Fringe case which makes all the difference

Intel is an interesting place to work as a Security professional. Everything has to be possible so you can’t say “no”. Requests like “can I get email on my fridge at home” are not common but we do get them. Often in the back of your mind you think “why would anyone want that” but I have learned to be open-minded (when email first came out I could not see the point in it and thought it would never take off).

My passion is kayaking; I enjoy remote rivers which challenge me and really push my risk management skills to the limit. Well, in November last year I was paddling in South Wales and had an accident, landing me in a wheelchair for 3 months (bad risk assessment day!!).

Day one of hospital and my only communications tool is my mobile phone, which of course gives me company email, calendar and contact information. This is now a critical tool and my primary work device. As soon as possible I’m cancelling meetings and trying to let people know what’s going on. All of this on a 4-inch screen, including the keyboard.

Right next to my bed there is a full sized keyboard attached to the hospital information system; you can pay to get internet access, movies etc. This was the obvious tool for my email.

I have often been asked about allowing employees access to email from cyber café locations and it was one of those “why would anyone want to do that” thoughts. After all, they have email on their phones and most employees have laptops. The Security implications of allowing email from anywhere are really scary for what feels like little gain.

Intel at the time was running a Proof of Concept (PoC) allowing employees to connect from any terminal to get email and I had been working on the security requirements for this testing. Well, I never managed to get my email working via the hospital information system; there were too many security controls in the way, both on the Intel end and website blocking at the hospital end.

My use case felt like a very rare example. Speaking to other employees, most had a rare one-off example where “Email from anywhere” would have made a big difference. This begs the question of how many one-offs put together make the need for a solution?

Dynamic security policies that adjust as a user moves from device to device, changing access, are the way forward. We do this in the mobile device world and are starting to with the larger form factors but now need to think about moving this from the exception to the norm. We also need to be able to evaluate the human element. Employees with good security practices should be able to work from more dangerous places. I trust myself to look after my company’s data; there are others that I trust, but how can you make that into a system which is fair? I think we need a security merit-based system for people.

As for me, well, I’m now walking in a limited way and had plenty of time to come up with new ideas!