There are always plenty of things to keep the average security practitioner wringing their hands and losing sleep, but most of these factors are driven by external events. Bring-your-own-device (BYOD) and bring-your-own-network (BYON) are different, and pose something more terrifying to the information security practitioner: a radical shifting of the goal posts. The castle we are tasked to defend has up and moved itself somewhere new. After all the effort we’ve made to move away from the “crunchy outer shell, squishy underbelly” to a model where security is part of the information fabric itself, the very thing we’re trying to protect changes once more, right as that transition finally starts happening.
Perhaps it’s time to start making some tough decisions and run with them. The theater of risk has changed from network service-based attacks to attacks against the endpoint. And the needle has swung to the other extreme. We’re obsessed with protecting the endpoint now. Yet as anyone who follows reports of major breaches in the last few years can see, somehow all it takes is for one endpoint to be compromised and the whole house of cards tumbles once again.
Let’s start focusing on the actual information, not the systems. Assume your endpoints are compromised at all times – one desktop should not be able to assault the entire network from within, no single access credential should hold all the keys to the kingdom. You can’t stop attackers, but you can definitely make it as difficult as possible for them. If BYOD is to become the new normal, we’ll need to continue to build security into business processes and operational IT, and that means tradeoffs in convenience versus security. Corporate IT engineers are going to have to take lessons from internet engineers, constructing internal networks as if they were exposed to the general public.