The eroding enterprise boundary

Lock Down and Open Up

Businesses today function effectively only when the organisation supports effective collaboration between its staff and external parties, wherever they may be situated. Such is the nature of routine operations that they depend on complex interactions between people and their supporting IT systems that spread far beyond the IT firewall and, indeed, the business itself. Clearly this nature of working has profound implications for those charged with securing the operations of the business and the IT systems they use.

It is also undeniable that the pressures inherent in modern business, especially the demand to respond rapidly to quickly fluctuating market conditions and customer expectations along with the need to work closely with third parties, are stressing IT security – this can manifest itself in individuals looking to circumvent security mechanisms just to get the job done. However, this is symptomatic of an increasingly visible factor that is placing further tension on securing systems, which can be summed up as the ‘expectations of people’. It took me many years of interpersonal training to use the noun ‘people’ or ‘customer’ instead of the, perhaps more pejorative, ‘user’.

As has already been mentioned in an earlier article in this series, people are far more mobile than ever before and, unlike in the distant past, say two or three years ago, they now expect to be able to access all the IT services on which they depend from almost any location, be it the home office, hotel bedroom, airport lounge, train, bus or coffee shop. With security threats persisting, and economically motivated threats actively growing, IT increasingly needs to manage every device its people use, especially those who are mobile or working from outside the enterprise firewall.

The need to manage the security of devices, coupled with the inherent expectation people have that the device ‘belongs to them’, creates challenges. This becomes very apparent when one looks at some of the results from a Register reader study we conducted last year, outlined in the figure above. Even amongst IT staff, security is by no means taken ‘seriously’ by everyone, and when we look at the general workforce it is evident that both IT security awareness and overall attitudes leave a lot to be desired. Perhaps most worryingly of all, it is evident that IT security related training, usually regarded as the most effective means of raising security, is not readily available in four organisations out of five. If we are expecting the people in our organisations to become their own security administrators, can we honestly say we are giving them the knowledge and tools they need for the job?

The same can be said of how to balance opening the corporate boundary for remote/mobile staff and partners alike whilst ensuring the security of service provision. Such efforts have seen only limited success, despite the work of more progressive industry consortia such as the Jericho Forum. It is no easy challenge of course – the current thinking is to treat internal systems and networks as if they were connected directly to the Internet, which is sound in theory, particularly given that threats are just as likely to be propagated from infected personal equipment. However, this can be very difficult to carry out in practice.

So just how can the balance between ‘locking down’ and ‘opening up’ be safely achieved? Well the first step is to ensure that the organisation has a policy in place that states, very clearly, that all corporate IT equipment will be managed by the IT department (or whosoever is providing the device management service). It should also explain why and exactly how the management of the devices will be achieved along with stating the responsibilities of the user of the device in the process.

Corporate IT security policy should also scope precisely what, if any, ‘freedom’ the user shall have to personalise a device and how this can be achieved without negatively impacting security. Such policies can work closely with procurement, to ensure maximum flexibility without increasing risk; they can also specify what minimum necessary security requirements and policies are to be imposed on corporate and employee-procured equipment, whether they are connected directly to the LAN or onto the Internet.

Our research has shown that, for routine security to be effective, formally training the users of systems, especially those making use of mobile devices, in how to operate securely is the most effective measure that can be taken. Clearly machines need to be patched in line with the software providers’ directions, and all necessary end-point security tools need to be installed and kept up to date. But it is also important that behavioural patterns be taught that reduce the potential for machines to become compromised or for data to be lost or stolen. ‘Communication’ is the key.

In the longer term it is likely that new solutions, especially virtual desktop systems that hold all data centrally, or the routine encryption of locally held information, will enhance security whilst allowing more scope for individuality. But until everyone treats security with the respect required, there will be a need for ongoing education of every business user of IT systems to raise awareness of security concerns and of how easily security can be compromised, whether by accident or by design.
