BYOD, Bring-Your-Own-Device & Cloud Systems:
More secure than your desktop
The BYOD (Bring-Your-Own-Device) phenomenon is causing big waves in big business, particularly in the financial services sector. CIOs are concerned that BYOD gives users too much control over the data they can access, which could lead to serious security breaches, whether through intentional attempts to hack and defraud or through unintentionally leaving confidential, critical data in open view of the stranger behind you while you’re catching up on that report in a coffee shop.
It’s a trite, overused phrase, but BYOD really is a huge paradigm shift. Historically, in closed business systems, security has tended to win the battle against usability, with companies erring on the side of caution and preferring safer, locked-down, but ultimately harder-to-use systems and a ‘like-it-or-lump-it’ attitude towards the employees who use them. But with the proliferation of smart devices, and the general public finally being delivered a level of technological usability on an everyday basis that requires little or no learning curve, usability is starting to win the battle.
Of course this battle carries major security implications. Show me the end-user who, given a choice, would choose to have a username and password (twice over in my case) and I’ll show you a liar! From CEOs to low-level employees, and especially the teenagers you will be looking to hire in a few years – no one wants to fuss with a log-on of any type. Most of them will accept security measures, but only as long as they don't get in their way. What we may see as a minor inconvenience in exchange for security is perceived as a constant nag and a waste of time by the average user.
Your CEO, in his seemingly impenetrable office, might well ask you (and probably already has) to remove login boxes, antivirus pop-ups and the like so that he can get on with his work. But ask the same CEO whether he wants his systems left unrestricted and open to anyone who reaches a machine on the network, which is in essence exactly what he is asking for himself, and the request will quickly swing in the other direction.
And it is this area of security – the lack of data restriction – that is really the major issue now. Whilst external attacks are ever-present and still occasionally create international headlines, your biggest threats today are on the inside.
In last year's “Cyber Security Watch” survey from Deloitte, 46 per cent of respondents said insider attacks were more costly to their organization than external attacks. While the incidence of insider incidents has stabilized over the past few years, the opportunities have increased because of greater use of third-party contractors, the bring-your-own-device phenomenon, and the intermingling of personal and business data, spurred by the popularity of smartphones and tablets.
‘Threats’ itself may also be a little misleading, conjuring images of shady data theft and corporate espionage with ‘men on the inside’, but one of the biggest ‘insider threats’ is simply employees unintentionally causing a data leakage incident, driven by the massive increase in the need or desire to work remotely or on the move.
Employees generally need access to work documents if they are on the move. But if staff are not office-bound, yet working together, how are files shared?
A new study has broached the question. Sponsored by SkyDox, the research was conducted between April 16 and April 30 2012, with over 4,000 respondents comprising employees from UK and U.S. based companies.
The survey asked how employees are working with mobile devices and consumer-based applications, as well as whether staff turn to free file-sharing platforms to make their lives a little easier - and if their IT departments were aware of this.
Many respondents stated that mobile working is becoming extremely important in the modern enterprise, and 77 per cent said that they required access to documents outside of the office. In marketing functions, 92 per cent wanted access, 92 per cent in finance, and 80 per cent in sales. Only 35 per cent in administration required access to corporate documents at home.
Use of free file-sharing applications to share corporate documents is at a very high level - 66 per cent across the board - and many employees stated they did not report their use of free file-sharing platforms to their IT departments. In turn, it was suggested that many IT departments do not provide a secure application through which corporate files can be shared and edited by employees outside of the office.
Considering the issues that arise from taking corporate information off the network and placing it on potentially less secure, public platforms, from IP protection and data security through to compliance, this issue needs to be addressed.
So how can we balance the need to keep up with end-user interface trends and tech, but still keep that all important confidential data confidential? Fortunately, the answer is being formulated from every conceivable angle by a number of developers and startups around the globe. In this article we’ll take a look at some of the most interesting:
The standard security assessment framework
Roger Grimes, a Principal Security Architect at Microsoft and author of eight books on computer security, believes that taking a fresh approach to permissions, one that accounts for multiple factors beyond simply the right username and password, can give multiple layers of access and mitigate the increased risk of mobile devices.
“The framework is intended to help companies assess the relative risks of BYOD hardware and the level of access they should have to different types of data. In so doing, companies can codify their level of risk tolerance as it applies to BYOD.
As one example, at Microsoft, we consider the following four broad categories: the device and its security, session origination location, identity/authentication, and the data/service/application being accessed.
Each component of the first three factors is given an assurance rating, from least secure to most secure. For example, IDs authenticated using simple PINs with no account lockout are among the least secure authenticators. Log-ons using smartcards or tokens with PINs and with account lockout would be among the most secure. Complex passwords, biometrics, and finger-swipe log-ons would all be ranked along the security continuum under the identity/authentication factor. IDs belonging to internal employees might be more trustworthy than global IDs or third-party vendors -- and so on.”
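To make the framework concrete, here is an added worked example (not Microsoft's code, and not from the article) that rates the three assessed factors on an assurance scale and compares each against the minimum the requested data class demands. Every rating, component name, data class and threshold below is an assumption chosen to mirror the article's ordering (simple PIN with no lockout at the bottom, smartcard or token with PIN and lockout at the top, third-party IDs trusted less than employee IDs); a real deployment would substitute its own risk-tolerance table. Unknown components are treated as least secure so the check fails closed.

```python
"""Multi-factor assurance rating for a BYOD access request.

Illustrative example only: the tables below are assumed values, not any
vendor's actual policy. Three factors (device, session origin, identity)
are each rated LOW/MEDIUM/HIGH; the fourth factor, the data being accessed,
sets the minimum rating every other factor must reach.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed assurance ratings per component, ordered least to most secure.
IDENTITY = {
    "pin_no_lockout": Assurance.LOW,
    "password_complex": Assurance.MEDIUM,
    "biometric": Assurance.MEDIUM,
    "smartcard_pin_lockout": Assurance.HIGH,
}
DEVICE = {
    "unmanaged_personal": Assurance.LOW,
    "byod_mdm_enrolled": Assurance.MEDIUM,
    "corporate_managed_encrypted": Assurance.HIGH,
}
LOCATION = {
    "public_wifi": Assurance.LOW,
    "home_vpn": Assurance.MEDIUM,
    "corporate_lan": Assurance.HIGH,
}
# Assumed policy: minimum rating every factor needs for each data class.
DATA_POLICY = {
    "public": Assurance.LOW,
    "internal": Assurance.MEDIUM,
    "confidential": Assurance.HIGH,
}


@dataclass(frozen=True)
class AccessRequest:
    device: str
    location: str
    identity: str
    data_class: str
    principal_type: str = "employee"  # "employee" or "third_party"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    weakest_factor: str
    reasons: tuple  # one entry per factor that fell below the required rating


def rate(request: AccessRequest) -> dict:
    """Rate the three assessed factors. Unrated components fail closed to LOW."""
    ratings = {
        "device": DEVICE.get(request.device, Assurance.LOW),
        "location": LOCATION.get(request.location, Assurance.LOW),
        "identity": IDENTITY.get(request.identity, Assurance.LOW),
    }
    # Third-party IDs are trusted one step less than employee IDs (assumption
    # modelling the article's "internal employees might be more trustworthy").
    if request.principal_type == "third_party" and ratings["identity"] > Assurance.LOW:
        ratings["identity"] = Assurance(ratings["identity"] - 1)
    return ratings


def evaluate(request: AccessRequest) -> Decision:
    """Allow only if every factor meets the minimum for the requested data class."""
    required = DATA_POLICY.get(request.data_class, Assurance.HIGH)  # unknown data: strictest
    ratings = rate(request)
    reasons = tuple(
        f"{factor}={level.name} below required {required.name}"
        for factor, level in ratings.items()
        if level < required
    )
    weakest = min(ratings, key=ratings.get)
    return Decision(allowed=not reasons, weakest_factor=weakest, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample: a complex password from a coffee-shop Wi-Fi on a personal laptop.
    req = AccessRequest("unmanaged_personal", "public_wifi", "password_complex", "internal")
    print(evaluate(req))
```

The `reasons` tuple doubles as step-up guidance: it names exactly which factors must be raised (enrol the device, move to a VPN, use a stronger authenticator) before the same data becomes reachable, which is the codified risk tolerance the quote describes.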
Bromium, a security startup co-founded by executives from Citrix, Xen.org, and Phoenix Technologies, has devised a new technology that employs virtualised containers to isolate malware and prevent it from infecting the underlying operating system or other members of the enterprise network.
The goal of these so-called "micro-VMs" is to stop attacks in their tracks at the endpoint. The assumption is that you can't prevent users from mistakenly clicking a malicious link or opening an infected document, and that the bad guys are bypassing perimeter defences, so they are already inside the user endpoint, via the browser or the email inbox, for example. The micro-VM takes the infected area out of the equation and kills it off before it can harm the rest of the system.
BYOD is becoming commonplace due, in part, to the rush to cloud-based infrastructure that we have seen in the last three to five years. Online storage, backup and collaboration are no longer in the hands of the rich and technologically advanced – consumer apps such as Google Docs, Dropbox and Crashplan have brought innovations that only a few years ago would have cost thousands down to a price accessible to all.
But cloud systems are going much further than mere file storage. With devices such as the Chromebook, Google’s entry into the world of notebooks, the need for a full local operating system has been done away with altogether; your applications live on cloud servers instead.
The fact is that most businesses do not need physical ownership of their data – the actual magnetic elements on disk, tape or chip. The ownership only needs to cover what those ones and zeroes represent. Placing all the data on secure cloud servers does not make the cloud provider its legal owner, any more than the manager of a lock-up owns the contents of the lockers he rents out.
The beauty of the cloud model extends beyond simply being virtual: it leverages the power of the masses. That means superfast hardware managed by a dedicated company, with top-end security protection for your data, which can be totally divorced from the applications given permission to access that data.
Even the apps themselves no longer need to be individual installations. Cloud-based apps are increasingly no more than access licences, rather than complete, unique copies. Effectively you are leasing usage, which means control over access to your apps; those apps can be the only ones with permission to access your data, and, through virtualisation, they can be run on virtually any device.
There is still a balance to be struck while users demand the fully integrated feel that their home media centres, smartphones, tablets and other devices offer them in the domestic domain, but a cloud-micro-virtualisation hybrid goes a long way towards resolving that, giving companies the security they need to protect their interests while allowing completely remote working by staff on their device of choice.
Now if only there was an app to stop people leaving documents in coffee shops…
The rise of BYOD and the security solutions around it will be one of the key topics under the spotlight at Information Security FS - The only information security conference for financial services professionals.
With a proven track record in conferences for the financial services industry, Information Security FS is brought to you by the organisers of TradeTech and FIMA conferences.