In-depth: Taking the fear out of the security sell

When it comes to security, in whatever form it takes, fear is the key.

When it comes to security, in whatever form it takes, fear is the key. Whether it's protecting your house against the threat of burglars or a country's borders against a projected invasion by a potentially bellicose neighbouring state, there's nothing like a dose of anxiety, alarm, worry or paranoia to open the purse strings and get the funds pouring into "security".

The fact that all this money is being expended to protect against a potential rather than definitive threat is the subject of its own anxiety. Security is a form of insurance and we all know what people think about insurance. It's fair to say that paying for car insurance, house insurance or life insurance does not place highly on the list of things people like to spend their money on.

The same is true for IT security. Our overwhelming perception of IT security is framed by constant reference to the consequences of not having it rather than of having it. The stories we see about IT security are always in the context of massive data leakages, hacks or data loss incidents. It's not often that we hear of an attack being thwarted or a data loss being minimised to the point of irrelevance by good IT security policy.

Why is this? Because as newspaper people have known for years (and the IT security industry has been quick to learn), fear sells. Which is not to say that security isn't necessary. When you look at the headlines, it's fairly obvious that IT security is very important, vital even, to the continued well-being of most organisations in the modern world.

But when the overwhelming frame of reference for a product area is 'fear', the desire for protection can also blur into something with the potential to inhibit a company's operations. This is especially true of the current well-publicised trend towards consumerisation of devices, sparked by the growth in usage of smart phones and tablets, which could well create a collision between user expectation and corporate defensiveness in many businesses.

In a recent paper concerning Smartphones, security and the enterprise, SonicWALL agreed that the proliferation of smartphones and the demand from employees to incorporate them into the company network was creating a serious dilemma for IT departments. There is no doubt that businesses cannot ignore smartphones and their ability to help employees work more flexibly and productively. But it's equally clear they are also difficult to deploy securely and bring extra pressure to technology budgets and resources.

"Getting this balance between reward and risk right is a familiar problem for IT managers," SonicWALL states. "Security must be seen to be enabling the business, rather than holding it back from the rewards many of these new devices offer." This leads to an interesting new tack on the security front. Instead of promoting security in terms of what might happen to the business if it's not in place, vendors and resellers should also start to frame the discussion around IT security as an enabler for the business to exploit new developments such as mobile working using mobile devices and the ability to incorporate social networking where it suits them.

David Caughtry, director of Core Technology at ComputerLINKS, agrees that business enablement is a "key message" but says it's also down to risk. People need to see the business benefits security can bring but also be aware of the risks and be able to make a decision on what level of risk they are prepared to accept. Certain organisations will have a much higher threshold of risk and others will demand something much lower.

"Do the gains and pains security devices bring outweigh the risks? One individual's view of risk is completely different from another," he argues, adding that there's a danger organisations can end up with a "very disparate policy" if the thinking behind it isn't joined up.

He believes IT security providers need to take the lessons learned from getting protection onto desktops and laptops and transpose them to the more mobile and flexible environment created by the proliferation of mobile devices. It's not new; the industry has been through it before, but the dynamics have changed and it's unlikely to take the ten years required to get a decent level of protection accepted and adopted for desktops and laptops.

Ian Kilpatrick, chairman of Wick Hill Group, says one of the problems is many company boards don't really understand the full concept of risk analysis and because the technology is continually evolving, they can get "security fatigue". There is no coherent list of things to go through and things to protect against.

He also argues that while the idea of promoting security as a business enabler is "philosophically correct, the reality is exactly the reverse". The drive for deploying mobile devices has come from users not IT, so there is no plan built in around it and it's not part of the project.

Worse still is the fundamental lack of security at the smart phone level. Many people use them at a personal level and want to use them for work but the majority of them don't even have a PIN on their device to protect their personal information. Kilpatrick describes this state of affairs as "shocking". Given these lax attitudes, it's hardly surprising that security on these devices for business use would be such an issue.

"It's all the wrong way around," he says. "You have a completely uncontrolled environment where the majority of users don't even recognise the device they've got is actually [as powerful as] a PC/laptop." People have migrated to smart phones with the power of a laptop but that transition hasn't taken place in their heads. Which is not a happy state of affairs when you consider that it's "a hell of a lot easier to lose a phone than a laptop". If you walk into a bar, you won't see many laptops lying out on tables but there will be quite a few mobile phones out.

Additionally, with the level of security which is now accepted as a given on a laptop, such as password protection and data encryption, someone stealing a laptop would have to make an effort to get into it to access any data. With smart phones, often the data is not secured in any way and, as a result, corporate data can become more vulnerable.

It's also potentially a much more complex environment to manage, where it's harder to get visibility of devices. "How can you manage an estate where you're giving users AV, anti-phishing to run on their own personal phones?" Kilpatrick asks. At what stage does the employer take responsibility and where does it fall on the user? He believes that at the moment, "consumerisation is more aspiration than reality".

He also feels that it will take a series of very public data breaches and incidents to change attitudes, as happened with laptops. "Protecting mobile phones is not going to take off until there are high profile incidents. This is going to run and run and present a lot of strategic challenges for organisations."

An added complication is that the encroachment of smartphones into the corporate environment is adding the convergence channel to the mix. For the most part, the data channel doesn't recognise or sell mobile phones, and the people in the organisation who supply and manage smartphones are getting them through the telecoms channel which, as Kilpatrick points out, is "completely separate to the guy selling security". If it's a device an employee has bought him or herself, things get even more complicated.

There's a gap that needs to be bridged between the smartphone provider and the channel which traditionally secures the data network. Until now, that's never been an issue but companies are starting to have to ask the question: "who inside the organisation has responsibility for security for a smartphone?". This means bringing together two channels that typically don't talk to each other to decide how it's delivered and managed. Who pays for the security? Can it be layered on top of the existing monthly contract for the mobile device? Does the person responsible for data security have any budget to provide security on mobile devices? Is there a recognition that a budget needs to be created for it?

Kilpatrick suggests it is probably a lot easier to address data security when it comes to tablets because whether you view them as big smartphones or small laptops "everybody in the data world understands what they are". Possibly, although given the difficulties so many IT vendors have had in creating and selling tablets successfully, you might argue a lot of them are struggling to understand the concept.

Nevertheless, he thinks it's easier with tablets to have a "meaningful conversation around securing the elements of a data device that people recognise". Even so, most people are still getting devices and then trying to back fit them into the security infrastructure. It should be noted that this has happened so many times before as new technology becomes available that it might be viewed as standard practice for the adoption of IT security measures.

Virtualisation and the cloud could present new and better ways of handling IT security in the future, but they also bring risks. As Kilpatrick points out, many businesses will use virtualisation to make big cost savings, but the flip side is that if someone successfully breaks into a VMware server, they can get access to as many as 100 virtual servers. Again, it's a question of getting security professionals involved early enough in the project process that they can make sure security is a "tick box" before it goes live.

Nevertheless, Caughtry believes the virtual desktop trend represents a "big step forward" in helping to improve IT security because it will deliver a "secure bubble" to the user which will not affect anything else on the device or be affected by it. The industry is "going full circle" towards centralised solutions with minimal points of infection. At the same time, with the shift to mobile working, there will be an increase in the points of access to the central network using virtual desktops on devices such as laptops, home PCs and tablets, but they will be "inherently more secure".

Kilpatrick says the cloud is the way to go. The genie is out of the bottle with more and more variations of devices hooking into the network. To accommodate them, businesses will need a central structure to manage them and the cloud will help to provide it. "It's the route the market will go down," he predicts.

One consequence of tying the mobile working phenomenon so closely with IT trends such as virtualisation and the cloud is that it begins to be viewed as part and parcel of the shift to enterprise 2.0 rather than an add-on that comes afterwards. The trick is to convince those businesses already seriously (or even half-seriously) engaged with virtualisation and the cloud to incorporate the connectivity of mobile devices into their plans. It's also in the interest of smart providers to ensure the deployment and usage of mobile devices is part and parcel of those trends.

The contradiction at the heart of IT security is that without the fear created and fuelled by high profile data loss incidents and breaches, it may not be deployed as fully as it should but, on the other hand, this means security will continue to be viewed in reactive terms rather than proactively. As Kilpatrick suggested, protecting mobile phones is unlikely to take off until there are high profile incidents but this state of affairs almost ensures it will remain an add-on or retrofit technology.

If IT security can be seen as a solution that enables the business and supports its growth, it will start to be viewed as an essential investment rather than a necessary evil. The question is whether anyone in the IT security ecosystem has the will and energy to take this (positive) argument out to the business community.

Smartphone Security tips (source: SonicWALL)

Update security policy to include smartphones
Organisations will find strategic value and tactical efficiency in setting universal policy agnostic towards specific vendor platforms. IT may find some policies difficult to enforce on personally owned devices but they should be defined and communicated.

Treat all smartphones as uncontrolled endpoints
Due to their inherent mobility and vulnerabilities, IT should treat smartphones as uncontrolled endpoints, whether or not they are company-issued. Smartphones can get lost, stolen or compromised.

Establish SSL VPN access to corporate resources
Smartphone access to business resources over the Web is like e-commerce and organisations should apply the methods of successful e-business innovators. Instead of setting up, administering and updating separate security solutions for Apple iOS, Google Android, Nokia Symbian and Microsoft Windows Mobile smartphone operating systems, IT could deploy a centralised SSL VPN portal to provide authenticated and encrypted Web-based access to network resources agnostically.

Vary level of access based on interrogation of device
IT should use remote access technologies capable of interrogating remote devices to determine the appropriate level of access based on device and user identity.
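As an added illustration of this tip (example code written for this article, not SonicWALL's product or any real gateway's API), the following Python sketches the decision logic a remote-access gateway could apply once it has interrogated a device: identity is checked first, then device posture, and any attribute the device fails to report is treated as a failed check so that an unknown device gets the least privileged tier. The minimum OS versions, group name and tier names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class DevicePosture:
    """Attributes a remote-access gateway could collect from a connecting device."""
    platform: str                        # e.g. "ios", "android"
    os_version: str                      # as reported by the device, e.g. "4.3.2"
    pin_set: Optional[bool] = None       # None means the attribute was not reported
    encrypted: Optional[bool] = None     # storage encryption enabled?
    company_managed: bool = False        # enrolled in corporate device management?


@dataclass
class User:
    username: str
    groups: FrozenSet[str] = field(default_factory=frozenset)


# Constructed minimum OS versions for this example, not a vendor recommendation.
MIN_OS_VERSION = {"ios": (4, 3), "android": (2, 3)}
AUTHORISED_GROUP = "staff"   # hypothetical directory group allowed remote access

# Access tiers, from most to least privileged.
FULL = "full-vpn"          # managed device: full network access
LIMITED = "limited-vpn"    # personal device that passes posture: selected apps only
WEBMAIL = "webmail-only"   # posture failed: browser-based e-mail only
DENY = "deny"


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return a comparable tuple, or None if the string is not a dotted number."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return None


def posture_failures(posture: DevicePosture) -> List[str]:
    """List every posture check that fails; missing or unparsable attributes fail closed."""
    failures = []
    if posture.pin_set is not True:
        failures.append("device PIN/passcode not confirmed")
    if posture.encrypted is not True:
        failures.append("storage encryption not confirmed")
    minimum = MIN_OS_VERSION.get(posture.platform.lower())
    parsed = parse_version(posture.os_version)
    if minimum is None:
        failures.append(f"platform '{posture.platform}' not supported")
    elif parsed is None:
        failures.append(f"unparsable OS version '{posture.os_version}'")
    elif parsed < minimum:
        failures.append(f"OS {posture.os_version} below minimum "
                        f"{'.'.join(str(n) for n in minimum)}")
    return failures


def evaluate_access(user: User, posture: DevicePosture) -> Tuple[str, List[str]]:
    """Decide the access tier: user identity first, then device posture."""
    if AUTHORISED_GROUP not in user.groups:
        return DENY, [f"user '{user.username}' not in group '{AUTHORISED_GROUP}'"]
    failures = posture_failures(posture)
    if failures:
        return WEBMAIL, failures
    if posture.company_managed:
        return FULL, []
    return LIMITED, ["personal device: posture passed but not company-managed"]


if __name__ == "__main__":
    # Constructed sample connections from one staff user on three devices.
    alice = User("alice", frozenset({"staff"}))
    samples = [
        ("managed", DevicePosture("ios", "4.3.3", pin_set=True, encrypted=True, company_managed=True)),
        ("no PIN", DevicePosture("android", "2.3.4", pin_set=False, encrypted=True)),
        ("unreported", DevicePosture("android", "2.2", pin_set=None, encrypted=None)),
    ]
    for label, posture in samples:
        tier, reasons = evaluate_access(alice, posture)
        print(f"{label:>10}: {tier} {reasons}")
```

The point of returning the list of reasons alongside the tier is that the gateway can log why a device was stepped down, which is what an administrator needs when a user asks why their personal phone only gets webmail.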

Comprehensively scan all smartphone traffic
To protect network resources, IT should deploy a next-generation Firewall to conduct deep packet inspection that can scan all smartphone traffic.

Control data-in-flight
IT should be capable of inspecting outbound traffic for data leakage, even if that traffic is encrypted and should scan all data-in-flight for malware.

Maximise firewall throughput to eliminate latency
To minimise the impact on latency-sensitive applications, such as video conferencing and voice over IP (VoIP), the next-generation Firewall platform should be capable of comprehensively scanning smartphone traffic in real-time when smartphones are connected to the corporate network.

Establish controls over smartphone application traffic
As smartphone users can access applications such as social media and streaming video, IT should establish control over these applications to identify, categorise, control and report upon application usage over the corporate network from these devices.

Establish smartphone wireless access security
Up to 90% of smartphones will have WiFi functionality by 2014, so security for wireless networks should be at least on par with wired networks running deep packet inspection. IT should apply both WPA2 and Application Intelligence and Control to traffic from users connected to the corporate network over WiFi.

Manage smartphone traffic bandwidth
Organisations need to control converged voice-and-data communications enabled by smartphones when directly connected to the corporate network, while continuing to optimise quality of service and bandwidth management.
