
In the post-PC era, information security must adapt to new realities

Alfonso Barreiro identifies some fundamental changes that infosec personnel need to make to their approach in order to operate effectively in their organizations.

If there is one thing everyone agrees on when talking about the cloud, the BYOD movement, or the consumerization of IT in general, it is that IT departments must adapt or face irrelevance. The need for change is even more pressing for information security offices, because the risks their organizations face are increasing, not only because of these trends but because of changes in the overall threat landscape. Attitudes and approaches to information security must evolve if they are to protect an organization's information assets effectively.

The disappearing network "perimeter"

Take, for instance, the network perimeter. Not so long ago (by technological standards), maintaining strong defenses at the perimeter of the network (firewall, IDS, and so forth) was one of the most important jobs of the information security office. As long as nothing from the outside could breach those defenses, it was considered a job well done. IT departments grew confident that perimeter security was enough, and internal security controls were far more relaxed. Today the notion of an impenetrable perimeter is obsolete, brought down by the rise of the mobile workforce, BYOD and other changes, each one poking holes in the traditional network boundary.

There is no denying that the network perimeter is still important. But as workers' laptops and smartphones (company-issued or personal) routinely move in and out of the organization's internal network, or reach it over VPN connections or the open internet, attention must also go to internal controls that assume an attacker will eventually compromise one of these devices or the applications it runs, and will use it as a foothold on the internal network. Yet despite the evidence of this change all around them, some IT departments (and some information security offices) live and die by the concept of an "invulnerable" network perimeter.
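To make the contrast concrete, here is an added illustration (not code from the original article or its author) of what an internal control that "assumes compromise" looks like next to the perimeter model. The perimeter check trusts anything whose source address is inside the corporate range; the posture check ignores network location and evaluates every request on who is asking, from what kind of device, for what resource. The corporate address range, the resource tiers, the patch-age limits and the sample devices and requests are all constructed assumptions for the example.

```python
"""Perimeter trust versus per-request posture checks (added illustration).

All policy values, devices and requests below are constructed sample data,
not anything from the article or a real organization.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass(frozen=True)
class Device:
    owner: str               # user the device is enrolled to
    managed: bool            # under corporate device management
    disk_encrypted: bool
    patch_age_days: int      # days since the last patch run


@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    device: Device
    resource: str


# Assumed policy: sensitivity tier per resource and the maximum patch age per tier.
SENSITIVITY = {"wiki": "low", "hr-db": "high", "source-repo": "high"}
MAX_PATCH_AGE = {"low": 90, "high": 30}


def perimeter_decision(req: Request) -> bool:
    """Old model: anything already inside the network is trusted."""
    return ip_address(req.src_ip) in INTERNAL_NET


def posture_decision(req: Request) -> tuple[bool, str]:
    """Per-request check that never consults network location.

    Every device is treated as potentially compromised, so the decision rests
    on identity binding, management state, encryption and patch currency.
    """
    tier = SENSITIVITY.get(req.resource, "high")  # unknown resources default to high
    if req.device.owner != req.user:
        return False, "device not bound to requesting user"
    if tier == "high" and not req.device.managed:
        return False, "high-sensitivity resource requires a managed device"
    if tier == "high" and not req.device.disk_encrypted:
        return False, "disk encryption required"
    if req.device.patch_age_days > MAX_PATCH_AGE[tier]:
        return False, (f"device patch age {req.device.patch_age_days}d "
                       f"exceeds {MAX_PATCH_AGE[tier]}d")
    return True, "allowed"


# Constructed sample devices and requests.
BYOD_LAPTOP = Device(owner="alice", managed=False, disk_encrypted=False, patch_age_days=120)
CORP_LAPTOP = Device(owner="bob", managed=True, disk_encrypted=True, patch_age_days=7)
STALE_CORP_LAPTOP = Device(owner="carol", managed=True, disk_encrypted=True, patch_age_days=45)

SAMPLE_REQUESTS = [
    ("byod on internal wifi -> hr-db", Request("alice", "10.20.30.40", BYOD_LAPTOP, "hr-db")),
    ("managed laptop from coffee shop -> wiki", Request("bob", "203.0.113.5", CORP_LAPTOP, "wiki")),
    ("borrowed device, internal ip -> wiki", Request("mallory", "10.1.1.1", CORP_LAPTOP, "wiki")),
    ("stale managed laptop, internal ip -> source-repo",
     Request("carol", "10.5.5.5", STALE_CORP_LAPTOP, "source-repo")),
]


def evaluate_all() -> list[tuple[str, bool, bool, str]]:
    """Return (label, perimeter_allows, posture_allows, posture_reason) per request."""
    results = []
    for label, req in SAMPLE_REQUESTS:
        ok, reason = posture_decision(req)
        results.append((label, perimeter_decision(req), ok, reason))
    return results


if __name__ == "__main__":
    for label, perim, posture, reason in evaluate_all():
        print(f"{label:50s} perimeter={perim!s:5s} posture={posture!s:5s} ({reason})")
```

The first sample is the case the paragraph warns about: an unmanaged, unpatched personal laptop sitting on the internal network is waved through by the perimeter model and refused by the posture check. The second shows the reverse, a healthy managed device outside the network that the perimeter model cannot serve at all. In practice the perimeter signal is still worth keeping as one risk input; the point is that it can no longer be the only one.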

Changing from the inside out

Perhaps the most important change a security organization can make is to alter the perception of what information security contributes to the organization. There is sometimes a serious disconnect between the information security office and the rest of the organization, and it can have any number of causes: for example, the security office may have played the role of traffic cop or referee in the past, punishing those who broke the rules. That creates the perception that the security office's only objective is saying "No". The idea that security is something negative, to be avoided lest it become an "obstacle", then spreads among the business units and even the rest of the IT department. Usually this shows up when projects move along without the security office's knowledge, or its involvement arrives too late to make a difference. Other symptoms include willful disregard of security policies or advice and the active creation of workarounds to security controls.

Changing the perception that the security office is an obstacle can be difficult, but the results are worth it. A good place to start is by becoming more involved in the day-to-day activities of the different business and IT units. That way you can detect the "pain points" of the security controls and policies that those units perceive as getting in the way of their work. This approach also gives you a deeper knowledge of how each unit operates and which information assets it actually depends on, which in turn lets you give relevant, practical advice on how to operate securely and efficiently and how to protect their critical assets effectively.

Analysts and pundits like to tell us that we are entering a "post-PC" era, but however you define it, computing has become more personal than ever. To be successful at managing and mitigating the risks of our organizations, security offices must also have a more personal touch, involving themselves deeply in how the business operates and becoming the asset the organization needs them to be.

About

I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, fo...

6 comments
Tony Hopkinson

Bit glib, isn't it? What is this post-PC era anyway? As far as mobile goes, all that's happened is your PC got smaller, and you don't have to walk around with a cable trailing after you. Cloud? Client-server writ large. Security perimeter disappearing? What perimeter? Haven't seen one since ActiveX and applets and stuff. Decades ago, that was. I appreciate you drawing this stuff to people's attention, but it's a big problem now because it wasn't considered commercially sensible to fix it when it was much smaller. Can't help but feel you are spitting into a hurricane now.

wdewey@cityofsalem.net

I'm not sure about the post-PC era, but there is definitely a lot more mobile work being done. In my opinion that isn't really the issue, though. The main problem is that bad guys are figuring out more ways to bypass the network perimeter by manipulating allowed processes. This can be through phishing, vishing or web site vulnerabilities. Once the bad guy has a hook on the inside, they can easily reach out. This doesn't belittle the need for a strong perimeter; rather, it shows that perimeter security was working extremely well (and that needs to continue, in my opinion), so bad guys turned to softer targets. Social engineering is really one of the most successful methods of penetrating a perimeter defense, which is why staff and client education is so important. It's also important to communicate in a consistent, safe manner with clients so that clients can distinguish between a valid communication and a phishing attempt.

Gisabun

Don't you love how some bozo starts with this "post-PC era" and everyone jumps on the bandwagon, and yet while they claim that this new era has already begun, end-of-year sales totals revealed that there was little drop in sales [352.8 million in 2011 and 352.7 million in 2012]. If there was an end of the "PC era", the 2012 sales would have declined by more than the [under] 0.05%.

Tony Hopkinson

Or, more correctly, there are thousands of overlapping ones, of varying quality, always leaving routes through from the places you can't trust to the places you shouldn't.

wdewey@cityofsalem.net

Well, there technically is a perimeter in that every corp has (or should have) a firewall between their ISP and the inside of their network, which is what I was referring to. I agree with your comment as well, because employees access systems outside the corp net. That access can create an unintended direct link into the system, which is where the "thousands of overlapping ones" come in. If you're not prepared for the "thousands of overlapping ones" then you're not ready for reality. Bill

Tony Hopkinson

requires people on either side to think, "oh mustn't step over that"
