Companies may be embracing bring-your-own-device (BYOD) strategies at a rate of knots, but without a more holistic approach to security even managed device protections can be easily or unintentionally circumvented by employees, one security expert has warned.
“If you take out your credit card and pay for a SaaS service, you can get around security,” Ian Yip, identity, security and governance business manager with security firm NetIQ, told attendees at a recent NetIQ security seminar.
“Employees may buy it from Amazon or get it for free from Google Apps, then collaborate with colleagues using their own personal identities. But Corporate doesn’t know about it, and they’re exposing corporate information into the cloud without IT knowing about it.”
Trends such as bring-your-own-cloud (BYOC) reflect the difficulties inherent in locking down corporate data using conventional means, Yip said. As another example he offered the ability of modern mobile operating systems to post data directly to Facebook and Twitter, circumventing conventional Web-based access controls.
“As you move down the stack to the application and then down to the operating system layer, it’s harder to do security and harder to secure,” Yip said.
“There are more holes – and more and more technically savvy people joining the workforce. They may not be part of the IT department, but they can easily spin up an Amazon Linux server and decide to build everything on top of it without the IT people necessarily being aware.”
Indeed, while most organisations recognise the need to manage employees’ mobile devices to ensure their security, Yip said many companies making BYOD investments find their efforts stymied by users’ discomfort with the idea that their activities may be controlled or monitored.
One large and well-intentioned company, Yip said, bought 15,000 licences of mobile device management (MDM) software to cover all of its employees’ smartphones, but found that only 400 were actually taken up, because the software was opt-in and most employees declined to install it. This left the company significantly out of pocket and without the security framework it needed to make BYOD work.
This sort of experience, Yip said, highlights the need for companies to look past their preconceptions about BYOD – in particular the idea that it will save money. Rather, many employees may not only introduce problems through their mobiles, but will make those problems worse when they try to fix them themselves.
“It’s not a cost saving,” he said. “You’re actually just shifting the cost to having to deal with this new thing you have no control over. Don’t be mistaken into thinking this is a benefit.”
To ensure that BYOD, cloud and other user-empowering trends don’t compromise security, companies need to look past the devices and ensure that the data itself is appropriately protected.
This includes the enforcement of access control policies, encryption of data in situ and in the cloud, monitoring of data access, and implementation of identity and access management (IAM) frameworks that provide federation of identities across applications both online and off.
By focusing on protection of the data rather than fostering the sense of personal empowerment that BYOD can bring, companies can both reward employees for being forthcoming about their activities, and encourage positive behaviour that comes with the privilege of BYOD.
“The lines between personal and business are blurring,” Yip said. “Know what you are protecting, monitor and know what’s going on. Policy will make it easy to understand, and make it easier for people to do the right thing. Without it, you’re flying blind.”