Like the scene of a movie in which a biblical character holds back the mighty sea and is about to release the tide against his foes, BYOD has become a force of nature poised to flood those charged with keeping corporate systems secure.
Despite years of practice hardening systems and enforcing policies that restrict what can and can't be done within the corporate network, businesses are under increasing (if not insurmountable) pressure to allow a diversifying number of personal devices to connect to their networks and be used for business operations. Bring your own device (BYOD) is the most intrusive trend that security teams have had to face for quite some time.
Unlike other business changes over the years that caused security teams to reevaluate their policies (such as allowing remote users to VPN in to the corporate network or enabling webmail facilities for roaming users), BYOD is being driven by all levels of the corporate hierarchy simultaneously. And it's forcing new changes in the way organizations conduct business and seek to secure themselves.
BYOD is directly forcing the hand of security teams; and those that don't (or can't) accommodate the change are in for a very rough ride indeed.
Organizations that have embraced the approach — allowing employees to bring in their personal devices and engage with business systems — appear to have reaped rewards ranging from increased productivity, through to a lowering of capital expenditure within their IT departments. BYOD is affecting all walks of life. For example:
Not all businesses have embraced a BYOD culture the same way. In the majority of organizations I deal with, the general security strategy is to treat the device as "untrusted" — typically only allowing the user of the device to connect to the Guest or dirty wireless networks and limiting access to those services or business applications that can ordinarily be accessed remotely (e.g. through a VPN). Meanwhile, a handful have gone 'whole hog' as it were, and are doing away with corporate supplied computing devices; instead they're offering to subsidize the employee's purchase and provide a list of "minimum" security standards for the device.
We are in a transitional period with respect to BYOD strategies and there is a lot of experimentation as organizations strive to achieve a new balance between security and convenience. As such, the security posture of an organization needs to take into account the continuous change going on about it. While it's been a common declaration within the security community that you can't protect the end-point from a determined attacker, as device ownership slips from the hands of the corporate entity into the hands of the employee, so too does the onus for protecting it.
For many organizations the frontline in security for the last two decades has been protecting computers with host-based defenses. Sure, there's been investment in perimeter defenses, but the war between the cybercriminals and their prospective victims has been happening with the operating systems, web browsers and applications of the end device. As such, with control of the end-point device slipping out from control and oversight of corporate security teams, an added emphasis is being placed upon two critical security approaches — securing the core (centralized) intellectual property and data of the organization, and rapidly identifying devices that have already been compromised.
Organizations with a mature security strategy flexible enough to accommodate BYOD demands have pursued an approach in which it is assumed that the user's device is likely (if not already) compromised and under control of an external criminal entity. As such, they have myopically focused their attention on securing the servers that really matter to the business and are securing the system and repositories that govern or track the data itself. In parallel, they've deployed systems that alert and identify devices that are acting suspiciously or are positively identified as being usurped by professional crimeware, and take immediate, automatic steps to restrict and cauterize the threat.
BYOD has forced a paradigm change in the way businesses approach and enforce security within their organizations. Security teams within organizations that continue to resist the adoption and use of personal devices (whether they be personal laptops, Smartphones, tablets or X-Box) are fooling themselves if they think they can hold back the tide. Security consolidation and threat alerting are the ropes they need to grasp.
By Gunter Ollmann, Chief Security Officer at Vectra
Related topics: Security
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Minds + Machines
Afilias - Mobile & Web Services