Views from the Inside: A successful BYOD policy is not just about security

The BYOD trend shows no sign of abating as more and more organizations recognize the potential benefits in terms of cost and convenience. According to a recent survey by Good Technology, 76 percent of enterprises are now supporting BYOD and the majority of those that still don’t are planning to do so in the near future. When we look closer, we find that 75 percent of those supporting BYOD employ at least 2,000 people, and 46 percent have 10,000 or more employees.

Large organizations and companies can be impatient to adopt new trends, especially when they potentially offer a competitive edge, but patience is a virtue. A rush to roll out BYOD without proper consideration of the impact can end in disaster.

Security is not the only concern

Most conversations about BYOD tend to focus on the specter of security as the main obstacle to overcome, but for large organizations there is another major hurdle. A recent Brocade White Paper focusing on BYOD policies found that “50 to 90 percent of BYOD projects fail or suffer significant delays due to a singular focus on security.” The cost is realized in help desk calls, user complaints, network issues, and an inevitable drop in morale.

So, what is being overlooked? Inevitably it’s the increased demands on the infrastructure. You wouldn’t buy thousands of new computers and expect to hook them up to your existing network without some impact on your bandwidth, but that’s exactly what large organizations are doing when they open up access for thousands of employee-owned smartphones, tablets, and laptops. You will need to add more wireless bandwidth.

The key to BYOD success

There are two steps to ensure your new BYOD policy is launched successfully. Start with the infrastructure. It needs to be able to handle the increased workload reliably, and your IT department must have easy access to manage it. Your IT staff will need to learn new skills, and the plan may encompass sophisticated corporate governance solutions. The important thing is to devise a strategy and take the time to implement it properly before you go live.

When you have a plan for the infrastructure, you can move on to security and consider user and device identification and authentication, MDM tools and policies, and any compliance issues that may crop up. If you can bake your security strategy into the overall design, rather than apply it on top as a separate layer, then you’re likely to feel the benefit down the line. This will also make it easier to monitor and enforce your policy.

Infrastructure challenges to consider

There is a lot to think about when you are developing a BYOD infrastructure. Your IT department must be able to monitor your network bandwidth and scale it as needed based on current and projected usage. Application and desktop virtualization will make the whole system more manageable for the IT department and help to deal with compatibility issues which can arise with a range of different devices and platforms. If resources can be compartmentalized on the network then it’s easier to restrict access and maintain security standards.

NAC (Network Access Control) is one of the most important pieces of the puzzle because it allows the IT department to monitor all of the devices connected to your network and provide relevant access after devices and/or users have been identified and authenticated. Depending on your organization, it may also be important to consider guest access and how that might be handled. Network segmentation with central oversight and control will ensure that no one has access to anything that they shouldn’t.

Embrace the challenge

Like so many challenges in business, the earlier you address the problems presented by BYOD and devise a big picture strategy, the greater your chances of building a smooth running and successful system that offers a consistently good user experience. By carefully considering infrastructure and security together, you can achieve a scalable solution that will cope with the future demands of your growing business, not just your current needs.

Security is a vital part of any BYOD strategy, but you ignore infrastructure at your peril.

By Michelle Drolet, founder and CEO, Towerwall
Special to Boston Business Journal

This article was recently published in Boston Business Journal

Is Your Business Taking the Threat of Mobile Malware Seriously?

Don’t underestimate the damage that malware proprietors can unleash if the right security policies aren’t in place.

Bring-your-own-device (BYOD) programs and cloud computing — two of the biggest enterprise trends from the last couple of years — go hand in hand. Employees want to be given the latitude to use their smartphones for work, and they want to have round-the-clock access to data and applications.

For businesses, there are obvious advantages to both cloud computing and BYOD programs in terms of cost savings, schedule flexibility and improved efficiency — but there is also risk. CDW’s 2013 State of the Cloud Report indicates that 46 percent of the IT decision-makers polled have concerns about the security of proprietary data or applications.

Despite those concerns, the consumerization of IT shows no signs of slowing. A recent Gartner survey found that 70 percent of survey respondents are planning to create BYOD policies within the next year.

Dionisio Zumerle, principal research analyst at Gartner, points out that just as BYOD transforms the enterprise, it must also transform the mobile-security mindset.

“Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security,” he says. “Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization.”

Isn’t Mobile Malware a Consumer Problem?

Predictions about the growing threat of malware in mobile computing have been consistent, but it has largely been perceived as a consumer threat.

Android, Google’s mobile platform, is the main target because its market share is over 70 percent, according to Strategy Analytics. Google’s open-door policy with its Google Play store has allowed many unsavory proprietors to spread their malware across the Android ecosystem. Unfortunately, the belief that the risk of malware infiltration has been exaggerated has led to a boy-who-cried-wolf indifference to the mobile-malware threat.

But no business should get too comfortable, because a diverse, evolving wave of new malware is emerging, intent on mobile espionage and privacy invasion.

While many malware proprietors are still focused on the desktop, they’re not ignoring the BYOD trend. The possibility that the wolf will show up in your company should be taken seriously.

Is Your Business Safe?

Without a sensible usage policy in place, and mobile device management software to actually enforce it, businesses may unnecessarily expose themselves to risk.

For starters, are your employees using password security on their devices? Is there a lock-screen time-out or a limit to the number of times a wrong password can be entered? Employees may visit dubious websites or inadvertently install apps that contain malware. Does your company use any malware-detection or antitheft tools to sniff out intruders?

Businesses should maintain ownership over company data that is on an employee’s device. Remote lock and remote wipe functionality, if a device is lost, are two good features to start with on that front. However, the legality of wiping an employee’s device is still being questioned, and strictly targeting business data for deletion can be difficult.
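As an added example that is not part of the article, the checklist above (passcode, lock-screen timeout, failed-attempt limit, MDM enrollment with remote lock/wipe, malware detection) turned into an automated audit over a constructed device inventory; the field names and thresholds are assumptions chosen for illustration.

```python
"""Audit a BYOD device inventory against baseline device controls.

Added example, not the article's or any vendor's code. The inventory
below is constructed, and the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass

# Assumed policy thresholds (not from the article).
MAX_LOCK_TIMEOUT_SEC = 300   # screen must lock within 5 minutes
MAX_FAILED_ATTEMPTS = 10     # wipe/lock after at most 10 wrong passcodes


@dataclass
class Device:
    owner: str
    platform: str
    passcode_set: bool
    lock_timeout_sec: int        # 0 means the screen never auto-locks
    wipe_after_failed: int       # 0 means no limit on wrong passcodes
    mdm_enrolled: bool
    remote_wipe_enabled: bool
    antimalware_installed: bool


def check_device(d: Device) -> list[str]:
    """Return the list of policy gaps for one device (empty = compliant)."""
    gaps = []
    if not d.passcode_set:
        gaps.append("no passcode")
    if d.lock_timeout_sec == 0 or d.lock_timeout_sec > MAX_LOCK_TIMEOUT_SEC:
        gaps.append("lock-screen timeout missing or too long")
    if d.wipe_after_failed == 0 or d.wipe_after_failed > MAX_FAILED_ATTEMPTS:
        gaps.append("no limit on failed passcode attempts")
    if not d.mdm_enrolled:
        gaps.append("not enrolled in MDM")      # nothing can be enforced remotely
    elif not d.remote_wipe_enabled:
        gaps.append("remote lock/wipe disabled")
    if not d.antimalware_installed:
        gaps.append("no malware-detection tool")
    return gaps


def audit(devices: list[Device]) -> dict[str, list[str]]:
    """Map each device owner to that device's policy gaps."""
    return {d.owner: check_device(d) for d in devices}


def noncompliant(devices: list[Device]) -> list[str]:
    """Owners whose devices fail at least one control."""
    return [owner for owner, gaps in audit(devices).items() if gaps]


# Constructed sample inventory (three fictional employees).
SAMPLE_INVENTORY = [
    Device("alice", "iOS", True, 120, 10, True, True, True),
    Device("bob", "Android", False, 0, 0, False, False, False),
    Device("carol", "Android", True, 900, 10, True, False, True),
]

if __name__ == "__main__":
    for owner, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{owner}: {'OK' if not gaps else '; '.join(gaps)}")
```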

What Is the Malware Threat to the Enterprise?

Device theft and loss are obvious concerns for any company, but a hacker can use malware to collect all of the details needed to access your network. They may not even use the device itself as a gateway, but merely leverage it as a way of obtaining the keys to the kingdom. This kind of data theft could go unnoticed until there has been a substantial loss.

That’s why it is critical that businesses first recognize the threat and then assess their exposure and deal with it by educating staff and implementing a solid mobile device management policy.

By Michelle Drolet, founder and CEO, Towerwall
Special to Biz Tech Magazine

This article was recently published in Biz Tech Magazine

Free Security Tools, Apps, and Widgets

Our friends at Trend Micro offer a range of free tools, apps and widgets to protect your devices and help you manage your online activity.

You can check them out and download them for free on our Security Tools, Apps, and Widgets Page.

Please Join Towerwall at the Information Security Summit 2013

Please join us for this timely forum on what you need to know about the latest security issues, threats, and technologies that will help you protect your business!


May 30, 2013  8:00AM – 1:00PM

MassBay Community College

50 Oakland Street  | Wellesley Hills, MA 02481

$45

Pre-registration required.

To register visit: http://tinyurl.com/ITsecuritysummit


Information Security Summit 2013 - Thursday May 30, 2013 from 8:00 AM to 1:00 PM

DEFENDING YOUR DATA

Content is the lifeblood of every organization. The way we create, consume and communicate has radically changed in the last several years – and so must the security systems we use to defend it. Today, attacks on company data are more sophisticated and targeted, and most are aimed at stealing precious data. Every channel of communication is vulnerable; from email and mobile computing devices to a multitude of web-enabled technologies. If it’s hard for large, sophisticated businesses to keep up with the latest security challenges, it’s an even more daunting task for smaller and medium sized businesses.


Featured Topics:

  • BYOD
  • Risk/Compliance
  • Application Security
  • Current Threats


Top Ten Malicious Lists

Top Ten Malicious URLs

Top 10 malicious URLs blocked by the Trend Micro™ Smart Protection Network™ infrastructure in 2012



Top Ten Spammers

Top 10 spam-sending countries in 2012.

Rank Country
1 India
2 Saudi Arabia
3 United States
4 South Korea
5 Peru
6 Vietnam
7 Turkey
8 Brazil
9 Russia
10 Indonesia

Verify the Security of your Mobile Apps

Network World – The enterprise is increasingly turning to mobile app developers for solutions to leverage interest in BYOD. Gartner estimates that 70% of mobile professionals will conduct their work on personal smart devices by 2018. The app development boom has fostered a competitive environment for developers and there is a focus on speed. But in the rush to deploy enterprise apps and start reaping the benefits, it is easy to overlook key security risks that could cause irreparable damage to your business.

As developers create apps to run on multiple platforms and plug into existing ERP systems, vulnerabilities grow. From insecure data storage to improper session handling, from side channel data leakage to weak server-side controls, there are many risks to consider and robust penetration testing is an absolute must.


Start at the beginning

Security should not be an afterthought. If you place too much emphasis on speedy delivery then pressured developers are liable to sideline security concerns. They may have the expertise to create the functionality you need, but all too often developers lack the knowledge to deliver enterprise-standard security that stands up to regulatory compliance standards. The earlier in the process that security is factored in, the more time and resources you’ll save down the line.

There are also major differences between the main mobile platforms and the level of security they offer for app developers. It’s worth considering operating system-based points of attack when you make your choice, whether it’s jailbreaking on iOS, rooting on Android, or known vulnerabilities in encryption mechanisms.

With a focus on security implemented at the start of development you can alleviate doubt when it comes to deployment. You should think about automated unit testing, regular code reviews, using standardized libraries with security credentials wherever possible, and insisting on penetration testing as part of the QA process. Do your due diligence and get assurances about your security concerns at the outset, before development begins.

Cracking the cloud

The majority of mobile applications are going to connect to Web applications and exchange data so developers cannot afford to forget the Web application layer. Developers need to consider the services that mobile apps are using in the cloud and ensure that encryption covers the data on every step of its journey. Storing sensitive data like unencrypted passwords in data cache files is all too common. In the cloud, in transit and on the local device, there must be encryption and protection at all times. Integration is at the core of the issue. You can’t focus on the mobile app to the detriment of remote authentication or the cloud platform. Third-party services and systems must be assessed in terms of their security as well as their utility. A chain is only as strong as its weakest link.

It’s vital that attempts to break that chain are not half-hearted. Only a third-party organization with no vested interest in the development can provide the peace of mind you need when it comes to thorough security testing.

Testing techniques

One of the reasons that secure development for mobile apps is so challenging is the lack of established standards and the scarcity of useful tools and resources. Security expertise on one platform does not guarantee expertise on the next. Threats must be modeled and a methodology is required for security testers on each platform.

Without an expert understanding of potential weaknesses it is very hard to verify the security of a mobile app. A glance at the Open Web Application Security Project gives you some idea of the enormity of the task. It is a serious challenge, but not an insurmountable one. Attacks can be focused on the browser, the device, the app, the platform, the network, or even your web server and database. In order to uncover vulnerabilities and expose loopholes you need several rounds of expert mobile security testing.

Fixes during development can introduce new issues, so don’t run one test cycle, plug the gaps, and then assume the app is secure and fit for deployment.

The good news is that secure development for mobile apps is achievable and it can be done at a fraction of the cost of a major security breach for your company.

Drolet is founder of Towerwall, a data security services provider in Framingham, Mass., with clients such as Bose, Middlesex Savings Bank, Raytheon, Brown University and SMBs. You may reach her at michelled@towerwall.com.

Download our free eBook “Beware of BYOD”.

By Michelle Drolet, founder and CEO, Towerwall
Special to Network World

This article was recently published in Network World