BYOD: Challenges of Protecting Data - Part Three

Monday, August 06, 2012

Rafal Los


Welcome to part 3 of the 4-part series on Bring Your Own Device (BYOD). In part 1 I set up the discussion points for you and gave you a bit of a background primer.  This generated some discussion.

In part 2 I discussed the debate over one of the key pro-BYOD arguments, increased productivity. This, too, generated discussion.

This brings me to part 3 of the series, the security point-of-view (PoV).  We've generated enough discussion, and complementary blog posts on this topic to make a novel, so I'm going to try and keep this post relatively short (har, har), sane, and in my own voice.

I know lots of you out there have your own opinions and have written on this topic, so please tack those onto the comments section of this post... also leave a Twitter handle for how we can reach you.

I'm going to break this post down into 3 sections: issue analysis, technical challenges, and possible solutions.

If there's one thing I've learned through the last few days talking to people on Twitter about this (and reading the many comments posted) it's that there is absolutely no simple solution, and we're likely not going to all agree.

With that in mind, I continue to invite your discussion, comments, and personal thoughts on this.  Most importantly I'd love to hear from those that have implemented BYOD, from the security and operations angle... how was it?

Issue Analysis

Let's take a look at the first part of this... as one of the many comments on the last point summarized (via @ScreamingByte):

"...what I think we have really arrived at is that we're not blaming BYOD for current failures - we're acknowledging that BYOD would compound current failures."

He points that out rightly, as issues stemming from employees bringing their own devices into the corporate network just compound the problems we have masked today by locking down corporate productivity gear.  The thinking appears to be that if IT can lock down the corporate laptop and not let employees browse content, participate in social media, or load their own software, that will somehow translate into a 'secure' laptop.  Dead wrong, and we have proof littered through the media to demonstrate this case.

At the heart of all of this I believe is that we (I'll include myself in this, since I was not so long ago a sleeves-rolled-up practitioner in big corporate IT) have not actually figured out that there is no such thing as secure.  Therefore, while chasing the myth we've been struggling with the question of how to get to a place we can never reach - I see a problem here, simply on principle.

Another point is that corporate-owned devices aren't the enemy of productivity - a highly restrictive technology platform is.  Employees should be able to work in what ever manner keeps them the most productive while keeping them generally content or happy. In the push for some obscure vision of security, IT organizations have failed to serve their number one customer - the user.  By the way, if you fail to understand that security serves the user... I think you're short-changing yourself.

So there we have it, we're back to basics ... again.

I don't think the sky is quite so dark though, as I may have led you to believe... IT Security isn't just a pack of rabid monkeys pushing random policy and yelling at users... at least not all the time.  In many cases security is highly fractured and broken as a response to the irrational business requests and requirements - and sometimes you just can't help it.  Been there, I can show you the scar.

Whatever the case is, we can agree that BYOD is going to take the many, many potentially small holes in your environment and drive a semi truck through them... blowing a hole the size of a Buick in what security we have now.  This requires a full-scale mobilization... and it's not just because BYOD is going to happen whether you like it or not - but it's mainly because we need to fix this train wreck we call corporate security.

Technical Challenges

Let's acknowledge that the reason IT Security has even a remote grip on IT risks right now is that we've had a relatively easy go at it.  Face it, when you can enforce a lock-down policy on your devices (such as laptops) and turn off so many features that you've decreased the attack surface drastically - and in the process made that piece of equipment as much fun as a two-by-four to the back of the head - it's at least conceivable that you can claim to be able to manage your technical risks.

When someone brings their own, fully operational, fully functional devices with a bright shiny attack surface that you haven't had a chance to lock down... your defensive paradigm falls over.  Unless you're doing smart security at many different layers including the data layer you're about to be in way, way over your head... so that's technical challenge number one - loss of ability to "lock down" mobile endpoints.

Technical challenge number two is a response to number one... the desire to push and enforce policies, software and patches to non-managed endpoints (BYOD devices).  A technical nightmare, wouldn't you agree?  Let's just take the dozens of flavors of Android tablet devices out there - all at different operating system versions, with different features turned on/off by each manufacturer, and with varying levels of securability (I think that's a word?)  

Can you secure all of these variants when they all request to access your corporate MS Exchange server?  Maybe, no guarantees.  Oh, right, then we get to yet another problem - rooted devices.  I have absolutely no idea how many of these feature-enhancements for managing mobile endpoints handle a rooted device which could potentially subvert policy enforcement.  Just thought I'd throw that one out there... if you have any technical expertise or experience with this, please do speak up!

Technically it should be possible to manage most of the soon-to-be-inbound devices from some sort of automated tool or platform.  BYOD has existed for a long time so there must be tools out there to do this... which brings me to another sticking point... privacy.

So @BrianHonan who lives out in the EU (Ireland, specifically) made a big stink about privacy when we first started talking about the idea of pushing and 'owning' BYOD devices.  He feels, and rightly so, that if the device is YOURS the corporation shouldn't be able to snoop into your private text messages, photos and what-not.  But where do you draw the line?  

I don't believe the technology exists today across all devices which can effectively create a full sandbox separation between your corporate space and your private space on your personal device.  Then there's just the creepiness factor of knowing that at any time the company can read and control everything on your device... all because you wanted to use your iPad to read corporate email.

I still think the biggest technical challenge is that many organizations I know, and you probably do too, would have to completely re-architect their environments to accommodate BYOD in a sane fashion.  

What I mean by this is architecting component-level and even data-level security into their environments.  Technically - this is virtually a non-starter... I can't even begin to imagine the work effort this would require.  Identifying where your data lives, classifying it, securing your applications, auditing your user roles and permissions ... this seems like too big of an Everest.

The final point here before I move on is something we've tackled in the previous post ad nauseam so I'll just restate it briefly - support.  I can't even imagine the IT support nightmare that happens when someone is allowed to bring their very own device into the corporate sphere...

Possible Solutions

My first and primary recommendation for not only surviving but maybe thriving in a BYOD reality is going back to basics.

  • Understand your data - It's been said before but security starts and ends with protecting data.  Knowing what's critical to your organization, where it is, who uses it and how is key.  If you can't do this very, very basic thing expect the waters to keep rising around you as you bail with a thimble.  I recognize that in many very large organizations there is no prayer in Hades that you'll identify all of your data ... but that's no excuse not to try, or at least make it a priority to find the most super-duper-critical at the very least.  Find it, understand it, understand how it's used and how it moves... decide whether encryption is enough, or dynamic data masking (DDM), or something virtual desktop or... you get the idea.  It starts and ends with data, period.
  • Secure your applications - You have so many applications in your organization that are poorly secured, and that probably house some fairly critical business functions.  Whether these applications are accessed by some random Internet-based user, or your "inside the firewall only" corporate user - it won't matter anymore because your applications should be resistant to attack and tampering no matter who the user is.  Get rid of the silly notion of applications that are "inside the firewall"... and let's just finally integrate security into development, testing, deployment and the rest of the life-cycle of your applications.
  • Understand your user - I bet right now most of your users have way, way too much access on your network, systems, and applications.  I am not talking about users having local admin on their workstations or laptops, I mean at the file-server level, at the application level or at the data store level.  In a previous life when auditing a database for a group it became apparent that while only 30% or so of their employees had access to the big corporate database, once you authenticated to the database you could select/update/delete from any table, any time... how silly is that?  It's time to review your user access rights, across your environment and really do some IdM (Identity Management).
  • Increase visibility - It's time to stop wasting all of those logs your systems and applications are generating.  Plug it all into an analysis engine that can make sense of it, pulling in context from your change-management database and your asset inventory so you can see threats in a near-real-time fashion, which gives you a chance to spot that obscure needle in the stack of needles... be honest with yourself, would you even know if someone plugged a foreign object into your network today?
  • Have a good policy - Policy, it's more important than we care to admit.  While it may be just some words on a page - once you've educated your employees on the freedoms they have and what happens when they abuse those freedoms, and what responsibilities they have for protecting the company and themselves it's a powerful tool.  Policy can be enforced with incentives as well as negative reinforcement if necessary - the key here is that if you don't have a well-written policy you've got no legs to stand on.
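As an added illustration of the "increase visibility" point above (this is example code written for this page, not code from the original post or from any product), here is the simplest possible form of the "would you even know?" check: DHCP server logs correlated against an asset inventory. The log lines are constructed to approximate ISC dhcpd syslog output and the inventory is a constructed stand-in for a CMDB export; both are assumptions, as are the `managed` flag and the "unknown" versus "byod" categories. Any MAC address that takes a lease and is not a managed corporate asset is reported once, at the time it was first seen.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines approximating ISC dhcpd syslog output (not real captures).
DHCP_LOG = """\
Aug  6 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.1.21 to 00:1a:2b:3c:4d:01 (corp-lt-0421) via eth0
Aug  6 08:03:40 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to 00:1a:2b:3c:4d:02 (corp-lt-0188) via eth0
Aug  6 08:15:03 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to f0:99:bf:11:22:33 (Rafals-iPad) via eth0
Aug  6 08:15:05 dhcp1 dhcpd: DHCPDISCOVER from 3c:07:54:aa:bb:cc via eth0
Aug  6 08:15:06 dhcp1 dhcpd: DHCPOFFER on 10.0.1.78 to 3c:07:54:aa:bb:cc (android-9f2e) via eth0
Aug  6 08:15:06 dhcp1 dhcpd: DHCPACK on 10.0.1.78 to 3c:07:54:aa:bb:cc (android-9f2e) via eth0
Aug  6 09:30:00 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to f0:99:bf:11:22:33 (Rafals-iPad) via eth0
"""

# Constructed asset inventory (hypothetical CMDB export): MAC -> asset record.
# "managed" means the device is under corporate configuration management.
INVENTORY: Dict[str, dict] = {
    "00:1a:2b:3c:4d:01": {"asset": "corp-lt-0421", "owner": "alice", "managed": True},
    "00:1a:2b:3c:4d:02": {"asset": "corp-lt-0188", "owner": "bob", "managed": True},
    # registered BYOD device: known owner, but not under corporate management
    "f0:99:bf:11:22:33": {"asset": "byod-ipad-rlos", "owner": "rlos", "managed": False},
}

# Only DHCPACK matters: that is the moment a device actually holds an address.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    first_seen: str
    category: str  # "unknown" = not in inventory; "byod" = registered but unmanaged
    owner: Optional[str]


def parse_acks(log_text: str):
    """Yield the parsed fields of every DHCPACK line; other messages are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            yield m.groupdict()


def correlate(log_text: str, inventory: Dict[str, dict]) -> List[Finding]:
    """Report each MAC that is not a managed corporate asset, once, at first sighting."""
    seen: Dict[str, Finding] = {}
    for rec in parse_acks(log_text):
        mac = rec["mac"].lower()
        if mac in seen:
            continue  # already reported; later leases for the same device are noise here
        entry = inventory.get(mac)
        if entry is None:
            category, owner = "unknown", None
        elif not entry["managed"]:
            category, owner = "byod", entry["owner"]
        else:
            continue  # managed corporate device: nothing to report
        seen[mac] = Finding(mac, rec["ip"], rec["host"] or "", rec["ts"], category, owner)
    return list(seen.values())


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, so the daily report has a headline number."""
    counts = {"unknown": 0, "byod": 0}
    for f in findings:
        counts[f.category] += 1
    return counts


if __name__ == "__main__":
    findings = correlate(DHCP_LOG, INVENTORY)
    for f in findings:
        print(f"{f.first_seen}  {f.category:<8}{f.mac}  {f.ip:<12}{f.hostname}  owner={f.owner}")
    print(summarize(findings))
```

On the constructed input this reports two devices: the registered iPad (category "byod", owner known) and an Android handset that appears in no inventory at all (category "unknown"). The unknown one is the case the bullet above is really asking about; in practice the same correlation would be fed from the switch or NAC logs as well as DHCP, and the inventory lookup would hit the real asset system rather than an in-memory dict.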

There we have it - part 3 is a wrap.  I'm sure this will generate some discussion too.  Mainly I'm interested in hearing how you're coping with these challenges (and hopefully thriving) and where my presentation of the security PoV differs from your thinking.  

If you're going to leave a comment, please also leave your Twitter handle (if you have one... you have got one, don't you?) so we can take the conversation to the community of practitioners, managers, and thinkers who are all working to put a fence around this issue.

Thanks, I look forward to hearing from you - and stay tuned for part 4 ... coming soon!

Cross-posted from Following the White Rabbit
