Dark Reading is part of the Informa Tech Division of Informa PLC


3/25/2011
09:30 AM

Consumerization Of IT: Security Is No Excuse

At most companies, you can't just say "no" to consumer devices. Here's a plan to take the lead on information security issues.

Sorry to break this to you, but if you're looking to use security as the reason to keep consumer technologies out of your company, you'll have quite an uphill battle. Not because the security risks aren't real (they are), and not because you can guarantee the data security on the devices (you can't). It's because, as with virtualization, the business benefits significantly outweigh the security risks. As I heard one CIO say recently: "Consumerization is a parade. You can either get out in front of it to stop it and get trampled, or you can grab the baton and lead the parade."

Consumer devices are taking hold quickly in enterprises in part because it's easy to access company data without having to get IT involved. Any employee with ActiveSync access to corporate email can get that email on their personal smartphone or tablet in less than a minute.

The first challenge in securing personal smartphones and tablets is knowing when those devices are being added and removed from the company network, and knowing if they adhere to company policy. Bob the engineer could connect to his corporate email with a BlackBerry today and a brand new Android phone tomorrow. The problem is your company's email server most likely can only push a security policy to BlackBerry or Windows Mobile devices. Without proper management, you don't even know that Bob is no longer adhering to company policy.

Don't despair. Securing the unknown starts with a tried-and-true technique: default deny. Through the use of mobile device management tools such as MobileIron, you can prevent devices your IT team hasn't researched or approved from connecting to company resources. Heck, you can even make it so that any device needs your mobile application installed on it before it can receive a single corporate email. These mobile device management applications can prevent unwanted applications from being installed, can force removal of certain apps, and can even remotely wipe devices, even if your email platform doesn't support security policies on those devices. If a device is rooted or jailbroken, you can prevent it from connecting to your infrastructure altogether.

Oh, great, you're thinking: This guy thinks I'm going to default deny and then spend my life managing a whitelist of every single Android smartphone variation and every firmware variation.

But that isn't the point of this type of whitelisting. The goal of preventing unauthorized devices from connecting isn't about figuring out if the device is capable and secure enough to connect to the company's network; it's about identifying who is connecting that device to the network. Wouldn't you rather focus on whether the CFO, who has critical earnings data in his email, is trying to connect email to his new tablet, instead of worrying whether iOS 4.2.1 is on the approved list? I would. Focus your consumer IT security strategy around people and their roles, not around products.

Focusing on people relates to another major risk of these new devices: the speed at which people replace them.

Think about how many employees are changing or upgrading their smartphones--some as often as twice a year. That can mean the data stored on the SD cards and internal memory of their old phones is sitting at some store or has been resold.

Mobile device management (MDM) software can prevent device churn from affecting security by letting only one device connect per user. When the new device is provisioned--since you have a default deny policy, you'll have to approve it--you can disable and wipe the old device without having your IT team physically touch the device. MDM is gaining steam mostly because it lets companies offer employees a large range of devices: most MDM technologies implement security policy using a custom-built application that's loaded on the device. You no longer have to plead with Apple or Google to implement a new security feature in the next OS release. Most MDM vendors support BlackBerry, iOS, Android, and Windows Mobile.
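The admission logic described above (default deny, approval keyed on the person's role, one device per user, wipe of the old device on replacement), sketched as an added example that is not from the article or from any MDM product. The role labels, class names, and deny reasons are hypothetical.

```python
from dataclasses import dataclass, field

# Assumption: roles whose mailboxes hold critical data need security sign-off.
HIGH_RISK_ROLES = {"cfo", "finance", "legal"}

@dataclass
class Device:
    device_id: str
    owner: str
    agent_installed: bool  # MDM agent app present on the device
    compromised: bool      # rooted or jailbroken

@dataclass
class Registry:
    roles: dict                                      # user -> role
    active: dict = field(default_factory=dict)       # user -> the one approved device
    wipe_queue: list = field(default_factory=list)   # retired devices awaiting remote wipe

    def admit(self, dev: Device) -> str:
        """Default deny: only a user's single approved, healthy device syncs."""
        if dev.owner not in self.roles:
            return "deny:unknown-user"
        if dev.compromised:
            return "deny:rooted-or-jailbroken"
        if not dev.agent_installed:
            return "deny:no-mdm-agent"
        if self.active.get(dev.owner) != dev.device_id:
            return "deny:pending-approval"
        return "allow"

    def approve(self, dev: Device, security_signoff: bool = False) -> bool:
        """Approve by who the owner is, not by handset model or OS version."""
        role = self.roles.get(dev.owner)
        if role is None or dev.compromised or not dev.agent_installed:
            return False
        if role in HIGH_RISK_ROLES and not security_signoff:
            return False
        old = self.active.get(dev.owner)
        if old is not None and old != dev.device_id:
            self.wipe_queue.append(old)  # replaced device is disabled and wiped
        self.active[dev.owner] = dev.device_id
        return True

if __name__ == "__main__":
    # Constructed sample data: Bob swaps his BlackBerry for an Android phone.
    reg = Registry(roles={"bob": "engineer"})
    blackberry = Device("bb-1", "bob", True, False)
    android = Device("and-2", "bob", True, False)
    reg.approve(blackberry)
    print(reg.admit(android))                      # denied until approved
    reg.approve(android)
    print(reg.admit(blackberry), reg.wipe_queue)   # old device locked out, queued for wipe
```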

Those companies that can't afford MDM software need to look at data flows to these devices and pick the points they can secure. In our experience reviewing mobile risks, the most critical and confidential data is stored within the email app on the device, followed by the calendar, contact list, and any apps the user has to write notes, such as Evernote. Start with the basics: Force devices to be locked when not in use, and encrypt the email stored on the device if possible.

It's unlikely that an attacker will access critical, confidential data in an enterprise application other than email, calendar, and contacts. There are just too many variations of enterprise apps and devices to make it worth most attackers' time to write malicious code to get at data from those other apps.

Chart: How do you ensure security of end user devices that may contain company data?

Value In What You Already Own

Your existing security technologies inside the firewall also can help cope with consumer tech, since the email, calendar, and contacts sync with the corporate infrastructure. You can use capabilities such as data loss prevention and attachment monitoring to keep critical or confidential data from reaching employees' mobile email boxes. Still, that approach isn't as effective as combining data loss prevention with MDM.

When you start looking at the data flow, you'll see that most devices can't access the company's file server or intranet without setting up VPN access. Most of these new smartphones and tablets do support VPNs out of the box, but hopefully your VPN software can prevent access from unauthorized devices. If not, see if you can update the software so that it performs a check before any device accesses the internal network, and then blocks VPN access from devices that don't meet security policies.

However, any time you block access, be sure to also offer ways to let people securely do their work with mobile devices. Otherwise, they're more likely to just download their own apps and work around you. For example, we recommend giving employees remote desktop access to a secure and locked-down desktop via one of the many remote access apps, at the same time you're blocking VPN access from mobile devices. This approach prevents files from being copied to the device but lets the worker read and view documents. If done properly, this approach removes the risk of rogue apps and Trojan horses because company data won't be on the device in the first place.

The companies we have worked with that embrace consumer tech are getting a great side benefit: centralization of security controls. If you take our remote access example, this is actually an opportunity to provide more robust controls on a virtual desktop, while still giving employees what they want. You get the ability to audit, monitor, and prevent data loss without having to worry about the device the user is coming from--the perfect opportunity for a give and take. You give mobile computing and anywhere access, in exchange for more security controls. Remote desktop client apps are available on all major device platforms, including Android, iOS, and BlackBerry.

So get out and lead the parade. Doing so will require some assessment of devices, software security tools, and MDM software. Do these assessments even if you don't have a company policy governing consumer devices, or if your policy is to flat-out ban them. In our experience, when employees feel like IT is embracing change, they're much more likely to work with you rather than against you.

Michael A. Davis is the CEO of Savid Technologies, a technology and security consulting firm based in Chicago. Write to us at [email protected]
