Tuesday 10 November 2015

Security tunnel vision – Mobile devices and VPN

Over the last few years of my career, like so many people I have experienced "security tunnel vision". Security tunnel vision is when we as security professionals get fixated on only one aspect of security and forget the overall landscape of the organization.

An example of this would be mobile devices, such as smartphones and tablets, accessing corporate resources. There is a certain fear among some security professionals that these devices are not secure enough to access corporate resources using technologies such as VPN. These professionals are fixated on the point that these devices can be jailbroken and that users can download malicious apps; they have entered the state of security tunnel vision.

They have lost sight of the fact that users were already using mobile devices such as laptops to access corporate networks through approved methods. The solution is not to ban mobile devices from using proven technologies such as VPN, but to put mitigating controls in place. If VPN is already being leveraged for a mobile workforce using laptops, banning mobile devices from corporate access will not drastically improve the security landscape of the organization; it will only inconvenience the business and hinder productivity.

As security professionals it is important to create policies and standards that protect a company holistically. If the corporate policy approves technologies like VPN, then mobile devices should be allowed to use that technology as long as the criteria that security has defined are met.

In this case, a mobile device management (MDM) solution, mature governance over which applications are allowed, a BYOD policy, and policies and standards for mobile devices should be established and leveraged.
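The controls listed above (jailbreak detection, MDM enrolment, an approved-application list, a minimum OS version) can be expressed as a single device-posture check that the VPN gateway consults before granting access, and the same check applies whether the device is a phone or a laptop, which is the holistic point the post makes. The following is an added illustrative example, not code from the original post; the `DevicePosture` record, the `APPROVED_APPS` set, the minimum OS versions and the sample devices are all constructed assumptions standing in for what a real MDM inventory would supply.

```python
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """Device attributes as an MDM inventory might report them (assumed shape)."""
    device_id: str
    platform: str          # "ios", "android", "windows" ...
    os_version: str        # dotted version string, e.g. "15.2.1"
    jailbroken: bool       # jailbroken / rooted flag from the MDM agent
    mdm_enrolled: bool
    installed_apps: list[str] = field(default_factory=list)


# Constructed policy values: an approved-application allow list and the
# minimum OS version per platform that security has defined.
APPROVED_APPS = {"corp-mail", "corp-vpn", "corp-docs", "authenticator"}
MIN_OS_VERSION = {"ios": (14, 0, 0), "android": (11, 0, 0), "windows": (10, 0, 0)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '15.2' / '15.2.1' to a 3-tuple so comparisons are consistent."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def evaluate_vpn_access(device: DevicePosture) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). The reasons list is empty when access is allowed.

    Every criterion is checked so the user (and the help desk) sees all
    remediation steps at once rather than one failure per attempt.
    """
    reasons: list[str] = []

    if device.jailbroken:
        reasons.append("device is jailbroken or rooted")
    if not device.mdm_enrolled:
        reasons.append("device is not enrolled in MDM")

    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        reasons.append(f"platform '{device.platform}' is not covered by policy")
    elif parse_version(device.os_version) < minimum:
        reasons.append(
            f"OS version {device.os_version} is below the minimum "
            + ".".join(str(n) for n in minimum)
        )

    unapproved = sorted(set(device.installed_apps) - APPROVED_APPS)
    if unapproved:
        reasons.append("unapproved applications installed: " + ", ".join(unapproved))

    return (not reasons, reasons)


# Constructed sample devices: a compliant phone, a jailbroken phone, and a
# laptop with a non-approved application. The laptop goes through the same
# policy as the phones.
SAMPLE_DEVICES = [
    DevicePosture("phone-01", "ios", "15.2.1", False, True, ["corp-mail", "corp-vpn"]),
    DevicePosture("phone-02", "ios", "15.2.1", True, True, ["corp-mail"]),
    DevicePosture("laptop-07", "windows", "10.0.19044", False, True,
                  ["corp-vpn", "torrent-client"]),
]


def evaluate_fleet(devices: list[DevicePosture]) -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every device and key the results by device_id."""
    return {d.device_id: evaluate_vpn_access(d) for d in devices}


if __name__ == "__main__":
    for device_id, (allowed, reasons) in evaluate_fleet(SAMPLE_DEVICES).items():
        status = "ALLOW" if allowed else "DENY "
        print(f"{status} {device_id}" + ("" if allowed else ": " + "; ".join(reasons)))
```

A gateway that calls `evaluate_vpn_access` on each connection attempt enforces the MDM, jailbreak and application-governance controls at the point where they matter, instead of banning an entire device class.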