Controlling the Consumer
Information Technology is radically changing. We can wrap it in terms and buzzwords like cloud, mobility, BYOD, Web 3.0, but the reality is both the sum of and more complex than the names we give it. IT is no longer in the hands of the professionals. It’s not just the devices but all aspects: the networks, the software, the services, and the infrastructure have become so ubiquitous and cost-effective that any individual can own and manage their own IT.
As information security professionals, how can we bring any safety or security to this explosion of IT? It’s not as bleak as it sounds. Just as the current environment is the acceleration and combination of directions and trends from the past, so our existing tools and controls provide a basis to manage this new world. Don’t go looking for one technology or process to solve the problem, because there isn’t one. We must be as flexible and agile as the industry.
I was securing mobility back when it was called remote access, and none of the fundamentals have changed since then. It’s still a determination of which services to provide, how to manage authentication and authorization, and how to monitor the subsequent access. The complexity comes as we can’t simply rely on a single aspect of the IT infrastructure to provide all the control. There are too many use cases to rely on one; we must understand them all.
Don’t limit your thinking to how you control the corporate environment. Look beyond device control and go back to the network. How can modern gateway devices protect the services you’re pushing to your users as well as protect those publicly facing services from attack? Who knows, even Network Access Control may come back from the dead. Look beyond device control and look forward to the applications and data. Why try to control the whole tablet when all you care about is that one application that connects to your proprietary information?
The points of control still exist even if the infrastructure is contracted out to another company. Authentication is common across all services worth protecting. Logging is also common to all services. How does your contracted provider allow you to understand the accountability of authentication? Who looks at the logs and what is done with that information?
The fundamentals of security are sound. We can use our mastery to implement these tools in innovative ways to continue to secure Information Technology no matter how it changes. Take a breath and break down that new business methodology into its component parts and you may find out that you’ve secured those pieces in the past.