Building the Security Bridge to the Millennials
The younger generation's desire to be connected all the time expands the attack surface. But experts say enterprises can manage the risk.
Mon, February 10, 2014
CSO — President Bill Clinton talked about building a bridge to the new millennium. With that bridge now 14 years in the rear-view mirror, the challenge for enterprises is to build a security bridge to the Millennials who are flooding the workplace.
By now, the list of the "totally connected" generation's employment expectations is familiar:
- Universal access to high-speed networks.
- Freedom to use multiple devices -- smartphones, tablets, eReaders and more -- to access and share both personal and corporate data, anytime and anywhere. Oh, and they want to use their own devices, not the company's.
- Freedom to use personal apps for work.
- Intuitive design of apps, so no training is required.
- Flexible hours and locations. What's the problem with finishing the report at home at 2 a.m., instead of in a cubicle between 9 and 5? What's the problem with working with colleagues online or face-to-face -- whichever is most convenient?
- No significant separation between "work" and "life."
- The use of social networking to collaborate.
- A seamless user experience on their phones, without cumbersome security limits imposed by IT.
It all sounds like a productivity dream, undercut by a potential security nightmare. The attack surface of multiple personal devices that commingle personal and corporate data would appear to be both wide and deep.
But experts say employers can and should -- must -- embrace the productivity without jeopardizing security, with a combination of technology and accountability. It's just that there are varying opinions on what the right combination is, and what is involved.
Nick Stamos, CEO of nCrypted Cloud, invokes a religious -- actually, non-religious -- image. "The enterprise needs a network-agnostic, device-agnostic, app-agnostic approach," he said, adding that the corporate network that employees use "should be considered untrusted, and open to anyone onsite."
Stamos rejects Virtual Private Network (VPN) connections, arguing that only SSL (Secure Sockets Layer) connections should be allowed to any corporate systems.
"Login to all corporate systems and data should be controlled through SSO SAML 2.0 (Single Sign On, Security Assertion Markup Language) integration. Where possible, multi-factor authentication should be required," he said.
But Chris Moyer, global chief technologist, HP Enterprise Services, argues that while "VPN used to be a 'nice to have,' it's now a 'have to have' for any organization that wants to keep its employees satisfied, productive and secure (because) many of the systems developed in the past do not have enough data segregation or role-based access built in."