Moving from the car with 1000 bumpers
Many of the security issues we see with desktops and laptops today can be explained by the fact that such end-point computing devices were never designed to be connected together. It was only with the arrival of affordable network cards, then operating systems such as OS/2 and Windows 3.11, that PCs could be connected to the corporate LAN.
Since then, we’ve seen wave after wave of security issues as first smart-Alec students, then malicious hackers, then commercially motivated practitioners of the dark arts devised increasingly complex attack vectors. From the earliest email-borne computer viruses to the kinds of breach we see today, each wave also caused a protective response from security companies.
While nobody would suggest switching off all the protections that are in place today, most would accept that things would happen differently if they could start from scratch today. PCs have become like a car with a thousand bumpers – while protected against every possible potential risk, they need to carry around all that extra shielding.
How could things be done differently? To continue the automobile analogy, we can look at how cars are designed today and maybe take a few leaves from their book. First of all, they are actually designed to absorb impact, not prevent it. Crumple zones on cars ensure that the physical vehicle takes the hit, rather than the people inside it.
We can see this approach being adopted more on mobile devices and with cloud-based applications – with which it’s the data that matters, not the device. With features such as access protection, cloud-based storage and remote kill, it is less of a risk if the device gets lost or stolen.
Similarly, it’s illegal to drive a car without an insurance policy. In practical terms, this means that risks have been assessed across all parties, then protection costs shared, based on understanding the consequences of an accident. In computer terms this comes back to the data – focusing on the consequences of a data breach and the cost of remediation.
These may be early days particularly for data classification, which is a fundamental element of planning for data breaches (put simply, if you don’t know how important each data type is, you won’t be able to decide what to do should it be compromised). But one thing’s for certain, a model based on prevention alone is going to be less and less appropriate as mobile devices continue to proliferate.
We might not be able to relive the past. But moving to a model that assumes things will go wrong, and acts accordingly, offers a better starting point for the future.