
Tech Insight: Bringing Security To Bring-Your-Own-Network Environments

Bring-your-own-network phenomenon complicates security in bring-your-own-device environments

[Jason Sachowski is a security professional at ScotiaBank. His content is contributed through the auspices of the (ISC)2 Executive Writers Bureau.]

Most security professionals are wrestling with the bring-your-own-device (BYOD) phenomenon, in which end users introduce their own mobile devices -- and a new range of security risks -- to the corporate network. Increasingly, however, the BYOD security environment is further complicated by another emerging phenomenon: bring your own network (BYON).

The BYON security problem is a by-product of increasingly common technology that enables users to create their own mobile networks. These Dynamic Area Networks (DAN), usually created through mobile wireless hotspot capabilities, necessitate a new approach to security in which not only are internal devices treated as untrusted, but internal networks may be untrusted as well.

Like BYOD, the BYON security issue is not solved simply through point solutions. It requires the right combination of people, process, and technology.

Before the BYOD wave occurred, organizations defined a network perimeter and architected their intranets accordingly. Today, however, organizations must accept the reality that all networks -- and all devices -- should be treated as hostile, regardless of how many technical security controls you have in place.

There is no single cause to this hostility. Some of it is due to the declining effectiveness of signature-based technologies as new threats evolve. Some of it is a function of the growing mobility of users, who must now simultaneously connect to both internal and external networks.

In the world of BYOD and BYON, enterprises must create new service models that assume networks are hostile, devices are unmanageable, and data will be consumed from a variety of technology platforms.

The enterprise must have people on-site who can help implement this new approach to security. There also must be a well-defined set of processes -- including policies, standards, directives, and guidelines -- that can support both BYOD and BYON. Not only do these processes have to consider data elements -- what data requires protecting, where security controls will be enforced, and how data will be protected -- but they must also define acceptable business conduct when it comes to BYOD/N technologies.

Traditionally, IT's assumption has been that employees will use systems managed by the organization. So where do the unmanaged BYOD and BYON systems fit in? There must be an approved BYOD process that defines how an organization will address unmanaged systems.

In a 2012 article titled "Prepare For Anywhere, Anytime, Any-Device Engagement With A Stateless Mobile Architecture," Forrester Research discusses the concept of an "extended enterprise," where organizations must control access to critical resources regardless of the connecting device, networks being crossed, or data repository.

In order for organizations to adapt to the current state of user mobility or its subsequent evolutions, Forrester says, they must focus their security controls on the data, not the network or device, exposing only what is required for employees to conduct business.

As with BYOD, there is no single point technology that can be implemented as the overall solution for BYON. As a starting point to a suite of technical controls, the first step is to build a data-centric security model. Data-centric security has been around for quite some time and, through such trends as BYOD, is a forerunner in enabling organizations to provide user mobility by collapsing network controls around data repositories and building the appropriate security controls into the application layer.

The next step is shifting away from network security controls throughout the infrastructure and moving them inbound, creating a perimeter to protect the data repositories. This approach helps organizations eliminate the anxiety of data sources co-existing on the same hostile network as the unmanaged devices.

Having collapsed the network perimeter around the data sources -- as a data-at-rest control -- we can now turn our attention to data access methods -- the data-in-transit controls. One way to take this step is by implementing next-generation firewalls (NGFW).

Traditional firewalls can only enforce security controls up to the transport layer; they do not understand the context of who is accessing the data and how it is being accessed. With an NGFW, organizations gain extended visibility into data usage, including the application type and the user identity. This makes it easier to give mobile users access anywhere and anytime, while simultaneously filtering out anomalous or malicious content.

The final piece of the puzzle is designing, developing, and deploying applications that can support anywhere, anytime access -- data-in-use controls. There are two approaches an organization can take when deploying mobile-ready applications.

The first approach is to expand on industry best practices for secure software development by embedding additional layers of security filtering controls into the application, such as data masking or role-based authentication.
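The following is an added example, not code from the article or from Scotiabank, showing what "embedding security filtering controls into the application" can look like in practice: a small application-layer access function that enforces role-based authorization (default deny for unknown roles) and masks sensitive fields before a record leaves the data tier. The roles, field names, and sample customer record are constructed for illustration, so the data stays protected regardless of which device or network the request came from.

```python
"""Added example (not from the article): application-layer RBAC plus data masking.

The point of the article's first approach is that the application itself, not
the network or device, decides what data a caller may see. The roles, field
lists, and sample record below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy: which roles may read which fields of a customer record,
# and which of those fields are returned masked rather than in full.
ROLE_FIELDS = {
    "teller":  {"name", "account_number", "balance"},
    "support": {"name", "account_number"},
    "auditor": {"name", "account_number", "balance", "ssn"},
}
MASKED_FIELDS = {
    "teller":  {"account_number"},
    "support": {"account_number"},
    "auditor": set(),
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller: a user id and the role the identity layer assigned."""
    user: str
    role: str


class AccessDenied(Exception):
    """Raised when the caller's role has no entry in the policy (default deny)."""


def mask(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` characters with '*'."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def read_customer(principal: Principal, record: dict) -> dict:
    """Return the view of `record` that `principal` is allowed to see.

    Unknown roles are denied outright; fields outside the role's allow-list
    are dropped; fields on the role's mask list are masked, never returned raw.
    """
    allowed = ROLE_FIELDS.get(principal.role)
    if allowed is None:
        raise AccessDenied(f"role {principal.role!r} is not authorized")
    masked = MASKED_FIELDS.get(principal.role, set())
    view = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # drop fields this role may not see at all
        view[field] = mask(str(value)) if field in masked else value
    return view


# Constructed sample record (not real customer data).
SAMPLE_RECORD = {
    "name": "A. Example",
    "account_number": "123456789012",
    "balance": 1500.25,
    "ssn": "000-00-0000",
}

if __name__ == "__main__":
    for role in ("teller", "support", "auditor"):
        print(role, read_customer(Principal("u1", role), SAMPLE_RECORD))
    try:
        read_customer(Principal("u2", "guest"), SAMPLE_RECORD)
    except AccessDenied as exc:
        print("guest:", exc)
```

The policy tables are deliberately the only place that names fields, so adding a role or tightening what a role may see is a data change rather than a code change; a role missing from the table is denied rather than silently given everything, which is the failure mode a default-allow implementation would have on an untrusted network.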

The second approach is to use application virtualization software to secure data inside of a mobile container that is not concerned with risks of unmanaged devices or hostile networks.

By following either of these approaches, organizations can allow data to be accessed anytime and anywhere, with the assurance that the data will be used in its intended context, stored in its intended locations, and transferred through approved methods.

BYOD and BYON are here to stay -- they will continue to create business and IT environments that are unmanageable and increasingly hostile. As security professionals, we must re-evaluate traditional security practices and create service models that offer secure data access -- regardless of the device, network, or source.


Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ...
