Remember the good ol’ days – when users all carried the same corporate-issued device, apps were carefully vetted and distributed via well-defined procedures, and remote access meant using a VPN client with two-factor authentication and a physical RSA token generator? Merriam-Webster’s online dictionary defines nostalgia as “sadness that is caused by remembering something from the past and wishing that you could experience it again.” IT professionals responsible for securing today’s mobile enterprise networks and data must feel a tinge of this every time Apple or Samsung announces a new product or operating system update.
Why nostalgia? Because IT has lost control. The transformation from a static, wired environment to a dynamic mobile environment is to blame. Employees emboldened by the ability to always stay connected have forced the hand of corporate IT departments to boldly go where networks have never gone before – everywhere and anywhere. What’s worse, IT typically becomes aware of new products or services on their network only after they’re widely in use, forcing them to openly welcome unwanted technology without properly vetting it or fully understanding the risks.
As a result, IT ends up performing a delicate balancing act; on the one hand there is a need to enable employees but on the other the daunting challenge of mitigating risks. Thus IT must ensure sufficient security measures are in place without overly affecting employee productivity. This presents some rather unique challenges due to security and management inconsistencies:
- Devices and operating systems differ across platforms and manufacturers
- User preferences and habits differ
- Security components may or may not work the same when it comes to performing basic functions like user authentication
Mobile security by and large hasn’t been able to keep pace. IT spend remains largely focused on perimeter defenses to weather the storm of external denial-of-service (DoS) attacks and zero-day exploits that generate headlines, but pays little attention to mobile devices and users gaining access to network resources and data. And while solutions like mobile device management (MDM) or enterprise mobility management (EMM) make their way into the enterprise to address mobile access, implementations lag due to end-user rejection of big-brother controls or cumbersome / non-intuitive workflows.
In keeping with the times, IT must evolve security to address the risks introduced by enterprise mobility – specifically as it pertains to trust. In the past, physical security measures satisfied most trust requirements; if an employee provided proper credentials at the front door or perimeter, then trust would be established and access granted. But what about users who don’t go through the front door and aren’t asked to produce identification to validate their need to be there? If that same user comes through a back door, do we let them connect and give them the same level of trust?
Conventional wisdom would suggest that we don’t. In fact, everyone and everything should be interrogated and an informed policy decision made. The ideal model would be to make a decision based on relevant context. Useful context can include:
- User identity and role
- Type of device and ownership
- Has this device been seen before
- Does the device meet security standards
By gathering and using context, IT is in a better position to handle the unknowns that pop up on their network. Instead of treating everyone and everything as an untrusted entity, IT can create adaptive policies based on business needs and associated risks. What’s more, IT can also mitigate many of the risks associated with anywhere, anytime and any device access without impacting productivity.
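A sketch of such a context-based decision, added here as an illustration and not taken from any product: it combines the four context items listed above into an access tier. The tier names, role table, device types and the specific caps are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple

class Access(IntEnum):  # hypothetical tiers, ordered least to most trusted
    DENY = 0
    QUARANTINE = 1      # remediation resources only
    INTERNET_ONLY = 2
    LIMITED = 3         # a restricted set of internal apps
    FULL = 4

@dataclass(frozen=True)
class Context:
    user: Optional[str]        # authenticated identity, None if not authenticated
    role: str
    device_type: str
    corporate_owned: bool
    seen_before: bool
    compliant: Optional[bool]  # None means posture could not be checked

# Assumed policy tables; a real deployment would define its own.
ROLE_CEILING = {"employee": Access.FULL, "contractor": Access.LIMITED,
                "guest": Access.INTERNET_ONLY}
KNOWN_TYPES = {"laptop", "smartphone", "tablet"}

def decide(ctx: Context) -> Tuple[Access, List[str]]:
    """Return the access tier and the context signals that constrained it."""
    if ctx.user is None:
        return Access.DENY, ["no authenticated identity"]
    if ctx.role not in ROLE_CEILING:
        return Access.DENY, [f"unrecognized role {ctx.role!r}"]
    if ctx.compliant is False:
        return Access.QUARANTINE, ["device fails security standards"]
    level, reasons = ROLE_CEILING[ctx.role], []
    caps = [  # (condition, ceiling, reason): each true condition caps the tier
        (ctx.compliant is None, Access.LIMITED, "posture unknown"),
        (not ctx.corporate_owned, Access.LIMITED, "personally owned device"),
        (ctx.device_type not in KNOWN_TYPES, Access.INTERNET_ONLY,
         "unrecognized device type"),
        (not ctx.seen_before, Access.INTERNET_ONLY, "device not seen before"),
    ]
    for hit, ceiling, why in caps:
        if hit:
            reasons.append(why)          # keep every signal for the audit trail
            level = min(level, ceiling)  # trust only ever goes down, never up
    return level, reasons
```

The role sets the ceiling and every other signal can only lower it, so an unknown or missing attribute never results in more access than a known-good one.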
Adaptive Trust provides IT visibility and control while drastically reducing risk. And more importantly, it can strengthen existing systems without introducing unnecessary or complicated procedures. A trust model that adapts to how people work delivers a better user experience while drastically improving security.