Almost by the day, enterprises are becoming more receptive to the consumerisation of IT and introduction of mobile devices and platforms into their environment.
Introducing smartphones, netbooks or newer technologies such as the iPad and e-readers can pose security issues for an organisation, and for any customer or business whose data is held on the devices.
Threats such as Trojans and drive-by downloads that exploit unpatched vulnerabilities in software installed on an endpoint, rogue security applications, spyware, botnets, worms, viruses and phishing attempts all apply as much, if not more so, to consumer devices as to office-bound PCs.
And once commercial data makes its way onto an employee’s device, which is often unmanaged, the enterprise can no longer control its spread or usage.
“Additionally, consumer platforms such as Mac and iPhone are becoming an increasingly attractive target to attackers due to their explosive growth – the more there are out there, the more potentially unprotected endpoints there are to attack,” regional product management manager APAC and Japan at Symantec, Josh Simmons, says.
IT managers must also bear in mind that while employee devices perform a dual role — as a personal device and a company device — the protection of any organisational data held on the devices is totally up to the company, says senior marketing manager for Websense, David Brophy.
“Organisations must not only bear the expense of fines and remediation if they suffer a data loss, they also risk the resulting loss of shareholder and customer confidence,” he says. “This can have an adverse impact on reputation, brand, stock value, and even the potential for criminal prosecution against company executives.
“It doesn't matter whether breaches are accidental or deliberate; what matters is that the organisation is seen to have failed in its responsibility to care for personal and confidential information.”
It’s pretty clear that consumer IT in the enterprise is risky, but if banning or limiting devices isn’t an option, what can you do?
Managing the risks of consumer IT
To begin managing the risks of consumer IT, Gartner Research vice president, Leslie Fiering, suggests one of the first steps is to reassess security policies so that, when an employee-owned device attaches to the enterprise network, the policy assumes the device is “hostile until proved otherwise”.
“The response must be a series of network access controls (NACs) that include strong authentication, and scan and block functionality, as well as network behaviour analysis,” she says. “A variety of methods can be used to identify specific devices, their physical and virtual locations, and their usage history.”
Such device ‘fingerprinting’ can help organisations determine whether a user is connecting from a managed company device, from a personal device that has been registered with the organisation's technical support group, or from a completely unknown system such as a kiosk in a coffee shop. Further tests can also determine the security posture of the device, and whether it has been recently scanned for malicious software.
Designing a robust, scalable and secure remote-access strategy is the next step. In essence, if a device does not conform to the policy, it is quarantined to a protected part of the network for remediation.
IT managers should also consider multiple levels of access based on trust, bearing in mind that unmanaged and uncontrolled platforms are more likely to contain keystroke monitors, worms, remote-access Trojans and other malware than managed platforms.
After that, establish application and data requirements that weigh the method of application delivery and remote access against the trust level of the target device to determine the level of data leakage risk.
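The steps above amount to a default-deny access decision: identify the device, check its posture, and map the result to a trust tier that selects what it may reach. The following Python is an added illustration of that logic, not code from the article or from Gartner; the device fields, the seven-day scan threshold, the inventory lists and the segment names are all assumptions chosen for the example. Posture data is constructed inline so it runs offline.

```python
"""Default-deny network access decision for a device attaching to the network.

Added example, not from the original article or any vendor quoted in it.
Models the procedure described in the text: an attaching device is hostile
until proved otherwise, is identified against the managed and registered
inventories, has its security posture checked, and is mapped to a trust tier
that selects a network segment. Field names, thresholds and segment names are
assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set, Tuple


class Tier(Enum):
    QUARANTINE = "quarantine-vlan"   # remediation servers only
    RESTRICTED = "restricted"        # browser-delivered apps, no local data sync
    FULL = "corporate"               # managed device on the standard operating environment


@dataclass(frozen=True)
class Device:
    fingerprint: str                 # assumed stable identifier reported by the NAC agent
    last_av_scan: Optional[datetime] # None if the device has never been scanned
    os_patched: bool
    disk_encrypted: bool
    agent_intact: bool               # False if the agent's tamper check failed


@dataclass
class Inventory:
    managed: Set[str] = field(default_factory=set)     # company-owned, under the SOE
    registered: Set[str] = field(default_factory=set)  # personal, registered with support


MAX_SCAN_AGE = timedelta(days=7)  # assumed policy value


def posture_failures(dev: Device, now: datetime) -> List[str]:
    """Return the list of policy checks the device fails (empty if compliant)."""
    fails = []
    if dev.last_av_scan is None or now - dev.last_av_scan > MAX_SCAN_AGE:
        fails.append("stale-or-missing-malware-scan")
    if not dev.os_patched:
        fails.append("os-unpatched")
    if not dev.disk_encrypted:
        fails.append("disk-unencrypted")
    return fails


def decide(dev: Device, inv: Inventory, now: datetime) -> Tuple[Tier, List[str]]:
    """Map a device to a trust tier; any unknown or non-conforming device is quarantined."""
    known = dev.fingerprint in inv.managed or dev.fingerprint in inv.registered
    if not known:
        # Hostile until proved otherwise: posture claims from an unknown device are not trusted.
        return Tier.QUARANTINE, ["unknown-device"]
    if not dev.agent_intact:
        # A tampered agent cannot vouch for anything else it reports.
        return Tier.QUARANTINE, ["agent-tampered"]
    fails = posture_failures(dev, now)
    if fails:
        return Tier.QUARANTINE, fails
    if dev.fingerprint in inv.managed:
        return Tier.FULL, []
    # Healthy but personally owned: apps are delivered to it, data does not live on it.
    return Tier.RESTRICTED, []


# Constructed sample data for demonstration.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = Inventory(managed={"mgd-001"}, registered={"byod-007", "byod-008"})
SAMPLE_DEVICES = {
    "managed-clean": Device("mgd-001", NOW - timedelta(days=1), True, True, True),
    "byod-clean": Device("byod-007", NOW - timedelta(days=2), True, True, True),
    "byod-stale-scan": Device("byod-008", NOW - timedelta(days=30), True, False, True),
    "coffee-shop-kiosk": Device("kiosk-unknown", NOW, True, True, True),
    "tampered-agent": Device("mgd-001", NOW, True, True, False),
}


def evaluate_samples() -> dict:
    """Run the decision over every constructed sample device."""
    return {name: decide(dev, SAMPLE_INVENTORY, NOW) for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, (tier, reasons) in evaluate_samples().items():
        print(f"{name:20s} -> {tier.value:16s} {', '.join(reasons)}")
```

The ordering of the checks is the point: identity is established before posture is believed, a failed tamper check overrides every other self-reported attribute, and a compliant personal device still lands in a restricted tier rather than the corporate segment, which is the tiered-trust model the text describes.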
You should also isolate the enterprise’s digital assets from whatever other applications and data are on the employee-owned device, further protecting enterprise or customer data and intellectual property.
“Ideally, there is absolutely zero data leakage between corporate-and personal-owned devices,” Fiering says. “This means that malware on the employee's system cannot get to the enterprise data and applications, and the enterprise data cannot be copied onto the user's system or an external medium. It is also critical that whatever enterprise digital information resides or runs on the employee-owned system can be totally removed without leaving any traces, such as temporary files.”
Many Trojans doing the rounds are designed to bypass endpoint protection software. Head of security practice at BT Australia, Harry Archer, also stresses the importance of behaviour analysis techniques and strong policies. “Having [endpoint security] software is not in itself effective,” he says. “It has to be controlled by security policies and combined with centralised management, with security monitoring, including auditing of the devices. End point devices need to be protected with tamper proof security agents.”
Managing director at Sybase ANZ, Dereck Daymond, says there are four areas every organisation should assess: how to deny access to unauthorised users; how to manage the loss of a device containing company data; how to remove corporate data from a personal device when an employee leaves the organisation; and how to protect confidential data from prying eyes.
“For starters, establish a mandatory security policy requiring employees to set a strong password on their mobile device and to change it every three to six months,” he says. “Mobile management systems can help IT administrators enforce such policies automatically, without the need for user involvement.
“You’ll also need mobile management software offering remote lock and remote wipe capabilities enabling administrators to temporarily ‘freeze’ a device that may simply have been misplaced or remotely erase data from a lost or stolen mobile device… or when an employee leaves the company.”
The development of a clearly stated Acceptable Use Policy (AUP) that spells out what information is made available to whom and when, and that is made known to all employees, is also a good step to take, says vice president APAC for M86 Security, Jeremy Hulse.
“Information should only be accessible to those who need it. There should be different levels of information protection in place and verification systems for those accessing the data. Critical information should also be encrypted to limit its chances of falling into the wrong hands,” Hulse says.
“This is an issue that needs to be closely considered in small and medium enterprise in particular. In such businesses, more trust is placed with employees and there is a tendency for employers to consider protection of data as a secondary priority.”
IBRS Advisor, James Turner, adds that while endpoint security threats are evolving and maintaining tight standard operating environments (SOEs), anti-malware clients, whitelists and greylists remain good habits, organisations must also focus on what they are doing with their applications.
“The more they can secure those — with secure coding and authentication — then they can start streaming that as a Web service or as something that synchronises with a client on a smartphone,” he says. “Focus on what the users are doing, rather than what they’re doing it on.”