Analysis: Security endpoint access concerns are misplaced

Shifting the security gateway is inevitable, says Galen Gruman

I've been talking to many IT executives in recent weeks at various conferences, and I'm finding a curious bifurcation among them when it comes to how they handle mobile devices such as iPhones, iPads, and Android smartphones and tablets. Some have the attitude "people can bring whatever they want, so long as the devices support our security policies," while others take the "I'm very leery of how these will compromise my organisation's security if I let them in" position. Yes, people in IT – many of them, in fact – still register the fear reaction to the new smartphones and tablets whose usage has exploded in recent years. I'm shocked at one level, but not at another. I'm shocked because any organisation that truly has its security threatened because there are iPhones in the building has much bigger problems than any single device: it has fundamentally insecure IT operations that haven't acknowledged that the idea of a physical perimeter is long gone in this era of wireless communications and heavy use of outsourced services and contract employees. No device should have unchallenged access to sensitive information just because it is in the building, and the notion that security measures would let new devices right in is an absurd one. I don't believe most of these companies have any basis for their fears. After all, they use virtual LANs, VPNs, permissions-based access, and the like already, and iOS and Android devices have no secret ways to blast through those. If a file server or database requires a password or other credential to gain access, that applies to mobile devices just as it does to PCs and remote computers.

The outdated basis for IT's fear of mobile devices

The fear is typically based on another belief: people will be able to put information on their mobile devices and spirit it out of their organisations. Well, duh – employees have always been able to do that, using handwritten notes on paper, photocopiers, recordable CDs, email forwarding, USB thumb drives, remote access, FTP sites, laptops, and the like. The fact that an iPhone too can act as a storage device is just more of the same. The fear centres on endpoints, and it misses the purpose of security. IT should be securing systems and data, not trying to control endpoints. There are simply too many endpoints, and trying to confine this expanding universe will only lead to hugely wasteful and ultimately ineffective efforts. Think of the hullabaloo five years ago over the need to secure laptops; now ask yourself if you actually spent all the time and money required to do so as recommended by security vendors, or if you quietly stopped. If people shouldn't have access to data or shouldn't be able to store it locally, that control should reside at the data level. If IT has to retroactively control the data once it gets to an endpoint (a PC, a smartphone, an email message, a piece of paper), it is already too late.

But IT grew up with an endpoint mentality, starting with its roots in mainframes more than 50 years ago. Those computers were hugely expensive and fragile, so only a few people had any access to them. Their data was also confined to a handful of people, and the number of endpoints was limited and thus controllable. That ingrained mentality is why I am not shocked that the endpoint control impulse persists. The number of endpoints, though, began to expand in the 1980s when the first PCs were placed in businesses. Suddenly, there were computers that IT (then called MIS or data processing) didn't control.

I remember the fears of IT back in those days, but also the liberation that businesspeople experienced when they no longer had to beg at the altar of IT to get the information needed to do their jobs. Guess who won? The endpoint control mentality should have died then, but it did not. IT latched on to the client/server notion as a way to convert PCs back into dumb terminals. It sort of worked, at least enough for the endpoint control mentality to stick around. In the early days of PCs, they were expensive, so they could be justified only for a limited number of staff, and the notion of email outside of universities and defence agencies didn't begin to take hold until the late 1980s. By the mid-1990s, pretty much all white-collar workers had PCs and email, but the notion of endpoint control remained, because these computers were in offices with limited connectivity beyond their business. In the late 1990s, however, laptops had become common and the internet was nearly universally available. That's when IT notions of endpoint control should have died. Instead, they remained, despite the obvious disconnect and all the stories of laptops and CDs containing sensitive information being lost or stolen from someone's car – showing the futility of IT's approach. Then the iPhone debuted in 2007, doing to cellphones and BlackBerrys what PCs did to mainframes: making them obsolete. In terms of control, the cat was already out of the bag on the desktop, and now it was freed up in mobile.

Changing the control mind-set to be data-based

It has only been in the past year or two that this endpoint control mentality has begun to change. I know CIOs at several large, conservative, security-minded organisations that have stopped trying to fight the unwinnable war at the endpoints. They have moved back to controlling data at the source, using well-established technology such as certificates, encryption, permissions policies, and in some cases thin clients to manage the access. They've stopped worrying about this device or that device. If a device meets the policy requirements, and the user has the right permissions, the appropriate data access and usage are allowed; if it doesn't, the access isn't permitted. That device could be a home PC, a terminal at an internet café, an iPhone, a Xoom, or whatever. This necessary change in security thinking doesn't mean allowing a free-for-all. What it does mean is focusing on what you are really trying to protect – the data – instead of the endpoint. However, there are some features on mobile devices that can't be controlled via policies, or at least can't be guaranteed to be controlled. For example, most mobile devices come with cameras, which means they could photograph sensitive information and never be detected doing so. (Ironically, although IT can shut off cameras on iPhones and BlackBerrys, that control applies only to devices that are enrolled with IT; IT could conceivably turn off employees' cameras but not visitors'.) In a case like that, telling people to leave their devices at the door while in sensitive areas remains a legitimate "endpoint control" strategy, though it also is a data control strategy. Part of the permissions to access that physical location includes not having devices with you, just as it usually requires being accompanied by a chaperone or having the appropriate keycard to enter.

When you turn the fear into love
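The access model described above (policy attached to the data, a device judged by what it can prove rather than by what it is) is easy to state and easy to get wrong, so here is an added illustration in Python. It is not code from the article or from any product: the classification labels, role names, posture attributes and the "view" versus "download" split are all hypothetical, standing in for whatever a mobile-management or attestation service reports and whatever the data owner has decided. Note what is deliberately absent: the device make and model are not inputs, and unknown classifications and actions fail closed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Facts a management/attestation service would report about the endpoint.
    Make and model are deliberately not fields: the policy must not care whether
    this is a corporate Windows PC, a home Mac, an iPhone or a Xoom."""
    storage_encrypted: bool
    passcode_set: bool
    jailbroken: bool            # rooted/jailbroken: the platform's own controls cannot be trusted
    remote_wipe_enrolled: bool  # lost-device recovery is possible


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple  # why access was denied; empty when allowed


# Hypothetical classification policy (an assumption for this example): which roles
# may read the data, which posture facts the device must prove, and whether a
# local copy may be kept at all. Everything is keyed by the data, not the device.
POLICY = {
    "public":       {"roles": None, "posture": (), "local_copy": True},
    "internal":     {"roles": {"employee", "contractor"},
                     "posture": ("passcode_set",), "local_copy": True},
    "confidential": {"roles": {"employee"},
                     "posture": ("passcode_set", "storage_encrypted", "remote_wipe_enrolled"),
                     "local_copy": True},
    "restricted":   {"roles": {"finance"},
                     "posture": ("passcode_set", "storage_encrypted", "remote_wipe_enrolled"),
                     "local_copy": False},   # may be rendered on the device, never stored on it
}


def decide(principal: Principal, device: DevicePosture, classification: str, action: str) -> Decision:
    """Evaluate one request. action is 'view' (render remotely/on screen) or
    'download' (keep a local copy). Anything unrecognised is denied."""
    rule = POLICY.get(classification)
    if rule is None:
        return Decision(False, (f"unknown classification {classification!r}: fail closed",))
    reasons = []
    # 1. Who: the permission is attached to the data, not to the endpoint.
    if rule["roles"] is not None and not (principal.roles & rule["roles"]):
        reasons.append(f"user {principal.user} lacks a role in {sorted(rule['roles'])}")
    # 2. Platform integrity: a jailbroken device cannot be trusted to enforce any posture claim.
    if device.jailbroken and classification != "public":
        reasons.append("device integrity compromised (jailbroken/rooted)")
    # 3. What the device must prove, whatever it happens to be.
    for fact in rule["posture"]:
        if not getattr(device, fact):
            reasons.append(f"device does not satisfy posture requirement: {fact}")
    # 4. Local-storage control lives with the classification, not with the endpoint.
    if action == "download" and not rule["local_copy"]:
        reasons.append(f"{classification} data may be viewed but not stored locally")
    elif action not in ("view", "download"):
        reasons.append(f"unknown action {action!r}: fail closed")
    return Decision(not reasons, tuple(reasons))


if __name__ == "__main__":
    # Constructed sample inputs: a managed phone and an internet-cafe terminal.
    managed = DevicePosture(storage_encrypted=True, passcode_set=True,
                            jailbroken=False, remote_wipe_enrolled=True)
    cafe = DevicePosture(storage_encrypted=False, passcode_set=False,
                         jailbroken=False, remote_wipe_enrolled=False)
    alice = Principal("alice", frozenset({"employee", "finance"}))
    bob = Principal("bob", frozenset({"contractor"}))
    for who, dev, cls, act in [(alice, managed, "restricted", "view"),
                               (alice, managed, "restricted", "download"),
                               (bob, cafe, "internal", "view"),
                               (bob, cafe, "public", "download")]:
        d = decide(who, dev, cls, act)
        print(who.user, cls, act, "ALLOW" if d.allowed else "DENY", *d.reasons)
```

Two points of the design are worth calling out. First, the same managed phone that may view restricted data is refused a download of it, because that control belongs to the classification and travels with the data; no amount of device configuration changes the answer. Second, the internet-cafe terminal is not rejected for being an internet-cafe terminal: it is rejected for the posture facts it cannot prove, and it can still read public data. Whether a real deployment should also check OS version, patch level or certificate-based device identity depends on the organisation; the structure stays the same.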

Those organisations that have abandoned endpoint control all tell me a similar story: IT is freed from a lot of busywork, costs go down, and employees are happier. When IT allows device heterogeneity, it enters into a different compact with employees. Usually it works like this: the company issues Windows PCs as standard equipment and, for certain positions, BlackBerrys, iPads, and/or iPhones. Employees can bring their own PCs, including Macs, and their own smartphones and tablets. They can run their own software, as well as get reimbursement for company-preferred or standard software. But they're responsible for their own tech support and for ensuring whatever they bring in supports the IT security policies. As long as those policies aren't secretly designed to force the use of certain products, but instead address legitimate security requirements, this works. Even with thousands of users, IT finds itself doing a lot less endpoint troubleshooting. Employees whose jobs don't require specific equipment get a sense of personal empowerment and enablement, creating or augmenting a culture that says outcomes matter more than process. Naturally, some processes matter in and of themselves, but think about how few processes actually depend on specific equipment, or even on specific software. Costs go down at several levels. IT has less to manage at the endpoint, where service delivery is the most expensive. You can't get rid of all management costs – after all, the network and datacentre and databases need to be managed so that the endpoints can appropriately access them – but you can get rid of a lot, especially related to support. Many companies have also found they get big cost reductions by not issuing smartphones or paying for data plans. Instead, they give employees a stipend based on their role (and thus their need for mobile data access).

Many don't even pay for the device, figuring people would buy one for personal use anyhow, so the device is becoming like broadband access at home: a required personal investment. All of this means employees are now policing their own use, and the company is no longer in the "check on the carriers" game. All in all, the shift to heterogeneity is easy to embrace, once you get past the endpoint control mentality. Companies have successfully embraced diversity in people, in geography, and in work processes. Now it is time for heterogeneity in work devices.

Galen is executive editor for features at InfoWorld
