Facing the BYOD challenge
Don Thomas Jacob provides BYOD risk management advice.
BYOD adoption in the enterprise has increased significantly over the last couple of years and the trend is here to stay. While BYOD has been incorporated into some enterprises’ organizational strategy, there are numerous organizations where BYOD has been initiated by the employees themselves and many network administrators are still working out how best to manage the trend.
It is only with practical experience that network administrators can fully understand the problems associated with BYOD and the best methods to solve them. Many organizations are looking for immediate answers, and most IT and network admins do not have the time to experiment with various technologies and solutions or to research the right tool to use in the network for BYOD monitoring or management.
Enterprises often begin implementing BYOD strategies by having additional authentication mechanisms, a separate VLAN and a wireless network for handhelds. While this may seem to be the quickest method to adopt BYOD, it also brings with it numerous problems. In addition to the everyday upkeep and maintenance of the enterprise network, IT admins have to take care of mobile device management, bandwidth issues and most importantly keep an eye on possible security issues. In fact, BYOD leaves the network open to a plethora of security issues.
Here is a look at security issues that BYOD can bring into the network beyond your IDS (Intrusion Detection System), firewalls and access control lists.
Device loss = Data theft
There is nothing new about users losing or misplacing their smartphones or tablets. But with BYOD, sensitive enterprise data is often stored on such devices. So, when a device is lost or stolen, corporate emails and business data are lost too.
Data reaching the wrong hands can spell trouble – monetary loss, tarnished image, loss of business, and in the worst case a hacker might even enjoy uninterrupted access to the corporate network over VPN.
Vanishing network perimeter
Users often connect their mobile devices to public hotspots or to open wireless networks during a conference or in a hotel. With no IDS or firewall in place, the user is at risk of downloading malicious content, picking up malware, becoming a victim of a man-in-the-middle attack and/or being hacked. Either way, the door to your network is now wide open and your business could be next to make headline news.
What was the app name again?
We are witnessing an explosion in the mobile application ecosystem, which includes the likes of Apple, Android and Windows. Gartner estimated that there were 102 billion application downloads in 2013 - no one can even keep track of the number of applications available for download from various app stores. Users install any application that catches their eye, and among them can be non-business, bandwidth-hogging, malware-infected applications. We might start seeing mobile versions of peer-to-peer applications, which hog enterprise bandwidth and spread malware.
Patching enterprise systems to block vulnerabilities is now a common task for the IT admin. And just like your desktop and server OS and applications, your smartphone and tablet's OS and applications can have vulnerabilities too. It will only be a matter of time before a hacker begins to look for unpatched mobile devices and leverages mobile vulnerabilities to gain access to user devices for data theft or attacks.
The weakest network link...
‘They’ do not enable a password lock, they leave their devices anywhere, they connect to any wireless network, they download what they wish, they do not read security warnings, they click ‘OK’ for any on-screen message and bring in the malware. ‘They’ are the end-users and your employees; the weakest link in your highly secured enterprise network. As the saying goes, “Given a choice between dancing pigs and security, users will pick dancing pigs every time.” (1) Users will continue to ignore the security warning messages they see on screen, and end up being the cause of malware reaching your network.
There is no one-stop solution to the security issues outlined above. But using a combination of security and log tools and proactive network monitoring, in addition to your regular security mechanisms, can go a long way towards securing your network.
The first step is to ensure you have specific wireless networks for guests and employee handhelds and to separate them on your core switch via different VLANs. Add RADIUS or AD based authentication mechanisms for all users and consider implementing options designed specifically to provide better control over data while supporting remote access and BYOD.
You must also make use of MDM (mobile device management) and security tools that include remote lock and wipe and can trace the location of a lost or stolen device. If your MDM tool can also take care of mobile patch management, even better. Another tool you must consider using is a user device tracker. A user device tracker can help find the location of a rogue or unapproved device, alert you about unknown devices, create whitelists or even block ports on finding rogue devices connected.
Finally, it is vital to educate your users on why data loss and data theft are serious problems for both the organization and themselves, and on what they can do to help secure the network, especially when using a mobile device within the enterprise network. With a combination of security tools and proactive monitoring you can take on whatever challenges BYOD may throw at you.
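The user device tracker described above (alert on unknown devices, keep a whitelist, block the port of a rogue device on the employee VLAN) can be sketched as a small check over switch logs. This is an added illustration, not code from the article; the VLAN ids, the MAC whitelist and the log line format are all constructed for the example.

```python
# Minimal "user device tracker" check (added example, not the article's code).
# Constructed records in a "switch port vlan <id> mac <addr>" format are
# classified against a whitelist of approved employee handhelds. Devices on
# the guest VLAN are tolerated; unknown devices on the employee VLAN raise an
# alert and a port-block recommendation, as the article describes.
from dataclasses import dataclass

EMPLOYEE_VLAN = 20   # assumed VLAN id for employee handhelds
GUEST_VLAN = 30      # assumed VLAN id for guest wireless

# Constructed whitelist: MAC address -> owner label (values are made up)
APPROVED = {
    "aa:bb:cc:00:00:01": "alice-phone",
    "aa:bb:cc:00:00:02": "bob-tablet",
}

# Constructed sample log lines (made up switches, ports and MACs)
SAMPLE_LOG = """\
sw1 Gi1/0/5 vlan 20 mac aa:bb:cc:00:00:01
sw1 Gi1/0/6 vlan 20 mac de:ad:be:ef:00:99
sw2 Gi1/0/1 vlan 30 mac 11:22:33:44:55:66
sw2 Gi1/0/2 vlan 20 mac AA:BB:CC:00:00:02
"""

@dataclass
class Finding:
    switch: str
    port: str
    vlan: int
    mac: str
    verdict: str   # "approved", "guest" or "rogue"
    action: str    # what the tracker should do about it

def parse_line(line: str):
    """Split one constructed log line into (switch, port, vlan, mac)."""
    switch, port, _, vlan, _, mac = line.split()
    return switch, port, int(vlan), mac.lower()   # normalise MAC case

def classify(line: str) -> Finding:
    switch, port, vlan, mac = parse_line(line)
    if vlan == GUEST_VLAN:                # guests are isolated by VLAN already
        return Finding(switch, port, vlan, mac, "guest", "none")
    if mac in APPROVED:                   # known employee handheld
        return Finding(switch, port, vlan, mac, "approved", "none")
    # Unknown MAC on the employee VLAN: alert and recommend blocking the port
    return Finding(switch, port, vlan, mac, "rogue", f"alert; block {switch} {port}")

def track(log: str) -> list:
    """Classify every non-empty line of the log."""
    return [classify(l) for l in log.splitlines() if l.strip()]

if __name__ == "__main__":
    for f in track(SAMPLE_LOG):
        print(f"{f.verdict:8} {f.mac} on {f.switch} {f.port} vlan {f.vlan}: {f.action}")
```

A MAC whitelist is only a first-pass check, since MAC addresses are easily changed; it complements, rather than replaces, the RADIUS or AD authentication recommended above.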
(1) Gary McGraw and Edward Felten: Securing Java (John Wiley & Sons, 1999; ISBN 0-471-31952-X), Chapter one, Part seven.
Date: 3rd March 2014 • Region: World • Type: Article • Topic: ICT continuity