Securing the enterprise beyond the perimeter
- 11 September, 2008 10:03
Trying to secure laptops, cell phones, PDAs, and other mobile devices today is "terrifying," says Christopher Paidhrin, IT security and HIPAA compliance officer at Southwest Washington Medical Center. "End-point security is scarily immature."
No doubt these are menacing times. Cloud computing continues to push data and apps online and beyond traditional network security perimeters. Business users demand access to data using newfangled mobile devices over 3G wireless networks. Every day, creative hackers invent ways to steal data to sell on the black market -- and Internet security lags behind the curve.
Catching up won't be easy, yet the answer might be found in the cloud itself. Security pros know they need to extend perimeter security controls to end-point devices before it's too late. One way is to put security agents on laptops, which is an expensive proposition fraught with risk. Another option is to leverage an emerging class of Web-based security service providers, such as startups Purewire and Zscaler.
Cloud-based security service providers take shape
Here's how it works: Remote users wanting to access data stored in the cloud would first have to go through a security service provider. Already, cloud-based security services for malware and spam detection account for 20 percent of the market revenue, say Gartner researchers, and this figure will jump to 60 percent in five years. Other security services are quickly moving to the cloud, too, such as vulnerability scanning, denial-of-service protection, and (down the road) authentication and data leakage services.
Cloud-based security has many advantages over security agents on laptops. For starters, savvy end-users can disable end-point-installed agents, whereas the cloud provider has complete control over the agents it hosts. Security agents installed on individual devices are also costly and difficult to manage. A major company with top-notch traditional security controls recently discovered this unpleasant fact: It analyzed its 80,000 personal computers and found that 3,000 of them -- almost all mobile laptops -- had botnet clients, says John Pescatore, a Gartner analyst.
End-point security agents are simply on the wrong side of technology trends. "Look at the iPhone," Pescatore says. "No way you can have your own security software on the iPhone because it doesn't even exist. You can't provide any security on the iPhone other than doing it in the cloud."
To be fair, cloud-based security providers face challenges, too, most notably in pricing. A provider must secure data transfers going to and from the remote user, which puts a strain on bandwidth, increases costs, and cuts into margins. Given that infrastructure burden, odds are cloud-based security services will become part of a larger cloud service.
This means ISPs, large companies with cloud-based infrastructures such as Google and Akamai, and wireless carriers riding the promise of 3G or 4G cards in every laptop will likely take on this security-provider role. "In five years, we think the share of security services that are delivered in the cloud will triple," Pescatore says.
But are cloud-based security providers moving fast enough?
Southwest Washington's Paidhrin knows that outsourced security services are the future, yet he must keep his hospital safe today. Southwest Washington provides remote access to a network of partner clinics, which include some 2,000 medical workers. Those workers need to tap into the hospital's network via the Internet to download patient files and access more than 200 applications. Southwest Washington also has its own laptop-toting mobile staff.
For hospitals under the HIPAA hammer, Paidhrin says, the stakes are high. "We will not be on the front page here at Southwest like our good partners across the Columbia River at Providence" Health Care, whose laptop containing 365,000 patient records was stolen a couple of years ago.
Paidhrin's plan: For Southwest Washington staffers, policies keep data stored on mobile devices at a need-to-know-right-now minimum, laptops have full-disk encryption, and so on. Anyone accessing the network remotely must come through a single gateway. "We have Active Directory, LDAP, RADIUS -- all coordinated through single sign-on and all through an SSL portal," Paidhrin says. "We log and track ... with a rule-based access control matrix."
Meanwhile, most small and mid-sized businesses are taking a wait-and-see approach, says Dan Nickason, IT supervisor at Genesis Physicians Group of Texas. Simply put, they have too much to lose -- "they can easily crumble from one mishap," he says. "Although cloud computing is pushing network access to edge devices, the fact is many small and medium-sized businesses are not entrusting their IT infrastructure and computing needs to the cloud yet."
Chad Swartz is senior manager of computer operations at such a company, Preferred Hotel Group. He is implementing a new CRM system, demanded by the business, that lets people access customer data over BlackBerrys and laptops. That means he must contend with the potential of a lost phone or an employee who leaves the company and takes his BlackBerry with him.
So Swartz is using what exists today, including a secure tunnel, Citrix servers that highly limit the amount of files on end-point devices, and an audit module from Sonoma Partners. "We have not incorporated full-disk encryption yet, but that's definitely the next evolution," he says.
Of course, Swartz knows securing data in today's mobile, work-anywhere world isn't perfect. "Internet security is very immature," he says, echoing Paidhrin's words. "Big picture," Swartz adds, "if someone really, really, really wants to get in, they can still get in."