Schneier on Security
A blog covering security and security technology.
« Terrorism Entrapment |
| Parental Fears vs. Realities »
September 7, 2010
Consumerization and Corporate IT Security
If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some of you will line up on the first day it's available.
So why can't work keep up? Why are you forced to use an unfamiliar, and sometimes outdated, operating system? Why do you need a second laptop, maybe an older and clunkier one? Why do you need a second cell phone with a new interface, or a BlackBerry, when your phone already does e-mail? Or a second BlackBerry tied to corporate e-mail? Why can't you use the cool stuff you already have?
More and more companies are letting you. They're giving you an allowance and allowing you to buy whatever laptop you want, and to connect into the corporate network with whatever device you choose. They're allowing you to use whatever cell phone you have, whatever portable e-mail device you have, whatever you personally need to get your job done. And the security office is freaking.
You can't blame them, really. Security is hard enough when you have control of the hardware, operating system and software. Lose control of any of those things, and the difficulty goes through the roof. How do you ensure that the employee devices are secure, and have up-to-date security patches? How do you control what goes on them? How do you deal with the tech support issues when they fail? How do you even begin to manage this logistical nightmare? Better to dig your heels in and say "no."
But security is on the losing end of this argument, and the sooner it realizes that, the better.
The meta-trend here is consumerization: cool technologies show up for the consumer market before they're available to the business market. Every corporation is under pressure from its employees to allow them to use these new technologies at work, and that pressure is only getting stronger. Younger employees simply aren't going to stand for using last year's stuff, and they're not going to carry around a second laptop. They're either going to figure out ways around the corporate security rules, or they're going to take another job with a more trendy company. Either way, senior management is going to tell security to get out of the way. It might even be the CEO, who wants to get to the company's databases from his brand new iPad, driving the change. Either way, it's going to be harder and harder to say no.
At the same time, cloud computing makes this easier. More and more, employee computing devices are nothing more than dumb terminals with a browser interface. When corporate e-mail is all webmail, corporate documents are all on GoogleDocs, and when all the specialized applications have a web interface, it's easier to allow employees to use any up-to-date browser. It's what companies are already doing with their partners, suppliers, and customers.
Also on the plus side, technology companies have woken up to this trend and -- from Microsoft and Cisco on down to the startups -- are trying to offer security solutions. Like everything else, it's a mixed bag: some of them will work and some of them won't, most of them will need careful configuration to work well, and few of them will get it right. The result is that we'll muddle through, as usual.
Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
This essay first appeared as the second half of a point/counterpoint with Marcus Ranum in Information Security Magazine. You can read Marcus's half here.
Posted on September 7, 2010 at 7:25 AM
• 63 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think mobile devices will only become the launching pad to a virtual desktop employed through some fancy new VDI solution. So the security of the end-user device is moot.
>In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
I think it depends on your data, we issue our BB's to our users and have some control over them, but when we assert full control over them, what app's they can and can't install, some "higher-up" needs an exception, and his buddies at the company too, then everyone else feels slighted. We've even tried to "coup" only the have our jobs threatened for a stupid calender app... something the BB has anyway, but isn't as easy as this 3rd party.
I agree with the rest of the statements by Marcus and Bruce, the consumer devices are the driving forces, and the corporate needs are an after thought, much like security in general with said devices. I don't agree with Bruce's tradeoff, there is no way we would let iPhones/iPads etc on the corporate side of our network, and we take steps to try to prevent that (mac filters, NAC which is a joke no matter what vendor; and IDS). We can't prevent it 100%, but we are making it known through polices and training our users that it's a big no-no to use their personal gear, whatever that is, on our corporate network and why that is so. We seem to have made a bigger impact with this training/awareness campaign than we did when trying to block the activities without telling them of the corporate view, even if they were told when first hired about doing such things, the refresher was a lot less effort for us and paid off better (we think).
As for our own company supplied devices, were still in the same boat, people want these apps for this and that, and they are for certain non-work related, but they bitch and moan like babies until some SVP/VP/CEO agrees for whatever reason, and overrides our "authority". Exceptions were to be made for business case's, we have no issue with that, it's the "because I said so" override that irks us, and spits in our faces. These same overriders are the ones who signed off on these policies, blindly I'm sure, so it's a tough road to hoe, but we are still fighting to regain some "teeth" in these matters. I'm sure we will once one of these apps proves to be a back door, and then it's CYA time, we like CYA time, we finally get to do our "we told ya so" dance.
For too long this corporate versus consumer debate has been about the network rather than the data. At last things are starting to move along.
The whole NAC/NAP thing was the last gasp of a lost war. Protecting the network by insisting on standard builds was just too difficult to accomplish, and didn't serve the objective or adapt to the realities of globalisation. The result - standard builds that were supposed to be hardened for security but that ended up months behind regular consumer systems with auto update turned on.
I disagree with JKordish about VDI. Whilst VDI provides a convenient way to put a control bubble around data it doesn't resolve the occasionally connected state management problem. Luckily the VDI vendors have woken up to that one and come up with means to carry state around when off net and sync it up later.
