BYO computing: if you can't beat 'em, secure 'em

The trend towards bring-your-own computing is being driven by executives who not only insist on connecting their personal devices to the company network – but refuse to hand over control of those devices to security managers despite exhortations that it's necessary to ensure data integrity. Faced with an explosion in mobile devices and already hurtling towards the cloud, what's a humble IT security specialist to do?

It's a difficult challenge made even more complex because so many consumers are already linking their mobiles to mainstream cloud services like Google's Gmail, Apple's iCloud and various social-media services. The net result: consumerisation is bringing with it all the dangers of cloud environments as well as all the traditional security issues associated with mobile devices. Yet with those devices now comprising part of the cloud itself, the old issues are taking on a whole new meaning.

"The bottom line is that the people who have control over your budget are now insisting on consumerisation," Dave Asprey, vice president for cloud security with Trend Micro, told attendees at the recent Evolve.Cloud conference in Melbourne.

"We have these mobile devices, and they just keep evolving and getting better. So companies are no longer going out and saying 'I'd like to buy a laptop for everyone in my company'; they're going out to say 'I'd like to manage a laptop for everyone in the company'. And this is how consumerisation is happening."

Despite user enthusiasm about using mobile devices, he added, many users are blind to the companion risk that they introduce. Since so many consumers are already using mainstream cloud services like Google's Gmail, Apple's iCloud and various social-media services, the introduction of mobiles into the enterprise is an ipso facto introduction to the risks and exposures of public cloud services – and that's a completely different risk profile.

"Cloud and mobile are already completely mixed up in the minds of the people who use these devices," Asprey explained. "When you hear about consumerisation and BYO device strategies, it includes cloud as an integral part of that. And as mobile continues to penetrate throughout the population at large, 'cloud' stops meaning 'in a data centre' and it starts meaning 'elsewhere'."

This presents a completely new challenge for security practitioners, for whom the shift away from tightly-managed internal devices represents a major change in security posture. And in this new world, Asprey said, malware authors have the most experience – as evidenced by their successful establishment of self-managing global networks that tap into millions of mobile and fixed computers around the world.

Such networks represent the future of cloud environments as the proliferation of mobile devices is taken to its natural conclusion: the cloud of the future will be made of nodes everywhere and anywhere, connected through common links and reallocating computing and storage capacity on the fly.

As this model takes over, Asprey warned, security practitioners must modulate their expectations: in a globally distributed model, the key to performance security cannot by definition be "to know everything" that's going on inside your network.

"Since you're managing the devices that connect all over the place, it makes more sense to host the management of the cloud in the cloud itself," he explained. "Your traditional performance monitoring is not going to work: when you're managing a cloud of distributed devices, some of them aren't going to answer your performance monitoring queries. You'll end up using statistics way more than you do now, and job scheduling will become more ad-hoc."

Cloud-based storage will complicate things further, since increasingly distributed models of data storage mean data will end up spread far and wide across internal networks and external public-cloud services. This presents technical, security and, most importantly, regulatory challenges as governments reconcile their privacy and policy objectives with the growing distribution of the cloud.

Asprey calls this future model of the cloud an 'ambient cloud', and said the key to keeping it under control is to focus on securing the myriad devices coming into the business. "If you want to secure the cloud, you need to secure your mobile devices," he explained. "They are the access points to the cloud – and from an end-user perspective, the difference between the cloud and the mobile phone is lost."

"If someone loses their phone and it has all their cloud credentials, your cloud is penetrated unless the phone is protected," he continued. "Even though it's so much cheaper to move things into a decentralised model, and it's more available than it is in a decentralised model, you'll be making budgetary decisions over the next few years that drive you to decentralise when you can – but to still maintain visibility and control like you have today."


Stories by David Braue
