
Mobile security BYO watershed from SOAP to SUDS


Rob Bamforth, Principal Analyst

Quocirca Comment
The technology landscape is changing quite dramatically. What was once carefully chosen, constrained and controlled by central IT diktat is now overwhelmed by consumerisation and hyper connectivity. It is hard to say when it all really started, but the availability of home PCs in the 1980s pushed a trend of affordable computing, and the emergence of widespread internet use in the 1990s accelerated the trend towards affordable connectivity.

Although organisations embraced this open connectivity, admittedly quite slowly at first, there was always a nagging fear surrounding the security risk. Such fears are frequently prevalent when new technologies appear. So much so that, in pretty much any research Quocirca has conducted, when security is mentioned as an option among other reasons for not adopting or slowing the adoption of a new idea, it generally stands out as the top reason selected.

So it should be no surprise that the typical approach to security has been one of closing doors or blocking access as close to the perimeter as possible: erect a demilitarised zone, configure a firewall, deploy a secure gateway at the edge. This is pretty much in line with the attitude taken to physical security: build a fence, lock the gates and fit an alarm or patrol with dogs.

When it comes to the extra security for deploying mobile devices, essentially a similar approach is initially taken. Apply a passcode to the device at the edge of the network, lock down its configuration tightly, remotely kill and wipe it when it becomes compromised, lost or stolen.

The challenge is that not only have mobile technologies punctured the physical perimeter, they have also ushered in a BYO ("bring your own") mentality where everyone expects to have their own choice of anything IT (device, apps, social networks, etc.), which dissolves away the virtual perimeter. The old model, possibly described as Secure Organisation At Perimeter (SOAP), is looking like it is washed up.

Traditional IT i.e. oriented to the technology tools (hardware, software and networks) and not the uses to which technology is put. To do this, the emphasis needs to switch to what people do and the information they use (users and data), and to apply a bubble of protection where it is needed or, perhaps to put it another way, Secure Users and Data Specifically (SUDS)?

This is a much more business-oriented approach, in that it requires an understanding of the value and vulnerability of the soft assets of the organisation. Rather than a one-size-fits-no-one blanket perimeter, it requires discrimination so that different levels of protection are applied based on value and risk, independent of what tools are used, but aware of the context of use, i.e. what, why, when, how, where and who.

It means that security policies, while heavily relying on the IT department for guidance, implementation and support, will need input from the business to glean which business processes pose risks, how they do so, and to which data. This might initially be challenging for some lines of business, but anything that makes an organisation and those in it more aware of the value of its commercial secrets is good practice.

It also removes some of the responsibility for security from the user, which many in IT think would be a good thing, as, again, past Quocirca research into mobile security indicates that users are thought of as the weakest links, even when issued corporate specified and locked down devices. Given that many employees may be bringing their own devices, installing their own apps and data, and lending the devices to family members, this is unlikely to improve much.

Tackling this issue with simplistic mobile device management (MDM) is no longer sufficient. Devices have to be assumed to be compromised or easily compromise-able, and so the attention naturally shifts to the objects of interest (data) and the actions performed on them. Most of the vendors of products aimed at managing the emerging mobile enterprise seem to have recognised this and that MDM was merely a stepping-stone, but many organisations seem to be slow to pick up on this and think that applying MDM is sufficient.

Mobile security BYO watershed from http://www.quocirca.com SOAP to SUDS

2013 Quocirca Ltd

Given the speed at which their employees are adopting mobile technologies that span the work/life divide, this would be a mistake. No organisation wants its laundry, dirty or otherwise, aired in public.

This article first appeared on http://www.computerweekly.com


About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms.

Full access to all of Quocirca's public output (reports, articles, presentations, blogs and videos) can be made at http://www.quocirca.com

