I spent a few days at ConSec ’12 this week and heard a lot about Bring Your Own Device (BYOD). It is a rapidly growing phenomenon that enterprise security experts are grappling with. BYOD is becoming accepted by many companies of all sizes. Interestingly, it often begins when a senior executive pops by IT with an iPad or a Mac and insists on using that device instead of a corporate standard. Then the floodgates open. People tend to like the freedom of choice and the convenience of BYOD.
Security risk with BYOD
Did you know that when you access corporate email on the mobile device you own, there are countless security risks? For example, if your phone is stolen, it is surprisingly easy to gain access to all the data on the device. If you have the email password stored, well, all of your email is available to the hacker. They can steal anything and, even worse, impersonate you. In fact, a good hacker in possession of your device can decrypt your stored passwords in a matter of minutes.
If you think that a remote wipe will take care of this – think again. A remote wipe requires that the device is powered on. So, if the bad guy powers it off and removes the SIM card – remote wipe won’t be wiping anything.
If you use your device for personal purposes, you might download some fun apps and games. There is nothing that guarantees these applications are not malware. And it’s possible they behave well for 6 months and then become malware.
Employee-owned devices are extremely difficult to control or trust. The key seems to be to develop a strategy where the device is known and expected to be EVIL. Enterprise IT needs to focus on protecting what really matters – the corporate network, applications, and most of all, business-critical data.
Monitor for anomalies
Enterprises need to focus on monitoring for anomalies that can strike their key assets:
- The corporate network
- Business-critical applications
- Business-critical data
With BYOD, the risk of network contamination and information leakage significantly increases due to poorly developed or malicious apps, the increased attack surface of all of these devices, and fun-loving human nature. Ixia is in the business of providing network visibility with products such as the Anue NTO, which can really help secure production networks.
In the past, IT managed users with a work-owned device, which was most likely configured and locked down. Today, IT is faced with users with as many as three devices (laptops, iPads and phones/smartphones), all out of its control. That is triple the devices, and all present tasty attack surfaces plus an increase in network bandwidth requirements. Oh dear.
So, you might develop a policy that IT must control and monitor all devices that are used for business purposes. Good luck on that – the privacy and legal issues in the US get sticky. In EMEA and other regions with stricter privacy policies for their citizens, forget about it. Scenario: you have a security incident and you need to force-wipe an employee’s iPhone – and you wipe out the last picture of grandpa before he died. The jury would tear up right there.
And do you really want to deal with the drama around confiscating an employee’s personal device and invading his privacy and finding scantily-clad pictures of his fiancée? Oh dear.
The answer is to focus on securing what really matters: enterprise data, network and applications. Lock down and monitor what really counts to your business. Expect employee-owned devices to be Evil, and you will not be disappointed.
Having said all that, there is a new category of products called Mobile Device Management (MDM) that can enforce device policy, encrypt local data and secure contained partitions. It is a nascent category, but there are already over 40 companies moving in to solve mobile device security concerns. In addition, at ConSec ’12 AT&T was talking about a new technology to provide a “toggle” feature, where there are two settings – one for work purposes and one for personal purposes. With this, you might be able to effectively carry out information security practices for the device.
More to come soon…