IT's control freak security mentality is starting to unravel

Summary: With the rise of the cloud and staff using their own devices, IT's mistaken assumptions about ownership, control and security are becoming apparent.


The big flaw in conventional thinking on information security has been exposed now that IT is losing direct control over enterprise computing.

For years, IT has made the mistake of equating ownership with security, according to analyst firm Gartner. But with staff increasingly using their own devices and non-IT functions buying cloud services, the failings of that assumption are clear.

"It's not about ownership and control. That worked in the past because we owned everything. We don't own everything and we need new models for trust and trustability that do not rely on direct ownership," VP and Gartner Fellow Neil MacDonald said.

"In fact information security was never about device lockdown, or dictating applications or building firewalls. It was always about protecting the confidentiality, the integrity, the authenticity, the availability of information. That's our job," he told an audience at last week's HP enterprise security event in London.

According to MacDonald, IT's loss of control is one of three fundamental issues facing security, along with advanced targeted attacks and the friction caused by the business chafing against restrictive security measures.

Compensating security controls

To make up for the decline in IT's direct influence over technology, it has to come up with compensating controls for information on personal devices it doesn't own and on servers in a provider's cloud, MacDonald said.

"We have to start changing our mindset, and another inversion in information security. Lots of security folks start from the bottom up," he said.

"It's about lockdown, locking down the network and the operating systems, issuing a standard image and, 'You only get the applications I give you'. That's typically how IT works. They're trying to equate ownership and control with trust. We need to flip the model."

A top-down approach to security controls is not based on hardware, networks, or devices but on the value of the information and the use of logical containers, such as applications, to protect the data.

This shift is accompanied by a move to context-aware security, which involves taking a leaf out of consumer banking's book, MacDonald said.

For example, a woman logged on to her bank account from a laptop is trying to transfer $1,000 to another account.

"She's logged in with valid credentials, so what are we missing? Context. Let's add some context, some information about this, to make a decision in real time. So we geo-resolve the IP address to China. The time of day is 1am EST. Last time she logged in was in Connecticut six hours ago," MacDonald said.

"It's physically impossible for her to be in China. The device? Never seen it before. Never profiled it. Unknown device, wrong time of day, physically impossible for her to be in China, therefore an action I might have allowed, I now deny based on context."
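The context check MacDonald describes, written out as a risk score (an added example, not code from the article or from Gartner). It assumes hypothetical thresholds and constructed coordinates and device names; the geo-resolution of the IP address is taken as already done.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
# Hypothetical thresholds: a real deployment tunes these to its own traffic.
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner, so the move is physically impossible
NORMAL_HOURS = range(7, 22)  # local hours considered usual for this customer
DENY_AT = 50                 # risk score at which the transfer is denied

@dataclass
class Login:
    country: str        # geo-resolved from the client IP (constructed, no real lookup here)
    lat: float
    lon: float
    when: datetime      # timezone-aware
    device_id: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def score_context(current, previous, known_devices, home_tz):
    """Sum risk from the article's three signals: impossible travel, unseen device, odd hour."""
    score, reasons = 0, []
    if previous is not None:
        hours = (current.when - previous.when).total_seconds() / 3600
        km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h "
                           f"({previous.country} -> {current.country})")
    if current.device_id not in known_devices:   # never profiled this device
        score += 20
        reasons.append(f"unknown device {current.device_id}")
    local_hour = current.when.astimezone(home_tz).hour
    if local_hour not in NORMAL_HOURS:
        score += 10
        reasons.append(f"unusual hour: {local_hour:02d}:00 local")
    return score, reasons

def decide(current, previous, known_devices, home_tz):
    """Allow or deny the transfer; the same valid credentials get a different answer with context."""
    score, reasons = score_context(current, previous, known_devices, home_tz)
    return ("deny" if score >= DENY_AT else "allow"), score, reasons

# Constructed sample replaying the article: a Connecticut login, then six hours later a
# transfer request from an unseen device in China at 1am in the customer's EST home zone.
EST = timezone(timedelta(hours=-5))
KNOWN = {"laptop-ct-01"}
PREV = Login("US", 41.76, -72.67, datetime(2013, 9, 17, 19, 0, tzinfo=EST), "laptop-ct-01")
NOW = Login("CN", 39.90, 116.40, PREV.when + timedelta(hours=6), "unseen-device")
```

Calling `decide(NOW, PREV, KNOWN, EST)` returns a denial with all three reasons listed, while the earlier Connecticut login on the known device at 7pm scores zero.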

Transactions on consumer-owned devices

The bank does not dictate whether you use Windows, or Explorer rather than Chrome or Safari, or whether the customer's machine is patched or running antivirus software, yet it can handle these sensitive transactions on consumer-owned devices.

"So why can't IT? What is so different? The techniques and technologies used in consumer banking for device profiling, fingerprinting, for back-end transaction anomaly detection, fraud detection, these will be used in enterprise IT," MacDonald said.

"It's the same problem. They've been doing this now for 10 or 15 years. We can learn from how consumer banking is handling unknown, unmanaged devices."

He said car auctions worth millions annually take place on eBay despite the risks, partly because of the reputations of buyers and sellers and what others say about them.

"We are doing the same thing for IT elements and entities: reputations of IP addresses, URLs, domain names, email senders, device reputation, certificate reputation now emerging with Windows 8.1, email gateways, content and file reputation — the entire stack," MacDonald said.

"Reputation, this notion of trust scoring, helps us fill in these blanks because we have this flawed assumption we either trust something or we don't. The real world is full of shades of grey and where do we draw our line in terms of trust in allowing a transaction to take place in the context, given what I know about these different elements of the stack," he said.

"That's exactly what the banks are doing and that's what IT increasingly will do in adaptive security policy enforcement."

  • But the Banks always cover their * with the customer agreement.

    The fine print always says the bank will take "reasonable precautions" to ensure that only actual customer-authorized transactions take place, and that if they fail, and admit they were wrong, their only liability is to reverse the bad transactions, but they are not liable for "consequential damages" (such as: your home was foreclosed - even by the same bank - because the missing money kept your payment from being made on time, before the fraud was discovered and the money refunded). In other words, they suffer no consequences except some bad PR and a small (to them) refund if they screw up.

    For most EMPLOYEES, however, any mistake that causes a loss to their EMPLOYER, however innocent in intent, can result in termination ... in some companies, IMMEDIATE termination without investigation, EVEN if there was fraud that deceived the company "in a reasonable context" causing an intruder to be recognized as the employee. And in some industries, such as health care, penalties for the COMPANY are harsher than the self-limited ones in banking "agreements" due to specific public laws (HIPAA, for example).

    So the ENTIRE context must also be considered. Should an employee who CARELESSLY lets malware on his/her device be treated the same as one who SCRUPULOUSLY follows the security procedures prescribed by the boss, yet the malware or the hacker gets in anyway? How much exposure does the company, and/or the employee, have to civil or CRIMINAL liability? Depends on the industry, of course; if the leaked information was the design of a nuclear bomb trigger, or the arming codes for a cruise missile, there might be NO room for an honest mistake, leading to permanent "termination" for one or more people in the company.

    As I am retired and not doing consulting, this would not affect me, but if it did, I would NOT work for a company that expected me to do ANYTHING involving company work on company data using my devices rather than company-issued ones. I would rather carry three smartphones, not just two, rather than have my personal life mingled with company data.
    • It is Not That Complicated

      Where I work, employees are NOT permitted to put data that they work with on any mobile device. If the device is lost, it is always the employee's fault since data is not permitted to leave the building. Not that anyone has ever lost their job here, even with a breach. Such is government, I suppose.
    • Slight Correction

      Devices that are approved and fully encrypted are allowed to hold data. But there is still a lot of paperwork involved even in that. Bottom line: They can hold the employee responsible (if they wanted to).
  • Shades of gray

    The idea that security is separate from the real world may have worked in the simpler old days but it is long overdue that it reflects what's happening today where a multiplicity of factors are in play in all facets of IT, especially security. While the idea of context may not work 100% of the time, it certainly makes sense to build on the idea of trust using situational data to determine the authenticity of data transactions. It should be the goal of IT to reduce, as much as possible, the risks associated with multiple users, devices, access points, and stupidity, because that is the real world equation of today.
    • That's exactly it

      Even if it means banning BYOD, I make it a point not to connect business-related services such as email on personal devices. Business control of devices is still a valid way to control data leakage.
  • Security teams should be providing solutions not barriers

    Most of the security people I encounter are all about blocking what the business people want to do and playing their security card with vague threats and false doomsday scenarios. Rather they should be informing how things can best be done and what risks exist but not in a way so as to create roadblocks. i.e. solutions not power trips.
  • Security Teams Are Not Just I.T.

    You want your I.T. teams to provide you the wherewithal to use personal devices, to install untested non-secure apps which access proprietary and privacy-needed data on devices not under I.T.'s control?

    Then work with the Team. You can start with the company lawyers. They in conjunction with CEO's, COO's, CFO's - and Stockholders - make the decisions about what I.T. is allowed to do or not do.

    Stop blaming your support personnel. Stop doing things that compromise your firm, your customers, and your jobs. Instead of just bringing in, installing without approval, and the like, present a business case for approval of the things you want to do. And be prepared to accept responsibility when unforeseen consequences place your customers and your fellow employees at risk.

    In other words, stop the mindless finger pointing and join in to create the solutions.

    Otherwise, shut the hell up and comply with the employment policies, procedures, and agreements you signed onto when you were hired, or retained.
    • Could not...

      Have put it better. People just want their toys, and the second there's a breach none of them will own it. They'll point their fingers at the CSO and move on.
  • Who is going to pay for all of support costs for this BYOD goodness?

    The bank does not dictate whether you use Windows, or Explorer rather Chrome or Safari, or whether the customer is patched or running antivirus software, yet can handle these sensitive transactions on consumer-owned devices.

    "So why can't IT? What is so different?"

    The difference is fundamental. The bank is primarily providing access to data, maybe a simple HTML applet. If there is a problem accessing the data, the bank will rarely work to help you with it. They will just say it is not their fault or problem. In house IT is providing full service. When an application doesn't work as expected, in-house IT has to fix the problem. When a device does not connect, in-house IT has to fix the problem.

    Bottom line, it is easier, AKA CHEAPER, for IT to support a limited set of hardware and software. BYOD is changing that, but it is going to take time for IT to adapt. Part of the adaptation is higher support costs and limits on what hardware/software qualifies for BYOD.

    It is the same old story, "IT is too slow, I wanna do it all myself", aka BYOD and departmental clouds. But the minute something goes wrong, they call IT for support, and expect to get it "for free", even though IT knows nothing about the details of the hardware/software in question.
  • The descendants of Google Glass...

    will make IT level security next to impossible. Here's how:

    An employee is reading/skimming through an important, confidential company document that is 130 pages long. It only takes 30 sec, because he is pausing every now & then, but mostly tapping the "next page" link. 30 seconds after that, a perfect replica of the document (which has been captured by high-speed video & encrypted) is wirelessly transferred to a receiver in a briefcase he set behind the bushes about 60 feet away (outside). The employee's Google Glass, Jr. device is then automatically wiped clear in another 20 seconds; it now holds no company data, encrypted or not. Someone else, at 2am, retrieves the briefcase, careful to avoid the security cameras pointed at building entrances.

    This is an example of document theft; the stolen IP could be anything which appears on a screen or can be seen with the human eye. Of course, a version of this could be (is being) done today, but not nearly as quickly and easily. Furthermore, with virtual currency gaining widespread use, payment for the document would also be impossible to trace.

    The right way to combat this has nothing to do with IT. The right way is to hire employees with a lifelong track record of honesty, and then to incent them to protect company IP as if they were stockholders. IOW, this is a spiritual issue.
  • Naive Thinking

    Anybody who thinks you can abandon the bottom-up approach (traditional risk-based vulnerability and practical configuration management) for this top-down approach is naive and will deserve to be fired when the inevitable breach occurs. All this stems from the conception among non-technical management that IT security is an out-of-control op-ex cost, and not an integral component of your product development and brand identity in the 21st century.
  • um

    In the days of paper and pencil, there was such a thing as data that did not leave the office. It stayed locked up in the office. It was a breach to take it home in your briefcase.

    No angst about employees bringing their own briefcases, and did security have to provide briefcase locks?

    If it was company data, then if you lost it you're in trouble.