Of course if we're going to look after the data rather than the network then there needs to be effective means to do this - particularly where there's local state on an easily lost/stolen device. Some platforms do this well, others less so. The Jericho Forum talked a lot about deperimiterisation, but I prefer to think about it as reperimiterisation. The perimeter has moved from a network defined by physical boundaries (of the building holding the network) and become virtual and around the data that belongs to the corporation. That virtual boundary needs to be well defined and have the right controls at its ingress/egress points.
@: "Should enterprises give in to IT consumerization at the expense of security?"
The answer (IMHO): it depends.
Depends on the data, the function, the how who what when where and why.
I can definitely see this been a legal liability nightmare for some companies.
But if you let everyone use their own newest tech toy, you end up in a babel of formats and "standards".
People want to have their address list updated in every device, want to access to the Sent Mail, want to check the calendar and want all these data backed up and restored.
How can you give this services considered "basic" if you have various and different versions iOS, Symbian, Android, RIM and God only know what other platforms?
What happens if the schedule is updated on RIM, partially updated on Android (except for, say, the recurring events) and not updated at all on iOS?
And who pays for all this different platforms, programs, data plans...?
"So the security of the end-user device is moot"
Far from it that is where the attacks will come from. Effectivly the device via the user is in the corperate network. Thus anyone who works out how to do an end run around the Encrypting tunnel, will have the equivalent access as the user (maybe more).
@ Matt White
Thanks for the link to the tasty blog post. The most thought compelling bit:
"If you want to keep those millennials that are already in the organisation, then perhaps it's time to move to adopt their ways of working rather than enforcing yours?"
Here's a link to source article http://www.cio.co.uk/article/3238071/...
May you live in interesting times.
Somewhat hilariously, it would appear that 'Information Security' magazine have attempted to implement a paywall, but have put their 'printer-friendly' pages *outside* it...
"In this case, the right decision is to sacrifice security for convenience and flexibility."
I hope they're not responsible for protecting my data. How about you?
On a completely unrelated note, the techtarget.com website that Bruce's links point to has a weak spot.
Confronted with a reg-wall when I first clicked on the link, I couldn't remember which of my e-mail addresses I had used before (or even if I had registered), so I entered one of them, and was confronted with the standard form for new registrants. Not wanting to fill the form out again if I already had registered with a different e-mail, I clicked back, only to find that the reg-wall had disappeared and that I could see the whole article.
Another important point for consideration is that whilst many enterprises still forbid consumer devices from connecting to their network they allow them into the building. It's almost impossible to use 3G data in places like Canary Wharf due to the density of iPhones, iPads and Netbooks with 3G cards. Where corporate policy blocks consumer sites like Gmail, Facebook and Twitter, consumer devices route around that blockage.
Of course the next step is that those consumer devices leave the desk side and come into the meeting room. They become the one thing that's taken on the business trip due to travel weight. They're where the meeting minutes and customer notes end up regardless of policy (perhaps emailed to the corporate account later for integration with 'official' systems).
When this happens there are only two choices remaining - confiscate devices at the turnstile (as happens at sensitive government and military sites) and make the workplace even more hostile, or embrace consumerisation and make security work within it.
@ Chris Swan
"When this happens there are only two choices remaining - confiscate devices at the turnstile (as happens at sensitive government and military sites) and make the workplace even more hostile, or embrace consumerisation and make security work within it."
No, there are alternatives. This isn't always an all-or-nothing game. Take Kroger for instance. They have a cell phone ban that doesn't work and they have thin clients that use browsers to access confidential data. Everything on the thin clients is logged and access anomalies are investigated. People could be storing massive amounts of confidential data on their phones or iPads, but they don't. It's too inconvenient to copy it all by hand. So, they just use the company provided tools.
In the area of mobile phones and laptops, certain RTOS vendors are producing strong hypervisors that allow devices to have a "work VM" and a "personal" VM. INTEGRITY Global Services and LynuxWorks already offer this. So, if businesses demand it, cell phone vendors might start loading the hypervisors on smartphones to isolate business data from risky personal browsing. This could also work for laptops using Intel VT. This scheme is already used in products like the Sectera Edge, QubesOS, Turaya Security Kernel, and the Motorola Evoke (for baseband processing isolation, though).
So, there are more options to consider. Businesses just aren't looking into them. Many businesses can get away with forced restrictions, although they might needs an IDS for the executives' devices. (rolls eyes) I've seen so many successfully employ the approach that I know more could. Not every company, but many companies. Not every risk or piece of data, but much of it. What's their excuse? The Apple-loving workers will quit their job during the recession? Heh, maybe... probably not...
The war is on between corporate assets and personal assets. Companies are just beginning to understand the most important asset the company has: DATA!. Once a company loses it's data the company has lost it's cyberspace presence. I am responsible for the company's cell devices, laptops/desktops, the the company's network (plus a other technology). The direction we go always includes dollars in the decision. I see relaxation on personal cell phone access to the network for mail and I also see the early seeds of data protection sprouting.
