Ancient Chinese general Sun Tzu's relevance to Internet security continues to impress me. Famous for the military tactics documented in 'The Art of War', Sun Tzu stated, "Know thine enemy and know thy self; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal." Countless times have I reflected on this statement when considering the many different aspects of technology security. Today's focus will be on mobility.
Despite all the doom and gloom stories, mobility isn't evil. Personally, I think it's a great idea and should be promoted. It is an enabler that keeps me working during situations that I would previously have deemed 'down time'. In fact, this post is being written on a tablet on the train somewhere in the English countryside. Mobility is great but, as Uncle Ben said to Peter Parker in Stan Lee's Spider-Man, "With great power comes great responsibility!" Which brings us to the security element of mobility.
Security is about compromise. The best way to secure data is to ensure that no-one has access to it. But then what's the point of that data - Schrödinger's cat, anyone? So, architecturally, we start with zero access and then work back from there until, eventually, we have data that is accessible to the desired audience - we have implemented calculated risk, and with it the complexity that the technologies wrapped around the data add to its security.
However important vendors tell you their security boxes are, it's important not to lose focus on what it is we are trying to protect - the actual data. Concentrating on the technologies and devices around the data is a good way to lose sight of the original goal, a great way to add unnecessary complexity, and leaves the data itself open to danger. And this problem is big in terms of where the data could end up - see the previous post: "Data theft: 9,751 phones stolen last month".
The Slashdot post "Popular Android Anti-Virus Software Fooled By Trivial Techniques" brought to my attention a great example of fighting the battle instead of the war. Anti-virus is a tactical solution and, in this case, was circumvented to provide access to data. If the security solution protected the apps and their individual data stores as entities in their own right - protecting them even from the host operating system - then the data would remain safe.
Sun Tzu told us to fight the war, not the battle - to not lose sight of what the security solution should be protecting. Are you fighting tactical security battles or are you winning the data protection war?