Yankee Group Study
Actually, "near future" might be wrong: I am convinced that the future (with regard to the requirements) is already here. We sponsored a study with Yankee Group titled Anywhere Access Technologies - Open Enterprise Networks. I read through it and tried to analyze the key findings:
- More than 70% of IT executives said that more than half of their employees today access their networks remotely with a laptop or mobile device: This is significant, isn't it? Look at me: I am in the office to have some 1:1 meetings and mainly to hand in the expense reports. The rest of my time I am on the road or in my "home office". So my laptop hardly ever gets connected to the corporate network. I am actually writing this blog post in a hotel room. On the other hand, I know of a lot of companies where security and IT want to limit the usage of laptops as much as possible. In my opinion, they are hindering a development which will lead to higher productivity and employee satisfaction: I love working from home and having the possibility to spend lunch hours with my family. I am aware that not all jobs can be done remotely, but more jobs could profit from a little more flexibility. The statement that mobile workforces increase productivity is underlined by another data point:
- Our analysis shows almost 37% of all enterprises said they would expect to see a significant increase in employee productivity if workers could access data and information outside the office on any type of device. Among Connectors (companies with more than 50% mobile users), this expectation jumped to 43%: And you want to stand outside of this? I doubt it.
- Enterprise networks are opening up not just to employees, but to outside parties, too: 87% of the enterprises surveyed said that partners, customers and other users outside the company access internal network resources either frequently or every day: This is the next challenge, as more and more information will have to be accessed by external companies and people. How do you authenticate them? How do you keep control over the information they access? And even worse: When I talk to certain industries, they change their partners within hours (e.g. traders) and have to have an extremely flexible network of trust, and therefore an authentication scheme that keeps up with it, without hampering security.
… and a lot more; you can read it yourself.
But what does that mean for your security? Let's have a look at different areas of security.
This will improve the usability. I am a firm believer that if we (as an IT industry) can make this mobile access to company data transparent and easy to use, this will increase security! I have seen cases where normal users wrote a step-by-step guide on how to open a VPN tunnel and access the mails, including all the usernames and passwords needed. They even taped it to the SecurID token. Wow, such a stupid user? No, to me: a stupid IT (sorry for that). Our security did not fulfill the business needs and seemed to make it impossible for the user to actually understand the environment. The secure way is only secure if it is the easiest way.
This is now the time where we have to come to proper Risk Management. If we want to be successful as security professionals, we have to change our mindset from being risk avoiding to being more risk managing and business enabling! So let's do proper Risk Management, and let's do it now!
We have been talking about the "death of the DMZ" for a long time, or in other words, the de-perimeterization of the network. Now, when I talk about this, people often feel that I am talking about decommissioning the firewalls at the edge of the network, which is nonsense. The firewalls and edge protection are still very important but lose importance if you look at them from an overall risk view. From a network perspective, my notebook is part of Microsoft's perimeter. My notebook is more often connected to public networks (or my home network, which is of course ultimately secure :-)) than to Microsoft's network. Therefore, any protection measures have to be moved to my notebook as well. This is where Network Access Protection comes into play! Make sure that I access corporate information only if my PC is healthy.
With these scenarios, most companies do not often think about authentication and identities. There are, however, quite a few challenges with authentication and identities:
How can we make sure that the user can authenticate wherever he/she is, but do it securely? Well, smartcards are probably today's state of the art, but it might well be that the future will be biometrics. With the smartcard, the biggest challenge is always: what happens if I lock my smartcard away somewhere far from a Microsoft office and I need my card to log on to my machine? What happens (even worse) if it is broken?
The second challenge is the management of the identities: How do I make sure users will be decommissioned again? And how can I enforce this decommissioning on the remote machine?
With partners, the problem is even worse. Can I trust the authentication and the identity management of my partner? Often, the answer is a "yes, but". You would like to limit this to a certain application (and probably to a certain credit limit as well). What about compliance in this area?
Will you still manage the identities of your employees in five years' time? A customer of mine recently told me that he doubts it. How will this change the game? I do not know yet.
Still trying to protect the USB port, aren't you? Well, if you heard me talking about this in the last few years, I always said that the only real protection against USB sticks is artificial resin. Close that thing! If you don't, well, what about the phones? The cameras? The mice with data storage capacity? The SD cards? The… whatever? You will not be able to protect against all those threats. Oh, yes, and what about my private SharePoint, my private Outlook Web Access? If you are really worried about data loss, protect the data itself! Use something like Rights Management Services to start addressing this. No, it is not a silver bullet, but it increases security significantly in this respect. That does not mean that you should not protect your hard disk (I have BitLocker enabled), but protect the information itself. (BTW, Windows Vista can protect the USB port.)
We could elaborate much more here; there are things like access control as well, and themes around interoperability, and so on. I do not think that I covered all the risks here, but at least some you should start to think of. I am completely convinced that the mobile workforce comes much, much faster than a lot of security people feel comfortable with. This is a user-driven scenario which will be so cool that management wants it. How did smartphones come into companies? The CEO bought one and wanted to have it integrated. Most companies failed to standardize them just because of that, and the scenarios we are looking into are even cooler, trust me.
My call to action at the moment is pretty simple:
- Get back to the disciplines we once learned: Risk Management, Dependability etc. and align your strategy to the business strategy!
- Look out for the technologies that will enable the mobile workforce (access to information anywhere, anytime and on any device) in order to be ready.
I do not think that all the technical answers are already on the table, and if they are, they certainly still have challenges, but I am convinced that we will see scenarios that get the avalanche rolling within the next 18 months! RPC over HTTPS in Outlook was just a tiny beginning!