The problem with next-generation information security technology is that it is predicated on last-generation enterprise architecture. In many instances, the best new security options are no more than minor iterations from existing technology. Even though the definition of next-generation includes improved application awareness, security devices still work to control network and device access, just with extra layers.
The architecture of applications has become distributed, but information security still insists on inserting a layer of physical access, the network perimeter, which impedes the flow of information more than it helps protect it. Information security is working to perfect its ability to control the endpoint and control access to enterprise-managed resources, but applications and systems have evolved to become agnostic of the physical infrastructure on which they reside. Platform and location dependence are characteristics of the legacy computing architecture.
Let’s be realistic, the information security industry has long leveraged FUD (fear, uncertainty, doubt) for its own agenda. Information security still lives in a world that mimics the thought processes of the cold war, the era in which it was created. In this world, hackers are presented as anti-social computer wizards with no moral compass (sometimes they are even enemy states) and the ability to destroy the fabric of the burgeoning Internet society and all that is good. Enter the cyber cops, i.e., information security.
Locked in a digital arms race, the information security industry continues to build stronger walls peppered with every form of malware detection. Access through private doors (defined devices, ports, applications, users) is restricted by complex locks (access control) that require secret phrases (complex passwords). The industry has even created user awareness training because regular users cannot understand the complex processes and procedures implemented for their own safety. Further, information security describes breaches with terms that could be derived from the warrior language of Klingon. What’s a Conficker? It sure sounds bad, like a hairless bird with big claws and a razor beak. That doesn’t sound fun.
The real impact of the consumerization of technology may well be the realization that technology actually is not complicated. Unrestricted by enterprise security requirements, consumers have discovered a world of usability and easy access that allows them to accomplish any task imaginable. Technology has become personal. Consumers also happen to be employees equipped with newfound personal information technology (IT) skills, a phenomena known as shadow IT. These employees can procure their own devices and applications without advising their enterprise technology groups. While the information security industry crafts infinitesimally better ways to detect malware, enterprise information is flourishing in the wild. When commercially accessible systems and methods prove to be advantageous for the enterprise, what is the value in reverting to counterintuitive legacy systems and processes?
Instead of walls, the industry should build bridges. EISA must shift from a control model to a serving model, as is the premise for service-oriented information technology models, such as IT as a Service (ITaaS).
The first analyst brief in my series on enterprise information security architecture (EISA), “Are Asset-Centric Security Models Outdated?”, questions the way in which the current information security technology landscape has evolved, while the second brief in the series, “Future Of Computing: Problems Ahead”, follows the development of information and application architecture. There are five basic principles of computing (people, information, applications, systems, and infrastructure) that the information security industry needs to consider when defining the EISA. While not strict guidelines, these principles are intended to propel EISA in a direction that is consistent with the rapid changes in information technology. In this way, we can ensure that whatever it is that the information security industry does build will be relevant and compelling to the business units.