Actually, "near future" might be wrong: I am convinced that the future (with regard to the requirements) is already here. We sponsored a study by the Yankee Group with the title "Anywhere Access Technologies - Open Enterprise Networks". I read through it and tried to analyze the key findings in there:
… and a lot more; you can read it yourself.
But what does that mean for your security? Let's have a look at different areas of security.
This will improve usability. I am a firm believer that if we (as an IT industry) can make this mobile access to company data transparent and easy to use, it will increase security! I have seen cases where ordinary users wrote a step-by-step guide on how to open a VPN tunnel and access their mail, including all the usernames and passwords needed. They even stuck it to the SecurID token. Wow, such a stupid user? No; to me, a stupid IT department (sorry for that). Our security did not fulfil the business needs and seemed to make it impossible for the user to actually understand the environment. The secure way is only secure if it is the easiest way.
Now is the time to get to proper Risk Management. If we want to be successful as security professionals we have to change our mindset from risk avoiding to risk managing and business enabling! So let's do proper Risk Management, and let's do it now!
We have been talking about the "death of the DMZ" for a long time, or in other words, the de-perimeterization of the network. When I talk about this, people often feel that I am talking about decommissioning the firewalls at the edge of the network, which is nonsense. The firewalls and edge protection are still very important, but they lose importance if you look at them from an overall risk view. From a network perspective my notebook is part of Microsoft's perimeter. My notebook is more often connected to public networks (or my home network, which is of course ultimately secure ;-)) than to Microsoft's network. Therefore, the protection measures have to move to my notebook as well. This is where Network Access Protection comes into play! Make sure that I can access corporate information only if my PC is healthy.
With these scenarios, most companies do not think often enough about authentication and identities. There are, however, quite some challenges with authentication and identities:
Will you still manage the identities of your employees in five years' time? A customer of mine recently told me that he doubts it. How will this change the game? I do not know yet.
Still trying to protect the USB port, aren't you? Well, if you heard me talking about this in the last few years, I always said that the only real protection against USB sticks is synthetic resin. Close that thing! If you don't, well, what about the phones? The cameras? The mice with data storage capacity? The SD cards? The… whatever? You will not be able to protect against all those threats. Oh, yes, and what about my private SharePoint, my private Outlook Web Access? If you are really worried about data loss, protect the data itself! Use something like Rights Management Services to start addressing this. No, it is not a silver bullet, but it increases security significantly in this respect. That does not mean that you should not protect your hard disk (I have BitLocker enabled), but protect the information itself. (BTW, Windows Vista can protect the USB port.)
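As an added illustration of the last remark (this is not code from the original post or from Microsoft), the PowerShell below toggles and reports the registry-based policy that Windows Vista and later use for "Removable Disks: Deny write access". It assumes an elevated session on a standalone test machine; in a domain the same setting belongs in Group Policy under Computer Configuration > Administrative Templates > System > Removable Storage Access, which writes the same values. The device-interface GUID is the one that policy applies to.

```powershell
# Added example: read and set the removable-disk write-deny policy.
# Assumes an elevated PowerShell session; the policy typically takes effect
# for devices connected after the change (or after a reboot).

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = '{53f56307-b6bf-11d0-94f2-00a0c93ec3ed}'   # disk device-interface class

function Get-RemovableDiskPolicy {
    # Returns the three Deny_* flags; absent values mean "not restricted" (the weak default).
    $key    = Join-Path $PolicyRoot $RemovableDisks
    $result = [ordered]@{ DenyRead = 0; DenyWrite = 0; DenyExecute = 0 }
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            if ($null -ne $p.$name) { $result[$name.Replace('_', '')] = [int]$p.$name }
        }
    }
    [pscustomobject]$result
}

function Set-RemovableDiskPolicy {
    # Writes the DWORD flags the Group Policy setting would write.
    param([switch]$DenyRead, [switch]$DenyWrite, [switch]$DenyExecute)
    $key = Join-Path $PolicyRoot $RemovableDisks
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = @{
        'Deny_Read'    = [int]$DenyRead.IsPresent
        'Deny_Write'   = [int]$DenyWrite.IsPresent
        'Deny_Execute' = [int]$DenyExecute.IsPresent
    }
    foreach ($name in $flags.Keys) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $flags[$name] -Force | Out-Null
    }
}

# Weak state: no policy values, so any removable disk is readable and writable.
'Before:'
Get-RemovableDiskPolicy

# Corrected state: reading stays allowed (users can still bring data in),
# but writing to removable disks is denied, which addresses the
# "copy the file share onto a stick" case the post is worried about.
Set-RemovableDiskPolicy -DenyWrite

'After:'
Get-RemovableDiskPolicy
```

Denying writes only narrows one channel, as the post says; the phone, the camera and the private web mailbox are untouched by it, which is the argument for protecting the information itself with something like Rights Management Services rather than relying on the port.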
We could elaborate much more here; there are things like access control as well, and themes around interoperability, and, and, and. I do not think that I covered all the risks here, but at least some you should start to think about. I am completely convinced that the mobile workforce is coming much, much faster than a lot of security people feel comfortable with. This is a user-driven scenario which will be so cool that management wants it. How did smartphones come into companies? The CEO bought one and wanted to have it integrated. Most companies failed to standardize them just because of that, and the scenarios we are looking into are even cooler, trust me.
My call to action at the moment is pretty simple:
I do not think that all the technical answers are already on the table, and where they are, they certainly still have challenges, but I am convinced that we will see scenarios that get the avalanche rolling within the next 18 months! RPC over HTTPS in Outlook was just a tiny beginning!
I definitely agree with you on the issue of security consciousness of the enterprise and how aware every user of IT infrastructures should be relating to securing data and network access.
The three major arms I tagged PPT work hand in hand and none should be given priority over the other. Each aspect has to be duly addressed to ensure a rock-hard secured enterprise.
I just thought I should do a little finding on you this morning since we will be together today at the Regency Chinese Restaurant, Lagos - Nigeria.
I hope to have a fulfilling time at the CEO Security round table.
Do have a great day ahead.
Roger has posted a very good article based on the Yankee Group report. I know, it's a bit long, but worthwhile.