All Along The Watchtower
And God told the CISO — CISO!
And the CISO said — I HEAR YOU LORD
And God said — gaze upon the wonderful wall of fire I have built around your network. It protects so many layers and stops so many malformed packets that you should rejoice.
And the CISO said — I REJOICE O LORD! I REJOICE! I SHED TEARS MADE OF SOUR DREAMS AND ANGRY USERS!
And God said — but hear me o CISO. the time has cometh that these walls of fire are not true anymore. Because darkness is upon us.
And the CISO shuddered — what darkness you speak of o lord?
And God said — the people will bring their own devices, and they will connect, and they will download, and they will communicate. And the walls of fire will crumble and wither away to binary dust.
And the CISO shuddered and said: NO LORD! NOT THE BYOD INFIDELS! THEY WILL BE THE DEATH OF US ALL!
AND THE LORD RUMBLED — SILENCE YOU FOOL! THESE INFIDELS ARE THE FUTURE! THE WALLS WILL CRUMBLE AND YOU SHALL BUILD YOURSELF MANY SMALL ISLANDS INSTEAD!
And the CISO balked and said, in a voice lowered by three octaves — Oh Lord, you have finally lost it, the walls shall never come down, the infidels will never bring their own device as long as I’m CISO, so help me you!
And the Lord bowed his head in sadness and set upon the Jericho Forum.
I first ran into the Forum in 2007, doing some work for a multinational that was part of the forum, and was introduced to the concept of De-Perimeterisation for the first time.
Let’s go back in time and think what 2007 was like.
In 2007 the concept of protecting your company was still almost solely based on the Walled Garden approach. You have a nice garden. Nice rose bushes. Nice orange trees. The bloody kids in the neighborhood keep trying to eat your oranges, so you build a big wall around your garden. They climb on top of the wall. You put glass shards on top. They bring duvets. You put electrical wires on top of the wall. They cut the power to the whole area. You bring guard dogs. They bring steaks. YOU PUT UP TOWERS AND YOU SHOOT THEM ALL RATATATATATATA.
But I digress.
The point of the matter is, the leading concept in the security world of 2007 was that the world out there is full of nasty bad hackers. But inside your network it’s nice and cozy and protected. No one was allowed in, not a lot was allowed out. And all the security people rejoiced.
Fast forward to the iPhone being released. I still remember the scorn I felt as this ridiculous phone came to pass. I was waving my Blackberry around claiming that “a phone, with a touchscreen? vs. a physical keyboard? HA! It will never fly”. But stale humor aside, I don’t think that the IT industry has understood yet what kind of impact ole’ Steve has had on us. It started with the iPhone and continued, big time, with the iPad (“ha! A BIG iPhone, this is so funny, it will never fly”). This was, as far as I can recall, the first time that employees dictated IT strategy, en masse, just because they felt like it. The iStuff was nicer, slick, useful and everyone wanted it. And it all became much worse with the introduction of smartphones with integrated WiFi. From that point onward, every schmuck with a smartphone, an Active Directory login (in case your company actually thought about how to authenticate to WiFi) or who knew what the corporate WiFi password was (“password”, or “companyname2014” if you had a REAL BADASS CISO) hooked his personal device to the corporate network. And then to email. And documents. And internal services. Enter the Android phone in all its glory with malware attached, and you have a new attack vector into the organization.
Not to mention all the schmucks that kept losing their iPhones with half of the company information on it.
Panic mongering you say?
Unprecedented I say. Can you think of another situation where thousands of your employees brought their desktops/laptops/consoles/whatever to work and just hooked them up to the network? Can you think of any other era where most security officers could do nothing to stop the flood?
What happened next, over a relatively short period of time, was the introduction of the dreaded Bring Your Own Malware to Work, also known as — Bring Your Own Device (BYOD). Again, a whole new sector of IT service providers was created mostly because employees wanted to bring their precious iStuff to work, and the panicked security people wanted to somehow control all the weird and wonderful gadgets that hook into their network. Out of nowhere, wonderful companies popped up with magical solutions that make all personal devices “Secure” and “Usable”, all the while “Retaining the Beautiful User Interface and User Experience” while ensuring that “The Cost Remains Minimal to the Company”.
But the more important trend that started out of this very painful first step was the next generation of employee mobility. What started as “I like my bloody iStuff and I will connect it” soon turned into “you will be connected to your bloody iStuff at any odd hour, you will work even when you’re on a beach in Hawaii, and we will make sure that you have all the necessary access to carry out your job, even if you spend the rest of your life in a Siberian Gulag (though we can’t guarantee your bandwidth in the latter scenario)”.
Fast forward to 2016, and you can see that the vision of the Jericho Forum really starts to take shape. In many enterprises, a majority of employees are constantly on the move. At some professional services companies, people don’t step into the office for months at a time. Some of them don’t have an office; they work from home. Or their favorite cafe. Or their Siberian Gulag.
The requirement put to IT departments around the globe is simple: make my user experience seamless — regardless of location. I need to be able to access, work, print, send, operate and annoy my IT personnel regardless of location, in whatever country I’m in.
While IT departments can accommodate that gladly (“open up the company ERP to the Internet? SURE! Put an any-any firewall rule towards the web? WHY NOT!”), this was the nightmare of security people come true. Gone is the “inside is good vs. outside is bad” concept. The perimeter defense is full of approved holes. The security department is tearing out whatever is left of their once magnificent hair.
But wait! Maybe for once in our lives we can see this as an opportunity rather than a threat. Maybe we can follow the vision of the Jericho Forum, stop relying on the defunct concept of high walls around our city, and move on to securing the data, regardless of its location? Do we really care if the laptop is infected with some god-awful malware if the malware can’t reach any of our data? Will we lose sleep over intellectual property being sent via Gmail, Dropbox or WeReadYourInfoWhileSendingIt.com if the data cannot be opened by anyone but the designated recipient?
Science fiction! I hear all of you old-fashioned security voices in my head. Reality! I reply to the voices (not in public though, it tends to scare people off). There are viable technological solutions out there that will give you peace of mind while allowing maximum mobility to employees (and I’m not going to name any of them unless one of you solution providers wants to *ahem* sponsor me. I can always make room for more branded t-shirts).
The perimeter defense as we know it is dead. It will go through significant changes in the next few years, putting more and more holes in the walls while finding new (and better?) ways to secure your data.
And what of the Jericho Forum, you say? They were acquired by The Open Group in 2010, decided that they had better things to do in 2013, and disbanded. A shame, as I think their vision is only now starting to materialize and we still have a long way to go.
Let me finish by dedicating All Along The Watchtower to the members of the forum. Not the Jimi Hendrix version, the Battlestar Galactica one, as I’m sure they were all cool geeks like the rest of us.