What is it all about?

For me, the trend really started to take off with the smartphones. Most companies tried to standardize the models but at the end of the day it was a lost battle for different reasons:

• The standardization process was always slower than the development of new devices.
• These devices were cool. Therefore the CEO bought a new one in the store around the corner and then came back to IT to enable it to read mails etc. If the CEO wants it, who pushes back?
• Different people have different needs. Do they all need the same device?

Based on this, a few companies tried a different approach: They gave selected people money instead of hardware and let them choose themselves. The idea behind it is fairly simple: We typically publish a “one-size-fits-all” image and do not take into consideration that IT-literate people might be more productive if they are able to customize their environment the way they want – as long as they follow certain policies.

Over the course of the last few years, the problem became much bigger as a lot of different form factors hit the streets: from iPhone to iPads, from netbooks to developer notebooks to slates etc.

The challenge

Once we accept that there are different needs and that this might (or better: will) help some users to be more productive, the next question then is: How do we enable access to our company data without compromising security, privacy and compliance? And what do we do if somebody leaves the company? How can we delete our company data/contacts/mails and keep the user’s private environment in place? … and a lot more.

And, by the way, the user wants access anytime and anywhere.

Unfortunately there are no silver bullets but some ideas and approaches. We just published the Consumerization of IT Test Lab Guides, which can help do address some of your challenges or at least give you some food for thought. Here is the description of the papers:

While Consumerization of IT (CoIT) has remarkable potential for improving collaboration and productivity, many companies are grappling with the potentially enormous security risks of introducing consumer technologies in their IT environment. Therefore, IT needs to strike a balance between user expectations and enterprise requirements for security, privacy, control, and compliance.

The Consumerization of IT (CoIT) series of documents comprises the following documents :

• A white paper entitled Consumerization of IT (CoIT), A Trend To Be Considered that introduces as its name indicates the topic;
• Test Lab Guides (TLGs) that allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration for the most frequent and relevant CoIT scenarios. Each of these guides also covers how to test and demo each capability.

Different scenarios are covered:

1. Base Configuration – Provide secure corporate network access
2. Internet Proxy – Provide Internet access
3. Exchange Messaging – Provide email access and manage non-corporate devices security policies
4. Data Protection – Manage email security
5. Data Classification and Server Isolation – Manage sensitive server and application security
6. Remote Desktop Services Desktop Virtualization – Deliver applications to any devices
7. Remote Access Gateway – Secure remote access

I think that this is something you definitely should look into as it gives you approaches and guidance, how to align your architecture.

However, to start with: Know your data and know your data classification. There is a good chance that there are data sets, you want to give access only to users on machines you manage

Roger

He just posted on his blog: 5 Common Types of Security Professionals

I really like this post. The way he categorizes them is:

• The NO-MASTER
• The By-The-Book Preacher
• The Dinosaur
• The Technology-Solves-It-All
• The paranoid

The reason, why I like it so much is that I am deeply convinced that security can only be successful if it is aligned to business needs and not necessarily to policies and to fear. So, thinking about where security can become a business enabler would often be worthwhile. Additionally, we probably should think about our risks as well. It might well be that the we think that the world might end if a certain risk materializes but it might not even make it in the Top-100 risks of your company…

So, maybe we should change our approach or at least be honest and look in which of the 5 buckets we fit…

Thanks Shoaib

Roger

Anyway, if you look at the article, it says:

Apple reported 91 vulnerabilities during the period, making it number one among the top 10 technology vendors in the industry, said the report, "Security in the age of Mobility."
Trailing Apple were Oracle (78 vulnerabilities), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27) and Apache (24).
In addition, Trend Micro reported that Apple issued a record number of patches to its Safari browser in March during the period. A year earlier, March was also a mammoth month for patches, with Apple addressing 93 vulnerabilities, a third of them characterized as "critical," in its Leopard and Snow Leopard operating system.

If you set this into proportion to the size of the portfolio, it would look even better for us. However, this does by no means say that we feel good about 43 vulnerabilities but it shows that our Security Development Lifecycle pays off.

This is more or less consistent as well with what we see with customers: Typically they know today how to roll security updates out to their Microsoft environment but they are often challenged with the rest of their applications. However, if you look where the majority of vulnerabilities are, it is typically third-party code (and not “only” from the vendors stated above but in custom-written code).

