I’m creating this blog item to celebrate the creation of a global Capgemini security capability from the many national and regional security-related strands scattered around the company.  I’m going to cover mobile security, which is one of the focus areas of our new capability.

Mobile security is the response to a tangled bundle of trends, driven by business and user needs, all of which make things more difficult (well, more complicated) for security professionals.  Here are some examples:

  • Physical mobility – users don’t want to work just in an office; they want to be able to work anywhere.  Because users are more likely to be working outside a secure location, they need to be more aware of their surroundings.
  • Mobility of access device – users want to be able to use a wide variety of access devices, including their own.  This is also called ‘bring your own device’ (BYOD).  There are also more complicated scenarios, such as consultancies wanting to attach their access devices to client networks.  These raise two issues: how an organisation can evaluate the security capabilities of all these devices without controlling them, and how it can control access to its data once that data has left the perimeter it controls.
  • Mobility of service hosting – cloud computing, in other words.  Organisations want to use services on infrastructures they don’t control themselves.  How can they be sure they can trust these infrastructures, and how can they integrate and orchestrate them together securely?
  • Organisational mobility – the ability for users to move quickly between and within organisations.  More generally, access policies will need to cope with complex multi-stage contractual relationships with staff (for instance, someone may work for an employment agency which hires him out to a consultancy, which in turn hires him out to an end client).  Organisations must be able to provision (and, most importantly, de-provision) staff quickly and conveniently as all these relationships change.

Taken together, these involve turning an organisation ‘inside-out’: instead of being a physical establishment that happens to own some contractual relationships, it becomes a set of contracts that happens to own some physical locations. 

That’s why I describe mobility as the ultimate challenge for security.  It affects everything the security organisation does, from user awareness to access device management to cloud computing to policy development to identity management and provisioning.