President Bill Clinton talked about building a bridge to the new millennium. With that bridge now 14 years in the rear-view mirror, the challenge for enterprises is to build a security bridge to the Millennials who are flooding the workplace.
[Want to protect your corporate data and manage Millennials? Better rethink that social media policy]
By now, the list of the "totally connected" generation's employment expectations is familiar:
- Universal access to high-speed networks.
- Freedom to use multiple devices – smartphones, tablets, eReaders and more – to access and share both personal and corporate data, anytime and anywhere. Oh, and they want to use their own devices, not the company's.
- Freedom to use personal apps for work.
- Intuitive design of apps, so no training is required
- Flexible hours and locations. What's the problem with finishing the report at home at 2 a.m., instead of in a cubicle between 9 and 5? What's the problem with working with colleagues online or face-to-face — whichever is most convenient?
- No significant separation between "work" and "life."
- The use of social networking to collaborate.
- A seamless user experience on their phones, without cumbersome security limits imposed by IT.
It all sounds like a productivity dream, undercut by a potential security nightmare. The attack surface of multiple personal devices that comingle personal and corporate data would appear to be both wide and deep.
But experts say employers can and should – must – embrace the productivity without jeopardizing security, with a combination of technology and accountability. It's just that there are varying opinions on what the right combination is, and what is involved.
Nick Stamos, CEO of nCrypted Cloud invokes a religious – actually, non-religious – image. "The enterprise needs a network-agnostic, device-agnostic, app-agnostic approach," he said, adding that the corporate network that employees use, "should be considered untrusted, and open to anyone onsite."
Stamos rejects Virtual Private Network (VPN) connections, arguing that only SSL (Secure Sockets Layer) connections should be allowed to any corporate systems.
"Login to all corporate systems and data should be controlled through SSO SAML 2.0 (Single Sign On, Security Assertion Markup Language) integration. Where possible, multi-factor authentication should be required," he said.
But Chris Moyer, global chief technologist, HP Enterprise Services, argues that while, "VPN used to be a 'nice to have' it's now a 'have to have' for any organization that wants to keep its employees satisfied, productive and secure (because) many of the systems developed in the past do not have enough data segregation or role-based access built in."
But "data segregation" appears to be a key goal for the future. Another theme from experts is that enterprises need a mobile device strategy that, "focuses less on the device and more on applications and data. That will provide the enterprise with the security that it requires while giving workers the freedom and flexibility that they want," according to Dan Dearing, vice president of marketing, MobileSpaces.
Dearing said while there are numerous Mobile Device Management (MDM) vendors who provide plenty of security features, they tend to, "fall short when it comes to employee productivity and satisfaction, often changing the user experience and limiting application use to just a few dozen apps in their proprietary ecosystem."
The solution to that, say Dearing and others, is "containerization," which separates work and personal apps and data and thereby prevents enterprise data leakage and ensures employee privacy.
Done effectively, that allows employees to use any device for work and allows the enterprise to control access to its apps and data, including the ability to wipe them without affecting the employee's personal data or apps.
The best version of that, so far, according to Rich Mogull, analyst and CEO of Securosis, comes from Apple's iOS7. In one of a series of blog posts that are being combined into a research report to be released Feb. 10, Mogull wrote that Apple's latest mobile operating system takes, "an active role in mediating mobile device management between the user and the enterprise, treating both as equals.
"We haven't really seen this before; even when companies, like Blackberry, handle aspects of security and MDM while also treating the device as something the user owns," he wrote.
What that means is that Apple is selling different models of devices, depending on whether they are for BYOD or for the enterprise.
"In BYOD, users own their devices, enterprises own enterprise data and apps on the devices, and the user experience will never suffer. No dual-personas. No virtual machines," Mogull wrote, adding that this also means users don't have to worry about exposure of their data to the enterprise.
With enterprise-owned devices, "the enterprise controls the entire provisioning process, from before the box is even opened," he wrote. And when the user does open the box, "the entire experience is managed by the enterprise, down to which setup screens display."
Others agree that iOS 7 leads the pack in this area. MobileSpaces' Dearing said other major vendors have not yet provided that level of separation. "Google has not provided similar support and has instead let the handset vendors such as Samsung solve the problem," he said. "Unfortunately, that's create a highly fragmented approach to mobile security that makes it difficult for IT to predict the security posture of employee's Android device even if it is a Samsung device."
"Apple BYOD gets it right," said nCrypted Cloud's Stamos. "It's about the data, and he who owns the data controls the data. Employees are trustees of corporate data, and when their tenure ends, they lose access. Clean and simple."
The cloud is also expected to play a role in maintaining security in an "always connected" corporate world.
"Using cloud infrastructure eliminates planning guesswork since scale is automatic," Dearing said, "because there is no software or hardware to install and manage in the datacenter."
He added that datacenter overhead can be eliminated through the use of cloud-based services such as Google Apps, Salesforce and Box. "But a note of caution — most security containers do not permit the flexible use of these services," he said.
Stamos calls the cloud, "the Wal-Mart of IT services. It allows companies to specialize and bring huge saving of scale and cost to end users and business."
And use of it is, essentially, mandatory, he said. "There is no choice. Anyone who doesn't want to get onboard the train, will simply get run over by it. Just remember 'ETC ETC': Embrace The Chaos, Embrace The Cloud."
But, he and others say enterprises need to manage their use of the cloud with security in mind. "Legacy applications should be located in hardened data centers, and isolated from employee network. No direct connection should be allowed, apps should be published in Citrix or VDI (Virtual Desktop Infrastructure) solutions," he said.
"All corporate data at rest on any computer or devices should be encrypted on local device storage, classified, with full DLP (Data Loss Prevention) instrumentation and single click revocation."
Finally, there is the "human factor" — the risks that employees bring to enterprise data through carelessness, lost devices or simple vulnerability to phishing or other attacks.
HP's Moyer said it starts with training. "Keeping employees up to speed on emerging risks helps," he said. "Since Millennials are more technology comfortable, they tend to like having a deeper understanding of how attacks are initiated and will gladly share their knowledge with their communities and co-workers."
Dearing said he conducted an informal poll among some of his daughter's friends, who fit the Millennial profile. He said they all took security seriously, "but sometimes for personal reasons, such as the protection of their privacy."
According to one of them, "Your employees are your #1 security risk. Two-factor authentication is a must for remote systems access (and) online workplaces. Social networking if encrypted. It's not my emails I'm worried about, it's the email addresses of all my customers."
But Stamos contends that employees, rather than being the highest security risk, "are the key to solving the problem," if enterprises train them properly. "When IT treats people as the weakest link, they behave that way," he said.
"The only solution is an accountability based model, where employees have the responsibility to protect the data and the freedom to share it as needed. It's how our society works.
"We have a duty to educate our end users, give them the responsibility, and hold them accountable for their actions," he said.