Security pros should forget about addressing constant changes in their environment and instead work on ways to embrace cloud-based services, Web-based tools and consumer devices by reducing the risks they pose to the workplace.
To get security news and tips delivered to your inbox,
That's the central theme of next month's Forrester Security Forum, which will focus on "shifts" rather than changes that have transformed enterprises and are creating uncertainties among many security pros over how to secure the nuggets of data moving beyond company walls. The issue is more complicated than setting the right Web security policy or addressing cloud data security with a service provider.
"We understand that everything has changed -- that's a given," said Rob Whiteley, vice president and research director at Forrester Research Inc. "The point at which the conversation starts is no longer what we're tackling, but what we're doing differently to protect intellectual property and help mitigate risks that are being undertaken."
Whiteley said security professionals can't control the various Web-based technologies being used by employees and instead need to look at the issue through a risk-oriented approach as opposed to a security-oriented approach.
Cloud-based tools, services pose risks:
advises cautious approach to cloud computing services: While it could save money, many firms
should understand the security, privacy and legal issues when using cloud-based services.
Cloud computing security group releases report outlining trouble areas: The non-profit Cloud Security Alliance says its comprehensive report serves as the starting point for a broader discussion on cloud computing security issues.
Data has become too distributed to be protected at the same level, Whiteley said. For example, if data residing on employee BlackBerrys and iPhones or with Web-based service providers is not mission critical, then security may be able to relax some of its controls, Whiteley said. Security pros need to figure out what needs to be protected at all costs, and at the very least monitor the flow of data to understand what is moving beyond the company's walls.
"A security person would say we would protect the data at all costs," Whiteley said. "A risk-oriented person would say let's try to quantify the business impact of this data and then protect the data that is absolutely critical to our operations."
Ultimately what cloud computing does is begin to shift the company data around. IT security professionals have to consider more than just data encryption, Whiteley said. Data retention policies, data retrieval, data classification and traffic monitoring has all been transformed by the use of Web-based services. Data may sit in multiple service providers that have their own security policies. That point is only the back end of the problem, Whiteley said. On the front end, employees are running around with laptops and PDAs and dealing with multiple partners and contractors all amassing data on their devices as well, he said.
"Before you had a single stack from top to bottom with everything tightly coupled," Whiteley said. "Now in the cloud era, you've decoupled the application from its platform and its underlying infrastructure and you've sourced those all independently."
Times have changed, Whiteley said. In the past security teams had a lot of veto power when it came to allowing the use of consumer devices and social media websites. A younger workforce has translated into a demand for these new technologies that enable employees to become more efficient and productive. Today, security can't get in the way of innovation.
"We see that a lot of these social media and networking tools have a lot of value," Whiteley said. "The technology is evolving so quickly that it doesn't always make sense for companies to have a completely centralized procurement process. There's no way for them to keep up with the pace of innovation in the consumer space."
There are security controls that should be put in place to monitor the flow of data, to put virtualization technologies and email and content security tools to address the use of consumer devices, such as netbooks and iPhones. Companies are investing in these security technologies more aggressively, Whiteley said. But even more importantly, according to Whiteley, companies are starting to completely rework their acceptable use policy, he said. Acceptable use policies were fairly static in the past, but today there has to be much more modernization of those policies and much more awareness and user training.
"Mature organizations, especially in financial services, have been dealing with this forever; they just had very restrictive policies but they get how to go about this process," Whiteley said. "Now we see that all companies, regardless of industry and almost regardless of size, are having to revisit this, but at least we have a lot of best practices out there that companies can lean on."
Forrester is offering SearchSecurity.com readers a $405 discount off the standard conference rate for Forrester's Security Forum 2009. To register, call Forrester Events at 1-888-343-6786 and reference VIP Code SF9SSC.