What is it all about?

For me, the trend really started to take off with the smartphones. Most companies tried to standardize the models but at the end of the day it was a lost battle for different reasons:

• The standardization process was always slower than the development of new devices.
• These devices were cool. Therefore the CEO bought a new one in the store around the corner and then came back to IT to enable it to read mails etc. If the CEO wants it, who pushes back?
• Different people have different needs. Do they all need the same device?

Based on this, a few companies tried a different approach: They gave selected people money instead of hardware and let them choose themselves. The idea behind it is fairly simple: We typically publish a “one-size-fits-all” image and do not take into consideration that IT-literate people might be more productive if they are able to customize their environment the way they want – as long as they follow certain policies.

Over the course of the last few years, the problem became much bigger as a lot of different form factors hit the streets: from iPhone to iPads, from netbooks to developer notebooks to slates etc.

The challenge

Once we accept that there are different needs and that this might (or better: will) help some users to be more productive, the next question then is: How do we enable access to our company data without compromising security, privacy and compliance? And what do we do if somebody leaves the company? How can we delete our company data/contacts/mails and keep the user’s private environment in place? … and a lot more.

And, by the way, the user wants access anytime and anywhere.

Unfortunately there are no silver bullets but some ideas and approaches. We just published the Consumerization of IT Test Lab Guides, which can help do address some of your challenges or at least give you some food for thought. Here is the description of the papers:

While Consumerization of IT (CoIT) has remarkable potential for improving collaboration and productivity, many companies are grappling with the potentially enormous security risks of introducing consumer technologies in their IT environment. Therefore, IT needs to strike a balance between user expectations and enterprise requirements for security, privacy, control, and compliance.

The Consumerization of IT (CoIT) series of documents comprises the following documents :

• A white paper entitled Consumerization of IT (CoIT), A Trend To Be Considered that introduces as its name indicates the topic;
• Test Lab Guides (TLGs) that allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration for the most frequent and relevant CoIT scenarios. Each of these guides also covers how to test and demo each capability.

Different scenarios are covered:

1. Base Configuration – Provide secure corporate network access
2. Internet Proxy – Provide Internet access
3. Exchange Messaging – Provide email access and manage non-corporate devices security policies
4. Data Protection – Manage email security
5. Data Classification and Server Isolation – Manage sensitive server and application security
6. Remote Desktop Services Desktop Virtualization – Deliver applications to any devices
7. Remote Access Gateway – Secure remote access

I think that this is something you definitely should look into as it gives you approaches and guidance, how to align your architecture.

However, to start with: Know your data and know your data classification. There is a good chance that there are data sets, you want to give access only to users on machines you manage

Roger

• Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application as a Service? And where are the key differences when it comes to risks?
• A lot of businesses look at it as an all or nothing. This is simply a massive mistake. There are workloads (like your identity management) you will wait a really long time until you move it to the Cloud and keep on premise. There are others, you might want to move immediately to the public Cloud and some of it will stay in a private Cloud.
• There is a lot of fear out there and not a lot of frameworks, which can help with to bring the whole discussion to rational level. Actually, there is a lot of material out there but not a lot, which is simple to read and consume.

That’s the reason, why Doug Cavit and me wrote the Cloud Computing Security Considerations about an year ago. We came up with 5 points to be considered, when looking at the Cloud from a security perspective:

• Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
• Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.
• Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.
• Endpoint Integrity: As cloud-based services originate–and are then consumed–on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
• Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

These five considerations are very well received and seem to work well for the customers to address part of the points above. The number 1 question I got, however, was: How can apply this to the different scenarios?

Therefore I am happy to announce, that we just released a paper to the web called: Addressing Cloud Computing Security Considerations with a Partner Private Cloud.

We show you how to split responsibilities between the partner and the customer and what the considerations mean for both sides – as always, your feedback is more than welcome!

Finally, stay tuned: In a few days, we will do the same with the public Cloud. This time, however focused on Office365. As soon as we go live with Office365, we will publish it.

Roger

Then outsourcing came and everything was getting better – not really. A lot of companies outsourced a problem – they used the same people with the same attitude and outsourced everything to the outsourcing provider. But now they had a contract – and so did the outsourcer. There were (and still are) numerous meetings I have been in, where the customer and the outsourcer were fighting, whether applying a patch is part of the contract or not and whether patch management should be done more than every six months. Finally, the customer had to learn to become a customer as well and specify their needs.

