Can We Agree to Disagree, Part III
Welcome to the final installment in our three-part point-counterpoint series. In the first two posts, Unisys executives Nick Evans and Roberto Tavano debated “how much security is enough?” and “should security be offensive or defensive?”
Today we close out the series with this question: “WHEN IT COMES TO MOBILE DEVICES, SHOULD THE IT DEPARTMENT SECURE THE DEVICE, THE USER, THE APPLICATION, OR THE DATA?”
Nick’s answer: “All of the above.”
Roberto counters with: “Forget the device. Secure the user.”
When you are done reading today’s debate, tell us how you think we should secure mobile devices. What’s your counterpoint? How is your organization dealing with the growth of mobile devices in the workplace? Please share your thoughts and ideas in the comments section.
And then one extra question that we’d like to pose to you today: Did you enjoy the point-counterpoint series? Would you like to see more of these? And if so, what topics? Let us know.
NICK EVANS: All of the Above.
Nick Evans, Vice President and General Manager
Office of the CTO
The textbook approach to this is called a defense-in-depth approach, where there are multiple levels of security. And when it comes to mobility, you can definitely take the same approach. You should set multiple security levels around the user, at the application level, and at the data level, and take measures to secure the device – such as remote wiping, if it’s lost or stolen.
Throughout the industry, we’ve seen organizations focusing on one level, and then extending that security with controls on additional secondary areas.
User authentication, through conventional security measures or more innovative means like biometrics (think facial, voice, palm or gesture recognition), is the most definitive way for an organization to maintain proper security protocols amidst a growing wave of consumerization.
The upside is that with the ubiquity of consumer devices, intrinsic biometric authentication using the built-in capabilities on the device can provide a higher level of authentication and authorization than was available previously.
Next come the additional layers of security. For example, take application management. Businesses have begun adopting popular concepts from consumer technologies, such as the “app store” model, in order to deal with the growth of mobile applications and end users’ need for business productivity.
In other words, companies are deploying their own internal app stores that feature a list of company-approved apps, making it easy for users to find and install the apps they need without having to send a request to IT. This also eases the deployment of these apps for IT.
In addition to securing the user and better managing application delivery, organizations that control their in-house application development are beginning to shift their focus to securing the applications themselves. Security has become an integral part of the overall platform that not only secures the device and the application, but also manages the application life cycle.
Lastly, you need to secure the data, which is what all this security is about anyway. The cost of mobile devices continues to fall. And frankly, even if the device costs a couple of hundred dollars, that’s an inconsequential loss compared to the cost of losing the data on that device, which could be proprietary or sensitive. An organization’s main focus should really be securing that data and putting systems in place to track or stop potential threats.
So at the end of the day, all of the above means: multiple layers of security providing a robust defense-in-depth approach to protect your data through strong authentication, better application management and deployment, intrinsic security within the applications, and more.
ROBERTO TAVANO: Forget the Device! Secure the User.
Roberto Tavano, Vice President of Global Security Sales
Technology, Consulting & Integration Services
In a security context, the very mobile device should become irrelevant. Let me re-phrase the concept with a hyperbole: you should consider it disposable; something that will get lost or stolen. But, then, who would care about the device itself as long as you have eliminated the possibility of a security breach originating from that device? This new concept will be upsetting for some in IT who have built careers around securing devices. But essentially, the devices are worthless when you protect the data and can prevent connectivity.
So how do you secure a device that can connect to sensitive information from anywhere in the world? It comes down to balancing all elements into a comprehensive defense strategy that allows flexible, adaptive solutions. Users need to feel that their data is secure, without having to jump through hoops to get it.
You won’t create an adaptive defense strategy overnight; you’ll need to have good business processes and inherent security in place, whether it’s around data, the user’s devices, or the applications. But sticking to a piecemeal approach with your security solution will leave room for weaknesses and vulnerabilities. Every day it becomes clearer that user identity will be recognized, eventually, as the pivot around which all security architectures will yield their maximum potential.
The reality is it’s still extremely difficult to construct a proper security protocol that encompasses all of the digital avenues your employees will use to remain productive and your end-users to operate effectively to their full satisfaction. Currently, we end up using surrogate solutions like hot tokens, which provide some security, but also pave the way for new types of threats.
It’s a delicate balance of all these components, and personally, I would consider the device itself as the least important. Focus on user authentication – get that right, make it solid, and you will have achieved an optimal approach to risk mitigation.