Therefore I am still calling for customers to ask for a secure development lifecycle from their vendors

Roger

The reason for this post is, that I still see a lot of customers who developed a really good practice for handling Microsoft updates but not for the rest. I just read these two articles this morning:

• Security Updates Available for Adobe Reader and Acrobat
• Google Patches Chrome 18 for Flash Flaws

So, make sure you cover all your software including third-party apps and open source.

Roger

Today, life is different. If I look at the public space, a lot of people want to talk about cybersecurity in one way or another, a lot of governments across the globe started cybersecurity initiatives etc. This is a really good development as societies will run into huge challenges if technology fails but it poses some new challenges as well:

• As security professionals, we are not used to simplify our messages and the work we do. We are not really used to explain cybersecurity to people who are already challenged with technology in general.
• This leads from my point of view to government elites, politicians and a lot of private sector organizations using military terminology. All of a sudden we get caught in talking about “weaponizing technology” – which leads politicians thinking about applying similar rules and laws that regulate the distribution of weapons to technology. For us it is fairly clear that this does not work that way in most cases but the terminology implies this. The same thing happens, when it comes to defense. Military is used to “shoot back”. I had this discussion with a lot of people in different governments and non-IT people have a challenge understanding that it might be really, really hard to even figure out who is (technically) behind an attack – worse to figure out who is politically behind an attack. Or do we really for sure know who stood behind Stuxnet? There are public speculations but that’s it.
• Trends like “Bring your own device” or social networks challenge our approach to security and our approach to defending our networks.

So, what needs to change? In my opinion, different things:

• I do quite some roundtables and sessions with people who do not know technology too well and security not at all. The typical approach (not mine) mainly by security product vendors is to use a lot of data to scare people, tell them what is wrong and how bad the world is – just to tell them in the next steps that their products addresses all the issues. To me, it is rather about education than about scare. It is about showing the people the world on the Internet is not that different to the real world – criminals mainly use the new technologies to commit “old” crimes with some exceptions like that the criminal does not have to show up at your store anymore. But we as a community need to change the way we talk. We need to simplify the message and help non-security people get a better feeling for the real risks.
• We need to push back heavily when people use military terminology. I do not want to get into the discussion of “militarization of the cyberspace” but I want to make it clear that the analogies of the military world do not work. I love analogies but only if they work – here they fail. It is even worse, they lead to wrong conclusions. I heard politicians talking about regulating cyber weapons. How do you want to regulate lines of code?

Therefore, we mainly need to change the way we communicate outside the core set of security people. We need to leave the bubble and make our knowledge accessible to business people in a pragmatic way and understandable…

Roger

This discussion is over since a long time and most people probably accepted the fact that the world changed – the cheese moved. BYOD, Consumerization of IT or however you want to call it at the end of the day is a reality. They might have different forms: In our case at Microsoft it might be officially a pre-stage as internally we get the hardware but we can set it up the way we want as long as we are following the policies. But even this is not the complete truth as there are a lot of people buying their own hardware and using it to work. I am currently not only running my notebook with Windows 7, I am using Windows 8 Developer Preview on a slate as well – and as I want to understand how we can make it happen – I did not join it to the domain as I want to run the Consumerization of IT scenario. This immediately raises questions on security.

We most probably need mail (Outlook in my case), Lync and some documents on a slate. So, I need to have Outlook installed and connected to Exchange (including RMS-protected mail), Lync as well as OneNote and some documents I want to have with me while I am travelling. What does this mean for IT? What about me connecting to the corporate network? Let’s look at some of the scenarios and functionalities. I know that there are answers to some of the problems but lets look at the questions first:

