AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Cool versus Control: Part 1 of 3


Throughout the world, the more interoperable, fringe, or radical a system, person, or thing is, the cooler it is… and generally the less under control it is.

And cool technology is all around us these days, creating a tangled web of brokered trust.

Programmers write object-oriented code whose modules faithfully accept whatever input other modules hand them. Whole application stacks are developed independently by different companies and then wired together through APIs. End users accept this ubiquitous enhanced functionality, embedding rich content, programmatic code, whole tables, and even entire files into other documents, a slippery slope that started with OLE and macros. Fast forward from those early steps: it has become second nature to upload, share, view, collaborate, edit, mash, publish, and synchronize documents, pictures, and videos in real time using third-party companies' free or paid services, over the air, while on the run.

Today, the web pages connecting us must be dynamic, with pretty graphics provided by Flash and JavaScript, and PHP active content fed by some flavor of injection-ready SQL on the backend. All of this is hosted on unknown systems in data centers whose operators have access not only to USB drives but to whatever encryption keys (if any) are used to secure the data… connected up and trusted thanks to SSL certificates minted by a "trusted authority." Viva la Web 2.0.

All of which is very cool… and completely out of control.

User expectations have changed with the melding of personal and corporate technology. The lines of responsibility have blurred, and access is everywhere. Part of the problem is education (or the lack of it), and another part is providing secure alternatives. IT security pros can try to explain why users cannot or should not use a port-hopping and vulnerable application such as Skype, yet users cannot fathom that anyone would want to listen to their call, much less hijack their session. Many users simply see security policies as obstructionism, something that is just "in the way."

We speak a different language, like parents and teenagers. To users, residents of the fast and out-of-control Interworld, stone-fisted control of the corporate network is out of touch with today's reality and blocks them from getting their jobs done.

The near-daily arrival of new start-up services is an ongoing disruption to the way we have done things in the past. We thought we were safe behind our perimeter, but it is clear that the perimeter is long gone. Look no further than cloud-based services, anywhere computing, USB storage, BYOD, Wi-Fi, smartphones and tablets… and all the problems these things bring with them.

While many users operate under the misperception that everything they do online is safe and trusted, the entire technological food chain is riddled with undisclosed zero-days that remain in use for ten months or more. In our post-silver-bullet world, one might argue for an "end of the world" view, yet the number of exploits actually in use is always limited to some degree by the number of people willing and able to commit the crimes. The simple economics of paying the rent keeps everyone except state-sponsored teams, or those with a lot of automation, focused on the most effective payoff. A flimsy zone of herd obscurity, perhaps, but it bears consideration that not every house gets broken into and not everyone gets their pockets picked.

A big challenge we must face head on is evaluating the risk of the evolution and change all around us. Not the services we already know, but being prepared to adapt to and incorporate new ones we could not even imagine last year; new ones that could be material competitive differentiators for your organization if used properly. It is what makes "cool" happen, but security policy paralysis prevents the benefits of cool, leaving users to find their own, sometimes misguided, paths to digital freedom. Forces of change collide with a creeping, crawling beast we might call the corporate firewall rule base, and with the hermetically sealed original version of the Corporate Electronic Policy. Undocumented rules written in the archaic tongue of former employees are not to be touched, attaining a type of permanence formerly reserved for stone tablets.
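The "stone tablet" rules described above are findable, not just lamentable. The following is an added example (not code from the original post or from any vendor product) of the kind of hygiene pass a policy owner can run over an exported rule base: it flags rules with no comment, no accountable owner, any-to-any or any-service accepts, and rules that have never matched traffic or have not matched within a staleness threshold. The rule format, the sample rules, the addresses, the ticket reference and the 180-day threshold are all constructed for illustration; a real export would be parsed into the same `Rule` shape first.

```python
"""Audit a firewall rule base for rules nobody can vouch for.

Added example, not code from the original post. The rule format and the
sample rules below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed audit date so the stale-rule arithmetic is reproducible.
AUDIT_DATE = date(2012, 6, 1)


@dataclass
class Rule:
    rule_id: int
    src: str
    dst: str
    service: str       # e.g. "tcp/443"; "any" means all ports and protocols
    action: str        # "accept" or "drop"
    comment: str = ""  # business justification / change-ticket reference
    owner: str = ""    # person or team accountable for the rule
    last_hit: Optional[date] = None  # last time the rule matched traffic


# Constructed sample rule base (hypothetical addresses and ticket number).
SAMPLE_RULES: List[Rule] = [
    Rule(10, "10.1.0.0/16", "10.2.5.10", "tcp/443", "accept",
         comment="Customer web portal, CR-1042", owner="web-team",
         last_hit=AUDIT_DATE - timedelta(days=2)),
    Rule(20, "any", "10.2.5.20", "tcp/1521", "accept",
         last_hit=AUDIT_DATE - timedelta(days=400)),
    Rule(30, "any", "any", "any", "accept",
         comment="temporary - migration weekend"),
    Rule(40, "10.3.0.0/24", "10.2.5.30", "udp/161", "drop",
         last_hit=AUDIT_DATE - timedelta(days=10)),
]


def audit_rules(rules: List[Rule], today: date,
                stale_days: int = 180) -> Dict[int, List[str]]:
    """Return {rule_id: [issues]} for every rule that fails a hygiene check.

    Rules with no findings are omitted from the result.
    """
    findings: Dict[int, List[str]] = {}
    for rule in rules:
        issues: List[str] = []
        # Documentation: an undocumented rule is the "ancient tongue" problem.
        if not rule.comment.strip():
            issues.append("undocumented")
        if not rule.owner.strip():
            issues.append("no owner")
        # Scope: an accept rule that is any->any, or that opens every
        # service, is a hole in the policy rather than a rule.
        if rule.action == "accept" and (
                (rule.src == "any" and rule.dst == "any")
                or rule.service == "any"):
            issues.append("overly permissive")
        # Usage: a rule that never matches is a removal candidate, and one
        # that has not matched in a long time has probably outlived its purpose.
        if rule.last_hit is None:
            issues.append("never hit")
        else:
            age = (today - rule.last_hit).days
            if age > stale_days:
                issues.append(f"stale ({age} days)")
        if issues:
            findings[rule.rule_id] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(SAMPLE_RULES, AUDIT_DATE).items():
        print(f"rule {rule_id}: {', '.join(issues)}")
```

Rule 10 passes every check; rule 20 is undocumented, ownerless and stale; rule 30 is an any-any-any accept that nobody owns and that has never matched; rule 40 is a drop rule that is still undocumented, because a deny with no stated purpose is just as hard to retire safely as an allow. Hit counts and last-match timestamps come from the firewall's own logging or rule-usage counters; the point of the pass is to turn "do not touch" folklore into a list of rules with a named person who must either justify them or let them go.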

Meanwhile, on the other side of the corporate policy… your users know what is out there. The cool, shiny stuff. They want it. They need it. They are seduced by cool. So what is the answer?

In the next installment, we will look at the traditional corporate security response to this Web 2.0 love-a-thon: lock it down, block it, restrict it, write a policy, and generally hope that it goes away. Of course this ends badly. We all know the clever workarounds… and I would love to hear your stories in the feedback.

Finally in Part 3, I will discuss striking the balance between Cool and Control.  Is it even possible?
