The head of security hastily leaves the meeting without excusing herself. Her body language indicates that it is an important call. As she walks back in, all eyes in the room subliminally pose the same question. Without further prompting, the head of security says: “The CEO wants to know why she can’t watch a YouTube video on her iPad. It’s against policy, but we have to make it happen. While we’re at it, she also wants to be able to access her email and calendar on her iPhone”. This actually happened at a large financial institution.
Bring your own device (BYOD) is a trend that will gain visibility at an accelerating pace and is inherently tied to the cloud. As such, there are many parallels when considering the implications. The proof is apparent in that most smartphones leverage the cloud in providing services to consumers. The term “shadow IT” has been used for some time, but it is especially relevant today. At no point in history has it been easier to bypass the IT department, consume cloud services and use non-standard devices on a corporate network than it is today. Like the example above, there have been cases where it has been the CEO that has gone around the IT department to procure a service in the cloud for business needs.
During the Cloud Security panel at the recent RSA Conference in San Francisco, Chief Information Security Officers from eBay, Sallie Mae, Humana and Bank of America agreed on one thing: security departments need to anticipate these needs and have the answers ready before they are confronted with the issues. In other words, there needs to be a fundamental paradigm shift in the way information security departments operate. Instead of continuing to say “no” when faced with requests that increase risk, they need to say “yes” and subsequently be creative enough to design a solution while mitigating risks.
At the other end of the corporate ladder, the next generation of workers has never known a world before social media. They are hyper-connected and will demand the ability to use their own devices. In many cases, they cite productivity and efficiency gains. In addition, they may enforce it as a pre-requisite to joining an organisation. The ability to allow this can become an incentive when recruiting candidates, or work against a company that does not.
There are also benefits to be had. Support costs decrease as users tend to research and solve their own issues on their own devices. It may also be the compelling reason for an organisation to move towards a device agnostic, service-oriented architecture; providing development, operational and maintenance cost savings in the long run.
Allowing employees to use their own devices presents many risks, but very few are new for a seasoned security professional. These devices need to be treated as partially trusted endpoints at best, or completely untrusted in the most extreme of cases. The main consideration is that risks are heightened, when it comes to BYOD. Non-standard devices can be more easily compromised by an attacker than traditional, corporate-issued devices that are locked down using far more draconian measures.
Here are some strategies to address the heightened risks introduced by BYOD:
- Encourage a security culture. If security is not perceived as an integral part of the business, make it so. There needs to be a cultural shift to make this happen. Security must be an enabler and be embedded across all aspects of an organisation. Security cannot be seen as getting in the way of business initiatives.
- Educate. Test. Repeat. The responsibility must be shared between the organisation and end users. At the recent RSA Conference, renowned security luminary (and former notorious hacker) Kevin Mitnick reiterated that social engineering is still the easiest way to infiltrate a company. In fact, many Advanced Persistent Threat (APT) vectors involve compromising networks through the use of Spear Phishing, which preys on a lack of security awareness on the part of employees. Do not stop at educating employees. They must be periodically tested when they least expect it (and made aware when they have failed) to reinforce the behavioural changes required.
- Have a BYOD policy that is easy to understand. Do not rely on the user to decipher “security-speak”. E.g. “Ensure your device has our corporate mandated software installed. You can download it from this specified location and install it by following these steps.”
- Enforce access control policies. These should rely on identity, context and policy to protect resources (e.g. data and applications). Do not allow a device to access resources if systems cannot determine the user’s identity, if it does not meet compliance standards (e.g. screen unlock passcode/PIN not enabled) or if it does not have prerequisite software installed (such as antivirus). Apply context by restricting access based on factors such as location and whether the connection is encrypted.
- Automate the remediation process. Make it as simple as possible for the user to ensure device compliance by automating a majority of the remediation process. Do not rely on the user to know that they need to download and install a list of software. This can be done by leveraging identity provisioning and configuration management technologies.
- Monitor with Security Information and Event Management. Monitor all devices accessing resources on the corporate network using a Security Information and Event Management (SIEM) solution that can provide auditable, actionable intelligence that can be tied to identities. In an environment filled with partially trusted, potentially compromised devices, visibility is paramount and incident response time critical.
- Use identity federation with levels of assurance. Reduce operational overhead in environments with many identity sources in a secure, standards-based manner by federating user identities across segmented zones and rely on trust-levels to enforce access controls. As an example, consider the overlap between internal employee identities and their online identities. Users with their own devices are usually already logged in to their online accounts (such as Twitter). For ease of use and transparent single sign-on, security policies can be implemented to support levels of assurance. If an employee is already signed into Twitter, internal applications can utilise that identity, but at a lower level of trust. So, an employee can potentially use their Twitter credentials to access non-sensitive parts of the intranet. But if they want to access corporate email, they are required to provide their employee credentials thus enforcing a higher level of assurance that the employee is who they claim to be.
- Provide secure devices. Provide employees with the devices of their choice and ensure these are loaded with the required software and controls. This presents a win-win situation for both organisation and employee. They use a device of their choice without having to pay for it and can access the corporate environment in a secure and compliant manner.
- Control access from devices. Ensure access to sensitive data is controlled when retrieved via a non-standard device. For example, this can be done by providing remote sessions that allow the employee to work with the information, but never physically stores data on the device.
- Encrypt sensitive data. Encrypt any data placed on a non-standard device that is deemed to be company property. This may include the employee’s corporate email.
There is no one-size-fits-all approach to addressing BYOD risks. The points listed above are intended to serve as a starting point for thought processes. They can be used independently from each other, or in various combinations that make sense for specific needs.
It should be clear by now that having a BYOD policy is not actually about mandating that employees bring their own devices while freeing the company from having to provide equipment. It is really about having a strategy to manage devices accessing corporate data in a secure manner. It is about dealing with the consumerisation of IT and the fact that employees are beginning to blend their personal and business lives on devices, whether provided by the organisation or purchased on their own.
BYOD has become the designated term used to address this consumerisation of business IT. Adoption will continue to accelerate. It will happen faster than expected and be driven by multiple factors. If an organisation is not in a position to address the risks posed by BYOD, they will be left behind.
Ian Yip is the product and business manager for Identity and Security Management across the Asia Pacific region at NetIQ Australia. NetIQ, a business unit of the Attachmate Group, provides identity, access, security and compliance management solutions.
Consumerisation is inevitable.. So how secure is your data?
Hear from Rob Livingstone, Michael Barnes, Steve Quane and Dave Asprey amongst others on the Evolution. Trends, Solutions and the Future of Cloud Security, limited seats register today through CSO.