<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Thinking</title>
	<atom:link href="http://www.btsecurethinking.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.btsecurethinking.com</link>
	<description></description>
	<lastBuildDate>Fri, 18 May 2012 14:04:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Protecting Your Organisation’s Intellectual Property &#8211; Part 2</title>
		<link>http://www.btsecurethinking.com/2012/05/protectpart2/</link>
		<comments>http://www.btsecurethinking.com/2012/05/protectpart2/#comments</comments>
		<pubDate>Fri, 18 May 2012 14:04:01 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- cloud computing]]></category>
		<category><![CDATA[- risk mitigation]]></category>
		<category><![CDATA[- Security]]></category>
		<category><![CDATA[- security infrastructure]]></category>
		<category><![CDATA[infrastructure risk]]></category>
		<category><![CDATA[Jeff Schmidt]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3346</guid>
		<description><![CDATA[By Jeff Schmidt, Executive Global Head of Business Continuity, Security &#38; Governance, BT Global Services Part 2 of a 2 part blog It is somewhat hubris in our intent to believe we can prevent end-users (permitted users) from finding ways to gain access to corporate data from their own devices. In part, this can be [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Jeff Schmidt, Executive Global Head of Business Continuity, Security &amp; Governance, BT Global Services</em></strong></p>
<p><strong><em>Part 2 of a <a title="Protecting Your Organisation’s Intellectual Property – Part 1" href="http://www.btsecurethinking.com/2012/05/protect/" target="_blank">2 part blog</a></em></strong></p>
<p>It is somewhat hubris in our intent to believe we can prevent end-users (permitted users) from finding ways to gain access to corporate <a title="The Mobility Mega Trend and the Cyber Renaissance" href="http://www.btsecurethinking.com/2012/05/mobility/" target="_blank">data from their own devices</a>. In part, this can be attributed to the demise of the eight-hour working day. We recognise that business requirements can surface at any time of the day, any day of the week. More and more frequently, companies expect their employees to be available “anytime, anywhere” to handle business needs; and those employees aren’t always in a position to grab their corporate computer and review a critical email or document. We need to be mindful that the enthusiasm for today’s end-user devices comes with an expectation of easy access to corporate data — and of carrying fewer technology resources with more power.</p>
<p>Hence, the education of the end-users <a title="Security: BYOD and securing the cloud in the workplace" href="http://www.btsecurethinking.com/2012/05/securebyod/" target="_blank">regarding security issues</a> is essential. No matter <a title="Coping with consumerisation: an approach to setting sensible policies" href="http://www.btsecurethinking.com/2012/05/consumer/" target="_blank">how good your policies are</a>, the weakest link is not always a malicious user but often a well-intended user who takes the wrong route.</p>
<p>Build the right security policies, be flexible and work to provide the right blend of enablement so you have control over the critical assets of the business without stifling productivity. In many cases, a user who is not educated on process and policy, in the spirit of trying to do the right thing, ends up exposing the company.</p>
<p>It doesn’t take a lot to explain why policies are in place and why they are important. Go beyond just stating, “this is our policy.&#8221; Instead, explain to employees <em>why</em> the policies are in place to ensure corporate data is protected. You can’t please everyone all the time, but when someone understands the rationale <em>behind</em> the policies, they’ll more likely stay clear of actions that could potentially harm the company and its assets.</p>
<p>As you develop and implement best practices to secure network access, don’t forget the telecom side and the old “bricks and mortar” components of the business. Many companies are so focused on protecting their networks that they forget the more traditional “telephony” side of the business (phones, faxes and modems) presents as much risk. And with the proliferation today of electronic gadgets, be mindful of refreshing (and reminding employees about) policies governing the protection of hard copies of documents and information, including hard copy plans, budgets, and paper notes taken during meetings. All too often, it’s these hard copy items that are mistakenly left behind in the seat pocket on an airplane or in a taxi or bus or hotel room.</p>
<p>And finally, it’s critical that you <a title="Are Security Risk Assessments Outdated?" href="http://www.btsecurethinking.com/2012/02/are-security-risk-assessments-outdated/" target="_blank">test your security processes</a> on a regular, on-going basis. Find ways to monitor the environment to ensure that the right behaviours are taking place — and re-educate your employees continuously. Apply the right metrics to the business’s risk appetite and match that against the governance, risk and compliance aspects.</p>
<p>Use that data in your board level discussions to effectively raise hot spots and where focus needs to be placed. Such facts are the most valuable resource to ensuring security policies are continuously kept current within today’s business environment.</p>
<p>In summary:</p>
<ul>
<li>Starting with the right agreement from a business perspective is key to obtaining appropriate funding and executive support for successful security policies</li>
<li>Define your risk appetite and ensure you classify your data appropriately</li>
