Managing the Madness of Mobile Security
Security in the IT realm is a very complex issue to deal with, largely because the very attributes that create vulnerabilities are the main creators of value for individual users, businesses, and society itself. Just as the value of a network increases as the square of the number of nodes on that network, so too does the probability of a bad actor exploiting the network to his or her own ends. Every innovative service created and offered to the marketplace of individuals and businesses creates another vector for an attack that compromises the infrastructure that provides the service.
Hardware advances also increase security risks. If computing power doubles every 18 months, the threats to trusted encryption technologies increase accordingly. The cheaper digital storage becomes, the more of our sensitive data we store, to mitigate the risk of loss through technology failure by having copies of our most valuable data on our own drives and in the cloud. These giant aggregations of financial and personal data create mouth-watering targets for those inclined to unethical and criminal behavior.
Declining prices of computing power, storage, and network traffic have put immense power in the hands of more people than ever before. A tiny startup can compete with a giant conglomerate, and a pupil in the developing world can access the same educational resources online as one in the developed world; but so too can a teenager with too much time on his or her hands and an unformed moral compass wreak as much havoc on a global enterprise as a state-funded "cyber warrior" attacking the military infrastructure of an enemy nation.
The complication comes not from recognizing those risks but in trying to mitigate them. In a classic case of "throwing the baby out with the bath water," any blunt force solution to the problems described above also jeopardizes the enormous value created on the other side of the equation. Constraining access to a network both creates a dichotomy of "haves" and "have nots" and diminishes the potential value of that network. Limiting the services allowed on the nodes of a network similarly reduces potential innovative value creation.
This was the situation at the beginning of our transition into the current mobile age -- Internet-connected personal computers and servers vulnerable to all manner of exploits with some Band-Aid solutions available, each posing significant tradeoffs with regard to usefulness and value creation. If you locked down your corporate network to the maximum level of security, you would effectively isolate yourself from the world and doom your business to a slower rate of growth than your less safe peers in the market. However, most IT departments struck a workable balance, allowing email and Web traffic, sniffing at packets and ports, scanning for viruses, encrypting data, monitoring logs for breaches, and enforcing adequate levels of authentication for access to services.
And then mobile happened. Long predicted, the mobile revolution still took the community of IT professionals off guard. Initially, it seemed that the mobile computing market was limited in scope -- the Windows CE, Palm OS, Symbian, and even BlackBerry OS devices too expensive and unwieldy to appeal to more than a minority of users. Then the iPhone happened, striking a remarkable balance between Apple user friendliness and carrier-subsidized price point, and the era of the smartphone began. In the span of seven years, mobile has arrived with unprecedented velocity. As one article in this issue notes, there is now a smartphone for one out of every five individuals currently alive on earth.
This astonishing adoption curve has yet to reveal its ultimate ramifications for human society and the global economy, but at this stage, one implication is very obvious -- the teetering balance struck by enterprise IT in the networked PC era is not working anymore. In fact, we seem to have been thrown into a state of extreme volatility.
I welcome your comments about this Advisor and encourage you to send your insights to me at firstname.lastname@example.org.
[For more from the author and others on this topic, see "Mobile Security: Managing the Madness."]
-- Sebastian Hassinger, Senior Consultant, Cutter Consortium