BreachExchange mailing list archives

Building the security bridge to the Millennials


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 11 Feb 2014 18:22:33 -0700

http://www.networkworld.com/news/2014/021014-building-the-security-bridge-to-278617.html?source=nww_rss

President Bill Clinton talked about building a bridge to the new
millennium. With that bridge now 14 years in the rear-view mirror, the
challenge for enterprises is to build a security bridge to the Millennials
who are flooding the workplace.

By now, the list of the "totally connected" generation's employment
expectations is familiar:

- Universal access to high-speed networks.
- Freedom to use multiple devices -- smartphones, tablets, eReaders and
more -- to access and share both personal and corporate data, anytime and
anywhere. Oh, and they want to use their own devices, not the company's.
- Freedom to use personal apps for work.
- Intuitive design of apps, so no training is required.
- Flexible hours and locations. What's the problem with finishing the
report at home at 2 a.m., instead of in a cubicle between 9 and 5? What's
the problem with working with colleagues online or face-to-face --
whichever is most convenient?
- No significant separation between "work" and "life."
- The use of social networking to collaborate.
- A seamless user experience on their phones, without cumbersome security
limits imposed by IT.

It all sounds like a productivity dream, undercut by a potential security
nightmare. The attack surface of multiple personal devices that comingle
personal and corporate data would appear to be both wide and deep.

But experts say employers can and should -- must -- embrace the
productivity without jeopardizing security, with a combination of
technology and accountability. It's just that there are varying opinions on
what the right combination is, and what is involved.

Nick Stamos, CEO of nCrypted Cloud, invokes a religious -- actually,
non-religious -- image. "The enterprise needs a network-agnostic,
device-agnostic, app-agnostic approach," he said, adding that the corporate
network that employees use, "should be considered untrusted, and open to
anyone onsite."

Stamos rejects Virtual Private Network (VPN) connections, arguing that only
SSL (Secure Sockets Layer) connections should be allowed to any corporate
systems.

"Login to all corporate systems and data should be controlled through SSO
SAML 2.0 (Single Sign On, Security Assertion Markup Language) integration.
Where possible, multi-factor authentication should be required," he said.

But Chris Moyer, global chief technologist, HP Enterprise Services, argues
that while "VPN used to be a 'nice to have,' it's now a 'have to have' for
any organization that wants to keep its employees satisfied, productive and
secure (because) many of the systems developed in the past do not have
enough data segregation or role-based access built in."

But "data segregation" appears to be a key goal for the future. Another
theme from experts is that enterprises need a mobile device strategy that,
"focuses less on the device and more on applications and data. That will
provide the enterprise with the security that it requires while giving
workers the freedom and flexibility that they want," according to Dan
Dearing, vice president of marketing, MobileSpaces.

Dearing said while there are numerous Mobile Device Management (MDM)
vendors who provide plenty of security features, they tend to, "fall short
when it comes to employee productivity and satisfaction, often changing the
user experience and limiting application use to just a few dozen apps in
their proprietary ecosystem."

The solution to that, say Dearing and others, is "containerization," which
separates work and personal apps and data and thereby prevents enterprise
data leakage and ensures employee privacy.

Done effectively, that allows employees to use any device for work and
allows the enterprise to control access to its apps and data, including the
ability to wipe them without affecting the employee's personal data or apps.

The best version of that, so far, according to Rich Mogull, analyst and CEO
of Securosis, comes from Apple's iOS7. In one of a series of blog posts
that are being combined into a research report to be released Feb. 10,
Mogull wrote that Apple's latest mobile operating system takes, "an active
role in mediating mobile device management between the user and the
enterprise, treating both as equals.

"We haven't really seen this before; even when companies, like Blackberry,
handle aspects of security and MDM while also treating the device as
something the user owns," he wrote.

What that means is that Apple is selling different models of devices,
depending on whether they are for BYOD or for the enterprise.

"In BYOD, users own their devices, enterprises own enterprise data and apps
on the devices, and the user experience will never suffer. No
dual-personas. No virtual machines," Mogull wrote, adding that this also
means users don't have to worry about exposure of their data to the
enterprise.

With enterprise-owned devices, "the enterprise controls the entire
provisioning process, from before the box is even opened," he wrote. And
when the user does open the box, "the entire experience is managed by the
enterprise, down to which setup screens display."

Others agree that iOS 7 leads the pack in this area. MobileSpaces' Dearing
said other major vendors have not yet provided that level of separation.
"Google has not provided similar support and has instead let the handset
vendors such as Samsung solve the problem," he said. "Unfortunately, that's
created a highly fragmented approach to mobile security that makes it
difficult for IT to predict the security posture of an employee's Android
device even if it is a Samsung device."

"Apple BYOD gets it right," said nCrypted Cloud's Stamos. "It's about the
data, and he who owns the data controls the data. Employees are trustees of
corporate data, and when their tenure ends, they lose access. Clean and
simple."

The cloud is also expected to play a role in maintaining security in an
"always connected" corporate world.

"Using cloud infrastructure eliminates planning guesswork since scale is
automatic," Dearing said, "because there is no software or hardware to
install and manage in the datacenter."

He added that datacenter overhead can be eliminated through the use of
cloud-based services such as Google Apps, Salesforce and Box. "But a note
of caution -- most security containers do not permit the flexible use of
these services," he said.

Stamos calls the cloud "the Wal-Mart of IT services. It allows companies
to specialize and bring huge saving of scale and cost to end users and
business."

And use of it is, essentially, mandatory, he said. "There is no choice.
Anyone who doesn't want to get onboard the train, will simply get run over
by it. Just remember 'ETC ETC': Embrace The Chaos, Embrace The Cloud."

But he and others say enterprises need to manage their use of the cloud
with security in mind. "Legacy applications should be located in hardened
data centers, and isolated from employee network. No direct connection
should be allowed, apps should be published in Citrix or VDI (Virtual
Desktop Infrastructure) solutions," he said.

"All corporate data at rest on any computer or devices should be encrypted
on local device storage, classified, with full DLP (Data Loss Prevention)
instrumentation and single click revocation."

Finally, there is the "human factor" -- the risks that employees bring to
enterprise data through carelessness, lost devices or simple vulnerability
to phishing or other attacks.

HP's Moyer said it starts with training. "Keeping employees up to speed on
emerging risks helps," he said. "Since Millennials are more technology
comfortable, they tend to like having a deeper understanding of how attacks
are initiated and will gladly share their knowledge with their communities
and co-workers."

Dearing said he conducted an informal poll among some of his daughter's
friends, who fit the Millennial profile. He said they all took security
seriously, "but sometimes for personal reasons, such as the protection of
their privacy."

According to one of them, "Your employees are your #1 security risk.
Two-factor authentication is a must for remote systems access (and) online
workplaces. Social networking if encrypted. It's not my emails I'm worried
about, it's the email addresses of all my customers."

But Stamos contends that employees, rather than being the highest security
risk, "are the key to solving the problem," if enterprises train them
properly. "When IT treats people as the weakest link, they behave that
way," he said.

"The only solution is an accountability based model, where employees have
the responsibility to protect the data and the freedom to share it as
needed. It's how our society works.

"We have a duty to educate our end users, give them the responsibility, and
hold them accountable for their actions," he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 