Discover Performance: HP Software's community for IT leaders // January 2013
Next BYOD security challenges: cloud, connectivity
The former editorial director of Black Hat has a surprising take on mobile device security.
The popularity of tablet computers and other mobile devices is changing how people think about their connectedness, and this, more than anything, will make “bring your own device” a continued security headache for enterprises in 2013 and beyond, says Robert Richardson, editorial director of the Security Media Group at TechTarget.
Richardson, a former director of Black Hat and the Computer Security Institute, explains that mobile devices are inherently more secure than desktops and laptops. The real challenge ahead for enterprise security is addressing our new device-shifting usage patterns.
Q: What are the top issues that security leaders must be thinking about in 2013?
Robert Richardson: There's no question that mobile devices in the workplace are a steadily rising tide. There will be lots of device-management issues, but perhaps not as many outright security issues, insofar as the current state of smartphone operating systems offers a lot more inherent security than traditional computers do. Somewhat related to this is the general shift toward BYOD in some organizations. At present, I think the potential effects of this are overstated, but on the other hand, I've always tended to prefer my own equipment, rogue that I am, so I'm glad if CISOs are thinking about how to accommodate BYOD.
Q: How will BYOD protection be different this year compared to last?
RR: One large change that's lurking behind things like BYOD and big data is the number of devices that people use to implement their presence on the Internet. The number of things that talk to the net and that can be monitored because they talk on the net is rocketing upward exponentially. That's nothing new this year, to be sure, but it feels like the sudden ubiquity of tablet computers has shifted how people feel about their own connectedness. There's a new presumption that the tasks you carry out on the Internet will move fluidly from one device to another, based on which device is best for what you're doing right now. This creates a lot of complexity when it comes to thinking about use cases and how to secure them.
Q: Sounds like security is catering more to user trends, becoming service oriented. Can that work?
RR: Effective security has always catered to users, though obviously there are some tradeoffs that have to be made. If you ignore what people are trying to get done when they use computers and networks, you'll find yourself locking down processes while users find detours that you're not aware of and aren't protecting.
What's different now is the way cloud applications separate what you're doing from the device you're using to do it—more service oriented in that sense. Whether this is harder or easier to keep secure remains to be seen, but my gut tells me it's going to be harder, just because there are a lot more moving pieces and lots more exposed attack surfaces now that each user's data and the state of all their processes is stored in the cloud.
Q: So many workers are already bringing their own devices to work. Is it OK to limit the devices/operating systems you will support in the enterprise, or do you need to be prepared to support anything?
RR: For the foreseeable future, it seems inevitable that there will be limitations on the devices that enterprises will be able to support, at least where direct access to internal business applications and data stores is involved. I suspect there will be a sort of tiered arrangement where you can't do much if you've got a device that isn't readily locked down, can do more if you're on a standard platform like Apple's iOS and are willing to cede some kinds of control over what you run, and perhaps there will even be a higher-privilege tier if you're willing to let the organization run a security and management app on your device. There are mountains of details to be worked out in this scheme, though, so life will be interesting for a while.
Q: What else do you need to change to limit risk in a BYOD world?
RR: I rather suspect we'll wind up using something akin to the trusted computing scheme that Microsoft tried to introduce with the Vista OS. In that scheme, you could use a hardware root-of-trust to gain control and trust over every layer of the OS from BIOS right on up through specific applications, with that entire stack completely separated from normal, insecure operations. That's what we need for BYOD: I as a consumer do what I want with my consumer device, but I allow my employer to cordon off a "segment" of the device that essentially runs its own completely separate environment.
Curiously, the physical trust root is already present on most of the new gadgets; it's just everything above it that we're a long way from deploying. And it's interesting to note that the trusted computing component of Vista was roundly rejected by corporate customers at the time.
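The "every layer from BIOS on up" chain Richardson describes is what a measured boot built on a hardware root of trust does: each layer hashes the next into a tamper-evident register before handing off, and the enterprise side compares the final value with a known-good policy before it unlocks its cordoned-off segment. The following is an added illustration, not code from the interview or from any vendor; the component images, the policy value and the function names are constructed stand-ins.

```python
"""Toy measured-boot chain in the style of a TPM PCR extend.
Added example for illustration; component images and policy are constructed."""
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(register: bytes, component: bytes) -> bytes:
    # PCR-style extend: new = H(old || H(component)). The result depends on
    # order and cannot be rolled back, which is what gives the chain meaning.
    return sha256(register + sha256(component))

def measure_chain(components) -> bytes:
    register = bytes(32)  # the register is all zeros at power-on
    for image in components:
        register = extend(register, image)
    return register

def admit_to_enterprise_tier(components, expected_register: bytes) -> bool:
    # Constant-time compare so the verdict does not leak which byte differed.
    return hmac.compare_digest(measure_chain(components), expected_register)

# Constructed sample stack: firmware -> bootloader -> kernel -> managed segment
GOOD_STACK = [b"firmware v1", b"bootloader v1", b"kernel v1", b"work-segment v1"]
# The policy an enterprise would store: the measurement of the approved stack.
APPROVED_MEASUREMENT = measure_chain(GOOD_STACK)

def tampered_kernel_rejected() -> bool:
    # One modified layer changes every measurement after it.
    stack = list(GOOD_STACK)
    stack[2] = b"kernel v1 + unsigned patch"
    return not admit_to_enterprise_tier(stack, APPROVED_MEASUREMENT)

def reordered_layers_rejected() -> bool:
    # Same images, different order: an extend chain is not a bag of hashes.
    stack = [GOOD_STACK[1], GOOD_STACK[0]] + GOOD_STACK[2:]
    return not admit_to_enterprise_tier(stack, APPROVED_MEASUREMENT)

if __name__ == "__main__":
    print("approved stack admitted:",
          admit_to_enterprise_tier(GOOD_STACK, APPROVED_MEASUREMENT))
    print("tampered kernel rejected:", tampered_kernel_rejected())
    print("reordered layers rejected:", reordered_layers_rejected())
```

A real device would hold the register in the hardware root of trust and sign it for remote attestation; the comparison logic on the verifying side is the same.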
Q: If it failed on Vista, why will it work on tablets and phones?
RR: It was rejected on Vista not so much by consumers but, pre-release, by developers of shrinkwrapped software, as well as enterprise IT departments. The problem was that it, of necessity, stopped running processes that broke the ground rules of the operating system. Software vendors didn't want to do rewrites; IT departments didn't want to support an OS that suddenly made go-to programs look buggy. The thing is, the programs really were buggy—they cheated to make certain bits of code run faster, but that sort of cheating really did make the systems more vulnerable.
In the interim, a greater percentage of business applications have been updated along the way, and one suspects that there would be less disruption. More to the point: both iOS and Android have enforced some of the same restrictions from the beginning. Apps running on an iPad can't share data with other apps in memory—great for security and already the de facto norm. There's not a hardware root-of-trust running beneath the apps, but it's a lot easier to imagine slipping that in beneath iOS than it was to do so beneath Windows XP.
Q: So device manufacturers are smoothing the path a bit?
RR: Assuming you mean physically based roots-of-trust, yes, manufacturers are on the right page there. Additionally, Apple in particular has made some smart design decisions about iOS that have given its devices an admirable security track record. At the end of the day, though, it's almost more about how the operating systems of these devices are designed and whether the creators of "app stores" are aggressive enough in squelching malware—less a function of the hardware design itself.
Q: It sounds like you expect BYOD-related security issues to resolve relatively easily and that they won’t be of particular concern beyond, say, this year?
RR: I wouldn't go that far. I think mobile devices have better security—in some cases, markedly better security—than do desktop and laptop computers. This is in some measure a result of the fact that so many of these devices are tied to wireless carrier networks. The carriers don't want devices that they’re responsible for making work to suddenly turn into attack zombies. You can quibble about their tactics, but the fact is, botnets run on PCs, not iPhones.
So the devices that BYOD contemplates at present are less likely to produce outright security disasters as things stand. That said, current security threats are already migrating to some of these devices from the desktop world, so there will be issues over the longer haul and, of course, now there will be lots of different kinds of devices to keep locked down at the same time.
For more, read an outtake from this interview on our blog, where Richardson talks about CISOs’ recruiting challenges in the year ahead. For more on securing the enterprise in 2013, visit HP Enterprise Security.