Thursday, March 7, 2013

Blog – Agentless way of doing security, why does it matter?

(reproduced from i7 networks blog with permission)

Just back from another US trip and one thing that stands out in security is that they don’t frisk you every place you go, be it in the mall, or shopping centers or even the subway/metros or the hotels or anywhere for that matter. Back to India and you will be frisked at every major hotel, at every major venue and you will be asked to go under a metal scanner and also if you take your car, it will be checked too including making you open the trunk and your bags will be checked and this is creating lot of inconvenience and added cost to the management and of course added time for the person who is undergoing it and a pain everyone loves to get rid of. More importantly people easily escape this check :-(

Same goes with airports too, multiple frisking, multiple tags and multiple seals and everyone doing the same act again and again without trusting the previous person or his act. I am not saying the airport check @ US airports are any better…it is also horrible but they don’t repeat the checks. Also I was happy to read a board there that said they are experimenting with a new way so that they can get rid of checking all personal items including laptops and requires just a walk in a scanner and if that happens will be a welcome sign to all those travellers, and huge cost and time and more importantly the horrible experience and inconvenience saved.

Just because here in India we do multiple frisky checks does not mean that we are very effective. I myself being a security freak have tried to break all these checks (call me an ethical hacker J). Few to quote here are, in many star hotels, they give you an access card that lets you to only that floor where your room is. Amazing security step and I am sure all of you have felt very good about it but have you ever checked whether someone can easily get to your floor without any checks via stairs? :-) (An exception was Hotel ibis in Mumbai BKC where you can get out of the stairs but you cant come in).  Same goes with all shopping malls here, bags are frisked and you need to go under a metal scanner and we all know it is just a visible security and nothing more than that. Not just that, interestingly most malls has this back entrance where employees of the mall regularly use which has no check. I have found one like that in pretty much every mall I have visited. Back entrance always works!!!! Not just in malls, shockingly found this even in a big MNC company, which provides security software (firewall software) :-). This company was held by a private equity firm and recently got sold to a huge computer manufacturer who recently went private. Anyway I had a meeting there and on purpose I used the service elevator where all food and other materials are transported and I got directly into their floor and into their canteen and then into the working area to see and meet all the employees who were working on latest and greatest firewalls and then to the reception to register so that I can meet the person who I intended to :-)

No I am not making fun of security here but just wanted to let all know that most frisking security is more of hogwash. For every such a frisky check, people always find a way to escape it. Effective security I feel should be non-intrusive, done quietly and will be far more effective than the frisky business. A great effective security solution in my view is one that does not intrude or interfere with the normal working, does not create inconvenience but still keeps a hawk eye on every subject and analyzes all and provides a superior security.

Pulling this comparison to securing say BYODs in an enterprise, I consider putting a client or a profile, changing the behavior and user experience, making them to go to a self-registration portal and do certain steps etc. is pretty mush same as the frisky business creates inconvenience and also a way of intruding into their privacy and can be escaped and all your security measures is only against those who are using it and many go unmanaged and many of them will be unsecured also, and hence creating that huge security hole.

This is not the way what I call US way of doing security and what I call the old-gen security. Next gen of security (for BYODs) should be done without putting a client or an agent on your device, not intruding into your privacy but still making sure that you scan all of the subjects, collect all the data that you need to feel comfortable that all is well but still being transparent but effective. Very tough proposition and ask but should be possible. If US can do frisk less security watch in their malls and shopping centers and train/bus stops why not possible for BYODs that way :-)

Manjunath M Gowda
CEO, i7 Networks, “Agentless BYOD Discovery & Control”, @i7networks,

No comments:

Post a Comment