Information security professionals are faced with two difficult questions when trying to secure the network. They can either lock down the network, or free up the technology, according to Cisco's newly appointed head of security.
The bring-your-own-device (BYOD) trend and the consumerization of IT pose significant challenges to the enterprise. While many security professionals want to lock down the network and prevent employees from using non-approved devices to access data or applications, it is not always possible, Christopher Young, the head of security at Cisco, said during his Feb. 29 keynote speech at the RSA Conference. Organizations are increasingly worried about the prospect of a cyber-attack compromising their data, and allowing employees to use any device for work purposes expands the potential risk.
We're torn between these two extremes, Young said.
Locking down the enterprise infrastructure doesn't guarantee security any more than opening it into a free-for-all, as employees have no qualms about breaking the rules when it is not convenient to follow them. Security is often too cumbersome and complicated for the average user who winds up going to great lengths to bypass security in order to do their jobs, Young said. In a recent survey, 70 percent of employees admitted to breaking company policy, Young said.
This tendency was in evidence even among the technically savvy and security-conscious audience at the RSA Conference. The conference organizers deployed a secure wireless network that used digital certificates to authenticate devices onto the network. People lined up at the wireless help desk for assistance in getting online connectivity on their smartphones, tablets and laptops. And there were even more people not bothering with the secure network and trying to connect to one of the free wireless hotspots, said Val Rahmani, CEO of Damballa.
Administrators are also constantly second-guessing themselves. In the struggle to come up with the right decision, security professionals compromise their own efforts, Young said.
We have to have both. We need to have our cake and eat it, too, Young said.
The way to have both is by unlocking the power of the network, according to Young. The network is uniquely equipped to deliver security in a way very few technologies can, he said. The network is what collects the data about what users are doing, what data is being accessed and what the systems are transmitting. The network sees all the users, devices, applications and systems, as well as the interactions between the components, Young said. All this is available in real time, he said.
This is why the firewall is still important, as are virtual private networks and secure wireless networks, Young said.
It is not possible to expect administrators to physically manage every kind of device every day. As a dizzying array of mobile devices floods into the network, administrators will need to rely on the network for information about what device is connected, where it is connecting from and what it is doing, according to Young.
The network allows you to lock it down and free it all up, he said.
Cisco estimates that by 2016, there will be 8 billion smartphone devices globally, and desktops will be delivered on the network to whatever device the user is using at the time, Young said.
Rahmani said there should be less worry about the exact device that is being used. At the heart, every device is essentially just an IP address, so the important thing is to make the network secure, she said.