A few days ago I had the pleasure of being involved in a pretty interesting security discussion on Twitter. If you tuned into the middle of the conversation, it appeared to be about VPNs (Virtual Private Networks) and whether they were a valid way for a mobile app to connect back to the enterprise. The vagaries of Twitter's 140-character limit, plus the number of people in the conversation, meant it took a lot of tweets to get the point across. What was interesting, though, was that on one side of the argument you had a few security guys insisting that a VPN was the only way to get a secure network connection into the enterprise, while on the other side you had at least one security guy and a couple of mobile guys stating that it wasn't the only way and certainly not always the best way. Once you got past the "are you crazy?" and "what have you been smoking?" comments, you could see an age-old conversation going on. The crux of it is fought in enterprises every day, whether the subject is mobile apps or any other kind of app or computing: where does security belong in the conversation?
Let's start with my belief: everyone has some responsibility for security, needs to be aware of it, and should want to be part of the solution. That being said, I still need to be able to get my work done. I have dealt with security people in the past who looked at me and said "no means no," even after I explained that what I was doing was a requirement of my work and needed by the company. More often than not, when those situations arose, business trumped security and an exception was granted. The cost was a delay in getting my work done and a grumbling security person who had been over-ruled. It's not that I necessarily disagreed with the stance; it's that the stance didn't take in all of the business objectives, just the one that says all data and computers must be wrapped in the same plastic shells that electronics come in, you know, the ones you can't get open unless you have a machete. The problem with this approach is that when you wrap the emergency supplies and the machete in these hardened cases, you can't get them out of the package when you need them. The good news is you kept the data safe; the bad news is that no work got done. This is an experience the business relates all the time.
The opposite viewpoint is that of the security professional who lives through the malware and attempted intrusions every day and just wants to do their best to keep the company's assets safe and secure. They look at the users as the offenders. They know someone is going to click on the phishing attempt or follow the malware-infested link. To them it isn't even a probability but a certainty. When it comes to mobile it is ten times worse. People lose their phones, leave them on tables, use public Wi-Fi and basically do everything they can to compromise the organization, albeit unwittingly.
So what's the solution for a user on a mobile device who needs to connect back to the mother ship with an app to be productive? According to most security professionals, end users must only use secure communications, and the only way to do that is with a VPN connection. You can't trust the developers to build a secure app, and you can't expect the app to connect back securely without a VPN, because how would a developer know how to do that in the first place? VPNs are tested by other security people all the time, as well as by the public. We know developers don't do any of that with their apps, so why should we trust them?
The security people believe they know security better than anyone else, so why are you even bothering to argue with them? You know what, they're right! They do know security better than everyone else, but part of their job has to be educating all those other people. They have to be willing to step up in this new world of the IT-ization of the user and impart their knowledge, not just to the end users, but to take that extra step and share it with developers. You see, the developers look at the security guys and assume they want to create hoops and roadblocks that developers must jump through, breaking their app in the name of security, without caring how the app works.
What the enterprise needs is a culture where the bickering stops. People need to stop putting up red lights to progress and productivity and learn to enable end users. Everyone throwing their hands up and building insecure apps on unsecured devices doesn't accomplish this either. It happens through the Business partnering with IT, Development and Security to make things happen. You move from a culture of bolted-on security to baked-in security. The Security team partners with Development to build secure frameworks for apps that any developer in the company can use. Security is there in the requirements phase of the project and from the beginning of the development phase. They help the developers understand which security aspects follow from the business need and the app being built, and work with them to build that security into the app. They take the lessons learned from each app and work with the developers to codify them into a framework that both sides can use moving forward. It creates a common language and library that everyone can work from.
When a user's app needs to connect back to the enterprise, a VPN connection is one part of that framework that can be used to secure the communications, if it is the right solution. On the other hand, if it is too heavy-handed and exacts a toll on the user experience, that makes it a less than optimal solution, and there are other secure methods of carrying the same communication. By partnering with IT and Development, Security will have built a toolkit where, based on the app scenario, the right tool can be brought to bear on the problem, producing the best solution for everyone with minimal fuss.
It's always nice to look at our world in black and white, but it only takes one pair of rose-colored glasses to realize that we truly live in a Technicolor world.