A few days ago I had the pleasure of being involved in a pretty interesting security discussion on Twitter. If you tuned into the middle of the conversation it appeared to be one that pertained to VPNs (Virtual Private Network) and whether they were a valid way of connecting to the enterprise with a mobile app. The vagaries of the 140-character limit on twitter as well as having quite a few people in on the conversation meant it took a lot of tweets to get the point across. What was interesting though, was that on one side of the argument you had a few security guys who insisted that a VPN was the only way to drive a secure network connection to the enterprise whilst on the other side you had at least one security guy and a couple of mobile guys stating that it wasn’t the only way and certainly not always the best way. Once you got past the “are you crazy?” and “what have you been smoking?” comments, you could see that there was an age old conversation going on here. The crux of it is fought in enterprises every day, whether dealing with mobile apps or any type of apps or computing, where does security belong in the conversation?
Let’s start out with my belief, that everyone has some responsibility for security and needs to have awareness and wants to be part of the solution. That being said, I still need to be able to get my work done. I have dealt with security people in the past that have looked at me and said no means no, even after I explain what I am doing is a requirement of my work and needed for the company. More often than not, when those situations arose, business trumped security and an exception was granted. The cost was a delay to me getting my work done and a grumbling security person for being over-ruled. It’s not that I necessarily disagreed with the stance, but that the stance didn’t take in all of the business objectives, just the one that said all data and computers must be wrapped in the same plastic shells that electronics come in, you know, the ones you can’t get open unless you have a machete. The problem with this approach is that when you wrap the emergency supplies and the machete in these hardened cases, you can’t get them out of the package when you need to. The good news is you kept the data safe; the bad news is that no work got done. This is an experience that the business relates all of the time.
The opposite view point on this is that of the security professional who lives through the malware and attempted intrusions every day and just wants to do their best to keep the company’s assets safe and secure. They look at the users as the offenders. They know someone is going to click on the phishing attempt or choose the malware infested link. It’s not even a probability to them but a certainty. When it comes to mobile it is 10 times worse. People lose their phones, leave them on tables, use public WiFi and basically do every thing they can to compromise the organization, albeit, unwittingly.
So what’s the solution to a user on a mobile device connecting back to the mother ship with an app to be productive? According to most security professionals, end users must only use secure communications and the only way to do that is with a VPN connection. You can’t trust the developers to develop a secure app, and you can’t expect the app to connect back without a VPN in a secure method because how would a developer know how to do that in the first place. VPNs are tested by other security people all the time as well as the public. We know developers don’t do any of that with their apps so why should we trust them?
The security people believe they know security better than anyone else and why are you even bothering to argue with them? You know what, they’re right! They do know security better than everyone, but part of their job has to be to educate all those other people. They have to be willing to step up in this new world of the IT-ization of the user and impart their knowledge, not just to the end users, but to take that extra step and be willing to share with developers. You see, the developers look at the security guys and assume they want to create hoops and roadblocks that the developers must jump through, while breaking their app, so that they can be secure, without even caring how the app works.
What the enterprise needs is a culture where the bickering stops. People need to stop with the red lights to progress and productivity while learning to enable end users. Everyone throwing their hands up and building insecure apps and using non-secure devices doesn’t accomplish this. This happens through the Business partnering with IT, Development and Security to make things happen, You move from a culture of bolt on to baked in security. The Security team partners with the Development to build secure frameworks for apps that any developer in the company can use. Security is there in the requirements phase of the project and from the beginning of the development phase. They help the developers understand what the security aspects are present due to the business need and the required app and work with them to building that security into the app. They take the lessons learned from each app built and work with the developers to codify it into a framework that they both can use moving forward. It creates a common language and library that everyone can work from.
When a user’s app needs to connect back to the enterprise, VPN connections are one part of the framework that can be used to secure the communications, if it is the right solution. On the other hand, if it is too heavy handed and exacts a toll on the User Experience, that makes it a less than optimal solution and, there are other secure methods of having that same communication. By partnering with IT and Development, Security will have built a toolkit where, based upon the app scenario, the right tool can be brought to bear on the problem producing the best solution for all around, with minimal fuss.
It’s always nice to look at our world in black and white…but it only takes one pair of rose-colored glasses to realize that we truly live in a Technicolor world.