Barn Doors

by Brian Katz on March 5, 2013 · 2 comments

Security, no matter where you look everyone is talking about it these days. Especially when you start looking at the mobile world. It has become one of the many buzzwords that handset makers are throwing out there in order to make it kosher for you to bring your device to work. It’s no longer okay to just sell you a phone or tablet, they want to incentivize you to buy it so you can participate in a BYOD program. They throw around words like secure containers, containerization (hmm…somebody went to marketing class and turned it into a verb), encryption, VPN, Secure Communication, EMM (Enterprise Mobile Management) and a whole host of other terms that of course make it okay to bring your device into work. They hit the IT and business groups in enterprises as well. They will send them whole white papers why this technology or the next are the best thing since sliced bread. The problem is that’s a just another whiff of the unicorn farts that we have dealt with in the past. It becomes awfully hard to avoid the giant unicorn pies that are laying in your path as you look at the next shiny thing.

Barn DoorsYou see, everyone likes to trumpet that mobile is insecure. Now that people are using their phones for work enterprises are in trouble. The apps that people are using are going to let out all of the confidential data that everyone has been storing for decades. It won’t be long until we all have the secret formula for Coke, the recipe for Kentucky Fried Chicken, or even worse the way that McDonald’s special sauce is made. These manufacturers and third party vendors need to throw this FUD (Fear out there so that they can then sell you on their wares. The dirty secret that nobody wants you to find out, mobile has nothing to do with it.

Mobile is just an amplification of all the insecure practices you and your company have been using for decades. Long before we even had computers, people used to use carbon paper so they could make copies of files as they were typed and they could take the home to edit. Along came copy machines and data became even easier to take home. People didn’t buy briefcases just to carry their lunch to work. They used them to make their work easier and carry it around so they could work on it when they needed to. Before it became passé, people use to lose their briefcases all the time.

We went from briefcases to desktop computers and floppy disks. If you had a computer at home you would just carry the floppy disks back and forth each night so you could work on it. Those gave way to zip disks (who remembers carrying a 100mb zip disk that was the size of 2 or 3 3-½ in disks) and then, of course, laptops became popular. You could take your work with you anywhere you went. The funny thing, laptops became popular long before whole disk encryption was even possible. What happened when you lost one of those? It all became moot a bunch of years ago when anyone and everyone had a flash drive. They started at 64mb and today you can get a flash drive that has a terabyte of storage on it.

You see, all these different ways of moving data around have existed forever and yet we still focus on the endpoint. We care about that app or that device that the app runs on. Mobile devices are insecure every vendor screams from the rooftops. App vendors start talking about encryption at rest, they encrypt the data while it’s on your device. If you are really lucky, some talk about encryption while in motion (let’s not get started on SSL, please, that’s not data encryption). These people all miss the point.

We have loads of technical debt that we have built up in our legacy apps that drive our organizations and enterprises. We spend all this time focusing on the endpoint that we never take the time to look at the data as it resides at the start point. We should be taking care of our data through its whole life cycle, you never really know where it’s going to end up or how it’s going to get there. Let’s start with the basics like encrypting our data while it sits in the data center. Let’s build identification and authentication frameworks on which we can then base access to that data. Let’s develop a system of encryption keys that are based upon identity that we can hand off to apps and devices as needed.

I know, it sounds really difficult. It used to be expensive too. There wasn’t enough bandwidth or people couldn’t afford the CPUs they needed to do things like encryption. In this day and age, where everyone is using virtualization and can spin up a new instance in seconds, can we really say we can’t do what’s necessary?

It’s much easier to worry about that endpoint. It’s also easier to sell endpoint solutions.  That works really well until that endpoint is a Dropbox folder that someone placed a critical document in, or a USB Flash drive they copied it to. There is no doubt I am over simplifying things here but if we aren’t willing to look at the basics how can we really sit here and worry about whether the device you are using is FIPS certified or whether it uses 128 bit or 256 bit AES encryption when you just emailed that data to your Gmail. You know, once the animals are already out, it seems awfully silly to close the barn doors.

{ 2 comments… read them below or add one }

benontech March 6, 2013 at 3:07 pm

Brian, You make some good points, but you fundamentally miss
the point about security and mobile. The mobility of the end point itself
changes the calculus when it comes to security.

Greater mobility requires greater security. We rarely had to
worry about desktop PCs being lost or stolen, so how we secured that device
focused much less on securing the data at rest on it or the device itself. When
Laptops became prevalent the increased mobility meant we need new security
tools and we saw the emergence of full disk and folder encryption. Now that we
have devices that fit in our pocket which have the processing power of laptops
but the mobility of a cell phone security is obviously a greater concern then
it was with laptops. Furthermore, IT departments have been locking down and
controlling Windows for two decades. The new mobile platforms are newer and
don’t have the same comprehensive toolset. Also, the windows operating system
itself has been “enterprised” over the last decade and a half, while mobile
platforms are by design “consumerized” all this adds up to real, genuine
security concerns.

I agree completely that vendors shouldn’t participate in spreading FUD, but
I think it is irresponsible to dismiss mobile security concerns as FUD (you are
also out of your depth saying that SSL isn’t data encryption). Yes, there will
always be new ways for data to exfiltrate the enterprise, but that does not
relieve corporate IT of the responsibility to secure it. Trivializing the new security
threats that come with a new era of mobility is done at your own peril.

Reply

Brian Katz March 6, 2013 at 3:29 pm

Ben –

Thanks for reading and your comment. I wouldn’t dispute that an endpoint should have basic controls that enabling securing it. The point you are missing is that just securing the endpoint without doing it from the start, when the data, your main asset, lies at rest in the company means you have already lost the battle.

Endpoint security should integrate the security that exists in the enterprise. If you wait until the data reaches the endpoint you have already failed. It is why people use Dropbox and flashdrives to do the exact same thing every day.

We spend way too much time worry about singular endpoints (types not individual devices) and we don’t spend enough time securing the whole system end to end. If you start from the beginning, where your data is located in the enterprise and build you security from there, it doesn’t negate endpoint security but give you the ability to securely manage your assets end to end and build a more comprehensive program.

This doesn’t mean the securing the endpoint should be trivialized. I have always been an evangelist for having the basic controls you need to secure your data on a mobile device and then you use the right tool to do that, what ever it may be.

Reply

Leave a Comment

Previous post:

Next post: