Feb 17, 2009

Security in the workspace - Part 2

The word de-perimeterization is used by security experts both to describe a problem and a solution. The problem is clear: when we rely on perimeter defense, a disappearing perimeter is problematic. The solution says that instead of fighting de-perimeterization, by trying to rebuild parts of the perimeter, we should admit that perimeters will be gone soon and implement our security measures on a different level.

What is causing the problem? Here are three major factors which seem to drive de-perimeterization:
  • Networked Business: Suppliers, customers, and service providers all work with the organization on a much finer-grained level than they used to. This is the result of specialization. An example is outsourcing: it can be very cost-effective to outsource certain tasks to more specialized organizations. Outsourcing requires so-called service level agreements: contracts between the organization and service provider about the quality of the services rendered. Security should be a part of such agreements, as these parties operate within the perimeter.
  • Governance, Regulations, Compliance: Organizations need to comply with more and more external laws and regulations. Often these call for more transparency towards shareholders, governments and the general public. This means that these parties need to pass the perimeter.
  • Insider Threats: Employees are not the loyal workers they once were. Maybe most of them still are, yet some of them will try to gain access to your most valuable assets for personal gain. If you cannot trust your own employees, who operate within the perimeter, then you might as well get rid of the perimeter.
It is clear that each of these factors impacts the perimeter. Are there more?

The de-perimeterization factors are closely related to trends typically attributed to Future Workspaces. The difference is in the perspective. When I think of securing an organization, I tend to take the perspective of the organization. When I try to imagine what the workspace of the future will look like I tend to take the perspective of employees. We identify the following trends:
  • Relation to employer (or, perhaps, loyalty to the organization)
    • Employees no longer work for one employer for 40 years but switch jobs regularly.
    • Employees work for different employers at the same time (I used to work here and here at the same time, which rarely led to conflicts of interest).
    • The professional social network of most employees is bigger than it used to be, extending well beyond the organization’s borders.
  • Responsibilities
    • Employees are given greater responsibility in representing the organization.
    • Organizations are less hierarchically managed.
    • Employees (are encouraged to) write about their professional lives in blogs.
  • Collaboration
    • Not every organization has experts in every field. Organizations are aware of external experts (thanks to openness of other organizations) and encourage employees to collaborate with them.
  • Work in different contexts
    • Employees can work from home.
    • Employees (especially knowledge workers) travel much more and work while in transit (using mobile devices).
    • Employees work (while outsourced) at the client.
    • Employees work irregular hours.
    • Employees work shorter hours; some colleagues may almost never meet in person.
At the very least we can claim that the Future Workspace trends reinforce the de-perimeterization factors. The de-perimeterization problem is made bigger and more urgent for organizations to deal with. In fact, many of the security incidents that organizations are faced with can be explained in terms of security controls which are part of the old perimeter defense interacting with employees' newfound freedom.

In part 3 I will look at ways forward in the de-perimeterized future workspace.
