Security on the Move: Risks from Remote Endpoints, Mobile Devices and the Cloud
Part of the Real Time Club / British Computer Society 2011 Network Security Winter of Discontent
Ten years ago, an organisation’s servers and clients were normally in fixed locations, connected by the organisation’s own Local Area Network. With such a network it was reasonable to expect the organisation to know “is this system secure?” and to fix it if it was not. Since then, however, it has become much more common for clients, servers and even whole LANs to become much more mobile.
- Many workers telework from home one day, an airport the next, and on the train in between.
- Many organisations have outsourced their servers to cloud services where flexibility of location and connectivity is a positive resilience and environmental feature.
- Whole LANs, from buses to mountain rescue teams, can move themselves between whatever upstream connectivity happens to exist at their location.
- Cars that can exchange traffic and other information via transient ad hoc networks are already being imagined.
In this world of shifting connectivity and control we can no longer regard security as an absolute but must treat it as a matter of acceptable or unacceptable risk. We should be asking both “is this system safe enough for me?” and “is this system safe enough from me?”, because compromised or malicious systems may now be a bigger threat to others than they are to their owners. To answer these questions, we need to look at the tools available to all parties – including users, designers, providers and regulators – to see if they are still adequate and whether the incentives to use them are correct. For example:
- Will incident detection tools based on recognising good and bad network flow patterns still work in a world of extreme mobility?
- How do we discourage a car from announcing a non-existent traffic jam to guarantee itself a clear road?
Andrew Cormack is Chief Regulatory Adviser at JANET(UK), responsible for keeping the network and its customer universities, colleges and schools informed about the regulatory, policy and security requirements of running networks and networked services. Before taking on this role he led the JANET CERT team, coordinating the response to security incidents on the network. He is also involved in national and international efforts to improve network security as chair of the Funding Council of the Internet Watch Foundation and a member of the Permanent Stakeholders Group of ENISA, the European Network and Information Security Agency. He has degrees in Mathematics from Cambridge University and Law from the Open University and is a Chartered Engineer.