Many things in life are something of a two-edged sword -- where very good things are accompanied by potentially bad things. Way back in the pre-Internet days, we controlled access to information with, at most, simple usernames and passwords. After all, our only possible connections were inside of the enterprise. Information security was simple, clean and pretty much devoid of any real risks. With all of the good that the Internet provides, the other edge of the sword is how it has opened our networks and, with that, increased our information security risks.
A couple of years ago I was contacted by the producer of a television program. The program wanted to interview me for a segment they were doing on cybersecurity. I politely turned them down. First of all, I am not an expert on cybersecurity, and advertising that fact on television would have been an open invitation to hackers. Coming across as an expert on cybersecurity would have been equally imprudent, in my view. In a world where there are regular stories about information security breaches, I want to keep as low a profile as possible. That doesn’t mean, however, that information security and cybersecurity should be back-of-mind concerns -- we need to actively think of how to protect every avenue into and out of our systems.
I confess that, in the early days of mobile apps, I did not think too much about information security because the apps themselves were mostly self-contained and were not passing vital information. As a result, I never scored mobile information security as having a high risk likelihood or high impact. But as the number and complexity of mobile apps grow, I need to start thinking about mobile application security. Pretty much every enterprise transaction can now take place via mobile apps, and those transactions are accessing my enterprise information and data stores. This means I need to seriously assess two things:
First, how to design my mobile apps so that the security is built into the app. This includes things like encryption, architecture, rules for data reads and writes, et cetera. In effect, I need to treat mobile apps with the same information security care that I apply to my Web applications.
Second, the use of mobile devices as gateways to my systems. One of the interesting things about the rise in the usefulness and complexity of mobile devices and applications is that mobile devices completely wipe out the line between enterprise and personal computing. My smartphone is where my enterprise and personal computing come together. My camera roll includes photos of the application design session I conducted last week. My camera roll also includes the photos I recently took of my grandson. The apps on my phone range from my personal banking app to my enterprise expense reporting app. These devices bring computing together in a way that challenges what I can control. I need to secure the device in a way that does not reduce the usability of the device. To that end, I need to not just think about but get very serious about things like encryption, tokenization, access rules, scanning, et cetera. There is a lot of innovation going on in these areas, so it is worth my time to learn more and then do more through research. If I'm up to the task, the next step requires implementing something that makes sense and finds the balance between overkill and under-kill, between risks and costs.
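Two of the controls named above, tokenization and rules for data reads and writes, can be sketched in a few dozen lines. The following is an added example, not code from the original post or from any product it mentions: a simulated on-device store for a phone shared by an expense app, a banking app and a photo app. Sensitive fields are swapped for random tokens before they ever land in device storage, each app may only read or write its own record kinds, and every record carries an HMAC so a record altered on the device is rejected on read. The policy table, the app names, the in-memory vault and the card number are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample policy (an assumption for this example): which app on
# the device may read or write which kind of record.
ACCESS_RULES = {
    "expense_app": {"expense": {"read", "write"}},
    "banking_app": {"account": {"read", "write"}},
    "photo_app": {"photo": {"read", "write"}},
}

# Fields that must never sit on the device in the clear; they are replaced
# by a random token and the real value lives only in the vault.
SENSITIVE_FIELDS = {
    "expense": {"card_number"},
    "account": {"account_number"},
}


class TokenVault:
    """Stand-in for the enterprise-side token vault (in-memory here)."""

    def __init__(self):
        self._values = {}

    def tokenize(self, value):
        # Tokens are random, so a token on the device reveals nothing about
        # the value it stands for and cannot be reversed without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._values[token] = value
        return token

    def detokenize(self, token):
        return self._values[token]


class DeviceStore:
    """Local store on the phone: enforces read/write rules, tokenizes
    sensitive fields, and MACs every record so tampering is detected."""

    def __init__(self, vault, mac_key):
        self._vault = vault
        self._mac_key = mac_key
        self._records = {}

    def _check(self, app, kind, op):
        allowed = ACCESS_RULES.get(app, {}).get(kind, set())
        if op not in allowed:
            raise PermissionError(f"{app} may not {op} {kind} records")

    def _mac(self, kind, record_id, payload):
        # Canonical JSON so the same logical record always yields the same MAC.
        msg = json.dumps([kind, record_id, payload], sort_keys=True).encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).hexdigest()

    def write(self, app, kind, record_id, record):
        self._check(app, kind, "write")
        payload = dict(record)
        for field in SENSITIVE_FIELDS.get(kind, set()):
            if field in payload:
                payload[field] = self._vault.tokenize(payload[field])
        self._records[(kind, record_id)] = {
            "payload": payload,
            "mac": self._mac(kind, record_id, payload),
        }
        return payload

    def read(self, app, kind, record_id):
        self._check(app, kind, "read")
        entry = self._records[(kind, record_id)]
        expected = self._mac(kind, record_id, entry["payload"])
        if not hmac.compare_digest(expected, entry["mac"]):
            raise ValueError("record integrity check failed")
        return entry["payload"]

    def raw(self, kind, record_id):
        # Bypasses the rules: models someone reading device storage directly.
        return self._records[(kind, record_id)]


def demo():
    """Run the three checks and report what happened."""
    vault = TokenVault()
    store = DeviceStore(vault, mac_key=secrets.token_bytes(32))
    # Constructed sample record; the card number is a well-known test value.
    stored = store.write("expense_app", "expense", "e1",
                         {"amount": 42.5, "card_number": "4111111111111111"})
    out = {"plaintext_on_device": "4111111111111111" in str(store.raw("expense", "e1")),
           "vault_roundtrip": vault.detokenize(stored["card_number"]) == "4111111111111111"}
    try:
        store.read("photo_app", "expense", "e1")
        out["cross_app_blocked"] = False
    except PermissionError:
        out["cross_app_blocked"] = True
    store.raw("expense", "e1")["payload"]["amount"] = 999  # tamper with the stored copy
    try:
        store.read("expense_app", "expense", "e1")
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The MAC key here is generated per run; on a real device it would come from the platform keystore rather than from app code, and the vault would be a server the app reaches over an authenticated channel.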
Speaking of two-edged swords, there are days when I pine for the boring, sedentary life I enjoyed in IT before the Internet opened my systems to the rest of the world. On the other edge of that sword -- what a great time to live in an IT world where every day brings new challenges and the opportunity for me to be at the top of my game.