Wednesday, October 17, 2012

Do security like a start-up or get fired - It's just IT

This is part of a blog series. For more details, start with the intro.

Cloud and BYOD are just IT

BYOD, of course, stands for "Bring Your Own Device". I've written a few articles about this (here and here) if you're interested in more in-depth content. I'll also be writing a follow-up post to recap my recent series of presentations on the Consumerisation of IT (update - 20 Nov 2012: follow-up post is now available). For these reasons, I'll keep this post fairly short.

Almost everyone I come across is talking or asking about Cloud and BYOD. News outlets can’t help themselves either, because putting Cloud or BYOD in the headline is click bait. An agile company, however, doesn’t talk about Cloud or BYOD. It’s called Information Technology.

Cloud is really just a change in the economic model of how an organisation pays for IT, unless you're still running everything on mainframes. Why? Because the perimeter disappeared some time ago. From a security standpoint, organisations need to focus on one thing: information.

Protect the information (notice I didn't say data), and you've solved a huge part of the Cloud security issue. This is obviously easier said than done, especially if you don't know where everything is, what information you have and how to protect it. But identifying the problem and learning what to focus on is usually the hardest part. Once you figure out what to focus on, good project management, prioritisation and resource allocation will get you most of the way. Execution gets you the rest of the way.

Both Cloud and BYOD are simply the compelling events for organisations with their heads in the sand to finally notice that there hasn’t been a security perimeter for quite some time. If you realised that a long time ago and did something about it, you're in a great position to deal with both.

Going the extra mile with tactical products like Mobile Device Management (MDM) and Mobile Application Management (MAM) should really be an extension of the endpoint management policy you've had in place. MDM and MAM should NOT be the way you deal with BYOD. As mentioned above, I'll expand on this in a later blog post (here's a sneak peek of what I said, nicely written up by ZDNet). Update - 20 Nov 2012: blog post now available.

Ultimately, it's all about the information. Figure out where it is. How people get to it. Control access (and understand context). Know the identities. Have the visibility to react quickly when required. This is called having a good security foundation to build on, with identity being at the core. Your organisation becomes more agile and security becomes a lot easier once you've got your foundation in place.

Don't let Cloud and BYOD intimidate you out of running business as usual if you've been doing it right. If you haven't been doing it properly, consider Cloud and BYOD your kick in the backside.

Next up - Standards & APIs.