A lot of companies will need to invest heavily to move legacy systems and ideas from 1980's to the present. This will be long road with lots of frustration. The fustration is the preception that once data is in the cloud resources can be removed from the company. People will still need to manage the data and security no matter the access device.
I have held for quite some time that one of the biggest challenges facing us today in networking as well as security is that we keep wanting to shift control, responsibility, blame etc. ( I believe you call it the CYA syndrome or something to that effect) onto the someone else when what we as security professionals ought to be doing is developing a standards based criteria for apps and devices to comply with as an industry. If we built security into both the devices and applications from the ground up, we would surely have fewer problems. What I would propose is a consortium much like the IETF or WiFi Alliance who take on the responsibility of developing criteria that would certify an application or device having passed differing levels of compliance. FIPS would be a an example but a bit of overkill in this situation. Then in order for vendors to attain the "seal of approval" they would have to meet certain criteria for secure communications. A huge undertaking but maybe one step at a time we can get there. Meanwhile let's get on to IPV6 :)
Just my two cents.
"In the area of mobile phones and laptops, certain RTOS vendors are producing strong hypervisors that allow devices to have a "work VM" and a "personal" VM."
I think you missed the point. Even if that is an option, the users will still want to use THEIR systems on the corporate network.
Whether their system can be set up in a hypervisor nor not.
The problem here is the age-old problem of whether the executives have to conform to the rules they set down or not.
You have more status if you have the latest, coolest toy. And none of the executives will settle for having obvious signs of reduced status. Nor for their people.
Whoever is running the IT Department as the "Department of NO" is not paying attention to the last 20 years of outsourcing, offshoring, and working with contractors and vendors instead of 100% in-house teams.
Almost any project of meaningful size is going to have participants "outside the firewall" on their own IT systems. So, except for a few highly regulated industries, the in-house people who have to get some work done are going to put the project's info on 37signals or Google Docs anyway. At that point, enforcing a clunky browser for the in-house staff doesn't buy you anything.
I would expect someone to be crazy to use the same machine to keep both personal and corporate data on it. When you leave, you may end up losing your personal data when the machine is repossessed by the company. Even if the hardware belongs to you they may be able to make you give up the machine temporarily using the legal system, in order make sure you don't have proprietary data on it. While that could happen anyway, you have a much better case for opposing the seizure if you can claim a strong separation between work and personal stuff.
"But security is on the losing end of this argument, and the sooner it realizes that, the better."
Just because an executive over-rules you does not mean that you are wrong or that he is right.
It just means that in that specific instance, he had more authority than you did.
Now, what happens when that "losing argument" becomes the company's bank account info and passwords?
"In this case, the right decision is to sacrifice security for convenience and flexibility."
I cannot agree with that. It is an easy statement to make in a vague, generalized fashion. But it is difficult to justify AFTER the bank account passwords have been compromised.
"Also on the plus side, technology companies have woken up to this trend and -- from Microsoft and Cisco on down to the startups -- are trying to offer security solutions."
And like most retrofitting, these will have massive holes and edge-cases that allow information to leak out.
Instead, I'd recommend that IT be provided with a budget for "new toys". And be allowed to evaluate such PRIOR to allowing them on the network. And to maintain a listing of the devices / services that are NOT allowed and the specific criteria where they were not sufficiently secure / manageable to be allowed access.
I've got a situation.......unbeknownst to me. I've been having issues with my Blackberry and I stumbled across my certificates. I've got ALOT of DOD certificates ROOT CA-2 (listed 1-24) and DOD CLASS 3 EMAIL- ca-7, ECA ROOT ca-5, DOD intermediate CA-11 ROOT CA 2, IDEN TRUST ECA 1 , ECA ROOT CA, ORC ECA FOREIGN NATIONALS CA....a whole bunch of them, no two alike all issued by Department of Defense. I do not nor have I ever worked there deeper into them the read PKI= serial 1f key usage-digital sig , key 1 cert...and RSA-PKCS1/SHA1..........okay i'm worried and there is more but i need advice. I've already contacted appropriate agencies to give them my info and I got the brush off. When I know its so much more. I done my research for hours now this came about last night. worried
@ Anonymous coward
Just to the right of the article title labelled printer-friendly.
Some weary boomer probably assigned their website scut work to some millennial intern...
@bruce. Okay bare with me- I don't blog. Came across Bruce's site and here I am. I have 50 of these certs on my BB! I pulled more stuff off net that pertains to them- here it goes. Fairfax, Va Operational Research Consultants, INC put into full operation the ORC External certificate Authority for issuing DOD authorized digital certs to contractors, vendors, allied partners, North Atlantic Treaty Organization, foreign nationals, members of goverment. Commencement of full operational status follows the recent memorandum of agreement of external certificate authority policy management as signed by the acting asst. Secretary of Defense. JUNE 29. 2004 - there is some sort of infastructure with VPN on my BB too. I don't use a VPN . I think these certificates are trying to copy, mimick or gain access to CAC cards and maybe there are modules on BB devices to read them properly so "people" may use just their handheld to access data. REGARDLESS this crap is on my phone. Still worried .....be back with somemore "printer-friendly" stuff ............Amare
Great example of what Bruce is talking about is Obama wanting to continue to use his blackberry after becoming President.
