Mobile devices will turn IT security model 'stateless', says Forrester
The fixed management model is doomed
By John E Dunn | Computerworld UK | Published: 13:30, 05 July 2012
The IT security model that has admins tending mobile devices such as laptops and smartphones using fixed security firewall and gateway infrastructure is obsolete and should be replaced by a new 'stateless' approach, a Forrester report has suggested.
According to Prepare For Anywhere, Anytime, Any-Device Engagement With A Stateless Mobile Architecture, the stateful model made sense when computers sat in defined locations and could be managed using conventional network infrastructure, but mobility has changed the game.
This 'stateful' approach is management-heavy, expensive and inconvenient, propped up by quick fixes such as inefficient mobile VPNs, the report said. Worse, a growing band of devices – the BYOD dimension - were sneaking past management altogether, creating holes in the security posture of organisations.
Related Articles on Techworld
In Forrester's use of the term, 'stateless' means not making any assumptions about the device based on its type, location, apparent privileges to demand services and application access; these parameters should always be assessed anew each time the devices connected, said Forester.
In a sense, then, management is abolished to be replaced by device inspection, based on dynamic device inspection and 'zero trust'.
Where such assessment happened was also worth looking at, with cloud security services such as single sign-on (SSO) a good option as these approach authentication in a stateless manner that made no assumptions about such trust.
If this sounds abstract, the premis of the analysis is essentially plausible; security architectures must take account of mobility because eventually almost all business devices will to some extent be mobile.
“Mobility holds the promise of fostering new innovations, reaching new audiences, and most importantly, creating never-before-seen user experiences and business opportunities,” said report author, Chenxi Wang.
"A stateless architecture will engender big changes in IT operations and expectations of control, but the end result will be a coherent strategy that allows IT to provision services to any device dynamically."
The reality is that for today's networks and admins the attractive vision of abandoning device management for a more dynamic security model is still some way off – networks encompass generations of legacy systems so ditching the stateful model is a long-term issue.