Why do I write this? Because I see similar discussions today with the Cloud. Business is not satisfied with how internal IT delivers. They are too slow, too expensive and too unreliable – therefore the business is looking at the promises of the Cloud: Fast, reliable, inexpensive. What does it really mean for the business? For IT?

• To me the business has to understand that if they move to the public cloud, there is a good chance that they have to adapt their business processes. Remember the huge ERP projects? It is not that different. This might be good as it forces the organization to clean up – but it shall be a conscious decision. Even for the part you are moving to the cloud, you still have to keep part of your responsibilities: You are still ultimately responsible for your compliance. You should keep your identity management in house and risk management for your business cannot be outsourced. You have to have a data classification, which is applied and lived – this is, how we described it in our Cloud Computing Security Considerations. Last but not least: You are the customer of a standardized service. Make sure you understand this as this will be a long-term partnership you are going for, with very, very limited flexibility of the final solution.
• If you move to the private cloud, the situation is slightly different as you might have more influence on how your solution looks like but even the private cloud is not an outsourcing as you knew it – e.g. most probably you will not be able to tell the cloud provider how they will run their datacenters. You will run on your own OS-instances (does not necessarily mean your own hardware as the solution will most probably be virtualized) but even the question of the data location might have to be negotiated. And: It definitely costs more.
• If you are an IT organization: Become a Cloud provider. Become the partner for your business in the Cloud. You business will want to have part of it in a private cloud – offer this in a way you can compete with third-parties as you will not be able to compete in the public cloud.

This decision has to be a strategic decision and not a decision taken because business does not like their own IT. For the internal IT it might be a threat (if you decide to sit and wait) or an opportunity if you take the strategic decision and opportunity.

Now, the reason for this post was actually in an article, which was sent to me: Why businesses move to the cloud: They hate IT

Roger

and the scariest part is that I never looked at it that way but he is right

Roger

• Industry vulnerability disclosure trends continue an overall trend of moderate declines since 2006. This trend is likely because of better development practices and quality control throughout the industry, which result in more secure software and fewer vulnerabilities.
• Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.

[…]

• The exploitation of Java vulnerabilities sharply increased in the second quarter of 2010 and surpassed every other exploitation category that the MMPC tracks, including generic HTML/scripting exploits, operating system exploits, and document exploits.
• The number of Adobe Acrobat and Adobe Reader exploits dropped by more than half after the first quarter, and remained near this reduced level throughout the remainder of the year.

[…]

• Exploits that affected Adobe Acrobat and Adobe Reader accounted for most document format exploits detected throughout 2010. Almost all of these exploits involved the generic exploit family Win32/Pdfjsc

[…]

• Microsoft Office file format exploits accounted for between 0.5 and 2.8 percent of the document format exploits that were detected each quarter in 2010.

[…]

• As in previous periods, infection rates for more recently released Microsoft operating systems and service packs are consistently lower than older ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates.
• Infection rates for the 64-bit versions of Windows Vista® and Windows 7 are lower than for the corresponding 32-bit versions of those operating systems. One reason may be that 64-bit versions of Windows still appeal to a more technically savvy audience than their 32-bit counterparts, despite increasing sales of 64-bit Windows versions among the general computing population. Kernel Patch Protection (KPP), a feature of 64-bit versions of Windows that protects the kernel from unauthorized modification, may also contribute to the difference by preventing certain types of malware from operating.

[…]

• In the first half of 2010, phishers showed signs of targeting online gaming sites with increasing frequency, although this push appeared to have dwindled as social networks came under increased attack. Impressions that targeted gaming sites reached a high of 16.7 percent of all impressions in June before dropping to a more typical 2.1 percent in December.
• Phishing sites that target social networks routinely receive the highest number of impressions per active phishing site. The percentage of active phishing sites that targeted social networks increased during the final months of the year, but still only accounted for 4.2 percent of active sites in December, despite receiving 84.5 percent of impressions that month. Nevertheless, the number of active sites targeting gaming sites remained relatively high during the second half of the year, which suggests that more campaigns may be coming.

You should read the whole report, which you can find here as it is probably the best piece of intelligence out there.

And, by the way: Keep updating your systems and stay on the most current version for all your software. Probably the best protection you can get.

Roger