Once upon a time, on a faraway local area network, a company's information technology systems were defended like a fortress. Employees toiled in safety behind the protection of great firewalls and the integrity of data was upheld. But as virtualisation and cloud computing become more commonplace - and more fundamental business demands such as staffing and knowledge management create a demand for agile, task-based permission systems - the idea of the firewall as a company's main line of defence is fast becoming outdated.
Increasingly, corporations will be forced to relinquish control over their data and enterprise applications to the cloud in order to achieve the flexibility demanded in modern working environments.
In doing so, however, they lose all pretence of maintaining a security perimeter.
The shift to storing corporate data outside the network is inevitable, but it increases exposure by making it harder for IT administrators to exercise direct control.
Although the industry continues to evolve to cope with the changes, the frequency, persistence and deviousness of cyber attacks are also on the rise.
In the 2009 edition of its annual Computer Crime and Security Survey, the United States industry body, the Computer Security Institute, suggests the security industry is reaching a new level of maturity. CSI director Robert Richardson says, however, that the modern technology landscape is still inherently flawed and insecure.
"The solutions available have their uses but cannot be relied on past a certain point," he says. "There's a vaccine for measles but steep hills yet to climb in fighting auto-immune diseases."
Respondents to the survey reported an increase in malware infection, from 50 per cent in 2008 to 64.3 per cent in 2009. There was also a big jump in financial fraud, up from 12 per cent to 19.5 per cent.
Ernst & Young's 12th Global Information Security Survey, published in December, also shows an increase in cybercrime activity, with internal attacks up 25 per cent and external attacks up 41 per cent.
The survey of nearly 1900 senior executives from around the world found that spending on information security continued to grow in 2009, despite difficult economic times. It also suggests that while companies are more concerned about information security than ever before, they paradoxically continue to pursue unsafe technology practices.
Implementing or improving data leakage prevention technology in 2010 was among the top three priorities for two-fifths of respondents, but a remarkably low 41 per cent were encrypting their laptop fleets and just 17 per cent said they were planning to do so in the next year.
Ernst & Young information security head Mike Trovato says the results were surprising given the number of breaches that had occurred due to loss or theft of laptops and the ready availability of affordable encryption technology.
"The impact [of introducing encryption] to users during deployment is relatively low and should no longer be a barrier," he says.
Challenges of mobility
Adding to the weaknesses revealed in corporate computer fleets, the rising ubiquity of smartphones over the past two years has added millions of new, highly mobile and increasingly powerful endpoints at which data can be exposed.
Gartner analyst Robin Simpson says the security of these devices is very important. Employers and employees alike are discovering the benefits of the flexibility offered by portable technology and as a result access models for core data and enterprise applications are being compelled to change, he says.
In the past, employees came to work and accessed the tools they needed within the office building and behind a physical wall in a system that could be contained. Now, remote access devices need to be able to dip in and out of the tools and databases as an individual job or employee requires - and not hemmed in by a minor detail like proximity.
"A lot of the problems that are arising come out of the fact that employees are having to access enterprise applications from all over the place - from home, out and about on their mobile device, anywhere," Simpson says.
"And, in turn, employees are also placing pressure on their workplaces to offer that flexibility."
The chief information officer for the Australia-Pacific region at Parsons Brinckerhoff, Christopher Johnson, says that about 55 per cent of the company's fleet is necessarily mobile.
"While our focus has been on protecting our own network and the equipment we deploy, it has become increasingly difficult to secure our own network when our workforce has such a high reliance on mobility," he says.
As an operational design and project management consultancy, Parsons Brinckerhoff collaborates with organisations to complete their designs. "That means our equipment is essentially exposed to networks that we don't control," Johnson says.
"One of the challenges was 'split-tunnelling' - our people often need to access the stuff within our own firewall while concurrently accessing information on the local network to which they are connecting."
Parsons Brinckerhoff has intelligent VPN and remote working applications to cope with those challenges.
"We need to secure our mobile workforce without limiting their access to the information that is our business," he says.
Tony Pollock is CIO for employment and corporate skills development company Angus Knight. He agrees that protecting the integrity of the company's infrastructure while allowing the necessary access is a big concern. "Because of the nature of our business we have a lot of casual users accessing our networks, both in job search and training environments," he says.
Simpson says that although comprehensive security solutions are available, many enterprises still need to put all the pieces in place. Smartphones are an important part of the way people carry out their jobs in the modern workplace and they are even less secure than laptops.
Finding a holistic approach
"They're a bit of a weakness at the moment," he says. "They tend not to have the security tools that traditional personal computers have had."
Pollock says Angus Knight's network hosts more than 350 mobile devices, one-third of which are smartphones.
"We're considering looking at additional security to meet the growing need for mobile technology - making investments in multi-layered authentication so we can provide access to systems information in a more secure environment," Pollock says.
The company is also involved in an active education program for network users about securing their devices and best practice when working in a mobile environment.
Simpson says that devices running Microsoft's Windows Mobile and Apple's iPhones have only basic security measures in place, such as tools that allow a user to wipe their phone remotely if it is lost or stolen. Corporations can also require employees who have mobile access to install simple password protection applications which provide another fundamental layer of security.
But Simpson says if you really want a secure mobile fleet there is only one way to go, and that is Research in Motion's BlackBerry. He says the BlackBerry, which occupies 20 per cent of the international smartphone market, has a very high level of security, despite its security software not always being compatible with external enterprise software.
But despite the comparative lack of security features on mobile devices, Simpson says the number of different operating systems in use means the risk of hacking or attack by malicious software is reduced.
Even though the segment is technically more vulnerable than personal computer systems, the development of malicious software is more complicated, less effective and consequently less attractive to cybercriminals.
"Smartphone security weaknesses are probably not as dramatic as they would be for PCs because there are so many different kinds of mobile phones," Simpson says. "There are multiple vendors, so at this point it's difficult for a hacker to develop malware that would run on enough phones to make it worthwhile."
Some security experts have also suggested there are fewer drivers for criminals to target mobile phones because they are generally less likely to provide access to sensitive personal information such as bank account or credit card details.
Simpson says the real challenge facing corporations is not whether to allow remote and mobile access but, rather, the best way to provide it.
"Virtualisation is forcing organisations to reassess their security approach from the ground up," he says.
"It's very different from anything they've done before."
Security and access to enterprise applications also need to be controlled on the basis of an individual's role within the company.
Modern office dynamics demand employees be able to move around, access the data they need for the task at hand from different machines and increasingly from machines that might not even belong to the company.
"The enterprise can't really make any assumptions about the configuration or security or the virus state of the machine the person at the end of the line might be using," he says.
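The two points above - grant access by role, and assume nothing about the machine at the far end - can be combined into a single policy decision. The following is an added example, not code from the article or from any of the organisations quoted in it; the role-to-application mapping, the posture fields and the `decide` function are hypothetical and stand in for whatever the organisation's directory and device-management agent actually supply. It grants nothing by default, grants only what the role permits, and then reduces that to read-only for sensitive applications when the device cannot prove it is managed, encrypted and locked.

```python
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    FULL = "full"


@dataclass(frozen=True)
class DevicePosture:
    # Claims a device reports about itself. 'managed' means the claims were
    # attested by the company's device-management agent rather than
    # self-reported by the endpoint; unmanaged devices' claims are not trusted.
    managed: bool = False
    disk_encrypted: bool = False
    screen_lock: bool = False
    antivirus_current: bool = False


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool
    posture: DevicePosture
    application: str


# Hypothetical role-to-application mapping for this example; in practice it
# would be read from the organisation's directory or IAM system.
ROLE_APPS = {
    "engineer": {"design-repo", "project-tracker"},
    "trainer": {"learning-portal"},
    "job-seeker": {"job-board"},
    "contractor": {"design-repo"},
}

# Applications whose full (write) access is allowed only from a managed,
# healthy device. Everything else is treated as non-sensitive.
SENSITIVE_APPS = {"design-repo", "project-tracker"}


def decide(req: Request) -> Access:
    """Return the access level for req.

    Deny by default: the role must explicitly allow the application and the
    user must have completed multi-factor authentication. The device's posture
    then decides whether a sensitive application is exposed read-only or fully.
    """
    allowed = set().union(*(ROLE_APPS.get(r, set()) for r in req.roles))
    if req.application not in allowed:
        return Access.DENY
    if not req.mfa_verified:
        return Access.DENY

    if req.application not in SENSITIVE_APPS:
        # Non-sensitive application (e.g. a public job board): the role and
        # MFA checks are sufficient, whatever the device looks like.
        return Access.FULL

    p = req.posture
    # An unmanaged device may be a home PC or a client's workstation; its
    # posture claims cannot be verified, so neither deny outright nor grant
    # full access. Read-only limits what a compromised or unencrypted machine
    # can alter or carry away.
    if not p.managed:
        return Access.READ_ONLY
    if not (p.disk_encrypted and p.screen_lock and p.antivirus_current):
        return Access.READ_ONLY
    return Access.FULL


if __name__ == "__main__":
    # Constructed sample requests for a stand-alone run.
    healthy = DevicePosture(managed=True, disk_encrypted=True,
                            screen_lock=True, antivirus_current=True)
    samples = [
        Request("alice", frozenset({"engineer"}), True, healthy, "design-repo"),
        Request("alice", frozenset({"engineer"}), True, DevicePosture(), "design-repo"),
        Request("bob", frozenset({"job-seeker"}), True, DevicePosture(), "job-board"),
        Request("bob", frozenset({"job-seeker"}), True, DevicePosture(), "design-repo"),
    ]
    for s in samples:
        print(f"{s.user:6} {s.application:16} -> {decide(s).value}")
```

The ordering matters: the role check runs before any device check, so a casual job-search user on a healthy managed device still never reaches the design repository, and a missing MFA step short-circuits before posture is consulted at all. Posture only ever narrows access; it never widens what the role allows.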
Trovato says that, ultimately, data and application security is something that, more than ever, needs to be tailored to the individual organisation.
"Regulators are stressing holistic solutions, which will draw a need for diverse approaches," he says.
"Only by understanding the use of information within critical business processes can an organisation, and in particular its information security function, truly begin to manage its security needs."
MIS Australia