Does your security policy reflect mobility and cloud security?

Gordon Merrill, MSIA, continues his series on security aspects of operating systems, mobility and the cloud. Everything that follows is Mr. Merrill's own work with minor edits.

* * *

In the previous article in this series, questions were raised about the growing mobile connectivity trend and whether we are ready internally for the wave of personal mobile devices that will connect to us for business reasons. Recently I was at a technical meeting and overheard a client say that even though this area had just recently suffered a great deal of damage from several tornados, businesses are still very reluctant to develop or test Disaster Recovery Plans (DRP) or Business Continuity Models (BCM).

Most of us reading this article would cringe at that statement and then answer the question titling this article with a resounding "No." But if you are part of a major company which currently does have a detailed DRP and BCM, are you ready for the barrage of connectivity attempts from 10,000 different mobile devices as described in the first article?

A speaker announced to businesses recently at a conference in Orlando that business needs to shift from the traditional computing model to virtualization and private cloud models. He went on to suggest that those businesses using the private cloud may have a competitive advantage. Symantec surveyed businesses and found that 32% are not satisfied with private or hybrid cloud computing. Recent articles about the destruction of mail for 150,000 Gmail users, phishing attacks against hundreds of cloud-based e-mail accounts and Amazon's loss of cloud data are reminders of the complexity of the move from having data under our control to placing our data on the other end of an IP address.

So

• if the ratio of mobile devices to traditional computers is now growing much higher than 1:1; and

• if we have thousands of different types of devices that now need to get to our data and our business in two seconds or less; and

• if our business should be on the cloud in order for us to keep our competitive advantage;

• but if every IP address is hackable;

• then our traditional perimeter security and perimeter defenses are no longer valid.

With data in the cloud and any mobile unit trying to access it, we (literally) virtually no longer have any boundaries, restrictions or borders.

We now have to secure it all.

I have not yet spoken with any information assurance (IA) professional or any CIO who can state that their DRP or BCM are ready for the mobile future of IT. I get the feeling from talking with these professionals that although they want to move into the future with IT, they have no confidence in any of the solutions to date to protect their data and their company on the other end of the IP address.

Steven Levy has expressed it better than I could: "If we're going to make the leap to the cloud, we'll need renewed assurances that personal data on the servers of Google or other companies will enjoy the same protections as the information stored on our personal hard drives and in our desk drawers."

In the next article Gordon Merrill will explore how all these changes in infrastructure and data model designs affect our legal and compliance status.

* * *

Gordon Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. Gordon's information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. He was chair of the School of Information Technology at the ITT Technical Institute in Chattanooga for three years.



Copyright © 2011 IDG Communications, Inc.