<li>Having good policies in place enables you to drive best practices and know that as you make changes, they are applied in unison across the business</li>
<li>Educate. Explain policy so you can achieve buy-in, measure expectations and continue to educate — “tools are fool proof, fools are not tool proof”</li>
<li>Test your business practices, inspect what you expect on a regular basis and adjust to meet the changing landscape</li>
<li>Look beyond the current issues to ensure you have the entire risk environment in focus.</li>
</ul>
<p><em>Jeff Schmidt, Executive Global Head of Business Continuity, Security &amp; Governance at BT Global Services, is responsible for every aspect of the security-related products and services BT offers its clients — from overall business strategy, through market research and solution design to delivery and support. Previously, he managed the security side of BT’s business in the Western United States where he had full profit-and-loss responsibility for the sales and delivery of networks, <a href="http://www.globalservices.bt.com/uk/en/solutions/Managed_Security_Services" class="kblinker" title="More information about Managed Security Services">managed security services</a>, consulting services and security software. Jeff has more than 25 years of experience in leadership positions in the information technology business, including positions with Home Savings of America (now a part of JPMorgan Chase), Lucent, the California State Automobile Association (AAA), Paramount Pictures, and InCode Telecom Group (which has since become part of Ericsson). He joined BT when it acquired INS in 2007. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/protectpart2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Your Organisation’s Intellectual Property &#8211; Part 1</title>
		<link>http://www.btsecurethinking.com/2012/05/protect/</link>
		<comments>http://www.btsecurethinking.com/2012/05/protect/#comments</comments>
		<pubDate>Wed, 16 May 2012 15:14:39 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- cloud computing]]></category>
		<category><![CDATA[- risk mitigation]]></category>
		<category><![CDATA[- Security]]></category>
		<category><![CDATA[infrastructure risk]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3339</guid>
		<description><![CDATA[By Jeff Schmidt, Executive Global Head of Business Continuity, Security &#38; Governance, BT Global Services Part 1 of a 2 part blog In today’s business marketplace, with the need for “anywhere, anytime” access to information, most companies are mindful of the inherent security issues – threats of attacks, individual devices connecting to the corporate network, [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Jeff Schmidt, Executive Global Head of Business Continuity, Security &amp; Governance, BT Global Services</em></strong></p>
<p><strong><em>Part 1 of a 2 part blog</em></strong></p>
<p>In today’s business marketplace, with the need for <a title="Forget BYOB, Today’s Hyper-Connected World is all about BYOD" href="http://www.btsecurethinking.com/2012/04/forget-byob-today%E2%80%99s-hyper-connected-world-is-all-about-byod/" target="_blank">“anywhere, anytime” access to information</a>, most companies are mindful of the inherent security issues – threats of attacks, individual devices connecting to the corporate network, data leakage, and other forms of malicious intent.</p>
<p>With the “de-perimeterising” of the corporate network, more end-user devices in the workplace and the proliferation of physical and virtual storage (Google, Dropbox, iDisk, etc.) — how do you keep your business “secrets” and proprietary data contained and secure within the corporate “vault”?</p>
<p>If you add into the mix the physical span and reach of the corporate entity from local to regional and global geographies — security challenges become even more significant and complex. So where do you begin to ensure <a title="Coping with consumerisation: an approach to setting sensible policies" href="http://www.btsecurethinking.com/2012/05/consumer/" target="_blank">your corporate information is secure?</a></p>
<p>The key is to start with a few simple concepts. Implementing successful strategies to secure intellectual property isn’t about swallowing the elephant, but rather taking bites out of it, one step at a time.</p>
<p>First, do you understand your risk appetite and how that applies to the crown jewels of your business? More importantly, are you aligned from an executive position within the company? If you are, then the starting point is to define the most <a title="The “Application Age” and Next-Generation Firewall Policy Decisions" href="http://www.btsecurethinking.com/2012/05/firewall/" target="_blank">critical information to protect</a> — and what is non-critical data. For example, are there certain areas of your business that require more security and confidentiality than others?</p>
<p>Start by defining the right structure, policy and processes and then apply that information to the use case scenarios within your organisation.</p>
<p>Apply best practices in how data is treated across the business, including external entities that you may use to support your business. In simple terms, <a title="Business Continuity and Resilience Planning – How to Prepare for ‘Business not as Usual’" href="http://www.btsecurethinking.com/2012/04/continuity/" target="_blank">having good IT practice</a> in how you communicate, store and move data is essential — not only within the enterprise, but as it extends to those you do business with as well.</p>
