Security tunnel vision – Mobile devices and VPN
Over the last few years of my career, like so many people, I have experienced “security tunnel vision”.
Security tunnel vision is when we as security professionals get fixated on only one aspect of security and forget the overall landscape of the organization.
An example of this is mobile devices, such as smartphones and tablets, accessing corporate resources. There is a certain fear among some security professionals that these devices are not secure enough to access corporate resources using technologies such as VPN. These professionals are fixated on the point that these devices can be jailbroken and that users can download malicious apps; they have entered the state of security tunnel vision.
They have lost sight of the fact that users were already using mobile devices such as laptops to access corporate networks through approved methods. The solution is not to ban mobile devices from using proven technologies such as VPN, but to put mitigating controls in place. Banning mobile devices from corporate access will not drastically improve the security landscape for their organizations if VPN is already being leveraged for a mobile workforce using laptops; it will only inconvenience the business and stop productivity.
As security professionals, it is important to create policies and standards that protect a company holistically. If corporate policy approves technologies like VPN, then devices should be allowed to use that technology as long as the criteria security has defined are met.
In this case, a mobile device management (MDM) solution, mature governance on which applications are allowed, a BYOD policy, and policies and standards on mobile devices should be established and leveraged.
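One way to turn "criteria security has defined" into an enforceable control is a device posture gate that a VPN concentrator consults before granting access: the same checks (MDM enrolment, no jailbreak/root, encrypted storage, minimum OS, no denied apps) apply to a laptop and to a phone alike, which is the holistic view the post argues for. The following is an added example, not code from the original post or from any MDM product; the posture schema, the rule names, the minimum OS versions, the denied-app list and the sample fleet are all constructed assumptions.

```python
"""Device posture gate for VPN access (added example; constructed data).

Encodes the criteria security has defined as an explicit policy and
evaluates each device against it before VPN access is granted. The
schema, rule names, thresholds and sample devices are assumptions for
illustration, not the interface of any specific MDM or VPN product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DevicePosture:
    """Posture facts as an MDM agent might report them (hypothetical schema)."""
    device_id: str
    platform: str                  # "ios", "android", "windows", "macos"
    os_version: Tuple[int, ...]    # e.g. (17, 2)
    mdm_enrolled: bool
    jailbroken: bool               # jailbroken (iOS) or rooted (Android)
    disk_encrypted: bool
    installed_apps: List[str] = field(default_factory=list)


# Minimum OS versions set by security (constructed values)
MIN_OS: Dict[str, Tuple[int, ...]] = {
    "ios": (16, 0), "android": (13,), "windows": (10, 0), "macos": (13, 0),
}
# App governance: identifiers the organisation has decided are not allowed
DENIED_APPS = {"com.example.unapproved-vpn", "com.example.rooting-tool"}


def evaluate_device(d: DevicePosture) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failing rule is reported, not just
    the first, so the help desk can tell the user what to fix."""
    reasons: List[str] = []
    if not d.mdm_enrolled:
        reasons.append("not enrolled in MDM")
    if d.jailbroken:
        reasons.append("device is jailbroken/rooted")
    if not d.disk_encrypted:
        reasons.append("storage not encrypted")
    if d.platform not in MIN_OS:
        reasons.append(f"unsupported platform {d.platform}")
    elif d.os_version < MIN_OS[d.platform]:
        reasons.append(f"OS {'.'.join(map(str, d.os_version))} below minimum")
    bad = sorted(set(d.installed_apps) & DENIED_APPS)
    if bad:
        reasons.append("denied apps installed: " + ", ".join(bad))
    return (not reasons, reasons)


def gate_fleet(devices: List[DevicePosture]) -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate a whole fleet; the result is what the VPN gateway consults."""
    return {d.device_id: evaluate_device(d) for d in devices}


# Constructed sample fleet: a compliant tablet, a rooted phone with a denied
# app, and a laptop that is unencrypted and running an old OS. Note that the
# laptop fails the same policy as the phone does.
SAMPLE_FLEET = [
    DevicePosture("tab-01", "ios", (17, 2), True, False, True, ["com.example.mail"]),
    DevicePosture("phone-02", "android", (14,), True, True, True, ["com.example.rooting-tool"]),
    DevicePosture("lap-03", "windows", (8, 1), True, False, False, []),
]

if __name__ == "__main__":
    for dev_id, (ok, why) in gate_fleet(SAMPLE_FLEET).items():
        print(dev_id, "ALLOW" if ok else "DENY", "; ".join(why))
```

In a real deployment the posture facts would come from the MDM's reporting API and the decision would be enforced at the VPN gateway (for example through a posture check in the authentication step); the point of the example is that the policy is written once, in terms of device properties, rather than in terms of device form factor.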