Mobile computing, the cloud, bring-your-own-device and the Internet of things are trends that are changing the way computing is being done, and forcing businesses big and small to rethink what security needs to look like in order to protect the growing numbers of user devices and data.
At a recent panel discussion in Boston, Dell officials and customers, as well as analysts and journalists, discussed the security challenges that these trends bring with them, the issues facing enterprises and small and midsize businesses, and what security measures will be needed in a world where workers are more mobile and armed with more smartphones and tablets, data is stored in the cloud and information is constantly flowing across networks to and from a multitude of systems, machines and devices.
The July 24 event was the first of what Dell officials are calling their 1-5-10 Series, where company experts and others will tackle a range of issues facing the IT industry and what can be done to address them in the present, near-term (five years) and future (10 years).
The series comes at a time when the newly private Dell is continuing to evolve beyond its PC-making roots and into a provider of enterprise IT solutions and services, an effort that has been ongoing for several years and in which Dell has spent billions of dollars buying companies to grow its capabilities in such areas as networking, storage, software and the cloud. Also at the forefront has been security, through such acquisitions as SecureWorks in 2011 and SonicWall, AppAssure and Quest in 2012.
The wide-ranging discussion at the Boston event touched on a range of issues, from the rapidly growing number and sophistication of threats and the particular challenges facing SMBs to the problem of human error, the need for security to become more proactive than reactive and the way security will need to evolve to address the changing IT environment.
It eventually comes down to people: those who are the threats—both inside and outside a company—those who are putting the products together and developing the software, those who are deciding on features for their offerings, and those who are making the decisions about security for their businesses.
“The human is still the weakest link in security,” said Tim Brown, Dell fellow and executive director of security for Dell’s Software Group. “But humans are also the greatest enablers of security.”
For many SMBs, they don’t have money to pay a staff of such enablers, which is a key problem for them, according to Laurie McCabe, an analyst with the firm SMB Group. SMBs are overwhelmed by what they’re doing just to stay in business, McCabe said. Having to keep up with the mounting security threats is almost impossible.
“They can barely keep up with the day-to-day stuff,” she said.
Don Ferguson, Dell senior fellow, vice president and CTO of Dell’s Software Group, said the amount of security threats—and their complexities—are things that all businesses struggle with. The sheer number of threats is massive, Ferguson said.
“It’s huge,” he said. “I think people have reached a cognitive saturation just thinking about the known [threats].”
And it’s not just the threats themselves that are inundating businesses, panel member said. It’s also the number of devices and the mobility of both the workers and the data. Organizations can no longer count on workers being in the office, using corporate-issued computers. Now they’re more mobile, using an array of devices both corporate-owned and personal, and demanding access to company data from anywhere and on any device.
“There’s no longer a way to contain an end user,” said Brett Hansen, executive director of client solutions software.
Dell Panel: BYOD, IoT Increase Security Challenges
So in this new world of bring-your-own-device (BYOD), mobile workers and the cloud, in what direction should security evolve? According to the panelists, it should be in all directions. Ferguson said a key focus should be on developing ways to better containerize the data—make it so that the sensitive corporate data on a smartphone or tablet, for example, is kept separate from the personal information on the device and controlled by the IT department.
“You can’t contain the person, but you can contain the data,” he said, adding that the “data needs to be self-protecting.”
Patrick Sweeney, executive director for Dell SonicWall, agreed.
“Over the next few years, it’s going to be about protecting the data, not devices, not networks,” Sweeney said.
However, others argued that the focus of security should be more than just about the data.
“You need to do everything,” said Roger Kay, principal analyst with Endpoint Technologies Associates. “You need the belt and the suspenders.”
Jon Ramsey, Dell fellow and CTO of Dell SecureWorks and executive director Dell SecureWorks CTU, agreed.
“It’s important to talk about the security of devices even if the data is protected,” Ramsey said.
The responsibility for security essentially will fall on everyone, from the business people and their employees to the product makers and the software developers, the panelists said.
Device makers and software developers need to start thinking about security from the start, they said. Too often the focus during the development cycle is more about what the product can do rather than making sure it is secure. It’s a matter of simplicity vs. complexity, as well as money. At the least, security should be a “part of the discussion before you put the product out the door,” Dell’s Brown said. The problem is that it’s those cool—and maybe not-so-secure—features that help sell products, Ramsey said.
“If you have a product manager who can have 10 unsecure features or five secure features, they’re always going to choose the 10, and probably get seven,” he said.
Security should be inherent in software, and the risk-vs.-profit discussion needs to be rethought in order to make security not only a key part of the end product, but a selling point, Ferguson said. There needs to be a basic awareness around security.
“People are becoming program literate,” he said. “They need to be security literate.”
Dell Panel: BYOD, IoT Increase Security Challenges
That security awareness also needs to be inherent in the users, the panelists said. The problem not only comes from hackers on the outside, but also the people on the inside who continue to open attachments that contain malware or go to infected Websites. People need to be taught not to click on attachments they’re not sure about, said David Wrenn, vice president of Dell partner Advanced Office Systems.
Corporations are seeing “the human factor behind it, and the sneakiness of the people behind it,” Wrenn said.
“The people inside the build are just as dangerous as the people outside the building,” said Michael Gray, director of IT solutions provider and Dell channel partner Thrive Networks, which is owned by Staples.
The oncoming Internet of things (IoT) will only add to the challenges, according the panelists. Cisco Systems is predicting that by 2020, there will be more than 50 billion devices connected worldwide, communicating with each other, exchanging data and opening up even more targets for cyber-criminals to attack.
It also puts the responsibility for securing all these machines and devices in the hands of people who often will have no training, Ferguson said. “In the IoT, the system administrator inside the home is my mom,” he said, adding that another problem is that for many of these systems, no one is monitoring them. “If my thermostat was on the Internet right now, no one’s going to watch it.”
The challenge with the Internet of things is not only the massive numbers of devices, but also the wide range of diversity, and the fact that they’re all going to be connected, Ferguson said.
“The Internet of things scares me, and my first reaction is to sleep with the lights on,” he said. “But now a kid in China can turn the lights off.”