
BYOD Woes and Worries

Gunter Ollmann

Like the scene of a movie in which a biblical character holds back the mighty sea and is about to release the tide against his foes, BYOD has become a force of nature poised to flood those charged with keeping corporate systems secure.

Despite years of practice hardening systems and enforcing policies that restrict what can and can't be done within the corporate network, businesses are under increasing (if not insurmountable) pressure to allow a diversifying number of personal devices to connect to their networks and be used for business operations. Bring your own device (BYOD) is the most intrusive trend that security teams have had to face for quite some time.

Unlike other business changes over the years that caused security teams to reevaluate their policies (such as allowing remote users to VPN in to the corporate network or enabling webmail facilities for roaming users), BYOD is being driven by all levels of the corporate hierarchy simultaneously. And it's forcing new changes in the way organizations conduct business and seek to secure themselves.

BYOD is directly forcing the hand of security teams; and those that don't (or can't) accommodate the change are in for a very rough ride indeed.

Organizations that have embraced the approach — allowing employees to bring in their personal devices and engage with business systems — appear to have reaped rewards ranging from increased productivity, through to a lowering of capital expenditure within their IT departments. BYOD is affecting all walks of life. For example:

  • Out-of-hours system monitoring and alerting through Android applications that can be trivially loaded onto an employee's smartphone.
  • Larger pockets being added to medical staff's lab coats and smocks to accommodate the iPads they're increasingly carrying around.
  • Shared use of cloud storage facilities as employees jump back and forth between personal and corporate devices throughout the day.

Not all businesses have embraced a BYOD culture the same way. In the majority of organizations I deal with, the general security strategy is to treat the device as "untrusted" — typically only allowing the user of the device to connect to the Guest or dirty wireless networks and limiting access to those services or business applications that can ordinarily be accessed remotely (e.g. through a VPN). Meanwhile, a handful have gone 'whole hog' as it were, and are doing away with corporate supplied computing devices; instead they're offering to subsidize the employee's purchase and provide a list of "minimum" security standards for the device.

We are in a transitional period with respect to BYOD strategies and there is a lot of experimentation as organizations strive to achieve a new balance between security and convenience. As such, the security posture of an organization needs to take into account the continuous change going on about it. While it's been a common declaration within the security community that you can't protect the end-point from a determined attacker, as device ownership slips from the hands of the corporate entity into the hands of the employee, so too does the onus for protecting it.

For many organizations the frontline in security for the last two decades has been protecting computers with host-based defenses. Sure, there's been investment in perimeter defenses, but the war between the cybercriminals and their prospective victims has been happening within the operating systems, web browsers and applications of the end device. As such, with the end-point device slipping out of the control and oversight of corporate security teams, an added emphasis is being placed upon two critical security approaches — securing the core (centralized) intellectual property and data of the organization, and rapidly identifying devices that have already been compromised.

Organizations with a mature security strategy flexible enough to accommodate BYOD demands have pursued an approach in which it is assumed that the user's device is likely (if not already) compromised and under the control of an external criminal entity. As such, they have myopically focused their attention on securing the servers that really matter to the business and are securing the systems and repositories that govern or track the data itself. In parallel, they've deployed systems that alert and identify devices that are acting suspiciously or are positively identified as being usurped by professional crimeware, and take immediate, automatic steps to restrict and cauterize the threat.

BYOD has forced a paradigm change in the way businesses approach and enforce security within their organizations. Security teams within organizations that continue to resist the adoption and use of personal devices (whether they be personal laptops, smartphones, tablets or an Xbox) are fooling themselves if they think they can hold back the tide. Security consolidation and threat alerting are the ropes they need to grasp.

By Gunter Ollmann, Chief Technology Officer at IOActive.


Comments

Phil Howard  –  Apr 10, 2012 12:56 AM PDT

We are trying to move to a model where personal devices stay just that, and devices for use with business purposes stay just that.  We've just about reached the point of issuing a company laptop to all employees (with the policy rule to do company work only on the company laptop, and only company work on it).  Now we need to do tablets and probably many phones.  I think that will soon happen.  But it can be cumbersome for people to carry around two smartphones.  We'll probably try to go with something smaller for company work, and probably limited to sales people and critical support techs.  Developers may want to keep the laptops.  It may just come down to "pick one" and "you can change it later".

But there are risks (varying by industry) letting people use personal or home devices for company work.  You don't want to be browsing customer accounts or accessing the DNS server on the same home PC that also gets used by kids that download games from everywhere in the world.  There has to be a limit.

And certainly there are places within certain three letter government agencies where personal devices will never be allowed.  And many businesses (not just government contractors) will need to do likewise.  Still, a tablet can be a great tool within the company to do things like data center maintenance work.  Embrace, but be smart.

Silos of data David A. Ulevitch  –  Apr 10, 2012 8:21 AM PDT

Phil — Separating devices does not work. Human nature tells us that the workers will find the shortest path to accomplishing their work.  If they have a contact they need to email on their personal device, they will just email them from their personal email.  What results is an ecosystem where you are stuck with the security upper-bound being based on the path of least resistance.

Might be worth a read - IBM's BYOD Suresh Ramasubramanian  –  Apr 12, 2012 9:18 PM PDT

http://www.infoworld.com/d/consumerization-of-it/how-ibm-manages-80000-bring-your-own-devices-189504

https://www-304.ibm.com/connections/blogs/ibmmobility/entry/bring_your_own_device_byod_the_new_movement_in_mobility?lang=en_us