Executive Summary: The more you tighten your grasp, the more systems will slip through your fingers. (Computer systems that employees use, this time, not star systems.)
In fact, this quote seems to be quite worth remembering for security in general, both IT and non-IT.
Personal devices (laptops, smartphones, etc.) connecting to the company network accessing company data? It's possible as long as all the parties are "on the same page", regarding security and privacy matters.
There are many things to consider which will impact both the company and the employee. Do employees accessing company data on their personal devices understand they will lose access to their device (and all their personal data on the device) when a legal hold is put in place? How will privacy matters be handled when company support personnel need to access personal devices to fix problems? Who owns the software licenses for company required software installed on the employee device? What about personal devices used for company business with unacceptable software or images (which might violate acceptable use policies for company owned devices).
Lots to consider.
I think there's a lot to be said about companies that make these consumer goods to collaborate on security to a point where they can be trusted more by companies. It's what should happen anyway.
"security decisions are often made for non-security reasons"
Because they don't understand the risk of something going bad and they rather milk all the money and spend as little as possible.
So why is it when we wanted to uses Linux devices in the corporate network it was okay to tell us no, but we can't tell the new kids they can't use Apple devices?
Are we really concerned about losing talent? Aren't most people still just trying to keep the job they have?
How can you allow these devices while keeping risk down, and being able to show compliance with regulations when you have no insight into the device access and connecting with your data and network?
With increased regulation requirements, data retention laws, and E-discovery requirements
@ Brandioch Conner and others
Good point about the devices. My main point, though, is that if the low level employees are dictating corporate behavior, rather than management, then the company has serious problems. A policy requiring certain devices to process internal data and strong enforcement usually insures compliance. Even people who don't like to do something they will often do it if there is a real risk that exposure results in their firing.
The hypervisor solution provides a compromise in that, while it's not *their* phone, they get to use a nice phone with the latest apps or OS's. They don't necessarily have to look at dinosaurs with horrible interfaces and apps, yet security is still maintained.
Classification of data is also useful here. Nonsensitive data may be allowed on personal devices, whereas confidential data may only appear on work approved devices. Data like human resources or marketing plans might not ever be allowed to leave the corporate network or certain in-house machines. The use of classification can give the user more freedom, while providing measurable risk reduction for sensitive data. This assumes they have dedicated work devices and the company does strong policy enforcement. Again, there are thousands of companies that do this in practice and still innovate, keep talent, etc.
I thought "cloud computing" was a stupid idea the first time I heard about it. Nothing since has changed that; the more I hear, and the more it spreads, the stupider it seems. It's hard enough to control the data, sw, and hw in my own hands, but at least I can try, and *know* what efforts I have made.
I know that this trend isn't going to change, and nobody asked, or asks, my opinion before implementing it. But there will be some satisfaction in being on record the day that the cloud becomes a mushroom cloud, in having been the boy who said aloud that the Emperor has no clothes.
The same goes for everything else in the article, about letting whiny babies bring their shiny toys inside the corp. Go dig ditches for a living, and then you can listen to your iTunes all you want to while you do so.
There's a reason why computers at CIA don't have USB ports....
Maybe it is a little bit cynical but I always assumed that IT security guys job was answer ever simple question with confusing gobbledygook, say no to every reasonable request AND gracefully resign whenever the S**T hits the fan.
Are you guys trying to change the job definition? :-)
Everyone has already cherry picked this line, but here goes anyway..
"Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility."
Sorry but to state that as a universally applicable truth is just dumb.
There are still far too many situations for corporates (e.g. financial institutions - customer financial data) where this can result in losses well in excess of any benefits gained from the convenience and flexibility gained.
Sensible security requires considering what you are trying to guard against and what is really needed. If you're the CIA with informant identities, or indeed a bank with a big pile of cash, you stick it in a vault, surround it with armed goons and don't let anything in or out without serious searches - but most companies just aren't in situations comparable to that. Is letting a utility company sales rep access company email from an iPhone rather than a BlackBerry a problem? It shouldn't be - apart from anything else, it's almost certainly the user rather than the device which poses the relevant threat, intentional or otherwise (letting slip about the big new offer starting next month, planned price rise, etc).
Working (sometimes remotely) for a university is an interesting experience. There is a firewall - but with email being outsourced off-site and the majority of users accessing services from outwith the university network, is it really any use? As a kneejerk response to some malware using malicious DNS servers, it blocks port 53 - forcing users to go through what was, at the time, an unpatched and vulnerable BIND installation rather than using something more secure; no doubt future versions of that malware will implement the DNS service locally rather than rely on an outside server anyway, eliminating what little benefit that gave entirely - but of course leaving the downside in place. End result of this and other port blocks? Increasing numbers of users VPNing out to get proper Internet access despite the firewall.
When increasing fractions of both the resources and their users are external to the network, what exactly can a firewall or restrictive connection policy achieve besides getting in the way? Protect the resources themselves appropriately, and accept that the real role of your internal network is little different from a regular ISP: one possible route for your users to access resources. Malicious users - and remember, statistically most of them are internal ones - WILL compromise your network if it benefits them, whether installing packet sniffers or probing for vulnerabilities, and they won't worry about any "policy" against doing it. If your security relies on controlling end-user devices, it's already failed.
