We have a problem with new disruptive technology, and we need to treat all endpoint systems as hostile. New consumer technology brought into the workplace (a trend known as the consumerization of IT), consumers' use of free or low-cost cloud services for their connected online lives, and the enterprise shift toward the cloud for vertical business applications are rapidly changing the way workers access decentralized information for personal and business use, and the way important information needs to be protected.
Despite corporate firewalls and other existing controls, some employees are using unauthorized and insecure mobile devices to access corporate services. In other cases, companies are enabling employees' mobile lifestyles with fewer restraints, perhaps in recognition that consumer technology innovation will continue to outpace business adoption of certain devices.
Altogether, we are seeing a significant increase in the blending of personal and corporate computing, access to personal and corporate clouds, and the blending of data through personal and enterprise cloud services and consumer technology.
Rightfully, the debate over the security protocols used by the burgeoning personal and enterprise cloud industries continues. Data protection and privacy control issues stem from external parties outside of a company having physical control of corporate data. It is imperative for vendors to provide basic assurances of data protection and privacy for their customers' data and it is also important for employees to understand the need for security when they use their personal devices to access and store corporate data (if they are allowed to do so).
New security standards are needed to address the wave of disruptive technology and practices that are converging to decentralize and consumerize IT, and mix corporate and personal data. Employees must also be engaged to support awareness and practices that include an understanding of security expectations and how to implement basic security and data protection controls on the devices they manage (and on cloud-based services they access). The best advice historically -- and the consistent message in regulations such as PCI, SOX, HIPAA, and Safe Harbor -- continues to be not to store or transmit sensitive information at all. My advice also is to treat everything accessing the data centers as hostile. Control and security of the endpoint is under siege, so start there because the countermeasures change when all endpoints are considered hostile.
New standards in remote access will include client virtualization technology that has adapted to gesture-based devices (e.g. iPhone, iPad, and Android). We should expect to see this technology coupled with protection measures that provide virtualized data center and application access. Data leak prevention and monitoring should continue to serve as a bastion defense in detecting inappropriate data commingling. Security teams also need to implement controls that enforce security standards on enterprise-activated devices, and industry standards need to be developed to ensure corporate data remains safe despite these trends.
Additionally, companies should identify which information is most valuable and assess the balance between protecting custodial data and secret data. According to a 2010 Forrester Research study, security teams need to focus first on protecting secret data that provides long-term competitive advantage, such as mergers and acquisitions, product plans, earnings forecasts, and trade secrets, and then on protecting custodial data that they are "compelled to protect," such as customer, medical, and payment card information that becomes "toxic" when stolen or exposed.
Furthermore, companies and cloud providers need common standards to attest to online security practices and to evaluate third-party relationships. There is an urgent need for customers of cloud computing and third-party technology services to be able to make an objective comparison between providers on the basis of their security measures. Existing mechanisms for measuring and providing security assurances are often subjective and in many cases unique to one provider. This makes quantifiable measurement of security practices difficult, which adds time and cost.
We are at a crossroads. Security needs to continue to evolve with disruptive technologies and to support employee mobile lifestyles. At the same time, we must look for standards and common technology, and we must provide continual, evolving awareness to our user communities. We should set expectations and controls -- where we can -- to integrate new security measures transparently and minimize these new risks. We must prepare for this now and educate ourselves and our users.
INFORMATION SECURITY MAGAZINE'S 6TH ANNUAL SECURITY 7 AWARDS
Consumerization of IT and enterprise evolution: Consumer devices in the workplace and the shift to cloud services require new security standards.
SECURITY 7 AWARDS
Title: Chief Information Security Officer
Company: Cox Communications
Credentials: CISM, CISSP
- Oversees the Security Program Office at Cox Communications, a privately owned cable operator that is classified as a critical infrastructure provider for the U.S.
- Established an information risk management program and a year one security awareness campaign (Security is Everyone's Job).
- Founding member of the Cloud Security Alliance and co-authored the CSA Controls Matrix in 2009 to help cloud providers design in security and to provide a set of basic security controls for customers to gauge the security posture of their cloud providers.
- Established one of the largest and most successful global Security Development Lifecycle (SDL) programs at Dell, where he previously led the company's global information security assurance and consulting organization.
- Member of ISSA, InfraGard, OWASP, Merchant Risk Council, Domestic Security Alliance Council (DSAC), co-founder and board member of the Southern CISO Security Council, and advisory council member for the CSO Breakfast Club.
- Appointed to the FCC Communications Security, Reliability and Interoperability Council (CSRIC) and has represented GE, Dell, VeriSign, Alcatel, Scientific-Atlanta, and Cox in their respective corporate security, risk, and/or privacy councils.