CIO Challenge: BYOD + Security

A big thank you to Russell Schmidt, the CEO of Extenda Communications, for his answer to our question on Quora:

What are the most effective security solutions for corporate IT departments managing a BYOD (Bring Your Own Device) mobile tech ecosystem?

“The answer depends on your risk tolerance, budget and size. My answers here are geared towards a small to medium sized business with limited budgets.

To start with, are tablets and smartphones tougher to secure than laptops? Yes, and by a lot. It is easier to lose a phone or tablet, and many apps don’t authenticate. The adoption of cloud storage and SaaS delivered as native apps means that some goober could potentially get into your hosted CRM database by picking up a phone left at a Starbucks.

The major threat vectors I see in the field for a small business are the typical wireless-access-to-your-network issues, plus concerns with data integrity and versioning from devices that are not communicating in real time but are essentially doing batch transfers, and the ‘skeleton key’ issue, where some users have a lot of network access riding around in their pocket. I will lump in app access to cloud infrastructure with this last issue.

If you have a higher tolerance for risk, which is to say you value convenience and mobility more than the perceived risk, I would recommend a few steps to mitigate disaster. First, rethink your folder permissions on cloud storage apps. Many of my customers just share everything, or share parent folders so permissions are inherited down the chain. File access to, say, Dropbox from a found phone is a fingertip away. Only share what you are willing to lose, give permissions on a need-to-know, folder-by-folder basis, and give IT control over who has access to what and ideally track the permissions, even if it’s on a spreadsheet, so when Joe says he lost his phone, you can delete the user account in Dropbox and then help management assess what is at risk. Second, enforce a passcode policy for BYOD-ers and make sure that at least Apple users have the ‘Find My iPhone’ app so you can wipe the devices if they are lost. Third, while wireless network security is a world unto itself, you should be regularly changing strong Wi-Fi passwords. IT can dangle the carrot of the new Wi-Fi password in exchange for a passcode check on the device if you don’t have Exchange deployed enforcing ActiveSync policies and passcodes under IT control.

Note that if you are sharing Google Docs, that presents a different problem, as there are a lot of apps resident on a phone or tablet that give one-touch access to these documents without user authentication. Enforce two-step authentication if your company is using Google Docs. I would even consider using password authentication on MS Office docs & PDFs you really care about that are in cloud storage.

If your attitude is “trust but verify” like Reagan with the Soviets, the biggest change to make is not deploying cloud file sharing apps that do not have user authentication every time. Also, time out these user authentications. The idea is that in this scenario you are shutting off the ‘always on’ connections into your network or file sharing, but not depriving tablet or smartphone users from the option to access things they would normally be able to. Also consider encrypting your tablets.

If your attitude is, “Get that junk off my network!”, you are a network admin or work in a regulated industry. The steps I would recommend in that case are to use MAC authentication for wireless access at a minimum, so IT controls exactly who is on the network. This is absolutely terrible to administer in large networks, which is why a lot of large networks will instead segregate the wireless network and stick it in a DMZ so that it is outside the firewall and tablets, etc., can’t open a port in. Basically, in this scenario, your wireless device is using the internet connection but it is as if you are not on the network. So for devices to get network access, tablets and smartphones would have to use an encrypted VPN app to tunnel back in, and of course they should be required to authenticate every time, without an option to auto-populate the password on their device, and with a short time-out.

An interesting solution is using virtualized desktop apps to give network access. This way, user authentication is enforced, as are timeouts, and the user inherits the same permissions they’d have anyway, as they are just looking at their desktop.

There is a ton I didn’t cover, such as email security and switching firewall security from Stateful Packet Inspection to Deep Packet Inspection (if you have the staff to manage it), but I think taking some basic precautions goes a long way.”
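The answer above recommends tracking cloud-folder shares (even in a spreadsheet) so that when a BYOD phone goes missing IT can revoke the right account and tell management what was exposed, and it warns that sharing a parent folder hands out every subfolder underneath it. The following is an added example, not code from the quoted answer or from any product it mentions: it expands a constructed share inventory (CSV, the "spreadsheet") through folder inheritance, reports the blast radius of a named user's lost device, and flags the widest "skeleton key" shares. The folder tree, user names and access levels are all made up for the example.

```python
"""Blast-radius check for cloud folder shares when a BYOD device is lost.

Added example; assumes IT keeps a share inventory with columns folder,user,access
and that sharing a folder grants every subfolder beneath it (inherited down the chain).
"""
import csv
import io
from collections import defaultdict

# Constructed sample inventory (what the answer suggests tracking in a spreadsheet).
SHARES_CSV = """folder,user,access
/,alice,edit
/Finance,bob,edit
/Finance/Payroll,carol,view
/Sales/Leads,dave,edit
/Sales,joe,view
"""

# Constructed folder tree of the cloud storage account.
FOLDERS = ["/", "/Finance", "/Finance/Payroll", "/Finance/Tax",
           "/Sales", "/Sales/Leads", "/HR"]

RANK = {"view": 1, "edit": 2}  # "edit" beats "view" when two shares overlap


def parse_shares(text):
    """Read the inventory CSV into a list of {folder, user, access} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_under(folder, parent):
    """True if `folder` is `parent` itself or lies anywhere beneath it."""
    if parent == "/":
        return True
    return folder == parent or folder.startswith(parent.rstrip("/") + "/")


def effective_access(shares, folders):
    """Expand inherited permissions: user -> {folder: highest access granted}."""
    acl = defaultdict(dict)
    for share in shares:
        for folder in folders:
            if is_under(folder, share["folder"]):
                current = acl[share["user"]].get(folder)
                if current is None or RANK[share["access"]] > RANK[current]:
                    acl[share["user"]][folder] = share["access"]
    return dict(acl)


def lost_device_report(shares, folders, user):
    """What a found phone logged in as `user` can reach, and the shares IT must revoke."""
    acl = effective_access(shares, folders)
    return {
        "user": user,
        "exposed": acl.get(user, {}),                       # effective, after inheritance
        "revoke": [s["folder"] for s in shares if s["user"] == user],  # direct shares to delete
    }


def widest_shares(shares, folders):
    """Rank direct shares by how many folders they fan out to (the 'skeleton key' users)."""
    fanout = [(s["user"], s["folder"], sum(1 for f in folders if is_under(f, s["folder"])))
              for s in shares]
    return sorted(fanout, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    shares = parse_shares(SHARES_CSV)
    report = lost_device_report(shares, FOLDERS, "joe")
    print(f"Lost device for {report['user']}: revoke shares on {report['revoke']}")
    for folder, access in sorted(report["exposed"].items()):
        print(f"  exposed: {folder} ({access})")
    print("Widest shares (user, folder, folders reachable):")
    for row in widest_shares(shares, FOLDERS):
        print(f"  {row}")
```

Run it with the constructed inventory and Joe's single share on /Sales shows up as two reachable folders, while Alice's share on the root reaches all seven; the second list is the one to hand to management when deciding what is worth sharing at all.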


©2010-2014 LiveCirrus Inc.