What's the solution to a user on a mobile device connecting back to the mothership with an app to be productive? According to most security professionals, users must use only secure communications, and the only way to do that is with a VPN connection. You can't trust the developers to build a secure app, and you can't expect the app to connect back securely without a VPN, because how would a developer know how to do that in the first place? VPNs are tested by other security people all the time, as well as by the public. We know developers don't do any of that with their apps, so why should we trust them?
The security people believe they know security better than anyone else, so why are you even bothering to argue with them? You know what? They're right! They do know security better than everyone. But part of their job has to be to educate all those other people. They have to be willing to step up in this new world of the IT-ization of the user and impart their knowledge -- not just to users but to developers, too. You see, the developers look at the security guys and assume they want to create hoops and roadblocks that the developers must jump through, breaking their app in the process, so that they can be secure -- without even caring how the app works.
What the enterprise needs is a culture where the bickering stops. People need to stop throwing up red lights in front of progress and productivity and instead learn to enable users. Everyone throwing up their hands, building insecure apps, and using nonsecure devices doesn't accomplish this. Neither does putting everyone in a security prison.
Getting that secure but enabling environment requires the business units, IT, developers, and security all partnering to make things happen. You need to move from a culture of bolt-on security to baked-in security. The security team partners with the development team to build secure frameworks for apps that any developer in the company can use. Security is there in the requirements phase of the project and from the beginning of the development phase. Security pros help the developers understand what security issues exist because of the business need and the app requirements, and they work with the developers to build that security into the app. They take the lessons learned from each app built and work with the developers to codify them into a framework that they all can use moving forward. It creates a common language and library that everyone can work from.
When a user's app needs to connect back to the enterprise, VPN connections are one part of the framework that can be used to secure the communications -- when a VPN is the right solution. On the other hand, if it is too heavy-handed and exacts a toll on the user experience, that makes it a less than optimal solution, in which case there are other secure methods of carrying out that same communication.
It's always simpler to look at our world in black and white, but we truly live in a Technicolor world. We need to use all those colors.
This article, "Sorry, but a VPN is not the only secure mobile connection," originally appeared at A Screw's Loose and is republished at InfoWorld.com with permission (© Brian Katz). Read more of Brian Katz's The Squeaky Wheel blog at InfoWorld.com or at A Screw's Loose.