We have to admit: We’ve lost the argument

This week I was invited by my friends at ISFL (Information Security for London) to give a talk to their members forum. The particular topic of interest was organisations’ loss of control over what endpoint devices are used, with a natural focus on the unstoppable use of i-devices to access corporate data. This is a natural bedfellow of the Cloud discussion to my mind. Cloud will (when it turns up) deliver applications via a browser and, given that you can access the web via any manner of things these days, this is therefore a worry. People can now access data via phones, tablets, Wiis and TVs, as well as the more traditional approaches, and the mobility argument means that this can’t (to a degree) be discouraged.

Bluntly chums, we’ve lost the argument as IA professionals. We argued for years about controlling who can access the network, and having sat and watched a CIO from a government department working on his iPad the other week (I would suggest it was not standard corporate issue) or talked to any number of security officers giving up the fight against Android and other devices accessing corporate networks, we need to recognise that we cannot stem the tide of unauthorised devices. Our American friends coined the term consumerisation – the use of user-purchased consumer devices as opposed to the crappy mobiles we get given when we start our jobs. They are here, and they are now, and they are not going away.

So what are we going to do about it? If the C-level team wants to use iPhones, and the sales director likes his iPad, we’ve got to deal with them now. And oddly it requires a technology that for a long time has been the poor relation of the security vendor kit-bag: NAC (Network Access Control). For years it’s been pitched, only for people to go ‘mmm, that’s nice, but I can’t see the business case / I’ve got no money’ etc. Well guess what? Now it’s going to become key. You can’t stop people using these rather groovy devices, but you can prevent them connecting if they don’t have a secured OS, have AV that’s not patched, or are riddled with viruses.

It’s time to admit we lost the battle, but we still retain the ability to win the war. Onwards and upwards my friends!

PS And a big thank you to Matt Smith, Ben Fountain, Dave Sifleet and Bruce Thomson. Well done chaps, it’s a valuable thing you do, and as ever I’m 100% behind you.

About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in Cloud Computing, Efficiency, Security, Sophos, Spam, Viruses.

2 Responses to We have to admit: We’ve lost the argument

  1. Sophos, I found your article interesting as the non-business devices you mention are causing a lot of disruptive innovation and much debate inside IT organizations.

    Inside the Intel IT organization, we had to work for over 12 months with Human Resources, Legal and IT Security to put the necessary safeguards in place to support enabling access of an increasing number of consumer devices to our network.

    We are finding some interesting employee productivity benefits by enabling consumer devices inside our enterprise. And it could be argued that by finding solutions to provide controlled access on many devices versus trying to prevent uncontrolled access on any device, that we may actually have a more secure environment by enabling IT consumerization than if we didn’t.

    So, I’m not sure who loses the argument when the real discussion should be in finding a win-win solution by “Maintaining Information Security while Allowing Personal Hand-Held Devices in the Enterprise”.

    You may find this IT@Intel whitepaper on this subject interesting. http://bit.ly/dfewQz

    Chris

    • Chris

      Thanks for the reply, and it points to the future as far as I can see. The main thrust of my argument is that as IA professionals we’ve spent years trying to stop this, but it’s happened anyway. It seems Intel’s approach is the next logical step, which is to go with it, but do it in a controlled fashion. One wonders how many organisations would have the same patience and resources to do the same thing though? How many will just implicitly accept it is a fait accompli by casting a blind eye on the topic, only to get into all sorts of trouble when it goes wrong?

      Graeme
