Normally, I’d end the year with a top ten list of security “opps!” or a Infosec wish list for the new year. But this year I wanted to focus on a few of the issues I see as taking up more and more of your Infosec time in the coming years, if they haven’t already been. These are emerging issues that have impact all across the IT spectrum, not just Infosec. But I do see them as becoming drivers in our part of the industry, both from a customer demand and vendor offerings standpoint. They are mobile, social, and cloud computing.
Mobile has been a trending issue for a long time. It started way back in 1983 with the first Compaq luggable. Ever since then, employees have been figuring out better and better ways to break out of the physical corporate walls and take their work data with them. And by better, I don’t mean better for us in the Infosec field. The days of a secure physical network that existed only at work are long gone for most of us. But laptops are the least of your worries these days when it comes to mobile computing. Smaller and smaller removable drives with larger and larger capacity make the security risk presented by CD-ROM and DVDs seem bite-sized in comparison. These devices are the new floppy, with people tracking in "dirt" from their home networks on USB drives. And of course smartphones blur the line between what is a computer and what is a personal device. iPhones, Blackberry and Android phones have most of the functionality of a desktop these days. Many companies are starting to let employees use their personal phones for work, checking emails, logging into company intranets and even using VPNs. These all present particular challenges to the Information security department, both now and going forward.
However, physical media and infrastructure is being eclipsed more and more by the cloud and cloud storage. Companies are making use of these private/public clouds more than ever. Even big companies like Zynga have begun using these services in lieu of deploying in-house infrastructure to cut costs and shorten deployment times. And while the cloud brings great economies and conveniences to our infrastructure needs, they also present unique IT challenges. When you are using cloud resources, you abdicate much of the Infosec function to a third party. You no longer have direct physical control over your servers and OSes so you have to trust your vendors to keep them updated and physically secure. And uptime for network and servers is entirely dependent on the vendor. So SLAs and due diligence in selecting providers becomes paramount. But even selecting blue chip vendors doesn’t eliminate risk. The largest cloud provider, Amazon has had several well publicized outages and credits to your bill only go so far. When using cloud services, always remember; caveat emptor. When it comes to employees, more and more of their lives are stored online these days. This means that they can often access their photo albums, songs and movies and other media, all from a web browser inside your corporate network. What is the legal position if the employee is listening to pirated music streamed over the cloud on the company network? These are things you’ll have to deal with in the new age of computing in the cloud.
Social has invaded our Infosec lives in all kinds of ways. First of all, the social apps that everybody loves, but drive us security folks crazy. Facebook is the obvious one that comes to mind, but there’s also Twitter, Foursquare, Linkedin and other programs that allow our users to fritter away the work day checking up on their high school flames, networking for a new job or playing inane games involving virtual gardens. If they were just productivity and bandwidth drains that would be one thing but they are also now vectors for all kinds of attacks, fraud, security leaks and regulatory issues. And just like the web, we can’t always just ignore or block them. Employees can now claim the need to use these sits for marketing and other legitimate uses. Look for companies to produce specialized software and hardware to block, filter, and otherwise control these nuisances while other companies offer products and services to increase companies use of them for sales, marketing and even support. And the genre will continue to morph and become a bigger part of our personal and corporate e-lives no matter how you dealt with it.
It’s a brave new world out there in Infosec and it is no longer just about keeping viruses and hackers out and corporate data in. More and more, its about keeping the data that does go out safe and finding ways to manage data already out in the cloud. The landscape is changing rapidly, even daily and you’ll have to stay on your feet in 2012 and beyond to stay ahead of these trending issues. And if I write this same column in twelve months, I might not be writing about the same three issues. We shall see...