The BYOD (Bring Your Own Device) trend is pressuring CIOs and IT managers into bad decisions. Many organizations aren’t happy with their mobile security options, so they’re trying to wait for the BYOD storm to pass.
“If you just say, ‘No,’ creative people will find workarounds to make their lives easier,” said Chris Herndon, Managing Director and Chief Technologist in MorganFranklin’s National Security Solutions business unit. “It’s what creative, tech-savvy people do, and it’s part of why they’re so valuable to your organization.”
Organizations can’t come down too hard on these employees, because these are the people who consistently find new ways to add to the bottom line. But you can’t let them become security risks just because you don’t want to tamp down their innovative ideas.
On the other hand, companies that go looking for a silver-bullet BYOD security solution will be disappointed to find that the promised all-in-one solutions are often anything but.
Before you worry about any particular technological solution, you have to get your mobile policies straightened out first. “Policy is so critical,” Herndon said. “It’s painful for me to say, but so many large data breaches have been the direct result of the poor implementation of a technology that promised to solve the problem. Without a policy to guide how you deploy and manage the security solution, you will only incrementally – if at all – lower risks.”
If a big data breach hits just after you’ve convinced your CIO or CEO to invest in, say, an expensive MDM (Mobile Device Management) solution, whose job do you think will be on the line?
Is the Concept of BYOD Part of the Problem?
Bring Your Own Device – it’s a phrase that is simple to wrap your head around, yet it carries the notion that employees are now in charge.
And as any security pro knows, employees are the weakest links in the security chain. So why would you trust them with so many security responsibilities?
“I really wish the term BYOD would go away,” said Philippe Winthrop, Managing Director of the Enterprise Mobility Foundation. “It’s poorly conceived. It’s often mismanaged, and it leads to dumb decisions.”
Winthrop prefers the concept of COPE, or Corporate Owned, Personally Enabled. “The security mindset has to change,” he said. “We need to move away from protecting perimeters and towards a risk-management mindset.”
In other words, there will always be risks. In a mobile age, we can’t lock down everything, but we can take reasonable steps to reduce risks. Then, if a breach happens and your boss comes for your head, you’ll at least have a much easier time pinpointing what went wrong and why.
Being able to point out that you followed mobile security policies and deployed the appropriate technologies to enforce them may – you hope – be enough to keep you from getting fired.
With a risk-management mindset, certain types of data will be classified as ones that employees will want to access from mobile devices. That information should, then, be stored and served up differently than data typically accessed from an in-house PC. Simply classifying data as “mobile” may mean that employees can only view it on a secure web page, but not download or modify it. Other data may be manipulated on the end device, but only if secure partitioning is in place.
The concept of COPE sets the bar higher, but the phrase also contains a key concept that is easy to overlook: “Corporate Owned.” Mobile risks are so high that smartphones and tablets that enter the enterprise should probably be purchased by the organization. Anything else introduces too much risk, at least at this early stage in the BYOD adoption cycle.
If nothing else, maintaining device ownership means that if IT completely wipes a device, and in the process, accidentally wipes personal data, such as photos, this is perfectly within the organization’s rights. It’s the organization’s device, after all.
If it is the employee’s device you are wiping clean, however, don’t be surprised if you get serious pushback, even a lawsuit, if important personal information is erased along with sensitive corporate data.
From a risk management perspective, isn’t it smarter to just sidestep this snakes’ nest?
And if you accidentally wipe a senior executive’s personal data from that person’s personal device, do you think the excuse of “I was following the policy” will work to save your skin?
Mobile Endpoint Security Shouldn’t Be Left to End Users
One of the problems with pairing BYOD with solutions like MDM is that those solutions only do so much, yet are often advertised as all-in-one complete solutions. MDM is essential, but it’s only part of the puzzle. For instance, mobile antivirus and firewall features are too often left to the discretion of end users.
So, how does IT know if end users have AV turned on? Whether it is up to date? Whether or not critical patches are in place?
“Unlike the PC world, which is dominated by Microsoft, in the mobile world, each platform has its own software development environment. A security vendor developing mobile security apps will have to replicate the effort across various platforms. Further, some platforms such as Apple iOS do not allow traditional anti-virus apps on their platform,” said Amit Sinha, CTO of Zscaler, a cloud security company.
Under a BYOD frame of mind, organizations have little choice but to leave mobile AV up to end users. IT may point users to preferred products, but will they take the next step to purchase and manage mobile AV for their entire mobile workforce? Probably not, and that creates serious risks.
It’ll come as no surprise that Sinha advocates moving mobile AV to the cloud, where device constraints can be sidestepped. Cloud-based mobile AV also has the advantage of taking updating and patching requirements out of the hands of end users.
Lack of Visibility Equals Poor Mobile Security
IT has been doing its best over the years to get a better sense of what exactly is happening within its networks. What kinds of traffic eat up the most bandwidth? Which apps open the riskiest ports? Why on earth is a printer in HR taking requests from strange IP addresses in Russia? Today, these things are easy to find out.
However, with mobile, IT is once again in the dark.
“The problem with BYOD is that most organizations have scarce knowledge of each device type . . . limited control over the devices’ security posture because device owners have administrative rights and can add or remove programs; lack of visibility into what the device is doing on the internal network and how confidential data is moving around; and little understanding of the impact of the device on the network,” said Chris Smithee, Network Security Manager for security monitoring firm Lancope.
According to Smithee, the only viable solution to the BYOD challenge is to obtain visibility into every single thing a mobile device is doing on the network. Without that, it is impossible to effectively ensure that the device is not accessing confidential, privileged data or carrying malware that could spread to other assets.
“The best way to regain this total visibility is to utilize the existing network,” he said. “The network knows about every transaction crossing it, and it can provide this information in the form of flow data such as NetFlow, [a protocol developed by Cisco for collecting IP traffic info].”
NetFlow is already built into most routers, switches and other network infrastructure devices, so the use of flow data to monitor network and host activity offers a cost-effective solution for analyzing the behavior of mobile devices.
“With flow data, organizations can proactively detect issues stemming from any device on the network without having to install additional software on the devices or deploy expensive probes. Flow-based monitoring can detect both externally-launched, zero-day attacks such as botnets, worms or advanced persistent threats that bypass perimeter defenses, as well as internal risks such as network misuse, policy violations and data leakage,” Smithee added.
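To make the flow-based approach concrete, here is an added example (not code from the article or from Lancope) that applies two policy checks to flow records: mobile devices touching a restricted server segment, and unusually large outbound transfers. The address ranges, the byte threshold and the simplified record layout are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed, constructed values: adjust to your own addressing plan and policy.
MOBILE_NET = ipaddress.ip_network("10.20.0.0/16")     # wireless segment for mobile devices
RESTRICTED_NET = ipaddress.ip_network("10.1.5.0/24")  # servers holding confidential data
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXTERNAL_BYTES_LIMIT = 50_000_000  # outbound bytes per device per collection window

# Constructed flow records (src, dst, dst_port, bytes), a simplified stand-in
# for the fields a NetFlow collector exports.
SAMPLE_FLOWS = [
    ("10.20.3.14", "10.1.5.20", 445, 120_000),
    ("10.20.3.14", "203.0.113.9", 443, 48_000_000),
    ("10.20.3.14", "203.0.113.9", 443, 9_000_000),
    ("10.20.7.2", "10.1.9.8", 443, 30_000),
    ("10.30.1.5", "10.1.5.20", 445, 500_000),   # wired PC, outside the mobile segment
    ("10.20.7.2", "198.51.100.4", 443, 2_000_000),
]

def analyze(flows):
    """Return policy alerts for flows that originate on the mobile segment."""
    alerts = []
    outbound = defaultdict(int)  # per-device bytes sent to external hosts
    for src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in MOBILE_NET:
            continue  # only mobile-originated traffic is in scope here
        if d in RESTRICTED_NET:
            # Policy violation: mobile device reaching confidential data servers
            alerts.append(("restricted-access", src, dst, port))
        elif d not in INTERNAL_NET:
            outbound[src] += nbytes
    for src, total in sorted(outbound.items()):
        if total > EXTERNAL_BYTES_LIMIT:
            # Possible data leakage: volume to external hosts exceeds the limit
            alerts.append(("possible-data-leak", src, total))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Nothing is installed on the devices themselves; the checks run entirely on records the network already produces.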
If you go to your CIO or CEO and suggest that you repurpose an existing technology in order to get a better handle on your mobile problems, you’ll be applying a risk-management mindset to your own job security. Who ever got fired for saving the company money while also improving security?