switch to what people do and the information they use, that is, users and data, and to apply a bubble of protection where it is needed. Or, to put it another way, Secure Users and Data Specifically (SUDS).

This is a much more business-oriented approach, in that it requires an understanding of the value and vulnerability of the soft assets of the organisation. Rather than a one-size-fits-no-one blanket perimeter, it requires discrimination so that different levels of protection are applied based on value and risk, independent of what tools are used, but aware of the context of use i.e. what, why, when, how, where and who.

It means that security policies, while still relying heavily on the IT department for guidance, implementation and support, will need input from the business to establish which business processes pose risks, how they do so, and to which data. This might initially be challenging for some lines of business, but anything that makes an organisation and those in it more aware of the value of its commercial secrets is good practice.

It also removes some of the responsibility for security from the user, which many in IT think would be a good thing, as again, past Quocirca research into mobile security indicates that users are thought of as the weakest links, even when issued corporate specified and locked down devices. Given that many employees may be bringing their own devices, installing their own apps and data, and lending the devices to family members, this is unlikely to improve much.

Tackling this issue with simplistic mobile device management (MDM) is no longer sufficient. Devices have to be assumed to be compromised, or easily compromisable, and so attention naturally shifts to the objects of interest, the data, and the actions performed on them. Most of the vendors of products aimed at managing the emerging mobile enterprise seem to have recognised this, and that MDM was merely a stepping-stone, but many organisations seem slow to pick up on it and think that applying MDM is sufficient.
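To make the contrast between the two models concrete, here is an added example (not Quocirca's, and not a description of any vendor's product) that evaluates the same access requests under a perimeter-style SOAP check and under a data-centric SUDS policy keyed to the value of the data object and the context of use (what, why, when, how, where and who) described above. The classification tiers, attribute names, rules, obligations and sample requests are all assumptions chosen for illustration; a device of unknown posture is treated as already compromised, in line with the paragraph above.

```python
from dataclasses import dataclass
from datetime import time
from enum import IntEnum


class Tier(IntEnum):
    """Assumed data classification tiers, ordered by value to the organisation."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class DataObject:
    name: str
    tier: Tier
    roles: frozenset  # roles with a business need for this object (assumed)


@dataclass(frozen=True)
class Context:
    who: str          # user identifier
    role: str
    how: str          # device posture: "managed", "byod" or "unknown"
    where: str        # "office", "home" or "public"
    when: time
    what: str         # action: "view", "edit" or "export"
    why: str = ""     # recorded justification, empty if none was given


WORK_START, WORK_END = time(7, 0), time(20, 0)  # assumed working hours


def perimeter_decision(ctx: Context) -> bool:
    """SOAP: one gate at the edge. A managed device in the office passes,
    whatever data it touches; everything else is blocked outright."""
    return ctx.how == "managed" and ctx.where == "office"


def suds_decision(obj: DataObject, ctx: Context) -> tuple[bool, list[str]]:
    """SUDS: a per-object decision plus obligations, the 'bubble of protection'.
    Returns (allowed, notes); notes hold either denial reasons or obligations."""
    notes: list[str] = []
    # who: without a business need there is no access above the public tier
    if obj.tier > Tier.PUBLIC and ctx.role not in obj.roles:
        return False, [f"role {ctx.role} has no business need for {obj.name}"]
    # how: the device is assumed compromisable; unknown posture sees nothing non-public
    if obj.tier > Tier.PUBLIC and ctx.how == "unknown":
        return False, ["device posture unknown"]
    if obj.tier >= Tier.CONFIDENTIAL:
        # where/what: no editing or export from a public place
        if ctx.where == "public" and ctx.what != "view":
            return False, [f"{ctx.what} not permitted from a public location"]
        # how: BYOD may look, but the data never leaves the managed container
        if ctx.how == "byod":
            if ctx.what == "export":
                return False, ["export requires a managed device"]
            notes.append("serve via managed container, no local copy")
        notes.append("watermark with user id")
    if obj.tier == Tier.SECRET:
        if ctx.how != "managed" or ctx.where == "public":
            return False, ["secret data: managed device only, never in public"]
        if not WORK_START <= ctx.when <= WORK_END:  # when
            return False, ["secret data: outside working hours"]
        if ctx.what == "export" and not ctx.why:    # why
            return False, ["export of secret data needs a recorded justification"]
        notes.append("log access with full context")
    return True, notes


# Constructed sample objects and requests (not real data).
PRESS_RELEASE = DataObject("press release", Tier.PUBLIC, frozenset())
PRICE_LIST = DataObject("price list", Tier.CONFIDENTIAL, frozenset({"sales", "finance"}))
MERGER_MEMO = DataObject("merger memo", Tier.SECRET, frozenset({"exec", "legal"}))

SAMPLES = [
    ("sales views price list on own phone at home",
     PRICE_LIST, Context("alice", "sales", "byod", "home", time(10, 0), "view")),
    ("sales exports merger memo from office PC",
     MERGER_MEMO, Context("alice", "sales", "managed", "office", time(10, 0), "export")),
    ("exec exports merger memo late at night, no reason given",
     MERGER_MEMO, Context("bob", "exec", "managed", "office", time(22, 30), "export")),
    ("exec exports merger memo from home with a recorded reason",
     MERGER_MEMO, Context("bob", "exec", "managed", "home", time(9, 15), "export", "board pack")),
    ("unknown device reads press release in a cafe",
     PRESS_RELEASE, Context("carol", "guest", "unknown", "public", time(13, 0), "view")),
]


def run_samples() -> list[tuple[str, bool, bool, list[str]]]:
    """Evaluate every sample under both models: (label, soap, suds, notes)."""
    out = []
    for label, obj, ctx in SAMPLES:
        allowed, notes = suds_decision(obj, ctx)
        out.append((label, perimeter_decision(ctx), allowed, notes))
    return out


if __name__ == "__main__":
    for label, soap, suds, notes in run_samples():
        print(f"{label}\n  SOAP: {'allow' if soap else 'deny'}  "
              f"SUDS: {'allow' if suds else 'deny'}  {notes}")
```

The point of the side-by-side run is that the perimeter check gets the interesting cases backwards: it lets a salesperson in the office export a secret memo and blocks an executive working from home with a legitimate reason, while the data-centric policy decides each case on the value of the object and the context in which it is used, and attaches the control (container, watermark, logging) to the data rather than to the fence.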

Given the speed at which their employees are adopting mobile technologies that span the work/life divide, this would be a mistake. No organisation wants its laundry dirty or otherwise aired in public.