What do Virtualization and Cloud executives think about 2012? Find out in this VMblog.com series exclusive.
The Slow Death of Generic Security
Contributed
Article by Kurt Roemer, Chief Security Strategist, Citrix Systems, Inc.
We've all experienced it - security measures that seem cookie-cutter, irrelevant and invasive. It's called...generic security.
In the past, generic security was manifested in the quest for standardization and control. When IT was tasked with an objective, such as implementing security best practices or complying with regulations specified by HIPAA and PCI, it was easier to configure controls to apply across the environment. This generic layer of security resulted in security that was akin to the children's story of The Three Bears: security was often too hard or too soft - and rarely "just right."
Generic security gets in the way of business. Generic security doesn't adequately protect highly sensitive data. Generic security is expensive. Generic security needs to go. Here are two predictions specific to the gradual death of generic security in 2012:
Mobile put a PIN in the heart of security - it's time to take it out.
Depending on the situation, we need more or less than a PIN to be appropriately secure. It just amazes me how many corporate secrets are protected by a simple user-selected device PIN these days :-(. Intellectual property that should be considered private can be unlocked and easily shared with anyone at any time using just four numbers.
By the same token, that PIN becomes a nuisance rather than a benefit in certain situations. For example:
- when it restricts the device owner from accessing public content;
- when it becomes a personal safety issue for drivers by constantly nagging to be entered into a moving car's GPS navigation system;
- or, when the same PIN that opens the device for a child's game app on a device also gives that child access to a parent's corporate email.
What if a "Require PIN" setting could be applied to specific apps or screens, similar to how location services are controlled today? And a complementary "Require Passcode" setting could be used to restrict access to highly sensitive data and to enterprise information stored on a personal device, using stronger credentials such as multifactor authentication or biometric data. These capabilities could be further leveraged by enterprise apps and by Mobile Device Management (MDM) solutions.
Prediction: Vendors will be pressured to rethink device PIN schemes.
Best Practices? The monsters you know are not the real monsters.
When devices, applications, websites and data are being successfully attacked every day, it's obvious that the victims weren't focusing on the true threats. Security professionals were taught that if you focus on threats mitigated by Patching, Antivirus, SSL and Tokens (notice that this conveniently spells out the acronym PAST), everything would be OK - and secure. Note that these are all essential security technologies - but none can be relied on by itself; each must be complemented by further security layering, configuration and practices. Unfortunately, even up-to-date and professionally maintained systems have increasingly fallen victim to stealthy malware, zero-day attacks, and occasionally Advanced Persistent Threat (APT). And what if a system admin knows that there's a zero-day exploit for their favorite browser, database, or PDF reader but can't do anything about it until the vendor releases a patch?
What's needed is a sandbox to further contain risk. Browsers and other oft-attacked apps would run in the sandbox, without access to filesystems, the Windows registry, or unbridled access to the network. The sandbox would be used for apps that present business risk (such as financial systems), as well as direct risks to underlying technologies. Using application and desktop virtualization, app and worker capabilities can be further restricted to disallow the use of cut/copy/paste/print/save/email in a specific situation, further mitigating the threat to sensitive data and reducing risk. Combined with centralized control over authentication, antivirus, encryption, Data Leakage Prevention (DLP), data tokenization and redaction (just to name a few) - protection of sensitive data can be made even more specific and powerful. And, without having to reach out directly to every endpoint for every copy of apps and data, IT can respond much faster if a security issue does sneak through.
Virtualization can also protect individuals. For employees of a company that uses virtualization technology, the risk of using sensitive data while mobile is lowered because most content accessed by the device is housed remotely in the datacenter, and any local content can be wiped immediately by IT if the device is lost.
Prediction: Virtualization will be used in more creative ways to isolate and sandbox risks to both the individual and the enterprise.
###
About the Author
Kurt Roemer is chief security strategist, Citrix Systems, Inc., and
a member of the CTO Office. In this role, Roemer leads security, compliance and
privacy strategy efforts for Citrix products. As a member of the Citrix CTO
office, he sets the technical direction for security. Roemer is a seasoned
information security veteran with more than 20 years of experience in
networking, applications and the evolving Web services infrastructure markets.
He has designed, implemented and assessed solutions and policies for Fortune
1000, mid-size and government organizations worldwide. Roemer is a CISSP and is
a frequent speaker at industry conferences. Prior to joining Citrix, Roemer
held roles as chief technology officer and chief security officer at
NetContinuum, and headed up information technology practices at Micron
Electronics, NetFRAME and Hewitt. Roemer has spoken at a wide variety of
leading global security and business conferences, and has appeared as a
security-issues expert on CNN, NBC, Fox Business News and the Fox News Channel.