Enterprise security was once based entirely around the personal computer. A computer was the primary venue from which employees communicated, produced and exchanged data, and opened the company to risk. Now the widespread use of mobile computing devices for both work and pleasure has created security problems that we have previously explored. Thus, accepting the “death” of the PC–at least as a unitary device–is an imperative for modern enterprise security. We must examine the full range of computing throughout the enterprise in order to avoid stovepiping security solutions. Some solutions are emerging, are purely technical, or have yet to be created–the latter highlighting the relative novelty of the security problem. But in the future, mobile risk management may be only the beginning of the security portfolio.
One possible scenario outlined by futurist Kevin Kelly involves not just the death of the PC but the death of the device itself:
[I]n the longer term we will tend to not carry any devices at all. That's because we will have so many devices around us, both handheld and built-ins, and each will be capable of recognizing us and displaying to us our own personal interface, that they in effect become ours for the duration of our use. Not too long ago no one carried their own phone. You just used the nearest phone at hand. You borrowed it and did not need to carry your own personal phone around. That would have seemed absurd in 1960. But of course not every room had a phone, not every store had one, not every street had one. So we wanted our own cell phones. But what if almost any device made could be borrowed and used as a communication device? You pick up a camera, or tablet, or remote and talk into it. Then you might not need to carry your own phone again. What if every screen could be hijacked for your immediate purposes? Why carry a screen of your own?
As my friend Alex Olesker (currently sitting next to me as I write this entry) pointed out, we can see the bare outlines of this in the “thin client” paradigm, which in turn builds on distributed computing. What Kelly is arguing is that virtualization will become completely ubiquitous, and “cloud” becomes so mundane that a separate term for it (cloud computing) is no longer necessary.
This has two implications. First, any difficulties from the expansion of mobile devices will be greatly magnified. Have trouble with one or two mobile devices? Try securing, managing, and creating enterprise policy for an average employee used to running off many times that number for both work and personal business. Dillon Behr has already addressed some existing solutions for mobile risk management and will expand on them in future blogs.
The death of the device also raises the importance of cloud security. All of these devices will presumably be running off one cloud database, increasing the importance of database security and resilience. One existing virtualization solution that CTOVision has highlighted in the past is Invincea, which non-natively runs a browser as a virtual application on a user’s desktop. This allows employees to continue usual browsing behaviors while providing non-invasive malware detection/protection, detailed forensic capture, and easy disposal and renewal of compromised environments. F5 Networks also impressed Alex with their cloud security solutions.
Alex and I believe that the “death of the device” is not science fiction but a reality that, as William Gibson famously said, is unevenly distributed. This is why mastering the existing challenges of cloud security and mobile risk management is so important given the future that Kelly has forecast.