Published: 07 Sep 2010
Point: Marcus Ranum
Some companies are apparently adopting a policy of allowing employees to do their computing work on personal devices -- a trend that, I suspect, is a result of mainstream IT departments not being quite sure how to accommodate their growing user-base of Apple Computer addicts. Our industry appears to be of two minds about this topic: on one hand, we're worried about data leakage; and on the other, we take steps to make said leakage as easy as possible.
I was on a conference call last week, in which a senior technical executive asked me if I had any suggestions for what kind of data leakage system could be put between their Exchange server and their BlackBerry users to detect and block attempts to export sensitive data. As our conversation continued, he said, "Of course, these are corporate-issued BlackBerries. So at least we can do remote-wipe in case of loss." I was struck dumb for a second, trying to sort through the inherent contradiction in simultaneously giving employees a tool for exporting data from the safety of the corporate WAN, and worrying about data leakage. It seems silly -- like giving a teenage boy a BB gun and expecting nothing to get shot full of holes. And, apparently, some companies are doing the full monty and encouraging employees to bring to work whatever IT gear they want and use that.
I think that all this new technology is great -- heck, I even think all you tweeters, Facebook and MySpace users are cute. It's important to know the mundane details of your life and your important marketing messages -- but what I absolutely do not want to hear is your managers scratching their heads five years from now and saying "Why can't we keep our data from appearing in weird places?" One thing I can predict for sure is that in another five years, customers will be complaining that data leakage products don't work. From my long-term viewpoint, the trend-line looks like: 1995) install firewalls; 1996) punch big holes through them; 1997) announce "firewalls are dead"; 1998) install intrusion detection systems; 1999) turn off all the signatures; 2000) announce "intrusion detection is the pet rock of computer security"; 2001) install log aggregation systems; 2002) ignore them; 2003) complain that intrusion detection still doesn't work; 2004) worry about data leaking from the network; 2005--2010) give employees mobile devices; 2006--2010) give employees direct-from-desktop Internet publication capability via Facebook, Twitter, etc.; 2010) give employees control of their own IT -- when is it all going to sink in?
My father used to tell a joke about a married couple riding a tandem bicycle up a steep hill. They pedaled and pedaled and sweated and struggled and finally got to the top. The rider in front turned to the one in the back and said, "We made it! I wasn't sure we'd be able to do it!" And the rider in the rear said, "Yeah, I was on the brake the whole way, I was so afraid we'd roll backwards." Corporate IT's attitude toward security seems to be "Now that we've finished trying to do something smart, let's do something really stupid!" Except that, a lot of the time, we leave out the first part.
Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his website at www.ranum.com.
Counterpoint: Bruce Schneier
If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some of you will line up on the first day it's available.
So why can't work keep up? Why are you forced to use an unfamiliar, and sometimes outdated, operating system? Why do you need a second laptop, maybe an older and clunkier one? Why do you need a second cell phone with a new interface, or a BlackBerry, when your phone already does e-mail? Or a second BlackBerry tied to corporate e-mail? Why can't you use the cool stuff you already have?
More and more companies are letting you. They're giving you an allowance and allowing you to buy whatever laptop you want, and to connect into the corporate network with whatever device you choose. They're allowing you to use whatever cell phone you have, whatever portable e-mail device you have, whatever you personally need to get your job done. And the security office is freaking.
You can't blame them, really. Security is hard enough when you have control of the hardware, operating system and software. Lose control of any of those things, and the difficulty goes through the roof. How do you ensure that the employee devices are secure, and have up-to-date security patches? How do you control what goes on them? How do you deal with the tech support issues when they fail? How do you even begin to manage this logistical nightmare? Better to dig your heels in and say "no."
But security is on the losing end of this argument, and the sooner it realizes that, the better.
The meta-trend here is consumerization: cool technologies show up for the consumer market before they're available to the business market. Every corporation is under pressure from its employees to allow them to use these new technologies at work, and that pressure is only getting stronger. Younger employees simply aren't going to stand for using last year's stuff, and they're not going to carry around a second laptop. They're either going to figure out ways around the corporate security rules, or they're going to take another job with a more trendy company. Either way, senior management is going to tell security to get out of the way. It might even be the CEO, who wants to get to the company's databases from his brand new iPad, driving the change. Either way, it's going to be harder and harder to say no.
At the same time, cloud computing makes this easier. More and more, employee computing devices are nothing more than dumb terminals with a browser interface. When corporate e-mail is all webmail, corporate documents are all on GoogleDocs, and when all the specialized applications have a web interface, it's easier to allow employees to use any up-to-date browser. It's what companies are already doing with their partners, suppliers, and customers.
Also on the plus side, technology companies have woken up to this trend and -- from Microsoft and Cisco on down to the startups -- are trying to offer security solutions. Like everything else, it's a mixed bag: some of them will work and some of them won't, most of them will need careful configuration to work well, and few of them will get it right. The result is that we'll muddle through, as usual.
Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
Bruce Schneier is chief security technology officer of BT Global Services and the author of Schneier on Security. For more information, visit his website at www.schneier.com.