Tuesday, January 4, 2011

You Have Lost Control of Your Data

If you have anything to do with protecting cardholder data -- or any sensitive personal data -- I recommend that you read this post at Securosis. It deals with the reality that business needs will trump security any day of the week. I and others have addressed this topic lots of times in lots of places, but this one post captures the heart of the matter:

First let's point out the elephant in the room: Control. If you feel the need to control your end-user computing environment you are in the wrong profession. The good old days of dictating devices, platforms, and applications are gone -- along with the KGB interrogation lights. You may have missed the obituary, but control of devices was pretty well staked through the heart by the advent of cool iDevices. Yes, I'm talking about iPhones, iPads, Androids, and Palms. OK, Palm not so much, but certainly the others. Some smart IT folks realized, when the CEO called and said she had an iPad and needed to get her email and look at those deal documents, that we were entering a different world.

Lots of folks are calling this consumerization, which is fine. Just like anything else, it needs a name, but to me this is really just a clear indication that we have lost control. But you don't have to accept it. You can try to find a job with one of the five or ten government agencies that can still dictate their computing environment (and good luck as they move all your stuff to the cloud). But the rest of us need to accept that our employees will be bringing their own devices onto the network, and we can't stop them.

Even if you don't read the whole post, just have a look at the Data Loss paragraphs. As my friend Anton Chuvakin is fond of saying, read it for "its sheer awesomeness."
