4 steps to securing the BYOD world
By Lorna Hardie, HP Enterprise Security Product Sales Manager, Southern Africa
You can’t secure every device, and the day of limiting devices and platforms has passed. Don’t focus on devices – focus on the data, the apps and the users.
The bring-your-own-device era poses a massive security challenge: all those different devices and platforms. Mobile Device Management (MDM) solutions were designed to help tame the chaos, but they may not accommodate every device that will touch your corporate network or, worse, may invade your users’ privacy. That lack of comprehensive support leaves you with unmitigated risks.
Rather than dream of a turnkey solution to lock down all devices, focus on solid best practices for securing enterprise data. Taking the emphasis off device-level protection lets your security teams tackle security with a methodical, layered approach. Such a strategy can equally protect mobile devices, laptops and wired clients, regardless of the devices your employees need to be productive.
A robust, data-centric enterprise security strategy has these four dimensions:
1. Know your users. We’ve moved past the days of fixed IP addresses. Today, a single employee might use a mobile smart device; connect to the corporate network using her own WiFi; log on from a coffee shop via an unsecured WiFi; use a badge reader to enter the physical campus; and sign in to salesforce.com, SAP and other enterprise apps. In one day, one employee can generate a dozen or more different IDs. Multiply that by total headcount, and it's easy to lose track.
To manage all these IDs and link them to the person they represent, you need a single view of the user. Consider consolidating user-rights monitoring into a single engine, such as a Security Information and Event Management (SIEM) system. This offers a comprehensive picture of a user's activities from the time they badge in to work (whether virtually or physically), as well as each system, application and piece of data they access and how they use it.
2. Secure your apps. Employees use a wide variety of applications to get their jobs done, and only some of those apps reside on your enterprise servers. Thus, your app ecosystem comprises personal apps, third-party apps and SaaS apps in addition to enterprise apps. These apps can be thick-client, installable binaries, mobile apps or something browser-based. You need to understand the risks that each brings.
Some will need a full-scope review process based on the software development lifecycle (SDLC), while others will need governance and auditing to see that they meet compliance requirements. Make sure you have application monitoring and scanning tools, including manual processes where necessary, in place to help identify security defects in code written by third parties.
3. Secure your network. As you diligently track the IDs of every user interacting with your network, be equally diligent about whom (and what) you let in. At the airport, TSA agents authenticate people's travel documentation and screen both people and items for known risk factors. They also utilise behavioural monitoring to look for patterns that could indicate a threat. Bring similar strategies to your method for vetting users attempting to access your network. Put controls in place to keep out anyone whose behaviour triggers an alert.
4. Have good visibility. Monitor activity across the enterprise to track and prevent negative events and breaches. Close performance monitoring is vital, as anomalies in network throughput and overall utilisation can be clues to a security breach. When suspicious activity is detected, analyse all the digital fingerprints to identify the cause of the problem. Changes to configuration settings are a particular concern, as this is a common hacker tactic. Make sure you can track the origin of all configuration changes and have a system of alerts for unexpected changes as part of a strong change-management culture.
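As an added illustration of the alerting described in step 4 (not code from the article or from any HP product), the sketch below checks configuration-change events against approved change tickets and reports each unexpected change with its origin. The event fields, ticket schema, host names and ticket IDs are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: approved change tickets (hypothetical schema).
APPROVED = {
    "CHG-1001": {"target": "fw-edge-01", "assignee": "alice",
                 "start": "2024-03-04T22:00", "end": "2024-03-05T02:00"},
}

# Constructed sample configuration-change events, as a SIEM might receive them.
EVENTS = [
    {"time": "2024-03-04T23:10", "target": "fw-edge-01", "actor": "alice",
     "source": "10.0.5.20", "setting": "acl.inbound", "ticket": "CHG-1001"},
    {"time": "2024-03-05T09:30", "target": "fw-edge-01", "actor": "alice",
     "source": "10.0.5.20", "setting": "acl.inbound", "ticket": "CHG-1001"},
    {"time": "2024-03-04T23:40", "target": "fw-edge-01", "actor": "bob",
     "source": "192.0.2.77", "setting": "logging.level", "ticket": "CHG-1001"},
    {"time": "2024-03-06T03:15", "target": "vpn-gw-02", "actor": "svc-backup",
     "source": "10.0.9.4", "setting": "auth.mfa_required", "ticket": None},
]


def check_change(event, approved=APPROVED):
    """Return the reasons a change is unexpected (empty list if expected)."""
    ticket = approved.get(event["ticket"])
    if ticket is None:
        return ["no approved ticket"]
    reasons = []
    if event["target"] != ticket["target"]:
        reasons.append("target not covered by ticket")
    if event["actor"] != ticket["assignee"]:
        reasons.append("actor is not ticket assignee")
    when = datetime.fromisoformat(event["time"])
    start = datetime.fromisoformat(ticket["start"])
    end = datetime.fromisoformat(ticket["end"])
    if not start <= when <= end:
        reasons.append("outside approved window")
    return reasons


def unexpected_changes(events=EVENTS):
    """Pair each unexpected change with its origin (actor, source) and reasons."""
    alerts = []
    for ev in events:
        reasons = check_change(ev)
        if reasons:
            alerts.append((ev["time"], ev["target"], ev["setting"],
                           ev["actor"], ev["source"], reasons))
    return alerts
```

Of the four sample events, only the first matches its ticket on target, assignee and time window; the other three are returned as alerts with the actor and source address attached.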
Bring your own...anything
BYOD is about saying yes – to whatever mobile devices and platforms your employees prefer. By taking your security strategy back to basics using these four perspectives, you can take the anxiety out of saying yes, as well as change the perception of IT in general, and IT security in particular, as the buzz-killing department of no.