The big flaw in conventional thinking on information security has been exposed now that IT is losing direct control over enterprise computing.
For years, IT has made the mistake of equating ownership with security, according to analyst firm Gartner. But with staff increasingly using their own devices and non-IT functions buying cloud services, the failings of that assumption are clear.
"It's not about ownership and control. That worked in the past because we owned everything. We don't own everything and we need new models for trust and trustability that do not rely on direct ownership," VP and Gartner Fellow Neil MacDonald said.
"In fact information security was never about device lockdown, or dictating applications or building firewalls. It was always about protecting the confidentiality, the integrity, the authenticity, the availability of information. That's our job," he told an audience at last week's HP enterprise security event in London.
According to MacDonald, IT's loss of control is one of three fundamental issues facing security, along with advanced targeted attacks and the friction caused by the business chafing against restrictive security measures.
Compensating security controls
To make up for the decline in its direct influence over technology, IT has to come up with compensating controls for information held on personal devices it doesn't own and on servers in a provider's cloud, MacDonald said.
"We have to start changing our mindset, and another inversion in information security. Lots of security folks start from the bottom up," he said.
"It's about lockdown, locking down the network and the operating systems, issuing a standard image and, 'You only get the applications I give you'. That's typically how IT works. They're trying to equate ownership and control with trust. We need to flip the model."
A top-down approach to security controls is based not on hardware, networks or devices but on the value of the information, using logical containers such as applications to protect the data wherever it travels.
This shift is accompanied by a move to context-aware security, which involves taking a leaf out of consumer banking's book, MacDonald said.
For example, a woman logged on to her bank account from a laptop is trying to transfer $1,000 to another account.
"She's logged in with valid credentials, so what are we missing? Context. Let's add some context, some information about this to make a decision in real time. So we geo-resolve the IP address to China. The time of day is 1am EST. Last time she logged in was in Connecticut six hours ago," MacDonald said.
"It's physically impossible for her to be in China. The device? Never seen it before. Never profiled it. Unknown device, wrong time of day, physically impossible for her to be in China, therefore an action I might have allowed, I now deny based on context."
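The decision MacDonald describes can be written down as a small risk-scoring routine. The following is an added example, not code from the article, from Gartner or from any bank: it folds the three signals he names (unknown device, wrong time of day, impossible travel between the previous and current login locations) into a single score, and instead of a binary allow/deny it has a middle band that demands a step-up authentication, which is the "shades of grey" trust scoring the article returns to later. The GeoIP table, the device fingerprints, the weights and the thresholds are all constructed for illustration; a real deployment would take them from a GeoIP database, a device-profiling service and tuning against actual fraud data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed lookup table standing in for a GeoIP database. The prefixes are
# RFC 5737 documentation ranges; their mapping to cities is invented for this example.
GEOIP = {
    "203.0.113.": ("CN", 39.9, 116.4),    # Beijing
    "198.51.100.": ("US", 41.8, -72.7),   # Hartford, Connecticut
}

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # faster than an airliner: treat as impossible travel
OFF_HOURS = range(0, 6)            # local hours 00:00-05:59 count as unusual (assumed)


@dataclass(frozen=True)
class Login:
    ip: str
    device_id: str      # fingerprint from device profiling (opaque string here)
    when: datetime      # timezone-aware, UTC


@dataclass(frozen=True)
class Decision:
    action: str         # "allow", "step_up" or "deny"
    score: int
    reasons: tuple


def geo_resolve(ip: str):
    """Return (country, lat, lon) for an IP, or None if we cannot resolve it."""
    for prefix, location in GEOIP.items():
        if ip.startswith(prefix):
            return location
    return None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, used for the velocity check."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_transfer(current: Login, previous: Optional[Login],
                   known_devices: set, user_utc_offset_hours: int) -> Decision:
    """Context-aware decision for a money transfer; weights are illustrative."""
    score, reasons = 0, []

    # 1. Device: have we profiled this fingerprint before?
    if current.device_id not in known_devices:
        score += 30
        reasons.append("unknown device")

    # 2. Time of day, evaluated in the customer's own timezone, not the server's
    local_hour = (current.when + timedelta(hours=user_utc_offset_hours)).hour
    if local_hour in OFF_HOURS:
        score += 20
        reasons.append(f"off-hours login ({local_hour:02d}:00 local)")

    # 3. Geo-velocity: could the customer physically have moved this far since last login?
    here = geo_resolve(current.ip)
    there = geo_resolve(previous.ip) if previous else None
    if here is None:
        score += 15
        reasons.append("unresolvable IP")
    elif there is not None:
        distance = haversine_km(here[1], here[2], there[1], there[2])
        hours = max((current.when - previous.when).total_seconds() / 3600, 1 / 60)
        if distance / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {distance:.0f} km in {hours:.1f} h "
                           f"({there[0]} -> {here[0]})")

    # Graded outcome rather than a binary trust decision
    action = "deny" if score >= 60 else "step_up" if score >= 30 else "allow"
    return Decision(action, score, tuple(reasons))


def article_scenario() -> Decision:
    """The case from the talk: 1am EST, China, unknown device, Connecticut 6h earlier."""
    now = datetime(2013, 9, 24, 6, 0, tzinfo=timezone.utc)          # 01:00 EST (UTC-5)
    previous = Login("198.51.100.23", "laptop-7f3a", now - timedelta(hours=6))
    current = Login("203.0.113.9", "unknown-9c21", now)
    return score_transfer(current, previous, {"laptop-7f3a"}, user_utc_offset_hours=-5)


def known_device_abroad() -> Decision:
    """Same device the customer always uses, daytime, but from China 6h after Connecticut."""
    now = datetime(2013, 9, 24, 19, 0, tzinfo=timezone.utc)         # 14:00 EST
    previous = Login("198.51.100.23", "laptop-7f3a", now - timedelta(hours=6))
    current = Login("203.0.113.9", "laptop-7f3a", now)
    return score_transfer(current, previous, {"laptop-7f3a"}, user_utc_offset_hours=-5)


def baseline() -> Decision:
    """Usual device, daytime, same state as the previous login."""
    now = datetime(2013, 9, 24, 19, 0, tzinfo=timezone.utc)
    previous = Login("198.51.100.23", "laptop-7f3a", now - timedelta(hours=6))
    current = Login("198.51.100.7", "laptop-7f3a", now)
    return score_transfer(current, previous, {"laptop-7f3a"}, user_utc_offset_hours=-5)


if __name__ == "__main__":
    for name, decision in (("article", article_scenario()),
                           ("known device abroad", known_device_abroad()),
                           ("baseline", baseline())):
        print(f"{name}: {decision.action} (score {decision.score}) {decision.reasons}")
```

The same credentials produce three different outcomes depending only on context: the article's scenario is denied outright, the baseline is allowed, and a known device making an impossible trip lands in the middle band where a second factor is demanded rather than the transaction refused. Note the velocity check uses the customer's previous login, so it is only as good as the stored login history, and the time-of-day check must be done in the customer's timezone, not the server's, or every overseas traveller looks anomalous.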
Transactions on consumer-owned devices
The bank does not dictate whether the customer uses Windows, or Internet Explorer rather than Chrome or Safari, or whether the customer's machine is patched or running antivirus software, yet it can still handle these sensitive transactions on consumer-owned devices.
"So why can't IT? What is so different? The techniques and technologies used in consumer banking for device profiling, fingerprinting, for back-end transaction anomaly detection, fraud detection, these will be used in enterprise IT," MacDonald said.
"It's the same problem. They've been doing this now for 10 or 15 years. We can learn from how consumer banking is handling unknown, unmanaged devices."
He said car auctions worth millions annually take place on eBay despite the risks, partly because of the reputations of buyers and sellers and what others say about them.
"We are doing the same thing for IT elements and entities: reputations of IP addresses, URLs, domain names, email senders, device reputation, certificate reputation now emerging with Windows 8.1, email gateways, content and file reputation — the entire stack," MacDonald said.
"Reputation, this notion of trust scoring, helps us fill in these blanks because we have this flawed assumption we either trust something or we don't. The real world is full of shades of grey and where do we draw our line in terms of trust in allowing a transaction to take place in the context, given what I know about these different elements of the stack," he said.
"That's exactly what the banks are doing and that's what IT increasingly will do in adaptive security policy enforcement."