I attended a security conference a short time back (http://nuspire.com/CAMPIT.aspx). There were two panel discussions that involved securing network data sources while allowing social networking by employees. The discussions covered a wide range of topics, the first of which was whether to allow access to social networking using corporate networking resources. The second was whether to allow employees to use privately owned devices with social networking capabilities to connect to the corporate network. The last was whether to allow employees to use their smart devices while at work without connecting them to the corporate network.
The audience was obviously very interested in this topic, since it carried over into a table discussion during lunch. I listened to the banter back and forth about the reasons why it should be allowed, and while most had their valid points, they reminded me of similar discussions in the past about other newly emerging technologies.
These types of discussions always start the same way: this is really "cool", "cutting edge", "enabling", or "the wave of the future". I was surprised to hear this same rhetoric while attending a security conference. In the past it was usually heard while speaking with networking, server, or desktop support personnel. The security person has always dealt with the attitude that all data must be available all of the time to everyone.
While this may be an overstatement of the attitude, it is indicative of the problem of securing data. There are many reasons for this attitude, one being that it is easier to just give everyone access. The creation of role-based access control (RBAC) is a significant administrative effort for the network and system administrators. This effort is an ongoing task that includes determining who should have access to what, and when. This type of policy change typically requires a new mindset across the entire company.
The "new" emerging technologies that were discussed in years past were: wireless local area networks, cell phone "air cards" for Internet/intranet access, remote desktop software, and web conferencing, to name a few. These were all "cool" technologies that solved many IT problems but, from a security perspective, created many more.
The concerns the security experts had revolved around creating access "doors" into the internal private network. The perimeter or edge protection that was painstakingly put in place was being pierced for the sake of making the administrators' jobs easier. The security personnel understood the reasons for opening these doors, since many of them had cut their IT teeth as administrators. They also understood the risks these doors represented to the data they were hired to protect. The risk became greater after certain legislative measures, along with industry regulations, were created to strengthen the protection of certain select data constructs. (Check back soon for part 2 of this post.)