On the May 30th Virtualization Security Podcast, Shaun Donaldson, Director of Alliances at Bitdefender Enterprise, joined us to discuss end user computing (EUC) security and how their new Gravity Zone product ties their enterprise products together under one scalable management umbrella. We had a very interesting conversation on the subject of EUC security, Bring Your Own Device (BYOD) security, and all aspects of the the EUC stack. There are quite a few moving pieces in the EUC stack. It is greater than your mobile device and the system it is accessing; there is a complete networking and political stack between the two, and perhaps many systems you have to jump through to access your data.
As we showed in Cyber Defense: Using Virtual Desktops?, there are many other systems we do not normally look at within the network that provide security from the firewall, security servers, network segmentation, etc. All these are required, just as endpoint security is required on the EUC device as well as on the system the user is ultimately accessing. However, we cannot be sure what the user is accessing from their EUC device if we do not control that device, hence the need for better mobile device management. But, we could run into privacy issues when dealing with BYOD. BYOD is still a political and legal hot potato, as you cannot manage a personally owned device better than you can manage a company owned device.
Privacy is a large concern, as are the existing cloud apps the users are looking at, but what is really interesting here, is that the security team cannot say no—they should look at ways of integrating their efforts with those implementing BYOD. Security teams need to start saying yes, but in intelligent ways. It is not “no, not possible”; it is “yes, it is possible, but…”: this is what you give up, this is the way you have to access things, or this is the application you need to use. To make matters worse for security teams, it is an uphill battle, because end users are already using apps that get their job done on their own devices, so enforcing the use of other apps requires that those apps have at least the same functionality of the existing apps but provide enhanced security.
But what this also means is that before an app is developed, before a tool is built or even allowed, security needs to be involved at the architecture level, at the very beginning, and embedded into the teams making the decisions. If the sales team needs cloud services, then the sales team should have embedded within it a security person to ensure the sales teams business needs are met.
Security must move not just at the speed of the network, but it should also move with the business and react quickly as the business changes in some positive fashion. This implies lots of quick thinking, possible changes in direction, and the need for a flexible set of security tools which can be managed from a single location, perhaps, but which is also inclusive. Security needs to start to become very flexible. It can no longer be the naysayer; it can no longer slow down the business. There are many sides to this die: the business, security, application developers, and end users. No matter how you roll it, currently something ends up down and out of sight.
It is not only the security team that must change, though, but it is the business, employee, and application development teams that must change, as well. Actually, perhaps what is really needed is a redefinition of the word team as it applies to the business, because the new model for IT cannot be silos of any type but multi-disciplinary groups, containing security, that shift size and direction with changing needs.
What are your thoughts?