We have a problem with new disruptive technology and we need to treat all endpoint systems as hostile. New consumer technology that's brought into the workplace (a trend known as consumerization of IT), the consumer use of free or low-cost cloud services for the connected online life, and the enterprise shift towards the cloud for vertical business applications are rapidly affecting the way workers access decentralized information for personal and business use and the way important information needs to be protected.
Despite corporate firewalls and other existing controls, some employees are using their mobile devices to access services with unauthorized and insecure devices. In other cases, companies are enabling employees' mobile lifestyles with fewer restraints, perhaps in recognition that consumer technology innovation will continue to outpace business adoption of certain devices.
Altogether, we are seeing a significant increase in the blending of personal and corporate computing, access to personal and corporate clouds, and the blending of data through personal and enterprise cloud services and consumer technology.
Rightfully, the debate over the security protocols used by the burgeoning personal and enterprise cloud industries continues. Data protection and privacy control issues stem from external parties outside of a company having physical control of corporate data. It is imperative for vendors to provide basic assurances of data protection and privacy for their customers' data and it is also important for employees to understand the need for security when they use their personal devices to access and store corporate data (if they are allowed to do so).
New security standards are needed to address the wave of disruptive technology and practices that are converging to decentralize and consumerize IT, and mix corporate and personal data. Employees must also be engaged to support awareness and practices that include an understanding of security expectations and how to implement basic security and data protection controls on the devices they manage (and on cloud-based services they access). The best advice historically -- and the consistent message in regulations such as PCI, SOX, HIPAA, and Safe Harbor -- continues to be not to store or transmit sensitive information at all. My advice also is to treat everything accessing the data centers as hostile. Control and security of the endpoint is under siege, so start there because the countermeasures change when all endpoints are considered hostile.
New standards in remote access will include client virtualization technology that has adapted to gesture-based technology (e.g. iPhone, iPad, and Android). We should expect to see this technology coupled with protection measures that provide virtualized data center and application access. Data leak prevention and monitoring should continue to serve as a bastion defense in detecting inappropriate data comingling. Security teams also need to implement controls that enforce security standards on enterprise-activated devices and industry standards also need to be developed to ensure corporate data remains safe despite these trends.
Additionally, companies should identify which information is most valuable and assess the balance between protecting custodial data and secret data. According to a 2010 Forrester Research study, security teams need to focus more on protecting secret data that provides long-term competitive advantage such as mergers and acquisitions, product plans, earnings forecasts, and trade secrets and then protect custodial data that they are "compelled to protect" such as customer, medical, and payment card information that becomes "toxic" when stolen or exposed.
Furthermore, companies and cloud providers need common standards to attest for online security practices and to evaluate third-party relationships. There is an urgent need for customers of cloud computing and third-party technology services to be able to make an objective comparison between providers on the basis of their security measures. Existing mechanisms to measure and provide security assurances are often subjective and in many cases unique. This makes quantifiable measurement of security practices difficult, which impacts time and cost.
We are at the crossroads. Security needs to continue to evolve with disruptive technologies and to support employee mobile lifestyles. However, we must look for standards and common technology, and we must provide continual, evolving awareness to our user communities. We should set expectations and controls -- where we can -- to help transparently integrate new security measures to minimize these new risks. We must prepare for this now and educate ourselves and our users.
Cross-posted from Information Security Magazine