Addressing the security risks of BYO device

As the ‘bring your own device’ trend continues to gain popularity, NetIQ’s manager for identity and security management, Ian Yip, discusses strategies to address the growing security risks

The head of security hastily leaves the meeting without excusing herself. Her body language indicates that it is an important call. As she walks back in, all eyes in the room subliminally pose the same question. Without further prompting, the head of security says: “The CEO wants to know why she can’t watch a YouTube video on her iPad. It’s against policy, but we have to make it happen. While we’re at it, she also wants to be able to access her email and calendar on her iPhone”. This actually happened at a large financial institution.

Bring your own device (BYOD) is a trend that will gain visibility at an accelerating pace and is inherently tied to the cloud. As such, there are many parallels when considering the implications. This is evident in the way most smartphones rely on cloud services to deliver functionality to consumers. The term “shadow IT” has been used for some time, but it is especially relevant today. At no point in history has it been easier to bypass the IT department, consume cloud services and use non-standard devices on a corporate network than it is today. As in the example above, there have been cases where it has been the CEO who has gone around the IT department to procure a service in the cloud for business needs.

During the Cloud Security panel at the recent RSA Conference in San Francisco, Chief Information Security Officers from eBay, Sallie Mae, Humana and Bank of America agreed on one thing: security departments need to anticipate these needs and have the answers ready before they are confronted with the issues. In other words, there needs to be a fundamental paradigm shift in the way information security departments operate. Instead of continuing to say “no” when faced with requests that increase risk, they need to say “yes” and subsequently be creative enough to design a solution while mitigating risks.

At the other end of the corporate ladder, the next generation of workers has never known a world before social media. They are hyper-connected and will demand the ability to use their own devices. In many cases, they cite productivity and efficiency gains. In addition, they may enforce it as a pre-requisite to joining an organisation. The ability to allow this can become an incentive when recruiting candidates, or work against a company that does not.

There are also benefits to be had. Support costs decrease, as users tend to research and solve their own issues on their own devices. It may also be the compelling reason for an organisation to move towards a device-agnostic, service-oriented architecture, providing development, operational and maintenance cost savings in the long run.

Allowing employees to use their own devices presents many risks, but very few are new to a seasoned security professional. These devices need to be treated as partially trusted endpoints at best, or as completely untrusted in the most extreme cases. The main consideration is that, when it comes to BYOD, risks are heightened. Non-standard devices can be more easily compromised by an attacker than traditional, corporate-issued devices that are locked down using far more draconian measures.

Here are some strategies to address the heightened risks introduced by BYOD:

  • Encourage a security culture. If security is not perceived as an integral part of the business, make it so. There needs to be a cultural shift to make this happen. Security must be an enabler and be embedded across all aspects of an organisation. Security cannot be seen as getting in the way of business initiatives.
  • Educate. Test. Repeat. The responsibility must be shared between the organisation and end users. At the recent RSA Conference, renowned security luminary (and former notorious hacker) Kevin Mitnick reiterated that social engineering is still the easiest way to infiltrate a company. In fact, many Advanced Persistent Threat (APT) vectors involve compromising networks through the use of Spear Phishing, which preys on a lack of security awareness on the part of employees. Do not stop at educating employees. They must be periodically tested when they least expect it (and made aware when they have failed) to reinforce the behavioural changes required.
  • Have a BYOD policy that is easy to understand. Do not rely on the user to decipher “security-speak”. E.g. “Ensure your device has our corporate mandated software installed. You can download it from this specified location and install it by following these steps.”
  • Enforce access control policies. These should rely on identity, context and policy to protect resources (e.g. data and applications). Do not allow a device to access resources if systems cannot determine the user’s identity, if it does not meet compliance standards (e.g. screen unlock passcode/PIN not enabled) or if it does not have prerequisite software installed (such as antivirus). Apply context by restricting access based on factors such as location and whether the connection is encrypted.
  • Automate the remediation process. Make it as simple as possible for the user to ensure device compliance by automating a majority of the remediation process. Do not rely on the user to know that they need to download and install a list of software. This can be done by leveraging identity provisioning and configuration management technologies.
  • Monitor with Security Information and Event Management. Monitor all devices accessing resources on the corporate network using a Security Information and Event Management (SIEM) solution that can provide auditable, actionable intelligence that can be tied to identities. In an environment filled with partially trusted, potentially compromised devices, visibility is paramount and incident response time critical.
  • Use identity federation with levels of assurance. Reduce operational overhead in environments with many identity sources in a secure, standards-based manner by federating user identities across segmented zones and relying on trust levels to enforce access controls. As an example, consider the overlap between internal employee identities and their online identities. Users with their own devices are usually already logged in to their online accounts (such as Twitter). For ease of use and transparent single sign-on, security policies can be implemented to support levels of assurance. If an employee is already signed into Twitter, internal applications can utilise that identity, but at a lower level of trust. So, an employee can potentially use their Twitter credentials to access non-sensitive parts of the intranet. But if they want to access corporate email, they are required to provide their employee credentials, thus enforcing a higher level of assurance that the employee is who they claim to be.
  • Provide secure devices. Provide employees with the devices of their choice and ensure these are loaded with the required software and controls. This presents a win-win situation for both organisation and employee. They use a device of their choice without having to pay for it and can access the corporate environment in a secure and compliant manner.
  • Control access from devices. Ensure access to sensitive data is controlled when it is retrieved via a non-standard device. For example, this can be done by providing remote sessions that allow the employee to work with the information but never store data on the device itself.
  • Encrypt sensitive data. Encrypt any data placed on a non-standard device that is deemed to be company property. This may include the employee’s corporate email.
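As an added illustration (not code from the article or from NetIQ), the Python below sketches a policy decision point that combines the compliance, context and level-of-assurance checks described in the “Enforce access control policies” and “Use identity federation with levels of assurance” points above. The resource names, permitted locations and the fields of `Request` are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Assurance(IntEnum):
    """Level of assurance in the presented identity (higher is stronger)."""
    NONE = 0
    SOCIAL = 1      # federated social login, e.g. an existing Twitter session
    EMPLOYEE = 2    # corporate credentials presented to the organisation


# Minimum assurance each resource demands (constructed example mapping).
RESOURCE_LOA = {
    "intranet-news": Assurance.SOCIAL,     # non-sensitive intranet content
    "corporate-email": Assurance.EMPLOYEE, # requires employee credentials
}

# Locations from which access is permitted (constructed example set).
ALLOWED_LOCATIONS = {"office", "home"}


@dataclass
class Request:
    user: Optional[str]        # None when identity could not be determined
    assurance: Assurance       # how the identity was established
    passcode_enabled: bool     # screen unlock passcode/PIN present on the device
    antivirus_installed: bool  # prerequisite software present
    encrypted: bool            # connection uses an encrypted transport
    location: str              # contextual location claim for the device
    resource: str              # resource being requested


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allow, reason); the first failing check explains the denial."""
    if req.user is None:
        return False, "identity unknown"
    if not req.passcode_enabled:
        return False, "device not compliant: screen unlock passcode not enabled"
    if not req.antivirus_installed:
        return False, "prerequisite software missing: antivirus"
    if not req.encrypted:
        return False, "context: connection not encrypted"
    if req.location not in ALLOWED_LOCATIONS:
        return False, "context: location not permitted"
    required = RESOURCE_LOA.get(req.resource)
    if required is None:
        return False, "unknown resource"
    if req.assurance < required:
        # Signals that step-up authentication (employee credentials) is needed.
        return False, "level of assurance %s below required %s" % (req.assurance.name, required.name)
    return True, "allowed"
```

A denial on the level-of-assurance check is the point at which an application would prompt for employee credentials rather than simply refusing the request.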

There is no one-size-fits-all approach to addressing BYOD risks. The points listed above are intended to serve as a starting point for thought processes. They can be used independently from each other, or in various combinations that make sense for specific needs.

It should be clear by now that having a BYOD policy is not actually about mandating that employees bring their own devices while freeing the company from having to provide equipment. It is really about having a strategy to manage devices accessing corporate data in a secure manner. It is about dealing with the consumerisation of IT and the fact that employees are beginning to blend their personal and business lives on devices, whether provided by the organisation or purchased on their own.

BYOD has become the designated term used to address this consumerisation of business IT. Adoption will continue to accelerate. It will happen faster than expected and be driven by multiple factors. If an organisation is not in a position to address the risks posed by BYOD, they will be left behind.

Ian Yip is the product and business manager for Identity and Security Management across the Asia Pacific region at NetIQ Australia. NetIQ, a business unit of the Attachmate Group, provides identity, access, security and compliance management solutions.
