I recently registered for a website hosted by a government agency that handles some of the most sensitive personal information available within the U.S. Government. While the site is only a simple scheduling system, imagine my dismay when I received an email confirming my registration that included both my username and password in the email body. That email demonstrates that, despite all of the reported attention to security over the past several years, especially within the Federal Government, we are failing to build an effective information security culture.
As just about everyone who reads the news knows, Google announced on Tuesday, January 24, 2012 that it would merge the data it collects from individual users across all of its properties starting March 1, 2012. Basically, Google will be able to better anticipate how to direct individual user activities to best serve their needs, building a grand database of all user activity and behaviors. The question that few are asking, though, is what the impact will be on businesses. That's where things get really complicated.
Imagine that each of us would need a tank to safely drive on the road. We would be well protected from any obstacles that could come our way, but at the expense of speed, agility, and cost. We could also blow each other up, forcing us to buy bigger and better tanks all of the time to retain a consistent state of security. That's the kind of environment that companies face when using the Internet. Rather than being able to invest in economical transport, each has to regularly procure stronger individual protection to defend themselves. What went wrong?
The 21st century workforce is demanding a flexible work environment. Employees do not want to be constrained by an office or to deal with the traffic to and from work. Most information workers today can work from anywhere as long as they have an internet connection and a mobile device. This rapid shift in workforce demands is threatening traditional organizations’ comfort zone. Organizations do not want data leaving the perceived safety net of their controlled environment, and they do face the real threat of data leakage and other real security risks.
Cloudscaping is the practice of beautifying your cloud footprint. For example, you may outsource pieces of your infrastructure to Amazon, your email to Google, your collaboration platform to Microsoft, and your customer relationship management to Salesforce. But while doing all of that may save you some capital costs, you will give those savings back if you lack a clean data path between your services. It's like having an office campus with a bunch of buildings, but no sidewalks to help you go from building to building. Trudging through the mud is ugly, and trying to leverage your cloud services efficiently without those paths will be just as unsatisfying.
After reading this article in FCW by John Zyskowski this morning, I was floored by this statement:
"Agencies will [be busy managing data, not devices] in part through a series of deliberate decisions, such as buying certain kinds of prepackaged data center capabilities and not buying personal computing devices for every end user..."
In an environment where all of an organization's data is under distributed control, device control becomes much less relevant. We're now caught up in a philosophical discussion about how to secure data in this environment. Despite the security arguments against them, cloud-based services can probably help by providing an easy mechanism for receiving data while maintaining tighter control over it. Since everyone is connected nearly all of the time and cloud services are very available, deploying services to the cloud actually gives the organization the potential to increase data control.
Since InfusionPoints began using Microsoft Online Services (MOS) Business Productivity Online Suite (BPOS), we have noticed that navigating the required password changes can be a bit tricky. Once a password had been changed, we would have a variety of problems, from the mobile device not accepting the new password, to the Outlook client prompting for the password or refusing to connect to Exchange.