In the latest roundtable hosted by SC Magazine, this time in association with Websense, Andrew Kellett asks security professionals how data protection and BYOD can be reconciled.
Securing data is all about devices and users
It is time for organisations to improve the way that data is protected, but with the sales of mobile devices outpacing the distribution of traditional computer hardware, as well as the ease with which we all share information via social networks and the availability of free cloud-based storage, how likely is this proposition?
Realistically, it is impossible to completely protect every device or computer, every account and every user. There are just too many variables. That said, organisations need to try harder – security breaches are increasing and taking longer to detect, and financial information and intellectual property continue to be stolen at will. Security professionals grapple with these issues on a daily basis, and should also be concerned that security is on the senior management radar when the good name of the business is put at risk.
Things must change. Everyone with a responsibility for IT security knows this and, despite their emphasis on specific areas of the market, so do the security vendors. We worry too much about becoming the latest victim of an advanced persistent threat (APT) or state-sponsored cyber crime. There are practical things that can be done to more effectively address the use/misuse of company data by employees, business partners and customers.
The corporate infrastructure has no real boundary or perimeter
Security professionals know that the most effective way to protect their organisation involves the successful management of real-time data flows – controlling data flows from outside the organisation, data emanating from the company and data in transit between corporate users.
Unfortunately, these are also the goals that most senior security professionals recognise as becoming more difficult to achieve as the corporate infrastructure becomes more open. We used to talk about locking down communications systems, maintaining security controls and preventing fraud. What those goals equate to today has changed significantly. Communications systems are web-based and open; their security needs to be maintained in line with business use. Mainstream security controls have to be proportionate to the risk profile of the business, aligned with business use and the ability to operate safely. Finally, fraud prevention involves making systems harder to breach, encouraging the perpetrators to go elsewhere.
Today, we need to add in the elements of consumerisation and the ‘bring your own device’ (BYOD) culture. Security professionals have major concerns about what levels of user and device control can be achieved when secure use seems to be moving away from core business platforms. Aided and abetted by should-know-better elements of senior management, BYOD and other forms of consumer-driven activity are taking over.
Show me the business case for BYOD
From a business-use perspective, every mobile device is an information container, a vehicle for delivering up-to-date business information. It should not matter what the device is, as long as company data can be kept secure and used safely. These are the security drivers, as there are clearly occasions when company data needs to be available for external business use.
Nevertheless, there are concerns among security professionals that business operations are being put at risk for no good reason. The question is being asked: What are the business drivers for BYOD? There has to be more to it than making the senior sales guys look cool at client meetings. Where is the business value? Nice to have does not cut it if there isn't a genuine business need.
Many chief information security officers (CISOs) suspect that the vast majority of new mobile usage requests lack substance beyond the kudos of ownership. Lack of functional business value is another argument against many of these devices. For example, many CISOs believe that few users write anything longer than an email on their mobile device, and even that level of prose does not offer the best user experience. New-generation mobiles are improving, but keyboard limitations still exist. The latest generation of ultrabooks is thin, light and extremely powerful, but even these are mostly used for show. To quote one security expert: “Nobody actually writes anything.”
We must get the security balance right
There has been a fundamental shift from the corporate IT model towards a consumer-led approach, driven by market leaders Apple, Google, Microsoft and Amazon and a supporting cast of social-media companies. Because of the predominantly consumer background of these companies, there is, at best, an absence of appreciation for corporate security requirements and, at worst, a lack of care.
Realistically, the consumer-driven takeover is not going away any time soon, therefore IT needs to address the security issues. When considering BYOD, questions need to be asked about whether the organisation can scan an individual's personal device, whether the device can be quarantined if something malicious is found, and whether items can be deleted without user permission.
Many security professionals are concerned about the amount of time it will take to regain the levels of control they need to protect their business operations. Some claim they never lost control; others say the issue of control was never that clear cut. Most accept the truth.
Going forward, one of the more interesting discussions is around business users, and the need for them to take more responsibility for their own actions. Previously, everything to do with security was centred on corporate responsibility and associated liability. The shift towards personal device ownership should extend to data ownership, a shared burden and a shared responsibility.
There continue to be differing views on what devices should be allowed to connect to corporate networks and how controls should be maintained. One area where there is general agreement is usage. If a device connects to the corporate network, it is likely to access and hold company information owned by the business.
iPads and their ilk are used to record board meetings. This type of device is likely to contain top-secret information and can put the company at risk. Data protection for company-sensitive information is seen as a fundamental requirement. Security facilities that can watch out for and stop a company's intellectual property from leaving, or being copied to non-corporate devices or cloud-based storage, are needed more than ever before. Security professionals know that better levels of protection are required, and concede that more work to control access to data, device usage and user management is essential.
Andrew Kellett is principal analyst, security at Ovum