I initially hated the concept of the cloud from a security and architecture perspective. It seemed like we were going back the client server days and reliance more on things out of our control (corporations to manage servers). And then our data was out of our hands.
Then I got to thinking about a small company that is trying to start up. It's not necessarily in their skillset, financial means, or business need to manage the infrastructure. And even some large companies might be better off not doing it.
So now, I'm conflicted. I understand and agree with the theory.. The implementation leaves a lot to be desired.
We all here, because we have some experience of security, more or less. We give our advice about secuirty for other people. But the problem, that many people don't realizing everything about what they should do. They try to do choise, by asking google or "Grandma Tips Telegraph". Only equal individuals do their choise by investigation of technology. Theres nothing to be change. It's alwayse be better by feeling the chain of faith.
@ Bruce. Hmm...Well I'm here to update you on my status of my nightmare BB device. I'm the one with the. +40 Department of Defense Certificates that magically appeared on my device. After searching for hours I came across Bruce's site and this seemed the place to be to let it all out.
ROUND2. IT's gotton worse and well here it goes..
In my frustration and angst; I decided to take the dive and go through my BB device for more possible clues. I went in 0ptions, than Apps, and nothing special until I clicked menu and than clicked modules from there. In this long list I came across MIDP Root certificates. I didn't see those under my security section like the others.
So I researched for awhile and pulled this- its a Two-factor Authentication. that verifies that a BB device is bound to a smart card. It prompts the user to type the smartcard password to turn on the two-factor authentication by using the smartcard. Then binds to the smartcard by storing the binding information in the store in the BB device memory that the user cannot access. Than it needs the name of the java class that the BB smart card reader requires. Then binding that information so it can format the smartcard type and name of the java class the smartcard code requires a unique 64 bit identifier that the smartcard provides a smartcard label that pushes the current IT policy to the BB smartcard reader. So now I was left with DOD certs and this MIDP cert and I thought oh sh*t my info gathered a day prior to this lead my to CAC cards from the DOD certificates. So panicked now I went through the long long list in the same modules for anything relative and BAM I came across this exactly as I list now..net_rim_smartcard_gsacac. What caught my eye aside from smartcard was the lettering CAC in the gsacac. I clicked on that and it didn't give any significant info that said I'm a goverment issued CAC card it was looking like what I guess a normal property module but its description listed it as unavailable. I know squat about smartcard so I researched again just on the lettering of gsacac. Low and behold its a CAC. That's how its listed apparently. So now how and when and WHY?? Is this here, what's the deal? So. After my findings I brought it to the attention to Home Land Security and the NSA. Why is it my damn BB? And who put it there? And what's the purpose that what really blows my mind. I'm off to follow a lead and to make sure it won't serve its purpose for whatever reason it was put there. And to backtrack it all the way to the source. Any advice ? Ideas? Plz share.. BY THE WAY- earlier posted by J. Sutherland.
.I'm not a malicious user nor am I a statistic of "oops" malware. I'm a Mom of three and I don't get all cyber happy and let it consume my time. I shop occasional QVC here and there nothing big. And my email has around 3000+ and hasn't been checked I'm months. Until recently I upgrading like all the people out there from a simple flip phone to this Blackberry. I dont have any clue as of yet. But I'm also not ignorant to the computer world either my Dad was a very smart man and forced me learn all about computers, programs, langs ETC. He was a programmer in the Air Force years and years ago. He taught me really young and I had no childhood. Thus why I'm a HOUSEMOM for more than seven years not a malicious user. With that note ...off to yoga and to ponder with my grey matter. I will be back for sure..later though. Help me figure this out!!
New services and business changes are always created WITHOUT security in mind. Security doesn't become an issue to the overpaid airheads until something happens. Security should always be a vital part of the planning stages.
@Amare "Why is it my damn BB? And who put it there? And what's the purpose that what really blows my mind."
Disclaimer. Don't have a BB and you've gotten deeper into the internals then I ever have...
At a guess; RIM pushed out the certs for USGov to all BB devices by default? (Sounds stupid to me but maybe it's easier to do all by default than just some devices.)
You have indeed found a Common Access Card (what DoD calls CAC) certificate store.
That GSACAC would be listed is not surprising. GSA has management responsibility for the HSPD12 system. The HSPD12 system is the Identity Management system for all Government employees and contractor employees on contract to the department and agencies.
In accordance with Excutive Order HSPD12 it provides all USGov workers with a strong Personal Identification Verification credential and a horse for it to ride on.
The output of the HSPD12 process is a CAC (a smart card with photo, data and fingerprint biometric and a pki certificate(s)).
USGov is a heavy user of the BB (other phones haven't yet been certified though Apple has great hopes for Iphone v4) so it makes sense that they would do a mass push of certificates (if in fact they didn't come with your phone when purchased.)
Maybe an overly broad distribution of public certificates but unlikely to be nefarious.
