The New Corporate Perimeter: It's About Data, not Devices
It appears there are still companies that create software that assumes and even requires a “perimeter” where the software can be installed, or requires a company “agent” to be installed on all mobile devices.
These kinds of companies need to rethink their strategies. Today's mobile-first digital world has driven huge changes in how enterprises connect and engage with their customers. It's also changed the nature of the software we build and the way IT needs to work. The massive amount of data that drives today's businesses exists in multiple places: some resides in the core enterprise (in legacy systems of record); an increasing amount of data comes from outside the enterprise; and, most importantly, it resides at the edge of the enterprise (mostly from mobile apps). Inasmuch as businesses in every sector are tasked with using it all, IT security experts are tasked with securing it all.
The corporate perimeter isn't dead, but it has changed. It’s no longer something you can rely on while planning to keep all of your users inside where your services and devices protect them from the bad guys outside. Today’s perimeter is around your data, not around your devices. You’ve lost control of the devices, whether you know it or not.
Employees are using their own personal computers and mobile devices to get their jobs done. They just don’t tell you because you might ask them to stop, or worse, point out that they are violating some company policy they’ve never actually read (they just clicked “I agree” on the page so that they could get to work on their actual problems).
If you think your employees are going to install agents on their own personal mobile devices, you don’t understand today’s world. I don’t even want to install any corporate agents on my personal devices, and I’m in security and know all of the risks and problems that arise from corporate data mixing on personal mobile devices.
Today’s employees are mixing personal and business time, data, and devices all day long. People no longer work from eight to five and then stop all thoughts of corporate activities. Rather, they work in spurts all day long, from the time they wake up and check their email from their phone while still warm and cozy in bed, through the middle of the day when they squeeze in a quick workout after lunch, until evening time when they pull into the garage and do another quick email check before heading inside to see the spouse and kids. Then there’s that one last email check at night, as they set their alarm clock on their phone.
The point is, you can no longer control what devices, places, and times employees use to accomplish their tasks. If you try to, you'll turn into a roadblock for the company. You need to find ways to support your users, not hinder them. Modern security and operations teams need to assist users in accessing their data from any location at any time and on any device in a secure manner and help them accomplish their business objectives. Anything less than this is a nail in your own coffin.
To maintain a consistent data security posture, it is important to have an API strategy that enables data security as well as app security across digital channels. Rather than trying to control your users, find ways to secure the data that your users need. How to start? Check out my colleague Subra Kumaraswamy's post about enabling a business strategy while protecting information exposed to internal and third-party developers by way of APIs: Security in Digital Transformation: an API-Centric Approach.
Developing an app and API strategy allows people to access your data securely—wherever, however, and whenever it’s possible. I’m not suggesting you support access to your secret recipe from internet kiosks in the mall. But if users want to use their Android phones in the morning to process mail and attach documents to responses, their corporate laptops during the day, and their personal tablets in the evening while they wait for the kids’ soccer practice to end or their buddies to show up at the restaurant, you need to support this, and even actively encourage it.
So what does this mean for the information security professional? It means finding ways to become an app champion and an API evangelist at your company. It means leading the shift from the traditional corporate perimeter to the new data-centric perimeter. It means becoming the security expert who enables today's digital business strategy while honoring the primary mandate of IT: to protect the enterprise's and the user's data and information.
image: Diego Torres Silvestre/Flickr