Trends like BYOD, mobility and increased usage of cloud apps are resulting into unwiring the enterprise.
Here’s what my colleague Ken told me recently when I asked him if he would prefer to bring his own computer to work. He said, “When travelling, I use YouTube to watch news, post updates on Facebook for my friends and family, check out the latest scores on Sports sites. So I don’t want any restrictions when I am on the road. And I want a fire wall between my personal life and corporate data/apps”. He insisted on clarifying the value or incentive for employees to bring their own devices to work. These kinds of demands are already posing many challenges (and headache) for IT and InfoSec teams. On one hand, it seems like a great proposition to have employees to use their own personal devices to conduct business and reduce procurement or maintenance costs; it also poses unprecedented risks to the enterprise data that is on the move.
There is a need to create a robust approach so that information residing on personal devices is guarded against malicious intent or loss. No doubt that there will be increased employee dissatisfaction if there are more controls that restrain them but at the same time the Board, Shareholders and the Customers will have serious concerns for the business risks due to the absence of the same.
The last decade has seen a massive proliferation of mobile devices. Introduction of low cost smartphones changed the way we started interacting with each other. The handheld devices powered with applications give users never ending possibilities and access to information. The world is now massively appi-fied and we are using it for social media, banking, finance, entertainment and even as personal assistants.
Cyber security trends have risen alarmingly in importance in the recent years. Exploits like malwares, ransomware, adware, Trojans and surveillance-ware are everywhere. With the dawn of BYOD and changing work culture, the gaps in security are wide open. Apparently, the security aspects are ignored due to various reasons such as employee demands, simplification, ease of access etc. But corporate can no longer focus on the old school security models and continue to allow employees bring their own devices to work. They will have to redefine the approach to cater to these issues. Enterprise Mobility Management solution can act as very good option since it gives power to the IT teams and flexibility to the end users. What needs the highest level of vigilance and diligence is the world of application development and the APIs. Developers must put more emphasis on filling these missing gaps. That is where the real enemy resides.
So, given that these BYOD and mobility trends are going to stay around and more apps will be accessed from cloud than ever before, it is time for the CISOs and CIOs to prepare for the challenges ahead and consider new investments in IT and Information Security. A product or two alone will not solve this problem. There should be an end to end multi-device, multi-protocol, multi-channel Information Security strategy.
The Balancing Act: Intense Complexities, Intense Simplicities
The fundamental end-to-end strategy should consist of the following:
● Know Your User
• Prevent unauthorized and rogue devices from connecting to the corporate wireless network
• Renew access lease at a regular frequency; enforce password reset
• Develop management policies to remotely wipe enterprise data
• Use cloud for the robust encrypted backups
• Update corporate’s policies such as Acceptable Use, Monitoring and Separation
● Protect Data
• Create multi-factor authentication to allow access to sensitive data
• Monitor API and Micro-services consumption
• Deploy web filtering and data leakage prevention solutions
• Create different access privileges for personal devices & corporate devices
• Watch trends and patterns 24x7. Develop analytical insights for forensics
● Regulate Environment
• Create policies for BYOD and Cloud Apps
• Restrict network access; deny by default
• Reconsider ACL approach
• Create zones in the architecture using layers
There isn’t going to be a ‘silver bullet’ to solve all the problems. Several companies in the information security area are working to provide solutions to various problems associated with the trends mentioned here. And these solutions will evolve to cover wider spectrum of threats and management strategies over time.
Having said this, the most fundamental solution is largely in the hands of the employees who are bringing their devices to the workplace. In summary, organizations should look at adopting these new trends as a new culture and not just as a new technology. Self-awareness of information security threats and confidentiality requirements should be in the ethos of this new cyber security focused culture.