Don’t let an untrusted device onto your network. This is probably the biggest ‘no no’ in security theory, and most security professionals know that it is an ideal rather than something achievable. Companies are forced to let customers connect over the Internet from whatever system they choose: Firefox, Safari, Opera or Internet Explorer as the browser; Windows, Mac, Solaris or Linux as the operating system. For an end user who is shopping, all of that is acceptable in most cases.
In an attempt to mitigate this problem we use firewalls, intrusion detection/prevention systems (IDS/IPS) and other devices, along with design principles, to create zones. Policy is then applied around each zone indicating what level of trust is required to be permitted into it: traffic from a less trusted zone into a more trusted one is denied unless a rule explicitly allows it. All of this is very similar to physical security principles; just stop and think about an airport.
Most large companies apply the theories described above on their internal network as well, where they have enjoyed much more control. Often the organization gives you a laptop. It has their chosen operating system and their selected applications, and it is locked down by a policy they have chosen and enforce via Active Directory or some other mechanism. Combine this with internal security devices, apply zoning and appropriate policy, and you feel safe. You have control of your internal network, right?
But there are always exceptions, and these exceptions represent the outside pressure to change your security stance. A consultant or vendor is a good example. In comes a consultant to do an 8-month project. She needs access to certain aspects of the systems: access to employees’ calendars, access to the critical systems for the project, external access to her own company’s VPN, and external resources on the Internet that are blocked by your particular policy. She doesn’t use Windows, but her own flavor of Linux that she built herself. Taking a security stance you can say no, but that only works for a while. Eventually a project comes along that is too critical, costs the company a lot of money to complete, and whose completion means bigger sales. Now you and the security principles you enforce are perceived as a roadblock to accomplishing a key objective. Inevitably, you are forced to make an exception. It is at this point that all your hard work is nullified. Not only that, you lose the respect of others in the organization. You are seen as an inhibitor, a constant roadblock, a team that no other team wants to deal with.
This problem has been around for years, and it is accelerating and getting worse. PDAs, netbooks, iPads, iPhones and every other network-enabled device are becoming common for everyone to have, and people are going to want to connect them to your corporate network. You can resist for a while, but resistance is futile. As in the consultant example above, you will make exceptions, and eventually the number of exceptions will be greater than the number of non-exceptions. Bruce Schneier recently commented on this when he was interviewed at RSA:
More and more companies now have to get used to the fact that people are going to come in with the technologies they want and that is what they are going to use. So we are going to see a lot more security around connecting random untrusted devices into a trusted network.
When you get to the younger generation, they are not going to work and get a computer that is less powerful than the one they use at home. They are not going to be given a second cell phone.
“I’ve already got a cell phone, I’ve already got a PDA! … I’m not going to use two.”
We need to shift how we design security. Rather than resisting these new devices, we need to design the security of our internal networks and systems so that we can manage the risk of untrusted devices connecting to our networks while still allowing those devices to function. Resisting will end up just like trying to resist the consultant or vendor: being forced to make an exception, being perceived as the team that is difficult to work with, and losing the respect of your colleagues. With the number of Android phones, iPhones, iPads and other portable network devices coming onto the market, the exceptions to most security policies are about to skyrocket.
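One way to turn the zoning and trust-level idea described earlier, and the design shift argued for here, into something enforceable is shown below. This is an added example and not code from the original post: a small Python model that places an untrusted BYOD segment in its own zone, denies it everything toward more trusted zones except a short list of published services, isolates BYOD clients from one another, and renders the exceptions as nftables rules. The zone names, subnets, ports and the choice of nftables are all assumptions for illustration.

```python
"""Zone-based policy for untrusted (BYOD) devices on an internal network.

Constructed example: the zone names, subnets and allowed services are
assumptions for illustration, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones ordered by trust. "isolate" means hosts inside the zone may not talk
# to each other (client isolation for the untrusted BYOD segment).
ZONES = {
    "internet": {"trust": 0, "nets": ["0.0.0.0/0"],    "isolate": False},
    "byod":     {"trust": 1, "nets": ["10.20.0.0/16"], "isolate": True},
    "dmz":      {"trust": 2, "nets": ["10.30.0.0/24"], "isolate": False},
    "corp":     {"trust": 3, "nets": ["10.10.0.0/16"], "isolate": False},
}

# Explicit exceptions that let traffic flow from a lower-trust zone into a
# higher-trust one. Everything else in that direction is denied by default.
# Tuples are (src_zone, dst_zone, proto, dport); all values are assumed.
ALLOW = [
    ("byod", "dmz", "tcp", 443),       # calendar/mail published via a reverse proxy in the DMZ
    ("byod", "dmz", "udp", 53),        # the resolver the BYOD segment is pointed at
    ("byod", "internet", "tcp", 80),   # plain web access
    ("byod", "internet", "tcp", 443),  # web access, including a consultant's own VPN over TLS
    ("internet", "dmz", "tcp", 443),   # customers reaching the public web tier
]


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


def zone_of(ip: str) -> str:
    """Return the zone whose most specific subnet contains ip (longest prefix match)."""
    addr = ip_address(ip)
    best_name, best_len = None, -1
    for name, zone in ZONES.items():
        for net in zone["nets"]:
            n = ip_network(net)
            if addr in n and n.prefixlen > best_len:
                best_name, best_len = name, n.prefixlen
    if best_name is None:
        raise ValueError(f"{ip} is not in any zone")
    return best_name


def decide(flow: Flow) -> str:
    """Evaluate one new connection against the zone policy: 'allow' or 'deny'."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        return "deny" if ZONES[src]["isolate"] else "allow"
    # A more trusted zone may initiate connections toward a less trusted one.
    if ZONES[src]["trust"] > ZONES[dst]["trust"]:
        return "allow"
    # Lower trust toward higher trust needs an explicit exception.
    for s, d, proto, port in ALLOW:
        if (s, d, proto, port) == (src, dst, flow.proto, flow.dport):
            return "allow"
    return "deny"


def render_nft() -> list:
    """Turn ALLOW into nftables rule bodies for a default-drop forward chain."""
    rules = []
    for s, d, proto, port in ALLOW:
        for snet in ZONES[s]["nets"]:
            for dnet in ZONES[d]["nets"]:
                rules.append(f"ip saddr {snet} ip daddr {dnet} {proto} dport {port} accept")
    return rules


if __name__ == "__main__":
    # Constructed flows: a BYOD laptop probing an internal file share, reaching the
    # published proxy, and trying to talk to another BYOD client.
    for f in (Flow("10.20.5.7", "10.10.1.20", "tcp", 445),
              Flow("10.20.5.7", "10.30.0.10", "tcp", 443),
              Flow("10.20.5.7", "10.20.9.9", "tcp", 22)):
        print(f, "->", decide(f))
    print("\n".join(render_nft()))
```

The point of the model is that the consultant’s laptop gets a network path to the things she actually needs (published calendar and mail, her own company’s VPN, the web) without any rule that reaches the internal zone; adding a new device type means adding a zone or an exception line, not relaxing the default deny. The rendered rules assume a forward chain whose policy is drop and whose established/related traffic is accepted earlier in the chain; the trust ordering also lets the corporate zone reach everything below it, which a real deployment would narrow further.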
Is your organization working pro-actively to address, incorporate and manage untrusted devices in your internal network?
