|Issue:||North America 2013|
|Topic:||Security for BYOD|
|Author:||Karl Driesen & Brian Tokuyoshi|
|Title:||Karl Driesen: VP EMEA – Brian Tokuyoshi: senior product marketing manager|
|Organisation:||Palo Alto Networks|
Karl Driesen is VP EMEA for Palo Alto Networks; he has over 20 years’ experience in enterprise technology throughout the EMEA region. Mr Driesen previously served as VP EMEA at Infoblox; he also held senior management positions at Netscreen Technologies, Xylan and Cisco.
Karl Driesen holds a B.Sc. in Telecommunications from VTS Antwerp.
Brian Tokuyoshi is a senior product marketing manager at Palo Alto Networks; he has over 15 years of experience working with identity management and security organisations. Mr Tokuyoshi previously worked as a product marketing manager for Symantec’s PGP Corporation, overseeing the PGP Encryption Platform; he also served as product marketing manager for ActivIdentity’s smart card management systems and strong authentication solutions. Mr Tokuyoshi also helped develop Sun Microsystems’ original identity management platform, and served as senior market analyst for The Radicati Group, covering the PKI and directory server markets.
Brian Tokuyoshi holds a Bachelor of Science degree in Computer Engineering from California State University, Chico.
More than half of North American companies believe the risks of BYOD outweigh the benefits, and BYOD runs contrary to traditional IT security practice. Nevertheless BYOD is a rapidly growing and seemingly unstoppable trend, so new security policies and procedures are needed to keep the data and networks of user organisations secure. To mitigate the risk, organisations must start by treating any unknown traffic, user or endpoint as risky. Strong controls on access to applications and resources bring the risk of BYOD down to an acceptable level.
Take a second to picture the carefully groomed, meticulously chosen set of policies that govern the selection, purchase, use and audit of technology inside the average business.
Now picture those guidelines thrown out the window.
Bring your own device (BYOD) allows the use of new devices to interact with enterprise IT without following the traditional process for vetting, monitoring and auditing equipment for proper use. Instead of IT mandating what employees can use, BYOD lets employees themselves decide the technology they want to use.
Whether it is a laptop that is lighter and sleeker than the boring, heavy corporate-issued fare, or a tablet or smartphone an employee uses for both personal and business matters, it is the employees, as consumers, who decide what they use. Employees purchase devices for personal use and incorporate them into their work environment, with or without the support of the IT department.
According to recent research by ISACA (Information Systems Audit and Control Association), 36 per cent of North American companies have policies that allow BYOD and a further 30 per cent prohibit it completely. Almost a third of the companies in the region have therefore yet to decide, so their users decide for themselves and select the tools they find most appropriate for their job. Typically that means employees using their personal devices, which raises questions of device security and remote access.
The uncontrolled use of personal devices raises several types of security issues:
Protecting network traffic – Personal devices connected to corporate networks may place company data at risk. Without encryption in transit, information on a network is about as private as a postcard: open to anyone who makes the effort to look.
Protecting the endpoint – Managed devices benefit from endpoint protection standards that provide a line of defence against malicious content. Unmanaged devices may or may not meet those standards, and may have no adequate protection independent of the network.
There are two distinct issues here: first, the endpoint may need better security of its own against dangerous content and, second, network security measures may not be able to protect the user’s device effectively, for instance when it is used off the corporate network.
Enforcing application policy – Organisations have applications they need to protect, so they need to control which users can access data centre applications and from where. An organisation might, for example, restrict access to a sensitive application to corporate-issued laptops. Such controls protect the data centre by assigning an appropriate level of access to each specific device.
Enforcing device policy – The mobile device’s operating system may have security features, but it is not easy to guarantee they are configured and used properly when the device is not corporate owned. Organisations are increasingly enforcing device policy compliance with technology such as mobile device management (MDM), which can turn an unmanaged employee-owned device into a managed one.
Protecting data on the device – Should BYOD devices be allowed to store enterprise data at all? What measures are in place to secure the data, or to destroy it if the device is lost or stolen? Some see this as a question of containment, such as using partitioning and application containers to limit where the data can go. Some see it as a matter of data protection, such as data-level or device-level encryption. Another approach is to consider which applications and data the device should be permitted to access in the first place, for example using virtualisation to reach an application or desktop remotely without placing the application data itself on the device.
These are just a sample of the technical issues that come into play with BYOD; there are, in addition, a number of legal issues. With all this to think about, there is a natural tendency to blame non-compliant users and devices as the source of the problem.
BYOD has exposed an existing issue, namely that enterprises often lack the control they need over who can access particular applications, and cannot secure the traffic to those applications regardless of who owns the device. There are deeper issues at play:
• Trust – Just how much access should you provide to someone connecting to your applications from a remote location or with an unknown device?
• Protection – When you don’t own the device, can you properly protect it or secure it?
• Control – How can you enforce compliance with corporate guidelines when the user is on the move?
Within this context, it is easier to understand why organisations are apprehensive about BYOD. Over half of North American companies, 51 per cent, believe the risks associated with BYOD outweigh the benefits. Businesses find it difficult to establish trust, provide protection and enforce control over their managed devices, let alone their unmanaged ones. That is why the issue is so much wider than the device itself: the response to BYOD has to be anchored in something the enterprise can control.
To shore up control, organisations need to understand what they want their network to do. Controlling access to applications by specific users, and finding threats in the traffic, are fundamental problems for security teams. Until these are resolved, the challenge of dealing with a broader range of devices cannot properly be addressed.
Many organisations in America place too much trust in their users and, almost by default, authorise traffic and files of an unknown nature that may carry unidentified dangers. For example, a standard port-based firewall passes any traffic that arrives on an allowed port, whatever that traffic actually is. A file that does not match a known malware signature is assumed to be good rather than merely unknown. Many organisations do not know which user is behind a particular IP address, because identity verification is not part of their policy. Instead of strengthening overall security, each of these assumptions amounts to unwarranted trust. Treating unknown elements as risky by default offers greater protection when authorising access to company data or network resources, and helps resolve BYOD issues as well.
Once we look at the risks the network can miss, the difficulties of controlling BYOD become clear. The network is the fundamental link between enterprise applications and the user, so it needs to play a decisive role in determining access to critical applications.
Beyond the endpoint
Endpoint security is a measure of last resort, but with BYOD it is sometimes the only resort: if the network is not filtering out dangerous content, endpoint security is the only remaining protection.
BYOD adds two new variables to the endpoint protection problem: device and location. First, a personally owned device is a wildcard; you do not know whether it has proper endpoint security measures installed. The only controls you can count on with BYOD are the network’s own.
Location is also a wildcard; BYOD devices are often used outside the organisation, sometimes on unsecured coffee-shop Wi-Fi networks. Improving the security of network traffic means addressing the risks of unsecured locations, for example by giving remote devices a secure means of connecting back to the corporate network.
The next generation of BYOD security
Once the network is secured and a means of connecting to it is provided, the other pieces of the puzzle start to make sense. Organisations that want to block unauthorised devices can do so with network access control (NAC). By first authenticating and authorising users, organisations can then offer network users a richer workspace with a wider variety of content and functionality.
By integrating mobile device management (MDM) solutions with next-generation firewalls, organisations can enforce usage policies and better manage both devices and their connections to the corporate network.
In this way organisations can tackle both sides of the issue together, the network and the device, for greater visibility and control of network activity and risk.
The line between IT-managed and employee-owned will continue to blur in the years ahead. Getting a grip on the security requirements starts with identifying the users and the applications they use, examining the content, scanning for risks, and incorporating device and location into policy enforcement.
By building stronger core security for safer access to applications and resources, the other issues surrounding BYOD become easier to handle. It is important to know who is using a particular resource, so start by being able to identify and trust users, know which devices they are using and establish the policy controls that make it all manageable. This applies to both the IT-managed and the BYOD world, because without consistent policy enforcement the security issues only become more complex, and experience shows that complexity is the undoing of any good security programme.
A recent Gartner survey shows that 70 per cent of organisations plan to have BYOD policies in place within the next 12 months.
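The two policy stances contrasted in this article, a port-based firewall that waves through anything on an open port versus a default-deny policy built on identified applications, mapped users, device state and location, can be made concrete in a small evaluator. The following is an added illustration written for this page, not Palo Alto Networks code and not a description of any product; the rule set, the IP-to-user mapping, the "managed" device attribute (standing in for an MDM compliance report) and the sample flows are all constructed assumptions. It shows why an unknown application on port 443, an unmapped source address, an unmanaged tablet on a coffee-shop network and a file with no verdict yet are each treated as risky rather than allowed by default, and also that application-aware policy is not simply "stricter": a known application on a non-standard port is allowed where the port rule would have blocked it.

```python
"""Added example (not Palo Alto Networks code): a toy policy evaluator that
contrasts a port-based firewall stance with a default-deny policy keyed on
identified application, mapped user, device state and location. All rules,
IP-to-user mappings, device attributes and flows below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One session as an application-aware inspection layer would report it."""
    src_ip: str
    dst_port: int
    app: Optional[str]       # identified application; None = could not be identified
    device_managed: bool     # assumed MDM attribute: device enrolled and compliant
    location: str            # "corp" (on-premises) or "remote"
    file_verdict: str        # "none" (no file), "clean", "malicious" or "unknown"


@dataclass(frozen=True)
class Rule:
    app: str
    groups: frozenset[str]   # {"any"} = any authenticated user
    managed_only: bool
    locations: frozenset[str]


# Constructed identity mapping (directory/VPN logon -> source IP): the
# "know who is using a particular IP address" prerequisite from the article.
USER_MAP = {
    "10.0.0.8": ("alice", "hr-staff"),
    "10.0.0.9": ("alice", "hr-staff"),
    "10.0.0.12": ("bob", "staff"),
    "10.0.0.13": ("carol", "staff"),
}

# Constructed positive rule set; anything not matched here is denied.
RULES = [
    Rule("web-browsing", frozenset({"any"}), False, frozenset({"corp", "remote"})),
    Rule("mail", frozenset({"any"}), False, frozenset({"corp", "remote"})),
    Rule("hr-portal", frozenset({"hr-staff"}), True, frozenset({"corp"})),
]

LEGACY_OPEN_PORTS = {80, 443}


def legacy_port_decision(flow: Flow) -> str:
    """Port-based firewall: an open port means allow; app, user and device are never consulted."""
    return "allow" if flow.dst_port in LEGACY_OPEN_PORTS else "deny"


def policy_decision(flow: Flow, rules=RULES, user_map=USER_MAP) -> tuple[str, str]:
    """Default-deny evaluation. Anything unknown is treated as risky: an unidentified
    application or unmapped user is denied, and an unanalysed file is held, not passed."""
    if flow.app is None:
        return "deny", "unidentified application"
    identity = user_map.get(flow.src_ip)
    if identity is None:
        return "deny", f"{flow.src_ip} not mapped to a user"
    user, group = identity
    rule = next((r for r in rules if r.app == flow.app), None)
    if rule is None:
        return "deny", f"no rule permits {flow.app}"
    if "any" not in rule.groups and group not in rule.groups:
        return "deny", f"{user} ({group}) not permitted to use {flow.app}"
    if rule.managed_only and not flow.device_managed:
        return "deny", f"{flow.app} requires a managed device"
    if flow.location not in rule.locations:
        return "deny", f"{flow.app} not permitted from {flow.location}"
    if flow.file_verdict == "malicious":
        return "deny", "known malicious content"
    if flow.file_verdict == "unknown":
        return "hold", "file has no verdict; held for analysis"
    return "allow", f"{user} -> {flow.app} matched rule"


# Constructed sample flows.
FLOWS = [
    Flow("10.0.0.5", 443, None, False, "remote", "none"),               # unknown app on 443
    Flow("10.0.0.8", 443, "hr-portal", True, "corp", "none"),           # managed laptop, on site
    Flow("10.0.0.9", 443, "hr-portal", False, "remote", "none"),        # personal tablet, coffee shop
    Flow("10.0.0.12", 80, "web-browsing", False, "remote", "unknown"),  # download with no verdict yet
    Flow("10.0.0.13", 8443, "mail", False, "corp", "clean"),            # known app on a non-standard port
    Flow("10.0.0.12", 443, "web-browsing", False, "remote", "malicious"),
]


def compare(flows=FLOWS) -> list[tuple[str, str, str]]:
    """(legacy port decision, policy decision, reason) for each flow."""
    out = []
    for f in flows:
        decision, reason = policy_decision(f)
        out.append((legacy_port_decision(f), decision, reason))
    return out


if __name__ == "__main__":
    for f, (legacy, decision, reason) in zip(FLOWS, compare()):
        print(f"{f.src_ip:>10}:{f.dst_port:<5} legacy={legacy:<5} policy={decision:<5} {reason}")
```

The order of checks is deliberate: application identity and user mapping come first because nothing later in the rule can be evaluated sensibly without them, and the content verdict comes last because it only matters once the session itself is permitted. The third decision state, hold, is what separates "unknown" from "clean" for files that have not yet been analysed.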