Wednesday, February 29, 2012

One Size Fits None

One of the trendy topics of current security discussions is the BYOD (or the less sexy “IT consumerization” term) thing. It’s good to see the topic being discussed, but the way those discussions flow is what really makes me concerned. How is it that we’re still asking questions such as “should we allow it?”, “how do we protect those devices?”, and so on? It’s the same thing for cloud services or any other new IT thing: we’re always asking if we should allow it and how we’ll protect it. I see those questions basically as:

- Will we give a sample of our infinite power to deny the users’ requests?

- How will we manage to make this thing useless through death-by-a-thousand-controls?

These situations always remind me of our dear Mordac. No wonder our actions inspired such a nice Scott Adams character.

What I would love to see ourselves doing with all this new stuff coming into our environments is getting rid of the One Size Fits All approach. We keep doing this allow/deny thing for everyone, without considering the different needs of the different types of users (ok, the label is almost derogatory nowadays, but whatever) we deal with. Even worse, we don’t consider the different data those users have access to.

What I mean is that security must be a bit more ADAPTIVE. There’s no point in applying the same level of control to someone without access to sensitive information who wants to read email on his/her iPhone as to the CEO’s iPhone during a big M&A process. Can’t you see how context changes everything?

It wouldn’t be a matter of applying controls or not anymore, but of how much to apply, based on several context variables. For that, our controls should be designed to take those variables into consideration. Several classification labels for people, data, applications, locations, networks and hosts should be considered by enforcement points and controls to provide an adaptive set of security measures aligned to each situation.

Don’t think I’m dreaming too high and being unrealistic. There are tools available for that now and many more are increasingly becoming available. You can buy Adaptive Authentication systems right now, and a lot of the SIEM tools already allow you to use different data sources to apply context to your security monitoring processes. Policy-based remote access controls (applying restrictions when connected to the corporate network, for example) and different personal firewall profiles based on location are standard features of lots of security products. We just need to keep expanding on that, considering new technologies that enable us to do it, such as IF-MAP, OpenFlow and RMS, when designing our security architecture.

Some other cool products and technologies that allow organizations to apply context-based security controls:

- Data Classification

- Adaptive Authentication

- Identity-based security monitoring

- Next Generation firewalls

Now, what we’re still missing is a management/orchestration layer on top of all that. Some big vendors providing solutions from multiple domains have some integration in place that offers limited centralized policy definition, but there’s nothing out there capable of controlling such a diverse ecosystem of applications. We still have some work ahead in order to translate “Top executives can read their email on their phones but with limitations based on the classification of data and the country where they are” into settings for stuff like firewalls, authentication systems and email servers.
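To make the context-variable idea from the paragraphs above concrete, here is an added example (mine, not from the original post or any product) of a tiny policy evaluator that turns the “executives on their phones” statement into per-request decisions. The labels (role, data classification, device, country, network), the control names and the high-risk country list are all assumptions constructed for the illustration.

```python
"""Context-aware policy evaluator (added illustration, not the post's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    role: str         # e.g. "staff" or "executive"   (assumed labels)
    data_class: str   # "public", "internal", "confidential", "restricted"
    device: str       # "managed_laptop" or "byod_phone"
    country: str      # country code of the user's current location
    network: str      # "corporate" or "public"


SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Constructed placeholder: locations where sensitive data may not be opened on BYOD.
HIGH_RISK_COUNTRIES = {"XX"}


def decide(ctx: Context) -> dict:
    """Return the access decision plus the set of controls to enforce.

    The same request gets more (or fewer) controls depending on who asks,
    what data is involved, on which device, from where and over which network.
    """
    level = SENSITIVITY[ctx.data_class]
    controls: set[str] = set()
    # Hard stop: sensitive data on a personal phone in a high-risk location.
    if ctx.device == "byod_phone" and level >= 2 and ctx.country in HIGH_RISK_COUNTRIES:
        return {"access": "deny", "controls": {"notify_soc"}}
    if ctx.device == "byod_phone":
        if level >= 1:
            controls.add("container_only")      # no copy/paste or local storage
        if level >= 2:
            controls |= {"step_up_auth", "read_only"}   # no forward/download
        if level >= 3:
            controls.add("view_online_only")    # never cached on the device
    if ctx.network == "public" and level >= 2:
        controls.add("require_vpn")
    if ctx.role == "executive" and level >= 2:
        controls.add("enhanced_monitoring")     # feed to identity-aware SIEM
    return {"access": "allow", "controls": controls}


if __name__ == "__main__":
    print(decide(Context("staff", "public", "byod_phone", "US", "public")))
    print(decide(Context("executive", "restricted", "byod_phone", "US", "public")))
    print(decide(Context("executive", "restricted", "byod_phone", "XX", "public")))
```

The first and second calls differ only in context, yet the first gets no extra controls while the second gets the full set; the third is denied outright.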