- * The consumerization of IT.
- * The drive toward virtualization.
- * The challenges of the cloud.
IT managers face a tough fight on all three of these fronts, as they manage tighter budgets with the critical requirement of providing security for the data flowing into and out of their enterprise organizations every day.
Regardless of which of the three areas takes priority in your IT organization, a successful data security strategy is not merely about protecting the confidentiality and integrity of your data, but also about ensuring its availability to all authorized users.
The Consumerization of IT
The BYOD onslaught became real in 2012 and will only get more pronounced in 2013. In October 2012, Forrester reported that two–thirds of employees regularly use two or more devices at work, with 12 percent using tablets. A Juniper Research report from June 2012 predicts that the number of employee-owned smartphones and tablets used in the enterprise will grow from 150 million devices in 2012 to 350 million in 2013.
All of this doesn’t even begin to take into account the threats posed by lapses in physical security. Mobile phones are frequently lost or left behind; think about how much confidential corporate data can become exposed by someone circumventing a password or lock – a relatively easy task for any seasoned hacker. Stolen devices can compromise even the most protected encrypted data, as well as lead to unauthorized access to corporate services, such as email and the VPN.
This consumerization of IT presents serious data security challenges for IT departments, as the number of entryways opened through smartphones, tablets, netbooks and other managed or barely managed devices multiplies quickly.
The drive toward a BYOD environment is being driven by the end user. Everyone from a C-level executive to the clerk in the mailroom wants to apply the ease of use they get from their personal devices to their corporate responsibilities. But as that happens, the number of access points into the enterprise from outside the firewall continues to grow exponentially. And then the likelihood of a serious security breach skyrockets without the proper measures in place.
Today, too many IT generals are still fighting the last data war with security measures built for a time when IT controlled every device accessing the network. That’s just not the case anymore. They need to look anew at the systems in place and their capacities to plug all of the new security holes created by the consumerization of IT.
For instance, one of the biggest challenges in the BYOD environment is the greater risk posed by mobile malware. This malware can come in many forms, from stealing and possibly corrupting data, applications and communications on the devices themselves, to becoming launching points for advanced network attacks, such as advanced persistent threats and denial-of-service attacks. Cybercriminals use APTs to steal critical data and even revenue over a long period of time, and they can also be used in state-sponsored attacks on other countries. So-called “hacktivists” also use APTs to disrupt service or deface a website.
Any attack launched from a compromised mobile device poses additional difficulties for those trying to understand the who, where and why of the attack. Since the attack doesn’t often originate from a known server or fixed IP address, it is difficult to trace and even harder to combat or defend against. This is complicated even more by the fact that the mobile devices being used to generate these attacks roam from one wireless hotspot to another. Even worse, these attacks can often occur without the knowledge of the device owner.
As more mobile devices are rolled out with support for HTML5, it’s only going to get worse. Now browsers will provide access to mobile device features, such as cameras, test messages, JavaScript and more – all opening up more and more gateways for malware to attack the enterprise network. In today’s app-driven world, this presents a significant challenge for enterprise IT departments to just keep up. Just because an application is available through an app store doesn’t mean that it is secure enough for your enterprise.
Both Google’s Android OS and Apple’s iOS platform are ripe for the malware picking. Malware for Android rose 400 percent between 2010 and 2011, according to a Juniper Networks study. And iPhones and iPads are losing much of their security capabilities because of “jailbreaking,” which removes limitations imposed by Apple and allows users to gain root access to the operating system so they can download additional apps, extensions and themes not available through the iTunes App Store.
In both cases, compromising the internal security doesn’t just threaten the security of the device – it can compromise the confidentiality, integrity and availability of data inside of enterprise IT networks. IT organizations have to understand the full scope of these threats and then create new measures to address those issues.
Virtualization and the Cloud
The push toward virtualization is changing how and where data is being stored and accessed. It’s also causing a lot of security concerns. Previously, if one server went down or was compromised, it could be relatively easy to trace; in a virtualized environment that becomes more complicated.
