
Andreas M. Antonopoulos

Most Recent Posts by Andreas M. Antonopoulos

IT Security's Scariest Acronym: BYOD, Bring Your Own Device

The torrent of smartphones and tablets entering companies has created some interesting challenges for security managers. The new devices introduce new operating systems, new development environments and new security risks, but no new control. The scariest acronym in security might well be "BYOD," or "bring your own device." As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons learned from managing laptops. But it is also worth applying some of the new lessons from smartphones on the laptops, too!

To get a better understanding of the state of security in the mobile world, we (at Nemertes Research) asked IT executives to tell us about how they secure mobile devices and laptops. To make things interesting, we first asked about "mobile device" security and then followed up by asking about laptops. Now, you may be thinking that laptops are mobile devices and therefore we simply wasted a couple of questions asking the same thing again. Turns out that companies treat laptops very differently than the way they treat mobile devices (i.e. smartphones and tablets).

How to Be an Effective Security Buyer

In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation. Security is so fragmented that it is often hard to discern between hype and reality. Large security vendors try to draw you into a single-vendor closed integration package. Small vendors try to sell you the latest magic bullet, presenting what should be a feature as a whole new industry. Inevitably, you are left to cobble together disparate systems in order to get the depth of defense and layering of controls that you need.


Security Will Rescue Cloud Computing

Whenever the topic of security is mentioned in the context of cloud computing, it is usually discussed as the "big barrier" to adoption. The perceived or actual lack of security in the cloud makes it impossible for businesses to make the leap into this new computing paradigm. I propose a different perspective: Security will rescue cloud computing.


Brace Yourself for More Censorship, Data Breaches and Devices in 2011

This past year has been a doozy in the security world. We kicked off the year by discovering Operation Aurora, saw the first national-industrial sabotage attack with Stuxnet and are closing the year with Wikileaks about to become a constitutional crisis between the First Amendment and a 1917 espionage law. Reality has well and truly become weirder than fiction.

Let me dive in and make some predictions for security in 2011:

The Missing Piece of Cloud Security?

Cloud computing, especially public cloud infrastructure-as-a-service, is not yet a reality for the vast majority of companies. Recent announcements from VMware, Citrix and Oracle, however, clearly show that enterprise cloud computing is gaining momentum.

Security absurdity: U.S. in sensitive information quagmire

Google's Privacy Afterthought

A few days ago, 10 privacy commissioners from Canada, the United Kingdom, France, Germany, Italy, Spain, Israel, Ireland, The Netherlands and New Zealand wrote an open letter to Google's CEO Eric Schmidt asking for more proactive privacy protections in new applications. The commissioners are not objecting to Google's overall privacy policies, but to the way Google launches new services.


Hot Security Predictions for 2010

Looking forward to 2010 while trying to erase the memory of 2009 -- here are my security predictions for the new year.

* Security funding increases by more than 10% to recover from a year of cuts. Our research shows that security is one of the areas least likely to suffer severe funding cuts. However, given escalating threats, a flat security budget in 2009 may have been a step back for companies. Expect an attempt to make up for 2009.

Rogue Firefox Add-Ons Bring Security Risks

Security is as much about choices as it is about policies. Which software solution you pick is as important as how you configure and use it. With the vast majority of threats today coming from the Web, the choice of browser is critical. With few exceptions, most Web sites are cross-browser compatible. Choosing a browser is less about compatibility and more about usability and security.

Like many companies, Nemertes Research standardizes on the Firefox browser. There are many reasons for this choice, but a major one is security. Once properly configured and with the assistance of add-ons such as NoScript, which applies a default-deny policy to scripts on unapproved sites, Firefox becomes extremely robust and secure. It's also cross-platform, which helps in a company where we run and support multiple operating systems. Lately, however, I've become increasingly concerned about Firefox's add-ons. Add-ons are plugins that extend the browser's features. They can be used to enhance security (NoScript is a great example) or to extend features (FireBug is an indispensable Web development tool). Used sparingly, they add great value. Of course, like any piece of code, they come with bugs, memory leaks and possible security issues. So it is important to limit them to the essentials and carefully control them. But increasingly I am seeing add-ons installed that I didn't ask for.

2009 Security Forecast

My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should. As always, take these with a grain of salt.

Though these predictions are based on primary research and many, many discussions with CSOs, they concern information security only and can be affected by external factors that are unpredictable (at least by me). Case in point: My predictions for 2008 did not take into account a severe downturn in the economy that was underway already at the beginning of the year. Let's hope that my 2009 predictions also miss the mark by assuming a continuation of economic difficulties that turn out to be less severe than predicted. Here goes:

You Won't Get Fired for Outlawing IM

At a recent IT Roadmap show -- a travelling road show that brings Network World columnists "to life" -- I met two security professionals who lamented their company's security policy choices. I know that discussing the policy at a show won't change it, but it's therapeutic to commiserate about poor security policy decisions. Of course, I only have part of the picture, so it's unfair to judge those policy choices. I go for therapeutic and interesting over fair in this particular instance.

The company in question (nameless, of course) has chosen to ban all forms of instant messaging. This is a pet peeve of mine because our research shows that IM has a compelling ROI, both in hard dollars in areas such as sales, and even more so in soft productivity dollars. I am a firm believer in security that enables business risk where the risk brings a compelling ROI or competitive differentiation. After all, if we're not willing to accept some risk we should probably disconnect from the Internet and shut down the business. This argument is over IM, but it is exactly the same argument that I had 15 years ago over "connecting to this Internet thing" at financial services firms. I'm guessing that in the earlier part of the previous century there was a security professional arguing against the use of this "telephone" device that was in fashion among the younger generation.

How Recessions Make Good People Do Bad Things

Whom can you trust? In security, many of us nurture a healthy sense of paranoia and tend to be distrustful. But as human beings, as social beings, we form bonds of trust with those around us.

Behavioral psychology and sociology show that we have tribal behaviors that lead us to associate and trust those in our "tribe." These behaviors may even have biological underpinning -- we're wired to trust our group. In a modern corporate environment, our co-workers are part of our tribe, and we extend a high level of trust to them. We might want to fight our instincts on this one, however.

How to Sustain Security on a Tight Budget

Whether you believe we are in or about to enter a recession, IT budgets are certainly tightening up for 2009.

In a climate of uncertainty, CIOs are asking for across-the-board budget "constraint" until the uncertainty clears. Perhaps spending on operations is not being cut, but capital projects are being postponed unless they have a clear and short-term return on investment. Even then it may be difficult to get the initial investment approved. So in this environment, what happens to security budgets?