• Authentication: As it is not a device IT controls, how is the user authenticated? So we might want to require a PIN or a password to unlock the device. This makes sense anyway but there needs to be more than a “only” a paper policy. For those of you who have seen the build presentations on Windows 8 might have seen a new way to authenticate: A user can have a picture and store three gestures to unlock. A great way to authenticate to a slate but does the policy allow for that? Even if it is not a domain authentication, it is the authentication to the holy grail – the mail.
• Lost devices: Typically these devices are cool – that’s the reason why our users buy them – no? So, the risk of them getting stolen – or lost as they are small – is fairly high. How is the data and how are the credentials on the PC protected? So, we talk of disk encryption first, remote wipe second.
• Disk Encryption: There are devices like Windows Phone 7, which have a very sound security model and a very good device security but unfortunately no encryption, yet. There are others with “encryption” built in, which is broken in minutes as the device can be jail broken easily. What is the policy there? On the slate there will be a need for disk encryption as well. Which user will use something like this without being told? Yes, I know. You will but you are definitely not a representative sample as security people. On Windows we can switch Bitlocker on and will have at least the ability to securely protect the disk.
• Wipe: I would want my device to be wiped after a few unsuccessful authentication attempt or – if I lose it – I want to be able to remote-wipe the business data if I am IT.
• Network Access: Now the device comes on our network. What happens if the devices does not have any anti-malware protection? It might spread all the dirt on your network. Not something we typically enjoy. There are solutions to that – since a long time we talk about Server and Domain Isolation Using IPsec and Group Policy which at least separated the trusted and the untrusted devices. But we basically want the devices on the network and have them accessing the data – if they follow certain policies. Therefore we need a way to do policy enforcement and health checks with the ability to quarantine.
• VPN Access: This might be easier as we can enforce the policies as mentioned above much easier as the machines come through a well-defined channel where we can check them but are we allowed to? Think about privacy implications as well.
• Mail: Finally talking of mail. Access to e-mail is probably one of the crucial areas to enable and manage as a lot of confidential information is buried somewhere in mail. Additionally, to access mail, the keys will be needed if the mail is encrypted. Thus a lot of critical information is on such a device.
• Data: As a user I want my data (or at least key part of my data) synced between my devices. In my case between the business notebook and my slate. This should be done in a secure and safe way. Do we as IT want to allow the use of technologies like Live Mesh, which can either do a peer-to-peer synchronization or a peer-to-peer-to-Skydrive sync. In other words, a copy of the data can be hosted in the public cloud secured with a LiveID password.

So, a lot of different problems/questions. However, they are only partly new as I have seen a lot of people taking data home to their own private PC – the one the kids are gaming on – to do their work. Taking home means USB or even sending the data to the private mail account.

Protecting such an environment can have different approaches and I would be interested in what you think and what you need:

• First and foremost we need policies clarifying what can be done and what not. For severe violations, there needs to be disciplinary action.
• We want to have some policy enforcement. Basically, the key functionality the user is interested in is often e-mail and therefore Exchange might be one of your key management point for this. Exchange is basically able to enforce the following policy options to your device (from Understanding Exchange ActiveSync): Remote Wipe, Device Password Policies (minimum length, characters, alphanumeric, inactivity time, enforce history, enable recovery, wipe device after failed attempts), device encryption. Therefore, it can be expected that the key requirements can be met. But there is a fair chance as well that not all devices fulfill all the requirements. Or even worse: The active sync client could simply lie to the server.
• Would it be an option for an IT organization to require a client installation? Would the policy “if you want to use your own device, you have to let us install a piece of software” something which can be implemented? I am not completely sure are the user will look at the device as his/her own and will refuse interference. On the other hand it is the company’s data. A fairly interesting conflict. If we are allowed to install a client, all of a sudden technologies like Network Access Protection become feasible as we have a trusted piece of software being able to check the health of a computer

But what else is needed? Do you need management? Inventory? What else would you expect in such a scenario from your technology? Let me know – I am interested in this debate.

Roger

I quote:

Yet Android costs Google billions, without drawing revenue. Microsoft is making half a billion a year from Android. The settlement with Oracle, when it eventually comes, will add even more costs to working with Android – for anyone who dabbled with it.

Google executives must be wondering – in the words of David Byrne – “how did I get here?”

The company is going to have to spend very big to settle a clutch of outstanding IP issues, and almost certainly have to restructure Android governance to restore confidence in its stewardship of the systems. But even after all the smoke has cleared, things at Mountain View will have irrevocably changed. No amount of public relations or lobbying, or invite-only conferences, are going to return Google to the golden status it enjoyed only a few years ago.

Imagine you’re a public policy person, or a business strategist. Why would you think Google can give you a glimpse of the future, when it can’t even understand the present?

Roger

• Part 1: Introduction to Consistently Low Malware Infection Rates
• Part 2: Lessons from Austria
• Part 3: Lessons from Finland
• Part 4: Lessons from Germany
• Part 5: Lessons from Japan
• Part 6: Finale – Key Findings

Roger