DHS should have been able to give you some information; just gotta find the right person there (not easy). NSA won't care since they doubtless have back doors into the RIM servers.
@ BF Skinner
Yeah, you're probably right about them pushing the certs in. I actually wish they did the same for IE and Firefox. I don't mind having a few certs' because I know what they mean: an identity has been verified by someone to some degree. They say nothing of certainty or trust. Of course, this could be dangerous for lay people and I wouldn't recommend it. But it would be nice to have an option to download all the CA certs for one's government and military.
Back to preloading being useful, I remember when I originally went to DOD portals to get info on EKMS and certain Type 1 platforms I got warnings that the CA's were invalid and the site "may be untrustworthy." That made me a tad nervous, considering the potential MITM-attack value of these portals. Ever the paranoid, I spent a decent amount of time looking into the DOD PKI and validating their CA certificates. Then, I added them, made a written note of them for later reinstalls, and proceeded to enjoy peace of mind.
"NSA won't care since they doubtless have back doors into the RIM servers."
Will be at the firmware, driver, or OS level. Quite a few avenues for attacks in a phone with no backdoors. I've always thought that, if NSA was given source code, they'd probably sit on any zero day they find that's sophisticated to exploit and hard to remove. I know they backdoored Lotus and made secret modifications to Windows 2000's public release, so assuming backdoor by default is a reasonable thing to do.
You're actually right about VDI or thin client approach moving to mobile phone. You might want to look into the OK Labs Nirvana phone. It runs a phone OS and a Citrix remote desktop client side-by-side using the OKL4 "microvisor" (microkernel w/ virtualization support). You plug a monitor, keyboard and mouse into it, load the software, and BAM! you have a desktop PC to work with. It might be at your house, at your office desk, or a VM in a server farm. Best of all, the microkernel's isolation is stronger than most OS's and this helps in data loss prevention.
I imagine that many of us are trying to work out how the trend of consumerisation is going to work out where we have information assets of high value. It boils down to how can we deliver services to all legitimate users without having to care (much) about the client device or the network. Some clues above, but not many. And such services will frequently need to cross organisational boundaries. I don't see any real solutions in the near term, although I could find a use for them.
Our security policy forbids installation on our company PCs of any software not approved by the IT department. As I'm a software developer, this means I'm technically in breach of the regulations any time I compile my code. (As a workaround I have considered only writing code that won't compile.)
"...if the low level employees are dictating corporate behavior, rather than management, then the company has serious problems."
I used to be the sysadmin for a high school, and this is exactly what happened. When the school district set a GPO above my head requiring secure passwords, teachers flew off the handle over having to set their passwords to "MathIs#1" instead of "math". Fast forward 90 days into the school year, and there was another round of teachers flying off the handle over having to change their passwords. I was actually quite happy the GPO was set above my head, so I could truthfully say I couldn't do anything about it.
One teacher in particular went to the assistant principal because she did not want to participate in the whole "screen locks after 1 hour idle" thing. This was a GPO I had set myself, but when I was asked about giving just this one teacher an exemption, I told a white lie and said that there was no way to do that.
What did we learn here? That if management lets employees dictate security policy, you don't get security. If the university housing department allowed dorm residents to dictate security policy, no doors would ever get locked.
Don't familiar with Matt about management policy. I think that there is many ways to be secure by regarding policy of your organization.
Do you mean that security require some special software? So, it's whery easy to bypass corporate ips. For ex. using ssl anonymizer from home machine and have too much problems.
Maybe the solution to this will be to provide a virtual machine... at the moment, Paragon go-virtual software is used by many employees willing to work with more comfort from their desktop at home (compared to their corporate laptop)!
For Paragon, maybe we can be confident with the tool... but this use could make their mind to others willing to break-in employees generated VMs!
So maybe providing what people want is the best way to keep some control and virtualisation can help a lot.
As well, just having a machine on the internal network having a SSH server that do not administratively prohibit tunnels (and so, reverse tunnels!)... combined with an HTTPS proxy not white filtering (or at least filtering dyndns and no-ip domains)... and anyone can go trough the most severe controls with proxytunnel on corporate machine (supports adding an ssl layer to avoid ssl banner detection and can be given another less suspicious process name! Great tool!) and an stunnel4 on the home side able to get traffic from 443, remove the ssl, and forward this to 22 on the ssh server: So you make you own VPN and as the tools exists on almost any OS (desktop+mobile)... problem solved for 99% corporate environments.
The problem with the consumeration(sp?) is that the Security department will be the ones getting axed when the VP's Iphone is used as a remote access point and the company db servers puke private data to outside entities.
Along with TARP came greater levels of scrutiny by the banks of their vendors. One of the most frequent questions we get these days is 'Do you allow non-company owned assets on the corporate network?". To answer yes to this question is to invite almost certain death as a bank vendor.
Security is about risk management at the end of the day. You can decide to allow your users to use their own devices to access/store/process your business information but you need to understand the risks of doing so and then do a cost/benefit analysis to see whether the risks is justified.
