As I said in “The Seismic Shift in Security: Part 1 – The Increasing Value of Information”, we often fail to notice how our dependencies are moving from the real world to the digitally networked world. The next step in this evolution is the way that we are moving from a society where work is tied to a geography to one where geography has no meaning. It’s an evolution similar to how mobile phone networks transformed telephony.
The global network has moved from being geographically based to being mobile. Office workers no longer need to chain themselves to a desk in order to connect to their network, or jump through hoops to establish a poky remote connection. A speedy network is available to them wherever they are.
Data flow has also changed. We used to have to click our way through to the appropriate website, portal, or page to access or update information. Now the data comes to us whenever it’s been updated or when we need to pay attention to it. And we can act on it in real time, without having to navigate back to its point of origin.
These changes in how data flows raise three significant vulnerabilities that need to be addressed:
Mobile devices need both strong “end point” security and “identity authentication.” The devices should be monitored remotely by the organization. The information should be encrypted. Authentication should involve multiple factors, including biometrics (such as face, iris, fingerprint, or voice). Expect to see device and software vendors start to work on using the biometric as an encryption key (e.g., identity cryptography).
Apps that “push” information require a different approach to information assurance. This is where identity authentication plays a crucial role. Organizations need to be confident that the mobile device is in the hands of a person who has the authorization to see the information being pushed. This will take time to develop, but the principles of information assurance still hold strong (confidentiality, integrity, availability, non-repudiation, authentication, and now privacy).
Changes in work behavior and work location will demand more attention to securing information, no matter the location. This is not something that we in the IT security field can ignore or prevent. The economics are making these changes unstoppable. There are savings to organizations from not having to house so many workers in so many places. There are savings to workers in terms of travel costs (vehicles, fuel, insurance, expenses, commuting). And there are environmental savings to society from the decline in commuting and in national and global travel. Organizations must understand that they need to secure information at rest and in motion by encrypting it, monitoring its use, and locking down their increasingly dispersed infrastructure.
Part 3, the final chapter of this series, will focus on “Information Security and the Butterfly Effect”.