C-Note: The Changing Risk Profile in a Mobile Computing Environment

By Rick Dakin, CEO, Coalfire

As I connect with other security professionals developing solutions for mobile IT users, I am hearing the refrain of what controls should we deploy in a "post firewall" world.  Wow … this is hard for a long-time IT auditor to grasp.  However, I see the argument.  Our business processes, data flows, systems and resulting risk profiles are changing.  Are we changing our control framework to align with the new user profiles?

The user profile has changed form a PC user located in a controlled building on a company managed network (with firewall and IDS) to a user connecting to a Starbucks network through an iPad not owned or controlled by the company.

The hosting profile is quickly changing.  Systems are becoming more commonly hosted in a shared data center on shared systems and increasingly, shared applications (or the cloud).  As we identified in an earlier cloud article, these shared facilities have the potential to be highly secure but most are not today.  In addition to less control over networks, systems and applications, more of our systems are being manufactured by low-cost, low-margin vendors outside the United States.  How much can we rely on manufacturer testing of those systems that the cloud providers are using?

As companies lose direct control over users, networks and application hosting, how have the controls and audit programs changed?  For years, our annual audits would require a review of enterprise risk assessments.  The level of focus on risk assessment has been declining over the past few years since most early controls have been acquired and deployed.  Companies may not be truly analyzing the changing operating environment and associated risks.  Those new risks are not adequately addressed in most current risk management systems that we review today.

Think about it.  We all have to change how our security systems are deployed to make sure our risks associated with mobile – cloud solutions are introduced into our environment.  Coalfire has modified its risk analysis reviews to identify changing processes and modified computing environments to ensure our clients address the migration to the cloud.