What are the challenges organizations will face with regard policies in this new Web 2.0 era?
It's not so much adopting new policies. Companies have security policies. And they are usually along the lines of: I'm general manager I need to get access to the financial information. Nuaf is my vice president of engineering and he needs to access source code. But I don't need to access source code and Nuaf doesn't need to have access to financial information. That's simple policy.
Expressing that as a these mobile devices come into the enterprise gets much, much harder and its more difficult to be able to enforce those policies. What we are advocating is that companies make the investment in new technologies and new infrastructure that allows them to enforce those polices that they had yesterday and will have tomorrow in this distributed, borderless, mobile enterprise that is clearly emerging.
Besides mobility, there are plenty of other new aspects in today's IT environment. There is the use of social networks, there is virtualization and cloud computing. What are some of the difficulties with these technologies?
Web 2.0, and I'll use the interpretation to include virtualization and cloud computing, is almost the evil twin of mobility. If mobility means I have more users on more devices outside of my traditional perimeter, then the Web 2.0, cloud-computing trend means my data may not reside behind the traditional perimeter in the data center.
When you combine those two, your worst case scenario from a security standpoint is when my VP of sales goes to conduct a sales force task in Salesforce.com on his smartphone, there is no traditional firewall, or traditional security solution in that transaction at all. As an IT person, how do I ensure the safety of my assets? Basic stuff; like customer lists, customer names?
How do I put controls in place to show who accesses this information and revoke those privileges if need be and provide some level of accountability of who accessed them when, where and how. We really need to rethink how we build and deploy security to address these types of use cases.
Where do you think enterprise organizations stand now with their adoption of technologies and infrastructure to handle this new environment you're describing?
At Cisco, our officially supported iPhone-user population is about 100 users. We think the actual number of iPhone users is somewhere between 6,000 and 9,000. I see this sort of scenario everywhere I go. The devices are coming into the enterprise whether we like it or not. Because they are good and they help people get their job done.