Identifying and mitigating the emerging threat of consumerization
By Jason Tee
It’s common knowledge that the number one concern about enterprise cloud adoption has always been security. Now, the latest consumerization trend is forcing the issue. Even if a company still isn’t on board with the cloud, employees are going to use smart devices to access cloud-based apps with or without corporate approval. The convenience and affordability of combining both types of new technology is just too tempting to resist.
The potential security pitfalls caused by rogue use of web-based services via company computers pale in comparison to the utter chaos that can be caused by BYOD. It takes everything that’s not secure about the public cloud and makes it 10 times worse. Each consumer device is like a dart with the potential to pierce a hole in the balloon of enterprise infrastructure, data, and applications. Theft or loss of data on an individual smartphone or employee-owned laptop is just the tip of the iceberg. Web enabled and cloud-connected mobile devices also create a conduit through which malware can infect the enterprise network causing disruption to every aspect of the system. The potential for mayhem is mind boggling.
You can’t always get what you want
Is it possible to adapt to the highly accessible, consumerized way of using and transmitting company data without sacrificing security? Not entirely. Michael Westen, the fictional spy on the hit TV show “Burn Notice”, offers a vivid example of the balancing act required in determining the right mix of security and accessibility. You could hide all the documents for a clean cover ID at the bottom of your septic tank. The location is highly sheltered and probably completely safe from discovery even from the most assiduous counter-spy. However, it’s not particularly handy if you need to make a fast getaway. Stick everything in a drawer by the bedside table, and your fake passport and credit cards are ready to go in a flash. But anyone can find and steal them.
In the end, organizations will have to decide how much risk is acceptable and build their security program from there. To do this right, it’s important to consider all aspects of security. Sometimes, you can build in greater user-friendly accessibility in one part of the “system” and counterbalance it with tighter controls behind the scenes elsewhere. Here’s a look at the various components that might comprise your BYOD risk mitigation program. Since this landscape is constantly changing as additional threats are identified and new solutions are formulated, this list is only partial.
Corporate data stored on an employee’s mobile device should be encrypted. Of course, the communication of data should also be encrypted in transit from the company network to the employee’s device and vice versa to be more fully secure.
Appropriate key management solutions should be in place to protect data as it moves in and out of the cloud.
Whatever data protection solution is used should be able to fingerprint data for easy scanning.
Password enforcement should be implemented and identities carefully managed to ensure that only authorized users have access to sensitive information on any device.
Access control should be used to determine what users can do with different types of data (share, download, copy, modify, etc.) and whether they can do this only on company liable devices or on their own devices. Active Directory integration may help.
Devices such as employee-owned laptops are notorious for hosting viruses and having outdated security software. Network Access Protection or Network Access Control tools such as those available from McAfee can be used to check mobile computing devices to ensure they are up to date and don’t harbor any known security risks.
There’s no telling what kind of WWW links employees will try to click on using a smartphone that’s connected to your enterprise network. Web security gateways (such as WebSense) can be implemented to create a safer mobile web usage experience and to detect and block malicious inbound traffic.
The cloud adds another layer of complexity when you are trying to keep corporate data secure –but it can also be part of the protection picture. Solutions such as Smart Protection Network™ provide cloud-client security infrastructure that may stop rapidly emerging threats before they reach endpoints and mobile devices.
Device locater services should be standard on all equipment used by employees to access, store, or transmit corporate data.
IT should be able to remotely wipe the mobile device if it is lost or stolen.
Employees should password protect their devices.
Automatic syncing on mobile devices (and removable drives) can introduce infection into corporate owned resources and confidential data onto employee’s home computers where it becomes even more vulnerable. Sync parsing and content filtering with Endpoint Data Leak Prevention (DLP) software such as DeviceLock can be used to control the type of data that can be synchronized.
Mobile Device Management (MDM) level
All of these security measures and more can be implemented with a comprehensive, appropriately customized MDM solution. This type of centralized console provides IT with the ability to:
- Identify and track the presence and status all devices
- Scan all files being transmitted to check for security violations
- Manage firewall and intrusion detection systems
- Manage both personal and corporate applications
- Enforce BYOD program rules
Employers should create an environment that actively encourages employees to follow security practices. If you can prove that your secure, enterprise-class apps are simple to use and that the security measures aren’t onerous, workers are less likely to seek workarounds. IT should highlight the behaviors that employees can follow to be safer online – including appropriate use of social sites.
Within IT as well, there’s a need for training in how to effectively use the chosen MDM solution. Having the ability to monitor what’s going on in the network of connected devices is useless if the “gatekeepers” don’t have a set of protocols to follow in using these tools. They must also understand the intent behind each rule. That’s the key to identifying emerging threat
30 Aug 2012