What’s worth protecting?
Mobility, cloud, social networking and information technology have all combined to create a new kind of computing environment. We’re always connected, wherever we are, and our data is spread between multiple mobile devices and cloud-based services. Welcome to the world of ubiquitous computing. But how do we keep it secure?
Gartner defines this merging of cloud, mobility, social networks and information as the nexus of forces. In this new computing environment, the concept of central control over a limited and well-defined IT resource is fading, and the traditional IT infrastructure is becoming less relevant, it says.
Or, as David Lacey likes to put it: “It’s already dead.” Lacey, who has managed security for organizations including the Royal Mail, Dutch/Shell and the Foreign and Commonwealth Office, also helped write the BS7799 security standard and was a founding member of the Jericho Forum.
CIOs have already seen their infrastructures becoming more permeable, says Lacey, as they are forced to open them to third-party business partners, and as mobile and cloud-based technologies make their own employees’ IT usage habits less predictable.
“For the last 10 years, all organizations have been progressively deperimeterized, whether they liked it or not,” says Lacey. “Services are now being outsourced, the clients have become mobile – so it’s really a trend that has been going on for some time.”
Some more traditional organizations, particularly in heavily regulated and conservative sectors, such as finance, may be among the last adopters of this new, ubiquitous computing environment, but they, too, will succumb.
Everything is connected
This has led to a mingling of traditionally separate domains, warns Paul Midian, a director in the cyber security practice at PwC. “The notion that each company has their own, separate (even logically separate) infrastructure is no longer valid. More or less everything is now connected,” he warns.
This creates some challenging problems. Just as ubiquitous computing is collapsing the barriers between companies, it is also blurring the lines between personal and work usage. Both types of information are sitting on the same physical hardware, some of which an organization may not own.
Instead of trying to control a fluid, unpredictable flow of hardware, companies must therefore focus on protecting the information that they contain. “The tangible assets need to be divorced from the intangible. At this point, the ownership of the tangible assets becomes moot,” says Midian.
Interdependencies of multiple layers
One of the defining characteristics of the new IT ecosystem is its complexity. “It can be treated as a multi-layer model of communication, which requires security at each and every layer. Due to interdependency among different layers, one security flaw could have substantial impact on another,” says Aditya Sood, a PhD graduate from Michigan State University and a member of consulting group SecNiche, which specializes in malware.
These complexities can have devastating results, says Peter Glock, Solutions Director for Secure Infrastructure at Orange Business Services. “If you connect things together, things will go wrong,” he says, recalling Amazon’s vast cloud outage of April 2011. “Amazon’s East Coast infrastructure went down because of some low-level problem in a router somewhere,” he remembers.
Today’s intricately connected infrastructures are vulnerable to chaos theory: if a digital butterfly (or errant engineer) flutters his wings in one part of the network, it can have significant effects in other areas.
It isn’t just ubiquitous computing infrastructures that suffer from security and reliability threats; the data structures that they support can also be vulnerable. Big data – vast, previously unmanageable information sets generated by mobile devices and social networks – resides in cloud computing infrastructures, and it creates new security risks, warns Glock.
“There are more data points to attack,” he says, especially now that temporal factors are coming into play. Previously, data was largely static, or might be updated relatively infrequently. Now, big data sets are updated in real or near-real time. That means that data thieves can steal individuals’ information from different time periods and compare the results.
Change security mindset
All of this means that our thinking about security must fundamentally change, say experts. In a hyper-connected world, where mobile and social networks dominate, the old thinking isn’t working. That’s why we’re still reading stories about LinkedIn’s password stash being stolen and then decrypted online. It’s why attackers can send the S&P 500 plunging by $136bn with a single Tweet. Three things have to change: skills, speed and focus.
September 2013 was the 20th anniversary of ISO 27002, the specification that the ISO 27001 security standard was based on, points out Lacey. The Web as we know it was barely formed. The early adopters were still using Netscape. Things need updating, he argues.
Current IT management often focuses on the Deming loop, a pattern of management whose basic tenet is “plan, do, check, and act,” an 18-24 month cycle that often requires a committee to form a policy. Instead, Lacey recommends the Boyd cycle, which is a pattern of fast reaction prescribed by the U.S. military for aerial dogfights. Its tenet is “observe, orient, decide, and act.”
This requires an entirely different set of skills than the ones CISOs have today, which have been reinforced by traditional training and auditing procedures. Relationship building is one, according to Lacey. “You need very good commercial skills, in terms of managing contracts and outsourcing relations,” he says, adding that there must be more rigor around choosing business partners and technology service providers. “It should be a quantitative risk decision, rather than a ‘tick box’ thing, which is how suppliers are dealt with at the moment by security CISOs.”
New technology emerging
There are some new technologies emerging that can help in the battle for security on a hyper-connected, ubiquitous computing landscape. MicroVPNs are one, says Glock. These virtual private networks secure connections on a per-application basis, rather than simply creating a large encrypted pipe down which all data can flow. That helps to control what mobile communications are allowed on a corporate network, for example.
Another, which is further off, is “homomorphic” encryption. This theoretically allows actions, such as searches, to be performed on data without decrypting it, making it a useful concept for secure cloud environments. However, while researchers have proven that it is possible, it is not workable at current computing speeds.
One thing that is workable today in a mobile, cloud-based environment is moving ID management and authentication to a federated identity system. It is far safer to manage authentication with multiple cloud-based services using a single point, says Glock. Again, this requires a new way of thinking about security, in which users will no longer even know their login credentials with individual cloud-based systems. “At the raw connectivity level, everything can get to everything,” he points out. “So you don’t do this at the network level anymore; you do it at the application level.”
Because people are accessing systems owned by multiple providers, from different devices, for a variety of different purposes, old methods of control will not work. More nuanced approaches, such as application-layer authentication and permissions management, enable organizations to be more agile in their security approaches, says Glock.
“If the network is going to be much bigger, you have to put soft dividing lines in it,” he says. “Have doors with locks on them inside your house. If someone is allowed to use the kitchen, that’s fine. If they need to visit the bathroom, they’ll need another key. You might give them one key, but not the others.”
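The federated, application-level model described above can be sketched in a few lines. This is an added example, not code from the article or from anyone quoted in it: the identity provider signs a short-lived assertion listing which "rooms" a user may enter, and each service checks that assertion instead of holding the user's password. The function names, the shared demo key and the HMAC signature are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the hypothetical identity provider (IdP) and
# the services that trust it. Real federations (SAML, OpenID Connect) normally
# verify the IdP's asymmetric signature instead of using a shared secret.
IDP_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_assertion(user, audience, scopes, ttl=300, now=None):
    """IdP side: sign who the user is, which service it is for, and which doors open."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "scopes": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def authorize(token, service, required_scope, now=None):
    """Service side: return (allowed, reason). The service never sees a user password."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if claims.get("aud") != service:  # assertion was issued for another service
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:  # short lifetime limits replay of a stolen token
        return False, "expired"
    if required_scope not in claims.get("scopes", []):  # one key per room
        return False, "missing scope"
    return True, "ok"
```

The signature is checked before any claim is read, so a token whose scope list has been edited fails at the first step rather than at the scope check.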
However, the change in thinking goes even deeper in the world of ubiquitous computing. Assume that you have already been compromised. Concentrate on protecting data, rather than simply ring-fencing physical systems. Deploy technologies in your infrastructure that spot anomalous behavior. And above all, concentrate on required outcomes, rather than simply focusing on controls.