
Building the security bridge to the Millennials

Taylor Armerding | Feb. 11, 2014
The younger generation's desire to be connected all the time expands the attack surface. But experts say enterprises can, and should, manage the risk.

President Bill Clinton talked about building a bridge to the new millennium. With that bridge now 14 years in the rear-view mirror, the challenge for enterprises is to build a security bridge to the Millennials who are flooding the workplace.

By now, the list of the "totally connected" generation's employment expectations is familiar:

  • Universal access to high-speed networks.
  • Freedom to use multiple devices -- smartphones, tablets, eReaders and more -- to access and share both personal and corporate data, anytime and anywhere. Oh, and they want to use their own devices, not the company's.
  • Freedom to use personal apps for work.
  • Intuitive design of apps, so no training is required.
  • Flexible hours and locations. What's the problem with finishing the report at home at 2 a.m., instead of in a cubicle between 9 and 5? What's the problem with working with colleagues online or face-to-face -- whichever is most convenient?
  • No significant separation between "work" and "life."
  • The use of social networking to collaborate.
  • A seamless user experience on their phones, without cumbersome security limits imposed by IT.

It all sounds like a productivity dream, undercut by a potential security nightmare. The attack surface of multiple personal devices that commingle personal and corporate data would appear to be both wide and deep.

But experts say employers can and should -- must -- embrace the productivity without jeopardizing security, with a combination of technology and accountability. It's just that there are varying opinions on what the right combination is, and what is involved.

Nick Stamos, CEO of nCrypted Cloud, invokes a religious -- actually, non-religious -- image. "The enterprise needs a network-agnostic, device-agnostic, app-agnostic approach," he said, adding that the corporate network that employees use "should be considered untrusted, and open to anyone onsite."

Stamos rejects Virtual Private Network (VPN) connections, arguing that only SSL (Secure Sockets Layer) connections should be allowed to any corporate systems.

"Login to all corporate systems and data should be controlled through SSO SAML 2.0 (Single Sign On, Security Assertion Markup Language) integration. Where possible, multi-factor authentication should be required," he said.

But Chris Moyer, global chief technologist, HP Enterprise Services, argues that while "VPN used to be a 'nice to have,' it's now a 'have to have' for any organization that wants to keep its employees satisfied, productive and secure (because) many of the systems developed in the past do not have enough data segregation or role-based access built in."

But "data segregation" appears to be a key goal for the future. Another theme from experts is that enterprises need a mobile device strategy that "focuses less on the device and more on applications and data. That will provide the enterprise with the security that it requires while giving workers the freedom and flexibility that they want," according to Dan Dearing, vice president of marketing, MobileSpaces.

