The launch of any new product from Apple or its Android-based competitors is always a trigger point that can send employees in their droves to seek out their colleagues in the IT department in the hope of getting a new device — it could be a PC, smartphone or tablet — connected to the corporate network.
For those in your IT department, and specifically the security team, this is creating a much larger challenge than downloading emails onto multiple devices. In years gone by, a pool of company resources such as laptops and mobile phones ensured the IT department could keep relatively close control over company data security. But gone are the days when staff feel it’s acceptable to carry around two of everything in their corporate briefcase. Increasingly, the expectation is that personal mobile devices should be used to their maximum potential, enabling work emails to be accessed alongside personal ones on the same device and corporate documents to be stored externally and accessed from anywhere.
This much-discussed current trend, termed bring your own device (BYOD), is one fraught with risk that is only set to increase. Employees are no longer satisfied with simply adding their email, calendar and contacts; instead there is a growing desire to access more of the corporate network, such as Web applications, desktops and native organisational applications. By adopting some simple strategies, CIOs can feel confident in maintaining the delicate balance between enabling business continuity and empowering the mobile workforce while maintaining the ability to assess and manage corporate risk.
Enabling the business
Security should never stand in the way of a business reaching its full potential; instead it should support and enable new technologies and embrace new ways of working. In terms of supporting BYOD, it is important that CIOs work with their security teams to establish a network of trust, that is to say enabling connectivity from multiple devices but allowing only trusted users’ devices and communication. This network of trust is then maintained by:
Protecting corporate data. People need to use, store and share data. But data has become more mobile than ever. It travels faster, is more transparent and much more accessible, not only through removable storage devices and email, but also through automatic synchronisation tools such as iCloud, Dropbox, Box, Windows Live and more. These technologies open new paths for unauthorised people to get access to corporate data. For protection there are three steps to be taken: protect access to these tools, increase encryption and reduce data mobility. By preventing unauthorised access, making it harder to break into the data and making certain data ‘stay put’, you immediately raise your security barriers without limiting data access.
Preventing threats. Mobile devices are exposed to threats, whether they are ‘on’ or ‘off’ the network. When ‘on the network’ (i.e. on the corporate LAN) these devices are protected behind the corporate security layers, such as Web security, network desktop, IPS, AV, Anti Bot and DLP. However, when ‘off the network’ (e.g. at home, a coffee shop or a hotel) some of those security layers ‘disappear’. In other scenarios, even when ‘on the network’, the network security layers will not be able to prevent attacks; these include everyday situations such as writing data to removable media, running an application from a CD, or having a worm on an adjacent machine that exploits a vulnerability in your operating system. Preventing this requires security protection to be installed directly on those devices.
A typical policy that enables secure access from different machines and different users to corporate resources might include: strong-factor authentication; a strong ability to verify that the machine is fully protected; locking with a passcode; a corporate certificate — making sure that end-users don’t try to access from multiple devices at the same time; and partner and consultant access to specific corporate data using an SSL VPN portal or Check Point GO.
Managing and controlling devices. Keeping a handle on what each device is doing may sound like a mammoth task, but the key here is simplicity and consolidation. Look at easy-to-use tools that work within the framework that you’ve already got. Better still, if you have an existing management tool then use it. Your aim should be to create an over-arching security policy that fulfils the need for flexibility for department-specific caveats, as well as clear visibility of the security picture at any given time.
Enable the mobile workforce
It is fair to say that safeguarding a mobile workforce is an ongoing headache for CIOs, especially with the pace at which technology evolves and hackers become more sophisticated. But there are some guiding principles that can help enable an organisation to maintain a secure mobile workforce. These include:
Defining a clear and understandable security policy. There are four layers to this. In the first instance you need to establish user access. Define who can connect to the corporate network and why. Then, consider your device access. What resources are available to each device? Once this has been decided you need to consider what data can be stored on those devices and how. Finally, you need to consider how to prevent threats, that is to say what controls should be enabled when on or off the network.
Engaging and educating users. Educating users about the security policy is important, especially in terms of how they use their devices to access and interact with company data. The most important point to make about internal education is that you explain why you have a corporate policy. Illustrate what you are trying to achieve, how to perform the required operation and how to access a document that is encrypted. Don’t simply deny access but explain why it might be limited and how the user can work within the realms of the security policy to gain the information required. If your users understand why security controls are in place they are much more likely to support and uphold policies and become accountable.
Control, enforce and monitor endpoint and mobile devices. The most essential elements of your security plan are controlling access and managing your endpoints. By limiting and safeguarding access and taking a unified approach to endpoints that encompasses user as well as machine security, an organisation can have much more visibility as to what information is being accessed and how it is being treated by users. This places control back into the hands of your organisation.
Also important is to introduce and enforce a simple and understandable organisational policy. If you make it clear and easy for employees to know when, why and how they can access data then there can be no misinterpretation. It is also important to ensure that sensitive information is shared securely. This requires multiple layers of security with password protection and encryption as a bare minimum. For remote access it steps up to user authentication, VPN, and security verification. Further layers are introduced for data and malware.
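The four-layer policy above (user access, device access, data storage, threat prevention), together with the earlier list of typical controls (strong authentication, a verified and protected machine, a passcode lock, a corporate certificate with one active device per user, VPN for remote access), can be made concrete as a single access decision. The following is an added illustration and is not code from the article or from Check Point; the record layout, user names, resource names and the `storage_encrypted` attribute are assumptions, and the sample requests are constructed. The point it shows is that every failed control is reported, so the user can be told why access was limited rather than simply denied.

```python
"""Illustrative BYOD access-policy evaluator (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    passcode_set: bool            # device locks with a passcode
    protection_current: bool      # endpoint protection installed and up to date
    storage_encrypted: bool       # local storage encrypted (assumed attribute)
    cert_user: Optional[str]      # user the corporate certificate was issued to
    cert_expires: Optional[date]


@dataclass
class Request:
    user: str
    mfa_passed: bool              # strong authentication completed
    device: Device
    resource: str                 # "email", "webapp" or "desktop" (assumed names)
    on_corporate_lan: bool
    via_vpn: bool
    today: date


# Layer 1: user access. Who may connect, and to which resources.
USER_ACCESS: Dict[str, set] = {
    "alice": {"email", "webapp", "desktop"},
    "bob": {"email", "webapp"},
    "carol-consultant": {"webapp"},      # partner: portal-only access
}

# Layer 3: data storage. Resources whose data may only be cached on a device
# that encrypts its local storage.
ENCRYPTION_REQUIRED = {"email", "desktop"}

# One active device per user: maps user -> device_id currently holding a session.
ACTIVE_SESSIONS: Dict[str, str] = {}


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed control is reported, not just the first."""
    reasons: List[str] = []
    d = req.device

    # Layer 1: user access and strong authentication
    if req.resource not in USER_ACCESS.get(req.user, set()):
        reasons.append(f"user {req.user} not entitled to {req.resource}")
    if not req.mfa_passed:
        reasons.append("strong authentication not completed")

    # Layer 2: device access (passcode, corporate certificate, single active device)
    if not d.passcode_set:
        reasons.append("device has no passcode lock")
    if d.cert_user != req.user or d.cert_expires is None or d.cert_expires < req.today:
        reasons.append("no valid corporate certificate for this user on this device")
    held = ACTIVE_SESSIONS.get(req.user)
    if held is not None and held != d.device_id:
        reasons.append(f"user {req.user} already has an active session on device {held}")

    # Layer 3: data storage
    if req.resource in ENCRYPTION_REQUIRED and not d.storage_encrypted:
        reasons.append(f"{req.resource} data may not be stored on an unencrypted device")

    # Layer 4: threat prevention (protection on the device itself, VPN when off-network)
    if not d.protection_current:
        reasons.append("endpoint protection missing or out of date")
    if not req.on_corporate_lan and not req.via_vpn:
        reasons.append("off-network access must come through the VPN")

    allowed = not reasons
    if allowed:
        ACTIVE_SESSIONS[req.user] = d.device_id
    return allowed, reasons


def run_samples() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate a set of constructed requests in order and return each decision."""
    ACTIVE_SESSIONS.clear()
    today = date(2024, 6, 1)                                    # constructed date
    ok = date(2025, 1, 1)
    phone = Device("phone-1", True, True, True, "alice", ok)
    stale_tablet = Device("tablet-7", False, False, True, "alice", date(2023, 1, 1))
    laptop = Device("laptop-2", True, True, True, "alice", ok)
    carol_phone = Device("c-phone", True, True, True, "carol-consultant", ok)
    bob_phone = Device("b-phone", True, True, False, "bob", ok)  # unencrypted storage
    return {
        "alice_phone_on_lan": evaluate(Request("alice", True, phone, "desktop", True, False, today)),
        "alice_tablet_off_net": evaluate(Request("alice", True, stale_tablet, "email", False, False, today)),
        "alice_second_device": evaluate(Request("alice", True, laptop, "webapp", False, True, today)),
        "carol_portal": evaluate(Request("carol-consultant", True, carol_phone, "webapp", False, True, today)),
        "carol_desktop": evaluate(Request("carol-consultant", True, carol_phone, "desktop", False, True, today)),
        "bob_unencrypted": evaluate(Request("bob", True, bob_phone, "email", True, False, today)),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in run_samples().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

Running it shows the stale tablet failing five separate controls at once, Alice's second device being refused only because her phone already holds the session, and the consultant getting the portal but not a desktop. In a real deployment the device attributes would come from the management tool the article recommends reusing, not from hand-built records.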
We are incredibly lucky to be operating in such a technologically advanced world. As an information-rich society we have more opportunities than any previous business era. Ensuring that we protect assets while operating in this environment may be a challenge for CIOs, but it is also a huge advantage. Enabling mobility unlocks these opportunities, whilst ensuring business continuity and increasing productivity. The businesses that support the appetite for BYOD, offering unified remote access and introducing multilayer data protection and threat prevention, are the ones that stand to gain the most. Those that don’t stand to lose it all.
Scott McKinnel is managing director of Check Point Software Technologies Australia and New Zealand