We're all familiar with the dangers of BYOD: data breaches that succeed because devices lack proper security controls and encryption, or have missed operating system updates; data leakage because device software is not updated regularly; malware on a device finding its way onto the corporate network. Then there are the tech-savvy employees who try to bypass restrictions or misuse Wi-Fi, and the careless ones who lose these 'always-on' personal devices.
The list goes on. However, personal devices should pose no greater danger than company-issued hardware, with one important proviso: focus your major efforts on securing the core of your system first, your network, and then work outwards with access control, authentication control and finally device control.
Here are the four essential steps to take for network security in the BYOD age:
1. Create a structured network segmentation strategy
A tiered network structure might include a public network, a private intranet and a network for secure, limited access. Public and unauthorised devices get internet access through the public network only, while authorised devices reach the secure networks, and to count as authorised a device must meet your BYOD standards. The secure network should be locked down tightly: IP-restricted, limited to named users, and reachable only through a VPN.
2. Limit access to systems through a single point and apply fine-grained access controls
If all access goes through a central point, you can add role-based access control to limit which users may use which systems and information. Apply the principle of least privilege here so that employees have access only to the services they really need. If you can restrict by profile, you can also control who has access to what from inside the office network and from outside, for example limiting certain fileshares or applications to the office network only; this makes auditing and monitoring easier and helps contain data leakage.
At the very least, organisations need enough visibility that every item can be traced and every user accessing sensitive material, copyrighted data for example, is audited and monitored.
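As an added illustration, not part of the original article, here is a small central policy decision point in Python that applies the two rules above: role-based least privilege (nothing is granted unless a role grants it) and an office-network-only restriction on selected fileshares, with an audit line produced for every decision. The role names, resource names and the 10.20.0.0/16 office range are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed office intranet prefix (constructed for this example; use your own).
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Role -> resources that role may use. Least privilege: anything not listed is denied.
ROLE_GRANTS = {
    "engineer": {"git", "wiki", "build-share"},
    "finance": {"erp", "finance-share"},
    "staff": {"wiki", "mail"},
}

# Resources that may only be reached from inside the office network.
OFFICE_ONLY = {"build-share", "finance-share"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def in_office(source_ip: str) -> bool:
    """True when the request originates from one of the office prefixes."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def authorise(user: str, roles, resource: str, source_ip: str) -> Decision:
    """Central decision point: check the role grant first, then the location rule."""
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    if resource not in granted:
        return Decision(False, "no role grants this resource")
    if resource in OFFICE_ONLY and not in_office(source_ip):
        return Decision(False, "office-only resource requested from outside the office network")
    return Decision(True, "granted")


def audit_line(user: str, roles, resource: str, source_ip: str) -> str:
    """Evaluate the request and render one line for the audit log (allow and deny alike)."""
    decision = authorise(user, roles, resource, source_ip)
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} user={user} roles={','.join(sorted(roles))} "
            f"resource={resource} src={source_ip} reason={decision.reason!r}")


if __name__ == "__main__":
    print(audit_line("alice", ["engineer"], "build-share", "10.20.5.7"))
    print(audit_line("alice", ["engineer"], "build-share", "203.0.113.9"))
    print(audit_line("bob", ["staff"], "erp", "10.20.1.1"))
```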
3. Increase authentication to corporate resources
Introducing Identity and Access Management (IAM) and Single Sign-On (SSO) technology means that, regardless of how your network and data are being accessed, you know they are being accessed securely: through correct identity mapping, correct access assignments and robust authentication flows. Enterprise IAM solutions can even provide real-time, continuous risk analysis of users, detailing who has access to what, who has access to privileged resources and what they do with it, and summarising each user's behaviour and access rights as a per-user risk score.
SSO helps separate the user from the device: whatever device a user upgrades to, they must still pass strict SSO authentication. Adopting trust-based authentication technology such as SAML (Security Assertion Markup Language), which lets trusted web domains exchange user authentication and authorisation data, also means there is no password to steal should a device be stolen.
4. Manage your devices
With the network itself under control through IAM, segmented networks, VPN access and fine-grained access control, managing the actual end-user device is the next step. This is where technology like mobile device management (MDM) comes into play. From managing what is installed on these devices and what may be installed in future, to auditing and monitoring their use, to locking down and disabling stolen devices, MDM is a vital piece of the jigsaw for effective BYOD. It can also be used to ensure that devices remain patched and up to date, reducing the chance of malware reaching the network.
The rise in BYOD is challenging for IT security professionals. By concentrating on network-based solutions and technologies, backed up with stringent security policies, the risks can be mitigated. Yet, what is becoming clear is that BYOD is just the tip of the iceberg. The growth in wearable tech (WYOD) and the Internet of Things in a work environment are two further challenges on the horizon. Decisions on how and whether to integrate a growing number of connected devices into corporate systems and how to protect the huge amounts of data generated and transmitted are likely to cause some sleepless nights in the future.
Contributed by Lee Painter, CEO, Hypersocket Software