If you can't retain staff because your secure operational environment makes it too hard for them to work then that is a risk to your business. It has a real cost that can be evaluated and compared to the possible cost of staff using unmanaged devices - malware/data loss/etc.
I can't imagine achieving PCI compliance if every admin used their own PC or mobile device for convenience.
You really want to prevent this sort of thing?
"You can use whatever you want, knock yourself out. If it's not A, B, or C, don't call the helpdesk. If you lost Accounting's database it's on the director of Accounting to explain it to the CEO... and it's on the director of Accounting to pony up the budget funds to pay for data recovery. And the next time the director of Accounting tries to convince me to use something, I get to throw this in their face and say, "No."
It's not coming out of my budget. If you're using an iPhone, don't ask my network guy to fix it for you. I can't budget for things I can control, any more than you can. You can't complain that nothing works right when I have no predictive capability to build infrastructure because you get to change the specs tomorrow."
I agree, Bruce, that to disallow people to use toys is largely a losing battle... but it's a losing battle because the IT department (in most organizations) is considered to be a value-neutral or value-negative part of the organization. Sort of like government oversight: at best, a pain in the ass to be worked around.
And, for the most part, we let them do it. Read CIO magazines, they're all talking about doing whatever the users want, whenever the users want, and doing it all on less budget than last year and with a grin on your face. Don't lead. Enable. It's the industry trend.
This is astonishing to me. No other profession allows itself to be treated this unprofessionally. No other profession constantly kowtows to others and accepts blame and empowers users to shoot themselves in the foot and then takes the heat when that happens, too.
I don't tell an accountant how to do double entry accounting. I don't tell an HR person what the legal constraints are in letting a pregnant person go two weeks before delivery. I don't tell the CEO what market we should be seeking to penetrate. I don't tell the salesmen that this customer needs a soft sell and that one needs nagging.
And yet, we all let the users tell us how to use computers. And for that, we deserve what we get, including the blame for the outcomes.
Kind of disappointed that you didn't emphasize that the upgrade might be FOR security. Cars, for example, that boast better braking and handling etc. are being sold on the premise that cool and new also actually means much more secure. The only sacrifice is your wallet.
@ Pat Cahalan,
"No other profession allows itself to be treated this unprofessionally."
Are we a profession in anything other than our own minds?
Think how users see us, we are the "reparman who play with toys and speak nonsense"
Think how users see their computers some like phoness, some like cars, others like personal jewellery, but in nearly all cases as "unreliable".
You ask a user about their computer experiances at work it's about "how it let them down"
Once upon a time kids who had been lazy said "the dog ate my homework" and quite rightly the teacher did not believe them. Now however they say "Dad fixed the computer and my homework vanished" and the teacher believe's them.
We have an image problem we are seen less favourably than that shady guy selling rust bucket auto's on that downtown corner on the other side of the tracks.
Our whole "profession" is about being confidence tricksters on the make, you only have to read the first few paragraphs of an End User Licence Agreement to see it, then try and negotiate a site licence to feel it.
But then think how we look as we get close to the board room... We cannot give any predictability about function only failure, we cannot show return on investment, at best we offer a high risk of liability.
Which brings us around to "security" we cann't measure our effectivness in a testable and verifiable way. We cann't even offer any assurance that we will know when data has been stolen.
What do we put on the table when it comes to budget appropriation time? doom gloom and sunk costs. And what of the budget competitors, even the building manager can say he can keep the lights working, the doors locked and the toilets clean with more certainty than we can.
So what happens we don't do "security" any more we do "compliance by audit" to minimise liability. We do "best practice" as done by our competitors who say they have not done as badly as we have, but the reality? Who knows they certainly don't any more than we do.
Do we honestly look like a "profession" to others?
If one sacrifices security for convenience and flexibility, why have security at all? I don't like the cliché of the weakest link in a chain analogy, I rather compare it to a rubber band; one can stretch security and provide more flexibility. But the more you stretch it, the more tension on the rubber. And eventually it either snaps or wears out in elasticity. Eventually, humans demand even more flexibility, and thus the rubber band of security wears down and looses all it's flexibility: the rubber band just lost it's functionality, so why have it all? The trade-off, I guess, is to let the rubber band of security bounce between restriction and release.
@ Pat Callahan
Nice post. If you don't mind, I'm archiving these three paragraphs for use in future business presentations (with credit given):
"This is astonishing to me. No other profession allows itself to be treated this unprofessionally. No other profession constantly kowtows to others and accepts blame and empowers users to shoot themselves in the foot and then takes the heat when that happens, too.
I don't tell an accountant how to do double entry accounting. I don't tell an HR person what the legal constraints are in letting a pregnant person go two weeks before delivery. I don't tell the CEO what market we should be seeking to penetrate. I don't tell the salesmen that this customer needs a soft sell and that one needs nagging.
And yet, we all let the users tell us how to use computers. And for that, we deserve what we get, including the blame for the outcomes."
