Why Security Needs to Catch up to Web 2.0
Security managers can keep blocking Facebook, refusing to support mobile devices and vetoing cloud-based services, but they aren't going away. And ignoring ways to make room for them in your security program is like burying your head in the sand, according to Tom Gillis, vice president and general manager of Cisco's security technology business unit, and author of the new book Securing the Borderless Network: Security for the Web 2.0 World.
Gillis' main message in the book is that today's new Web 2.0, virtualization, mobility and collaborative applications offer huge potential for enhancing productivity and competitive advantage. But they also come with complicated new security issues. He spoke with CSO about the challenges that lie ahead for security professionals in a technological environment where the rules have changed.
CSO: Let's start by talking about the potential you think new technologies, such as mobile devices, offer organizations.
Tom Gillis: In the 1970s and 80s, I was an engineer and I used to write design memos on an IBM Selectric. When the personal computer came out, I was using a Mac SE/30. I was amazed at how quickly I could get my job done.
But when you rolled the productivity these machines offered up at the top level, it kind of disappointed economists, political leaders and business leaders. During that period, the 70s and 80s, we saw GDP growth on the order of about 2 to 3 percent a year.
It wasn't until we figured out how to connect these devices, the introduction of the local area network and the internet, that that GDP shot up to 4 to 5 percent. That's what we saw in the late 90s and 2000s and it was driven primarily due to this new fluid exchange of information.
I believe, and many analysts believe, that the mobile internet will have that same level of impact. We're looking at another decade of 4 to 5 percent productivity enhancements. Companies that are forward thinking with their security policies will be able to adopt these technologies and benefit from those 4 to 5 percent productivity enhancements better than others that don't.
When you say the mobile internet, you're referring to adopting technologies such as smartphones in the enterprise?
All kinds of mobile technologies. The iPhone was the first really usable web browser in a hand-held device, but now there are hundreds of other devices that are like it. And, as my son points out "This thing IS a computer." A user can do all the things they need to do using palm-based applications and a hand-held smartphone, instead of a laptop.
What are the challenges organizations will face with regard to policies in this new Web 2.0 era?
It's not so much adopting new policies. Companies have security policies. And they are usually along the lines of: I'm general manager, I need to get access to the financial information. Nuaf is my vice president of engineering and he needs to access source code. But I don't need to access source code and Nuaf doesn't need to have access to financial information. That's simple policy.
Expressing that as these mobile devices come into the enterprise gets much, much harder, and it's more difficult to be able to enforce those policies. What we are advocating is that companies make the investment in new technologies and new infrastructure that allows them to enforce those policies that they had yesterday and will have tomorrow in this distributed, borderless, mobile enterprise that is clearly emerging.
Besides mobility, there are plenty of other new aspects in today's IT environment. There is the use of social networks, there is virtualization and cloud computing. What are some of the difficulties with these technologies?
Web 2.0, and I'll use the interpretation to include virtualization and cloud computing, is almost the evil twin of mobility. If mobility means I have more users on more devices outside of my traditional perimeter, then the Web 2.0, cloud-computing trend means my data may not reside behind the traditional perimeter in the data center.
When you combine those two, your worst case scenario from a security standpoint is when my VP of sales goes to conduct a sales force task in Salesforce.com on his smartphone, and there is no traditional firewall, or traditional security solution, in that transaction at all. As an IT person, how do I ensure the safety of my assets? Basic stuff, like customer lists, customer names?
How do I put controls in place to show who accesses this information and revoke those privileges if need be and provide some level of accountability of who accessed them when, where and how. We really need to rethink how we build and deploy security to address these types of use cases.
Where do you think enterprise organizations stand now with their adoption of technologies and infrastructure to handle this new environment you're describing?
At Cisco, our officially supported iPhone-user population is about 100 users. We think the actual number of iPhone users is somewhere between 6,000 and 9,000. I see this sort of scenario everywhere I go. The devices are coming into the enterprise whether we like it or not. Because they are good and they help people get their job done.
The solutions to secure these devices are fairly nascent. There are a number of use cases that customers want from us in this whole borderless, distributed enterprise that we can't properly address yet. We are working on it, and have a vision. I think a lot of this is work still to be done, both in the vendor community and the IT community, in rolling out and deploying some of this stuff.
You mention in the book that criminals are already taking advantage of many of these new technologies and exploiting them. What is the biggest cause for concern?
Attacks targeted specifically on mobile devices I think are quite narrow. The challenge is doing that security policy enforcement, basic access control. When a sales rep is using a mobile device to access a cloud-based application, and we terminate that employee, what is to stop them from when they get the termination to still go in (to that proprietary data) from their device, download customer lists and go to a competitor? I've had that happen in my career and there is basically nothing you can do. It's very frustrating.
So, the concerns range from malware and exploits, to basic access control and protection of your intellectual property. There is a broad array of concerns security professionals need to address.
What will play the bigger role in securing the network in a Web 2.0 world? Product or policy?
At the end of the day, it's clearly driven by policy. Policy then drives product. I can go off and give you ten examples of products I've built that are ahead of policy and people's ability to absorb the technology. So it starts with policy and a mentality.
We want to see our customers shift away from a security posture of no. Away from saying things like "Google Android? No, we can't support that. Web-based applications like Google Docs? Not secure, don't use that." We want to get away from that to a posture that says "Absolutely. Use the tools that help you get your job done efficiently."
You mention the future and Web 3.0 in your book. What is Web 3.0 going to include?
If you look at the investment companies make in building data-center infrastructure to support their business, I do think ten or twenty years from now we will look back and say "Wow, that's crazy. Why were people building their own stuff?"
Imagine if every company in the world built their own hammer. Sure, they could build that hammer to fit exactly the job that needed to get done, put a pointy head on it, a special handle. But it's very inefficient for every company in the world to build their own tools.
Why can't we get to a world where there are organizations that focus on building hammers, do it well and do it effectively and deliver a better product at lower cost to the enterprise? Web 3.0 is going to take complicated enterprise infrastructure and make it more dynamic, more available and lower cost.