It has not been a quiet week in Lake WobeBlog, my hometown.
I could never get that sentence into a Gartner research note, as the reference to Prairie Home Companion would be deemed too “non-global,” so apologies to those of you who don’t know who Garrison Keillor is or what uff da means.
Anyway, there have been lots of Gartner blog posts that were just begging for security comment this week. I spend a lot of time doing internal peer review in the Lotus Notes system Gartner uses to produce our Research Notes, so here’s the blog-world equivalent:
Google Chrome OS – the IT industry loves vendor wars, so a simple Google blog post about a Chrome OS caused all kinds of industry furor and oodles of Gartner analyst blog posts. If Chrome is designed as a “cloud” OS for mostly netbook-like devices with limited need for local processing and storage, it would seem that it could be a very lightweight OS, and lightweight *can* certainly mean more secure. However, I think any user OS will inevitably need to support local apps and storage – heck, look at the iPhone or the fact that Google already had to offer Gears for PCs for Google Apps.
So, a lightweight “cloud” OS that later tries to tack on the features needed to be a huskier “real” OS would likely have just as many, and likely *more*, security issues as an OS that was built from the start assuming local processing and storage as major requirements. Where Chrome should have a security advantage, just like the iPhone, is in not having to deal with years of legacy apps and an infinite number of hardware platforms. That, not the “cloudiness” or Chrome the browser’s security capabilities, is where I think Chrome could change the OS security game.
Social network risks – Andrea DiMaio posted about a Facebook page that appears to be impersonating a government agency. That’s something that has to be dealt with these days, even if you are not embracing social networks. Brand monitoring services exist to let you know if your content or presence is showing up on spoofed web sites or social network feeds or in peer to peer networks. If you do start to officially use social networks for business you still need that, plus processes to deal with inadvertent or malicious exposure of sensitive data.
Employee-owned IT – Nick Jones blogged about the debate on the costs of allowing the use of unmanaged PCs and the like on corporate networks. Nick advances the usual arguments about innovation, but the key point he makes that I agree with is “The real challenge is not employee owned technology, you already lost that battle.” This has been true for more than 5 years now – ever since Outlook Web Access and SSL VPNs came out. The issue is making the use of unmanaged IT secure enough for business use. That’s where Network Access Control, hosted virtual desktops, portable personalities and other areas of Gartner research have been pointing to what needs to be done to remain at a due diligence level of security. Without thinking through what is needed to protect customer and business data, the first security incident will consume a decade of capex savings.
Cloud – Lydia Leong had a great post on thinking through whether cloud-based computing services make sense for you. I invariably find when I do “cloud security” calls with Gartner clients that they are really asking about Software as a Service, vs. cloud. But even if real cloud infrastructure as a service is under consideration, to the list of issues Lydia says to think through, I certainly add security – how can the cloud provider prove to you that your data will be protected to the level you require? If a traditional hoster can prove that, but a cloud provider today can’t, should it even be on the table for you? Would the business side of your organization work that way? OK, maybe they would – but we are supposed to be security folks…