It was just so well said. :)
When I wrote a couple of days ago, - stated my last resort of help. All the big-wigs gave the brush off. But- rest assure somewhat I did not reveal what I know is detramental and what common consumerism gone haywire for hacks. I put my contigencies in order before I did this. Sercurity Hill has been informed. before I went on a search for knowlegde of why, how, when. There is really nothing I've stated that wasn't available at the right click. I did walk away with lots of info and great advice from here. And - hold Bruce in my highest respects he is the man that is far more surpassed than I or you will ever be. I have figured out the "big components" to this . It was just a matter of turning on the lights and seeing which ones scatter. I did this in a way to protect my country and its security. So feel free to copy the blog and post it at your schools "this is not what to do" its like seeing um..let's a James bond movie in the 80"s and "what's that 9ue" it's a liquid crystal image-sharpest of its kind. But 9ue has. Had it in the goverment padlock a long long time. So believe me when I say I left the BIG stuff out and that going inder our goverment padlock. And let's say some things out there to think about and worry over too. We don't need this kind of tech float freeky in certain places, situations, or hands for that matter. On that note - some of these blogs have the right idea and some a decade behind. First post I quotes the Asst.acting Second. of Defense and that was ten tears ago. And that was about the new and improved CAC cards and they chunked the old ones because they we proven Hmm..flexalbe rubber bandish. So yes let's keep certain things that can cause big problems out of plaaces that need serious security. And yes make sure we run ports and components and apps only for certain issues thatwould need it. Bruce is right Do we really need like five different ways to check. Our email? With that note I bidd you good night and farewell.
Two notes. First there are a few "what, are the employees going to find another job in a recession???" comments above; IT policies tend to not change when the economy picks up, and if you start playing capriciously with your employees they will treat the company the same way. Sorry, that's not a good argument to make. Moreover, the employees that are really hard to replace are also the ones who can get a job elsewhere the most easily, even in a recession, and they also tend to be the ones most likely to bristle at needlessly overbearing controls. Finally, the company is also facing the realities of a recession, and losing key personnel because of this type of issue can tip a company over the edge as well.
Second topic: I think the main issue that a lot of folks have with their IT department is that security is seen as black and white. Someone's email might contain sensitive information, thus everyone may only ever view their email on an approved device all the way down to the secretary. The email server is on the company network, so no non-approved devices may use that network. Some folks deal with credit card info, therefore all access to the corporate network must be "guarded" by password rules that make the Gestapo seem friendly. What happened to security zones and adjusting levels of security to the specific needs of the data being secured?
It's harder, yes, but (again, only in my experience) this is an area where, if IT was more "on the side" of the folks who just want to get work done, they'd have a much better relationship with the rest of the company and we'd end up with better security, not worse. The main problem is that folks "in the trenches" of the company's line of business end up seeing IT as that evil org that puts loads of "lockdown" crapware on every employee desktop/laptop (which crashes certain computers at 4:00 every day like clockwork but can't be taken off until the vendor puts out a fix because that would compromise security) and keeps the contractors in Costa Rico from being on VPN and accessing WebEx at the same time. They aren't a part of the org helping us keep data safe; they are the part of the org keeping us from creating that data in the first place.
Anyway, just a thought. If you are already customizing zones of control and working with the rest of the company to make sure you achieve the right balance of security vs obstruction, that's great. It just seems like a very rare thing from the non-IT side of the "fence", especially when the company has more than a few hundred people in it.
@ Tom Dibble,
"What happened to security zones and adjusting levels of security to the specific needs of the data being secured?"
Two things happened to it the first is the resourses required expand not with the number of zones but the complexity of interaction between the zones.
Secondly moving to a "web based solution" to reduce resource issues on the users machine means that the zone issolation that is possible at the OS level is not realy available at the browser level (although this is changing).
As was once remarked "you get what you pay for" thus a resource straped IT department is looking to reduce complexity to be able to perform at all.
Most users and managers assume either a linear relationship between "objects" and resources required, or one that decreases per object resources as the number of objects increase.
Few understand (even when explained carefully) that from the security asspect complexity is the driver and even at the simplest level complexity goes up by the number of simple relations between objects ( ie a half n^2-n).
So if you have a browser with shared memory between open windows there is the issue of how many open windows or "tabs" and how you ensure adequate segregation between memory spaces to ensure security whilst still providing a secure mechanisum by which information can be moved from one window to another (ie simple cut-n-past) whilst maintaining adequate mechanisms to prevent accidental or deliberate disclosure.
Security is an area of ebbs and flows.
I agree that it 'll be harder and harder to say no especially if the CEO says to do it and security has been and always been a balance.
While the consumerization of IT will shift the balance of power over to the 'left', all it will take is for a number of high profile incidents or an increasing rash of incidents for the pendulum to swing back to the 'right'.
Personally, considering the issues surrounding Android security and that all of the smart phone platforms are have or are starting to have banking apps on their platforms - I feel that this may happen sooner rather than later.
Bruce, how about you and Marcus publishing your point/counterpoint essays on a non-spammer, or maybe talk Marcus into posting his halves on ranum.com like you do here? In the less than a week since I signed up to read this I have received more than a dozen emails from all sorts of IT related stuff that I am not interested in.
Yeah. That's why it pays off to give them false information. Sad, but true.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.