Saw an interesting column the other day from a security consultant arguing that healthcare enterprises need to re-envision security and pull information from the network perimeter and back into servers, where everything is easier to control. It's a compelling argument until you get realistic, practical and focus on the reason enterprise networks exist in the first place.
Going back to a server-centric model—once known as client-server computing, where the perimeter was crowded with what were then called dumb terminals or, in a nicer voice, thin clients—makes sense only if you see data protection as the primary purpose of an enterprise network. For those of us who see the network's primary purpose as easy access to data in a way that makes the business operate better, more efficiently and more effectively, this sounds like the proverbial security tail wagging the enterprise dog.
Interestingly, this argument applies to any vertical, but nowhere is it more critical than in healthcare. The mobile movement is powerful and it is a perfect fit for doctors and technicians who have to access different large files for every patient—and they often have to access them while visiting different locations in a building. Contrast, if you will, power-workers in retail, manufacturing or hospitality, who tend to stay put and manipulate data from their desks, with meetings held in a nearby conference room or in one or two offices, with their healthcare counterparts. Envision doctors making rounds in a hospital where they move room to room to visit patients.
This is not to say that mobile devices in healthcare do not present a wide range of security challenges, but they are just that: challenges. IT security teams typically deal with nothing other than security, which leaves them with a rather skewed perspective on reality. Security is critical, but it must never be seen as more critical than running the business.
Let's go back to that hospital setting. Biometric two-factor authentication is a much better approach, for example, than going back to a server-centric model. Why not permit that medical professional—or an assistant—to download all of the CAT scan, EKG and other test files for all patients to be seen that day into the physician's mobile device once? Then they can be accessed instantly and easily when they are needed.
A server-centric approach simply isn't practical in today's mobile-obsessed business world. There are some very good reasons why the industry initially moved off a server-centric model. Even with extremely fast bandwidth, the constant re-downloads of the same files across the network impose unnecessary bandwidth demands, especially at peak times. Ultimately, this results in slower response rates.
Wait a second, you say. Has the industry indeed backed off of server-centric computing? Isn't that what cloud computing is all about? Not at all. Cloud computing is generally about storage of data for an extended period of time. The perimeter mobile model is about saving limited copies of actively needed documents where they are needed in the field.
Truth be told, the whole concept of a perimeter no longer makes much sense. The approach now is storing all data where it is most cost-effective and flexible (think cloud) and allowing local access to the data wherever it is needed the most. In that sense, there is no perimeter any more than there's a center. At Walmart, Exxon, Toyota, General Electric or JP Morgan Chase, where is the network's center? Is it at global HQ? A regional headquarters? A server farm handling a region of locations?
In the cloud, which specific servers handle data from any section of the planet routinely shifts around. That's what makes data sovereignty so interesting and maddening. But it also makes the point that a network's center has as little meaning as the network's periphery. In the mobile model, where data is housed shifts as often as where workers need to access it. In short, there no longer is a perimeter.
There is something self-destructive about some enterprises—especially the very largest—and the way they handle their infrastructure. As much as I am fond of IT operations, it is a support department. It is a support department right alongside maintenance, human resources (by the way, is it possible for that department's name to be any more offensive to employees? Are we being differentiated from trashcans and chairs?), investor relations, public relations and facilities. HR is a critical department, but should a company hire only the people who make life easiest for HR employees? Should a company make only the strategic moves that current IR people can explain well? Should a building be purchased because it's cheaper and the company has a prior relationship with that real estate firm, even if it serves the company far less well?
Presumably, you agree that making the job of support departments easier has to take a subordinate position compared with advancing the company's primary strategic objectives, as defined by the current board of directors and CEO. The same is unfortunately—but necessarily—true for IT, which includes IT security. Thinking of the network having a perimeter allows you to think that centralized support would be cleaner, neater and more secure, which would be true.
But IT must let company business managers do their magic and then come up with the best ways to defend what they need to do. Today's mobile-fueled data-where-it-is-most-needed reality is more difficult for IT, but that's the only way this will work.
There are plenty of appropriate ways to properly secure data wherever it lives and wherever it's needed. But restructuring the data to make IT security's job easier isn't one of them.