I recently saw an executive carrying five mobile devices. There was an iPhone in one pocket, a BlackBerry in another, an Android in his jacket, a Droid Pro stuffed somewhere else, and an iPad in the back of his pants. It made me wonder when we’ll gain the ability to have one device (of our choice) that can do it all rather than be forced to roll like the human equivalent of a clown car.
A wave of consumer devices has flooded the enterprise and caused some tsunami-type problems for IT and for employees. Companies need to secure this constant parade of devices, and employees want unencumbered access to business information, anytime, all the time, from any device they want.
While the old school solution has been to issue sanctions, like the “BlackBerry Only” rule for the workplace (driving employees to use the BlackBerry for work and an iPhone to manage the rest of their lives), this is hardly solving the problem. At Cisco, our internal IT team acknowledged this situation and implemented an “any device” policy that allowed users a choice of mobile phone as well as PC or Mac desktops and laptops.
After two years of “any device,” costs have dropped, and end-user satisfaction has increased. The combination of lower costs and better end-user satisfaction has driven widespread interest in an “any device” policy across the industry. Today, some 80% of Fortune 500 companies have deployed or are piloting iPhones.
But none of these changes can be made without acknowledging a new security paradigm for the Dynamic Networked Organization of the future. The new architecture must deal with the full spectrum of devices, ranging from the traditional corporate PC or Mac, all the way to next-generation endpoints like iPads. Security is enforced in the network, so the only requirement of the endpoint is to authenticate into the secure borderless network and find the nearest and most optimal attach point.
Not only does a new, more distributed architecture allow employees to use a device of their choosing, but it also fosters more effective, higher-level policy creation and enforcement. Since this architecture uses a broad array of parameters for policy, it enables more effective security and situational awareness.
The network is aware of who the user is, and is built around enforcement context: “The VP of sales can access the global sales forecast, but if she’s coming from a smart phone in China and using a strange protocol, and furthermore the VP badged in to the main campus in California two hours ago, then this connection is invalid.”
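The sales-VP scenario above is a policy decision built from several context parameters at once: who the user is, what she is entitled to, what device and protocol she is using, where she is, and what the physical access system saw recently. The small evaluator below is an added illustration of that kind of context-aware decision; it is not Cisco's code or product logic. The entitlement table, the expected-protocol set, the six-hour impossible-travel window and the badge log are all constructed sample data, and the rule weights (entitlement, protocol and impossible travel are hard denies, an unmanaged device is only a risk signal) are my assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy data for the example (not Cisco's own): which roles may
# reach which resources, which protocols are expected for remote access, and
# how long after a physical badge-in a login from another country counts as
# impossible travel.
ROLE_ENTITLEMENTS = {
    "vp_sales": {"global_sales_forecast", "crm"},
    "engineer": {"source_repo"},
}
EXPECTED_PROTOCOLS = {"https", "ssl_vpn"}
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=6)


@dataclass
class BadgeEvent:
    """A physical badge-in recorded by the building access system."""
    when: datetime
    country: str
    site: str


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    device: str           # e.g. "corporate_pc", "smartphone"
    managed_device: bool  # enrolled in and compliant with the device policy
    country: str          # where the connection originates
    protocol: str
    when: datetime


@dataclass
class Decision:
    allow: bool
    deny_reasons: list = field(default_factory=list)
    risk_signals: list = field(default_factory=list)


def evaluate(req: AccessRequest, badge_log: dict) -> Decision:
    """Combine identity, entitlement, protocol, location and physical context."""
    d = Decision(allow=True)
    # 1. Identity and entitlement: is this role allowed this resource at all?
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        d.deny_reasons.append(f"role {req.role} is not entitled to {req.resource}")
    # 2. Protocol: an unexpected protocol for remote access is a hard stop.
    if req.protocol not in EXPECTED_PROTOCOLS:
        d.deny_reasons.append(f"unexpected protocol {req.protocol}")
    # 3. Physical context: a recent badge-in from a different country means the
    #    network session cannot be the same person in the same place.
    for ev in badge_log.get(req.user, []):
        gap = abs(req.when - ev.when)
        if ev.country != req.country and gap <= IMPOSSIBLE_TRAVEL_WINDOW:
            hours = gap.total_seconds() / 3600
            d.deny_reasons.append(
                f"badged in at {ev.site} ({ev.country}) {hours:.1f}h ago, "
                f"but connecting from {req.country}")
    # 4. Device posture: an unmanaged device alone is a risk signal, not a deny.
    if not req.managed_device:
        d.risk_signals.append(f"unmanaged {req.device}")
    d.allow = not d.deny_reasons
    return d


def run_scenarios() -> dict:
    """Evaluate three constructed requests against a constructed badge log."""
    t0 = datetime(2011, 3, 1, 9, 0, tzinfo=timezone.utc)
    badge_log = {"vp.sales": [BadgeEvent(t0, "US", "main campus, California")]}
    scenarios = {
        # Same person, one hour later, managed PC on campus, expected protocol.
        "on_campus_pc": AccessRequest(
            "vp.sales", "vp_sales", "global_sales_forecast", "corporate_pc",
            True, "US", "https", t0 + timedelta(hours=1)),
        # The sentence from the text: smartphone in China, odd protocol, and a
        # badge-in in California two hours earlier.
        "china_smartphone": AccessRequest(
            "vp.sales", "vp_sales", "global_sales_forecast", "smartphone",
            False, "CN", "raw_tcp", t0 + timedelta(hours=2)),
        # Right device and protocol, wrong role for the resource.
        "engineer_forecast": AccessRequest(
            "eng.one", "engineer", "global_sales_forecast", "corporate_pc",
            True, "US", "https", t0 + timedelta(hours=1)),
    }
    return {name: evaluate(req, badge_log) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{name}: {verdict} {decision.deny_reasons} {decision.risk_signals}")
```

The point of structuring it this way is that no single parameter decides the outcome: the same VP with the same credentials is allowed from the campus PC and refused from the phone in China, and the refusal carries the reasons so an analyst can see which context signals fired rather than just a failed login.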
Ultimately, security becomes smart enough to know who someone is and what she is doing and therefore, get out of her way. (It will not pop up and annoy the user every 30 seconds.) Oftentimes, customers think there’s a tradeoff between a seamless end-user experience and security. But there doesn’t have to be a tradeoff: True excellence in security is delivering both.
Next-generation scanning elements blur the lines between a firewall, an IPS, an anti-virus engine, and a web proxy. They are built on the solid state, inline technology of network infrastructure. They can be deployed in multiple form factors, either as an appliance at the customer headquarters or main campuses, as a module in a branch office router, or as an image in the cloud. However the customer chooses to deploy the scanning elements, they work together to create the Security Fabric (wherever the user may be and on whatever device that end-user might have). This new vision for a Security Fabric does for security what a content delivery network did for web pages.
With a new approach to security comes an exciting convergence of dynamics. We can provide better, more accurate, and more consistent security for the enterprise that will always be on, and we’ll gain freedom to choose our device—and enjoy a much better end-user experience.