Sorry, but a VPN is not the only secure mobile connection

analysis
Jan 19, 2013

Black-and-white thinking on security leaves organizations blind to gamut of secure but enabling approaches available

A few days ago, I had the pleasure of being involved in an interesting security discussion on Twitter. If you tuned into the middle of the conversation, it appeared to be about VPNs and whether they were a valid way of connecting to the enterprise with a mobile app. The vagaries of the 140-character limit on Twitter, as well as having quite a few people in on the conversation, meant it took a lot of tweets to get the point across. What was interesting, though, was that on one side of the argument you had a few security guys who insisted a VPN was the only way to drive a secure network connection to the enterprise, while on the other side you had at least one security guy and a couple of mobile guys stating it wasn’t the only way and certainly not always the best way.

Once you got past the “Are you crazy?” and “What have you been smoking?” comments, you could see an age-old conversation was going on. The crux of it is fought in enterprises every day, whether dealing with mobile apps or any type of apps or computing: Where does security belong in the conversation?


Let’s start out with my belief: Everyone has some responsibility for security, needs to have awareness, and needs to be part of the solution.

That said, I still need to be able to get my work done. I have dealt with security people in the past who have looked at me and said, “No means no,” even after I explained that what I was doing was a requirement of my work and needed by the company. More often than not, when those situations arose, business needs trumped security concerns and an exception was granted. The cost was a delay in me getting my work done and a security person unhappy at being overruled.

It’s not that I necessarily disagreed with the security stance, but that the stance didn’t take into account all the business objectives. Instead, that stance said all data and computers must be wrapped in the same plastic blister-pack shells that electronics come in — you know, the ones you can’t get open unless you have a machete. The problem with this approach is that when you wrap the emergency supplies and the machete in these hardened cases, you can’t get them out of the package when you need to.

The good news is you kept the data safe; the bad news is that no work got done. This is an experience that businesspeople relate all the time.

The opposite viewpoint is that of the security professionals who live through the malware and attempted intrusions every day and just want to do their best to keep the company’s assets safe and secure. They look at the users as the offenders. They know someone is going to click on the phishing attempt or open a malware-infested link. It’s not even a probability to them but a certainty. When it comes to mobile, they see it as 10 times worse. People lose their phones or leave them on tables, use public Wi-Fi, and basically do everything they can to compromise the organization, albeit unwittingly.

What’s the solution to a user on a mobile device connecting back to the mothership with an app to be productive? According to most security professionals, users must use only secure communications, and the only way to do that is with a VPN connection. You can’t trust the developers to develop a secure app, and you can’t expect the app to connect back without a VPN in a secure method because how would a developer know how to do that in the first place? VPNs are tested by other security people all the time as well as by the public. We know developers don’t do any of that with their apps, so why should we trust them?

The security people believe they know security better than anyone else, so why are you even bothering to argue with them? You know what? They’re right! They do know security better than everyone. But part of their job has to be to educate all those other people. They have to be willing to step up in this new world of the IT-ization of the user and impart their knowledge — not just to users but to developers, too. You see, the developers look at the security guys and assume they want to create hoops and roadblocks that the developers must jump through, while breaking their app, so that they can be secure — without even caring how the app works.

What the enterprise needs is a culture where the bickering stops. People need to stop with the red lights to progress and productivity and instead learn to enable users. Everyone throwing their hands up and building insecure apps and using nonsecure devices doesn’t accomplish this. Neither does putting everyone in a security prison.

To get that secure but enabling environment requires the business units, IT, developers, and security all partnering to make things happen. You need to move from a culture of bolt-on security to baked-in security. The security team partners with the development team to build secure frameworks for apps that any developer in the company can use. Security is there in the requirements phase of the project and from the beginning of the development phase. Security pros help the developers understand what security issues exist due to the business need and the app requirements, and they work with the developers to build that security into the app. They take the lessons learned from each app built and work with the developers to codify it into a framework that they all can use moving forward. It creates a common language and library that everyone can work from.

When a user’s app needs to connect back to the enterprise, VPN connections are one part of the framework that can be used to secure the communications — when it is the right solution. On the other hand, if it is too heavy-handed and exacts a toll on the user experience, that makes it a less than optimal solution, in which case there are other secure methods of having that same communication.

It’s always simpler to look at our world in black and white, but we truly live in a Technicolor world. We need to use all those colors.

This article, “Sorry, but a VPN is not the only secure mobile connection,” originally appeared at A Screw’s Loose and is republished at InfoWorld.com with permission (© Brian Katz). Read more of Brian Katz’s The Squeaky Wheel blog at InfoWorld.com or at A Screw’s Loose. For the latest business technology news, follow InfoWorld.com on Twitter.

Brian is a director at pharmaceutical company Sanofi, where he manages mobile initiatives, including mobilizing the salesforce, building best practices for developing apps, handling BYOD initiatives, enabling new devices and form factors for success, and looking at ways to innovate in the mobile space for Sanofi. He started his career working with a multi-national New York financial company as an email architect, designing and maintaining their email and communications systems, which also involved supporting their mobile computing platforms. He later moved to Sanofi where he led the x86/Microsoft server group for many years before moving into his current position. He blogs on mobility, consumerization, and user-oriented computing at A Screw's Loose, where the original versions of his posts are published.
