As senior security architect, Dr. Tim Cranny is responsible for understanding the biggest threats facing the increasingly mobile enterprise, as well as developing tools that best address them. With a background in pure mathematics and evolutionary computation, Dr. Cranny isn’t just blowing smoke when he talks about information security and the enterprise. As for his forestry skills, that’s another matter.
Mobile Enterprise: What are the biggest security issues facing the mobile enterprise today?
Dr. Tim Cranny: One of the dangers is that people will concentrate on a narrow, specific issue. Is there a vulnerability with this type of packet overflowing this type of buffer? Those details are important, but they risk missing the big picture. If people are constantly looking at specifics they’ll be trapped in a reactive mode. People need to step back and realize that the introduction of mobile devices and the way that computing is changing the shape of the enterprise is from a technology perspective, and security is guaranteed to be wrong if it doesn’t reflect those changes. Questions such as, “Is my perimeter firewall of the right type?” are stuck in an old mindset. Stop
fiddling with the dials, step back and realize that things are fundamentally different. A lot of people will concentrate on the trees and miss the forest.
You now have huge amounts of data residing on your laptops, and these computers are going to conferences and going to hotspots and going home. You’re not just being asked tougher questions, you’re being asked different questions. Make sure you understand what the challenges are, then start worrying about vendors and technology.
ME: Is there still a place for worrying about the perimeter?
TC: Absolutely, we’re not saying everything in the past is irrelevant and you should throw it all away, what we’re saying is that it’s growing more complicated and the scope of what you need to put your arms around is larger. Those old solutions, although fully relevant, are no longer adequate in and of themselves. We’re talking about what you need to add, rather than throw away your firewall and live free.
ME: How is Senforce addressing the forest, as it were?
TC: We recognized very early on that a big area would be actively trying to secure the endpoint—making sure that a company’s security policies are not just shelfware. It’s not a tremendous challenge today to figure out what your security policy should be. Even for a beginner, give them two hours on Google and they’ll be able to craft a pretty good security policy on paper. But a policy on paper doesn’t protect you. What you really need is the technology and the processes to be able to enforce that policy, and that’s the space that Senforce lives in and helped create.
ME: What are the greatest dangers at the endpoint?
TC: Some of the latest Gartner analysis says that up to 75 percent of corporate data is residing at those endpoints. If an executive loses his or her notebook and it’s got Outlook folders for the last year, there’s almost nothing that can’t be learned about that company from that missing laptop. Also, things like wireless have some obvious functionality benefits, but now you can be attacked, your laptop can be hacked when you’re sitting at a hotspot or at home, your communications can be overheard.
ME: So far we’ve been talking about laptops in terms of the endpoint; does Senforce also cover PDAs and smartphones?
TC: Not today, but that’s something we’re working on closely. It’s a growing issue. One of the drawbacks has been that we’re only now beginning to see consolidation in that space. I think notebooks are 90 percent of the market, but going forward, we’re seeing an emerging business case for smaller form factors.