YES YOU CAN BYOD - HOW ABOUT SECURITY?

BYOD (Bring Your Own Device) refers to the recent trend of employees bringing personally owned mobile devices, such as smartphones and tablets like the iPhone and iPad, to the workplace and using them to access corporate systems and databases. [1]

Due to the continued consumerization of IT, customers and employees will continue to demand consumer-like experiences when interacting with corporate systems. According to a Gartner report, by 2013, more than 80 percent of enterprises will support the use of tablets. Furthermore, by 2014, more than 90 percent of enterprises will support corporate applications on personal devices. [2]

Enterprises have found that it would be almost impossible to stop this trend completely, and that it is better to manage the use of mobile devices than to ban it outright. According to Forrester Research, the devices in use include iPad, BlackBerry, Android and more, and indications are that their number is only going to increase. [3] A BYOD lock-down could hinder creativity and hurt productivity and morale; there is a need to empower users to do more, faster.

BYOD has several advantages for the enterprise: increased employee and contractor productivity, better collaboration among teams, support for a mobile workforce, higher user satisfaction, better customer service, shorter decision-making cycles and lower costs.

There are, however, security challenges presented by smart devices accessing corporate data, and these challenges have to be addressed. The two major security issues with the BYOD culture are:

Confidentiality of information assets: how do you ensure the security of data transmitted over personal smart devices? Corporate data can be lost or leaked as users move around freely with company information, which can lead to compliance issues and legal liability. Personal privacy is also a concern, since corporate data and the user's personal data reside on the same device. According to the Cloud Security Alliance report on top mobile threats, the single biggest threat to adoption of mobile solutions is data loss from stolen, lost or decommissioned devices. [4]

Availability of resources: these devices could easily introduce malware, since their health is often unknown: users are likely to have connected them to other networks. Likewise, with the related trend of Bring Your Own Apps (BYOA), users may install rogue apps on these devices and consequently compromise the corporate network.

To manage the security challenges of BYOD, we consider combining two approaches: an administrative approach and a technical approach.

Administrative approach: Develop a corporate BYOD policy

Before we even begin to address the security challenges of BYOD, one of the most important aspects to consider is: who owns the device? If the organization owns the device, it can have it "locked down" and dictate how it will be configured and used. If the user owns the device, however, she/he can configure it as she/he sees fit and install all kinds of apps, which may differ from the corporate standard.

The corporate BYOD policy should therefore consider the following:

Employees / users should own the policy: include employees in the discussion and make them co-owners of the BYOD policy. Policies that employees are not comfortable with could lead them to try to bypass and circumvent the rules, which cannot be good for productivity.

Smart device standards and a baseline should be well documented; an acceptance baseline establishes a list of acceptable smart device specifications, covering both hardware and OS. Users and procurement staff have to be guided on which devices are allowed or not, and why. In Uganda, for example, there are lots of counterfeit devices and imitations, which could fail to meet corporate standards. Recently the Uganda Communications Commission (UCC), the communications regulatory authority in the country, has indicated that it will be disconnecting counterfeit devices. In neighboring Kenya action has already been taken and over 1.5 million phones have been switched off. [5] It is therefore important that at the buying stage workers know the right devices and specifications.

User agreements have to be signed with users. BYOD introduces both corporate and personal liability, so the agreements have to state clearly who is responsible for what. For example, are employees willing to accept their employer restricting the ways in which they can use their privately owned devices? How do you recover data from the device of an employee who is leaving the organization, or recover a company device from such a user? How do you handle device expenses and reimbursements? Do employees agree to a secure wipe of both personal and corporate data if the device is stolen? And so on.

Access control / classification of data: you should be able to specify who can access information, how and when it can be accessed, and under which conditions. You need to know what data your organization has, its value and where it resides. You also need an accurate inventory of all IT devices, both company-owned and user-owned.

Who provides support for the smart devices and the applications your users access: the organization's IT team, or a provider that the users engage themselves? This is very important for the security of company data that resides on the user's device.

Awareness training: it is vital to provide awareness training on BYOD and the BYOD policy. You need to address issues like employees feeling that monitoring or managing their personal devices is tantamount to an invasion of privacy. Awareness training also helps you emphasize that the apps people use on their mobile devices should come from a trusted, reliable source, such as an app store. I have also seen organizations that have set up an enterprise app store with a repository of all allowed and tested apps. Users can submit their apps to IT, and only once they have been tested and approved can they be added to the corporate app store.

Technical approach

The technical approach involves the use of technology to enforce the BYOD policy as well as to manage the security issues of BYOD (and BYOA, for that matter). Some of the technologies involved in managing BYOD issues include the following:

Mobile device management (MDM) is a comprehensive mobility management solution that combines all the tools, security and technical support needed to help organizations effectively manage, support and secure their mobile environment, allowing mobile devices and content to be secured and controlled remotely. A good MDM solution should provide control and protect the enterprise end-to-end across the device, application, network and data layers. An MDM solution lets you manage the entire mobile device life-cycle, from enrollment through security, monitoring and mobile application management (MAM), including remote installation or removal of applications, to support. An MDM solution can also be integrated with the corporate directory service, VPN and Wi-Fi. Some of the leading vendors in this arena include MobileIron, Soti, Zenprise, Good Technology and AirWatch.

Network access control (NAC) helps establish exactly who and what is connecting to the corporate network and controls the level of access devices get. This should also include logging and monitoring of devices and data, monitoring and profiling of mobile network traffic and user behavior, and a real-time view of all devices on your network, including devices you don't own, with alerts on device integrity status, unauthorized access, leakage of sensitive corporate data and mobile compliance violations. NAC solutions help enforce compliance with security policies and, for example, block jailbroken iOS devices from your network.

Encryption of corporate data on mobile devices: this includes full-disk or folder-level encryption. Encryption should cover both data at rest on devices (internal memory and external cards) and data in motion to and from the device, such as e-mail, using S/MIME for example.

Remote locking or wiping of lost/stolen devices: this should allow remote locking of the device if it is misplaced, and a complete secure wipe if it is stolen. There are also options for selective wipe, where only corporate data and apps are wiped without touching the user's personal data; this allows personally owned devices to be selectively wiped of enterprise data once the employee leaves the company.

Remote OS patching and/or upgrades: to ensure that devices are up to date with the latest security patches and OS updates, and are not easily compromised through unattended vulnerabilities, which in turn could affect the corporate network. You need to ensure that these devices run the correct OS versions with the applicable patches.

Application access control (mobile): this includes identity and authentication management for users and devices accessing the corporate network. The solution should grant granular access to mobile apps on an app-by-app basis and segregate critical business apps from non-compliant or potentially malicious apps. It should let you see an inventory of the apps running in your enterprise, provide an enterprise app store where IT can make available or push packages of apps to devices, roles and groups in a secure and organized way, black-list/white-list apps that negatively affect employee productivity or breach company or regulatory compliance, and prevent users from opening apps that are unapproved or out of compliance.

Digital rights management (DRM): this concerns the protection of digital media and copyright. You need to ensure that unauthorized redistribution of digital media and corporate data is minimized. DRM technology focuses on making it impossible to steal corporate content, and involves preventing unauthorized data backups and restricting copy and paste of corporate data.

Mobile anti-malware, anti-virus and endpoint security: to protect against malware introduced by smart devices that could compromise corporate security. Other technical measures to consider include secure offline storage of data, enforced PIN codes for mobile devices, data leakage prevention and multi-factor authentication.
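As an added example (not code from the article), the following Python sketch turns the controls listed above (device baseline, jailbreak check, storage encryption, enforced PIN, app allow/deny lists, and selective versus full wipe on offboarding) into the kind of automated compliance decision an MDM/NAC policy engine makes at enrollment and connection time. The baseline values, field names and sample devices are constructed assumptions, not any vendor's data model.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"            # full corporate access
    QUARANTINE = "quarantine"  # remediation network only until fixed
    BLOCK = "block"            # refuse the connection


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str              # "corporate" or "personal": the ownership question
    platform: str           # "ios" or "android"
    os_version: tuple       # (major, minor)
    jailbroken: bool
    encrypted: bool         # storage encryption at rest
    pin_enforced: bool
    apps: frozenset         # installed app identifiers


# Constructed baseline standing in for the documented smart device standard:
# minimum OS per platform, the enterprise app-store allow list and a deny list.
BASELINE = {
    "min_os": {"ios": (6, 0), "android": (4, 1)},
    "allowed_apps": frozenset({"corp-mail", "corp-vpn", "corp-docs"}),
    "denied_apps": frozenset({"rogue-backup", "cracked-game"}),
}


def evaluate(device, baseline=BASELINE):
    """Return (Verdict, findings). Every finding is collected so the alert
    log is complete; the most severe finding decides the verdict."""
    findings, worst = [], Verdict.ALLOW

    def note(text, level):
        nonlocal worst
        findings.append(text)
        if level is Verdict.BLOCK or (level is Verdict.QUARANTINE and worst is Verdict.ALLOW):
            worst = level

    if device.jailbroken:
        note("jailbroken/rooted device", Verdict.BLOCK)
    min_os = baseline["min_os"].get(device.platform)
    if min_os is None:
        note(f"unsupported platform: {device.platform}", Verdict.BLOCK)
    elif device.os_version < min_os:
        note("OS below baseline; patch/upgrade required", Verdict.QUARANTINE)
    denied = device.apps & baseline["denied_apps"]
    if denied:
        note("deny-listed apps: " + ", ".join(sorted(denied)), Verdict.BLOCK)
    if not device.encrypted:
        note("storage not encrypted", Verdict.QUARANTINE)
    if not device.pin_enforced:
        note("no device PIN enforced", Verdict.QUARANTINE)
    unknown = device.apps - baseline["allowed_apps"] - baseline["denied_apps"]
    if unknown:
        # Reported for the app inventory; stopping these apps from opening is
        # an app-level (MAM) control, not a network-admission decision.
        note("unapproved apps: " + ", ".join(sorted(unknown)), Verdict.ALLOW)
    return worst, findings


def wipe_plan(device, baseline=BASELINE):
    """Offboarding: a corporate device is wiped fully, a personal device
    selectively (enterprise apps and their data only)."""
    if device.owner == "corporate":
        return {"scope": "full", "apps": set(device.apps)}
    return {"scope": "selective", "apps": set(device.apps & baseline["allowed_apps"])}


# Constructed sample inventory: one compliant tablet, one jailbroken phone
# with a deny-listed app, one unencrypted phone running an old OS.
SAMPLE_DEVICES = [
    Device("tablet-01", "corporate", "ios", (6, 1), False, True, True,
           frozenset({"corp-mail", "corp-docs"})),
    Device("phone-02", "personal", "ios", (5, 1), True, True, True,
           frozenset({"corp-mail", "cracked-game"})),
    Device("phone-03", "personal", "android", (4, 0), False, False, True,
           frozenset({"corp-vpn", "chat-app"})),
]


def run_samples(devices=SAMPLE_DEVICES):
    """Map each device id to its verdict, as a compliance report would."""
    return {d.device_id: evaluate(d)[0].value for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        verdict, findings = evaluate(d)
        print(d.device_id, verdict.value, findings, wipe_plan(d))
```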

Today's employee is looking for the freedom to work in new ways and innovate, and the bring-your-own-device (BYOD) trend is one such opportunity, but the challenges that come with BYOD could be a bottleneck. However, a good BYOD policy coupled with the technology to enforce it can go a long way in addressing these challenges, and that matters because the BYOD culture is here to stay.

References:

  1. Wikipedia, "Bring your own device", 2012. Available from: http://en.wikipedia.org/wiki/Bring_your_own_device
  2. Gartner, "Gartner's Top Predictions for IT Organizations and Users, 2011 and Beyond", 2011.
  3. Forrester Research, "The Rise of Wannabe and Maverick Mobile Workers", 2011.
  4. Cloud Security Alliance, "Top Mobile Threats", 2012.
  5. Mugabe, David, "UCC warns over fake phones", The New Vision, 2012.

By Thomas Bbosa, CISSP


SECURITY CHALLENGES FOR CLOUD COMPUTING

Cloud computing is here, and has been embraced by many organizations. Cloud computing as defined by the US National Institute of Standards and Technology (NIST) is "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [1] Cloud computing is basically about outsourcing IT resources, just as you would source utilities like electricity or water from a shared public grid.

The cloud services options include:

Software as a Service (SaaS): the consumer uses the cloud provider's applications running on a cloud infrastructure, and the applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

Platform as a Service (PaaS): the consumer deploys their own applications on the provider's infrastructure. This option allows the customer to build business applications and bring them online quickly; examples include email campaign management, sales force automation, employee management, vendor management, etc.

Infrastructure as a Service (IaaS): the consumer has access to processing, storage, networks and other fundamental computing resources, on which the consumer is able to deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of selected networking components (e.g., host firewalls).

Cloud computing has become popular because enterprises are constantly looking to cut costs by outsourcing storage and software (as a service) to third parties, allowing them to concentrate on their core business activities. With cloud computing, enterprises save on setting up their own IT infrastructure, which would otherwise be costly in terms of initial investment in hardware and software as well as ongoing maintenance and human resource costs.

According to the Gartner report on cloud security [2], enterprises require new skill sets to handle the challenges of cloud security. Enterprises need to see to it that their cloud service provider has most of "the boxes ticked" and that their security concerns are addressed. Cloud computing is still a somewhat new field of IT with no specific standards for security or data privacy, so cloud security continues to present managers with several challenges.

Your provider needs to be able to address the issues that come up, including the following:

Access control / user authentication: how does your cloud service provider manage access control? More specifically, do you have options for role-based access to resources in the cloud? How is password management handled? How does that compare with your organization's information security policy on access control?

Regulatory compliance: how do you reconcile regulatory compliance requirements with data held in a totally different country or location? What about data logs, events and monitoring options for your data? Does the provider offer audit trails, which could be a regulatory requirement for your organization?

Legal issues: who is liable in case of a data breach? What is the legal framework in the country where your cloud provider is based, vis-a-vis your own country? What contracts have you signed, and what issues have you covered with the provider in case of legal disputes? What about local laws and jurisdiction where the data is held? Do you know exactly where your data is stored? Are you aware of conflicting regulations on data and privacy? Have you asked your provider all the right questions?

Data safety: is your data safe in the cloud? What about man-in-the-middle attacks and Trojans against data moving to and from the cloud? What encryption options does the provider offer? Another important question is: who is responsible for the encryption/decryption keys? [3] You will also find that cloud providers work with several other third parties who might have access to your data. Have you had all these concerns addressed by your provider?

Data separation / segregation: your provider could be hosting your data alongside that of several other clients (multi-tenancy). Have you been given verifiable assurance that your data is segregated and separated from the data of the provider's other clients? According to the Gartner report, it is good practice to find out "what is done to segregate data at rest". [2]

Business continuity: what is the acceptable cloud service downtime you have agreed with your provider? Does it compare well with your organization's acceptable-downtime policy? Are there any penalties or compensation for downtime, which could lead to business loss? What measures does your provider have in place to ensure business continuity and the availability of your data and services hosted on their cloud infrastructure in case of disaster? Does your provider offer data replication across multiple sites? How easy is it to restore data when the need arises?

Cloud service providers have stepped up their efforts to address some of the most pressing cloud security issues. In response to cloud security challenges, an umbrella non-profit organization called the Cloud Security Alliance (CSA) was formed; its members include Microsoft, Google, Verizon, Intel, McAfee, Amazon, Dell and HP, among others, and its mission is "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing". [4]

As more and more organizations move to the cloud for web-based applications, storage and communications services for mission-critical processes, there is a need to ensure that cloud security issues are addressed.

References:

  1. National Institute of Standards and Technology, Information Technology Laboratory, "The NIST Definition of Cloud Computing", 2009.
  2. Gartner, "Assessing the Security Risks of Cloud Computing", 2008.
  3. Rittinghouse, J.W. and Ransome, J.F., "Cloud Computing: Implementation, Management, and Security", Auerbach Publications, New York, 2009.
  4. Cloud Security Alliance, 2011. Available from: https://cloudsecurityalliance.org/

By Thomas Bbosa, CISSP


THE RISE OF THE CYBER SECURITY MILLENNIAL

As the number of cyber-attacks, threats and criminal activities inflates at a horrific rate, who are you going to call for help when you realize that you are, unbelievably, the victim of what was once the plot of a sci-fi movie?

As the chief executive of a company, your nerves are tense and your forehead is dripping beads of sweat as you wonder how on earth you are going to explain this to the board of directors. All your intellectual property has been illegally tampered with and stolen, like a horrific, ugly storm taking down the housing in Katwe or a downtown Kampala suburb. This is when you think to yourself, "I wish I had listened to my head of information security ...".

"Millennials, also described as the Millennial Generation or Generation Y, abbreviated to Gen Y, are the demographic cohort following Generation X. There are no precise dates for when the generation starts and ends; most researchers and commentators use birth years ranging from the early 1980s to around 2000." (Wikipedia, 2016). They are the solid youthful foundation of our current information security growth, as they are eager to learn and take on any subject that comes their way. The need to grow and develop these young individuals into the next world-recognized guardians of business information systems is of paramount importance. With their minds so keenly equipped with the zeal to capture this wealth of knowledge, our nation can become a force to reckon with, as is the case with the youthful cyber-talented of the USA, Russia, Great Britain and many more.

Currently (ISC)2 is embarking on a major initiative to promote cyber security among the youth and the general public, and to show how to be more proactive about security awareness. Security awareness is a profound necessity, as more and more companies are being tricked into becoming victims of malicious practices.

The same approach should be mirrored in Ugandan society by targeting our very own millennials. Schools and communities need to embrace the fact that systems hacking, data theft and breaches of data privacy are real. But it is never too late: the newly founded (ISC)2 Uganda Chapter is actively working out a way forward to mentor and spearhead a project for our very own Ugandan school children to embrace information security and its rewards.

The (ISC)2 Global Foundation has introduced an exciting addition to the Safe and Secure Online Program, one directed at the online needs of senior citizens too. Safe and Secure Online, which has provided training in online security and protection to thousands of children, parents and teachers, is now offering this learning to seniors who may be new to and unfamiliar with technologies that are now everyday tools. "Seniors are often prime targets of fraud, malware, social engineering tactics and other forms of malicious online behavior," says (ISC)2 Foundation director Julie Franz. "It is our intent, through Safe and Secure Online for seniors, to equip senior citizens with the knowledge they need to enjoy a safe online experience." For information on the new senior citizens' program, go to https://www.isc2cares.org/Senior_Citizen_Page


Brian Mwine Rutebemberwa, CISSP

SECURITY RISKS IN THE AGE OF SOCIAL MEDIA

Everyone is joining the social media craze, even the public figures of our times. I was recently watching a program on MTV Base where young people interview some of the influential people of today, and I remember two episodes in which President Kagame of Rwanda and Virgin Group's Richard Branson mentioned using Twitter from time to time. With hundreds of millions of users, from school-going teenagers to presidents, footballers and musicians, and from small and medium companies to large corporations, many people use at least one of the various social media, like Facebook, Twitter, LinkedIn, MySpace and YouTube, to connect with friends, to network and make friends, for promotion and public relations, and for marketing, among other benefits.

Social media has changed the way we interact and communicate; we can now stay in touch through Facebook with friends, fans and clients. We can pass on information quickly through Twitter in a way we never could before. Through social media we can reunite with lost family members and friends. Some might have heard the famous story of the father-daughter reunion between Tony McNaughton and Frances Simpson of the United Kingdom, who had not seen each other for nearly 48 years. The father had separated from the daughter's mother when she was about a year old; they reunited via Facebook.

I am a user of social media, mostly Facebook, and I would not like to be a killjoy, but I am also aware of the inherent risks it has. So what are these risks that come with social media, and how can we guard against them? For individual users of social media, the biggest challenge is that people drop their guard and share personal information and secrets on Facebook, including details they would not easily shout out in the street or share on national TV or radio. Within their social networks they feel safe, surrounded by people they know, like and trust, such as friends and family. This opens possibilities for identity theft and provides an avenue for social engineering, the practice of gathering information on someone for later criminal use. There is also the threat of cyberstalking, where a user is electronically harassed or abused, as well as the solicitation of minors for sex, or the gathering of information on an individual in order to harass them later with it.

There is also a web of trust built between social network users, so much so that any information posted by "a friend" is taken as gospel truth. Recently a Facebook friend of mine was a victim when his Facebook account was compromised, most probably because he was using a weak password that was easy for the attacker to guess. The perpetrator was able to post on his "wall", claiming that "he" was stranded in a foreign country, had lost his luggage and had no money on him. The masquerader even gave details of where and how to send help; needless to say, some people on his Facebook friends list fell for it and sent money. This and many other incidents warn us to be a little more alert when using social media.

For enterprises and corporations that have internet access and allow employees to use social media on the corporate network, the risks could be even bigger. While social networking has become pervasive across organizations, there are very few security restrictions governing its use. Uncontrolled use of social media could lead not only to misuse of internet resources but also to productivity loss, as employees spend more time on social networks instead of doing official work. Social networks can also be used to introduce malware such as computer viruses onto corporate networks. For example, in September 2010 the Twitter-based "onMouseOver" worm pummeled users with pop-ups, spam and pornographic tweets and then re-tweeted them to everyone on their contact list.

Social networks can also be a route for data leakage: they can be used to leak company trade secrets and lead to the loss or leakage of confidential or sensitive data. What's more, there is a disconnect between traditional information security practices and the demands of an increasingly youthful workforce that feels entitled to use personal technology and social networking in the office. So what can be done to curb the risks of social media use and enjoy its benefits with fewer worries? To begin with, social media users need to be vigilant and not share any information they could not comfortably share with the general public. On top of using stronger passwords that cannot easily be guessed, we should take advantage of the options available within the social media platforms themselves to help reduce the risks.

Major social networking sites now support identity management functionality. For example, a security application called mysafeFriend gives Facebook users a way to validate the identity of potential friends. Parents need to guide their children on safe use of the internet and appropriate behavior online. Just as you would not let your children chat with any stranger in the street, why should you allow them to connect freely with cyber strangers, who could be closer than you think? For organizations, there is a need for both an administrative and a technical approach to the problem.

Companies should draw up internet usage policies for the workplace with a component dedicated to social media use, for example specifying at what times employees can access social networking sites, so that employee productivity is not affected. Staff should also receive awareness training on the risks involved. Companies can use available technology to help with web content filtering against malware such as viruses and infected links shared through social networks.

As social networks become more popular, individuals and corporations need to be aware of the risks, and of the fact that scammers and cyber-criminals today have their sights trained on users of social networks.


By Thomas Bbosa, CISSP