<p>Next — address the security issues relating to access by end-user devices, a concept that’s expected to continue to mature. As we see the proliferation of end-user devices, both personal and professional, we must be able to apply the right security framework to their use while creating translucent processes that are user aware but don’t necessarily require user intervention.</p>
<p><strong>Keep checking for the second part of Jeff&#8217;s blog later this week</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/protect/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Mobility Mega Trend and the Cyber Renaissance</title>
		<link>http://www.btsecurethinking.com/2012/05/mobility/</link>
		<comments>http://www.btsecurethinking.com/2012/05/mobility/#comments</comments>
		<pubDate>Mon, 14 May 2012 13:45:19 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- anti-spyware]]></category>
		<category><![CDATA[- Malware]]></category>
		<category><![CDATA[- Mobile Device Attacks]]></category>
		<category><![CDATA[- Mobile Device Security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[BYOD Security]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3333</guid>
		<description><![CDATA[By Charles Fox &#8211; Solution Architect Cyber Warfare, BT Innovate &#38; Design The accelerating growth of threats in cyberspace is such that the conventional security strategies of the previous decades are undergoing a rapid and radical transformation just to keep up. For example, the conventional fortress mentalities of old are undergoing a renaissance as concepts [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Charles Fox &#8211; Solution Architect Cyber Warfare, BT Innovate &amp; Design</strong></p>
<p>The accelerating growth of threats in cyberspace is such that the conventional security strategies of the previous decades are undergoing a rapid and radical transformation <a title="Security: Is the West Lagging Behind?" href="http://www.btsecurethinking.com/tab/securecompliance/page/2/" target="_blank">just to keep up</a>.</p>
<p>For example, the conventional fortress mentalities of old are undergoing a renaissance as concepts such as clearly defined corporate perimeters are blown away by new trends such as <a title="For many of today’s businesses security is like an egg…" href="http://www.btsecurethinking.com/2012/05/secegg/" target="_blank">BYOD mobility</a> and <a title="Journey To the Clouds: Maturity, Agility, Risk &amp; Trust" href="http://www.btsecurethinking.com/2011/11/journey-to-the-clouds-maturity-agility-risk-trust/" target="_blank">cloud computing</a>.</p>
<p>The focus now is shifting from protecting the fort to protecting the data itself and detecting the associated data activities and dynamics irrespective of where it is located.</p>
<p>With the great diversity of <a title="Coping with consumerisation: an approach to setting sensible policies" href="http://www.btsecurethinking.com/2012/05/consumer/" target="_blank">smart phones and devices</a> that are now being used both inside and outside the corporate boundary comes a huge increase in exposure to new forms of cyber-attacks.</p>
<p>The one we focus on here is the potential to turn your new smartphone into a spyware utility.</p>
<p>Some of the many hundreds of thousands of mobile apps that you can download today contain malware such as rootkits that can take over control of your smartphone.</p>
<p><a title="2012 Cyber Security Predictions from the Websense Security Labs" href="http://www.btsecurethinking.com/2011/12/guest-post-2012-cyber-security-predictions-from-the-websense-security-labs/" target="_blank">Location-based mobile apps</a> and games all pose potential vulnerabilities. The risks include access to information such as physical location and contacts lists, as well as the ability for the apps to download malware, such as key loggers or programs that eavesdrop on phone calls and text messages.</p>
<p>Consider this scenario as an illustration. CEO Able Gull uses his smartphone at work, having earlier downloaded a few nice apps. He attends a board meeting to discuss the dire Q4 results of his company, well before any public announcement is due. One of the apps he downloaded earlier contains a rootkit that has set up spyware. As a result, spyware on the smartphone monitors the meeting by activating the smartphone microphone, records the meeting and sends information on financial performance to Bad Guys Inc. along with voice mails, emails, etc. Bad Guys Inc. then sells the information to players in the financial markets.</p>
<p>A better outcome would have been achieved if, for example, in line with corporate security policy, CEO Able Gull had made an initial connection to his corporate network with his new smartphone.</p>
<p>An access policy is created: he can access email and the internet, but IT policy restricts intranet access. Once connected, he notifies IT of the smartphone purchase.</p>
<p>IT sends the CEO an email with a link to the <a title="The “Application Age” and Next-Generation Firewall Policy Decisions" href="http://www.btsecurethinking.com/2012/05/firewall/" target="_blank">Mobile Device Management</a> (MDM) application that is available on the vendor’s app store. The CEO installs the application and completes the registration.</p>
<p>Once installed, IT can remotely manage his smartphone and monitor its compliance with IT security policy.</p>
<p>Also, IT provides the CEO with access to the company’s private app store, which includes both company-developed and third-party applications that are approved by IT.</p>
<p>MDM protects the device from malicious apps. Of course this is just risk mitigation. The company’s IT would also provide threat monitoring to detect any anomalous behaviour or data flows that might indicate a security breach.</p>
<p><a title="WHEN GOOD ADS TURN BAD: THE NEW THREAT FROM MALVERTISING" href="http://www.btsecurethinking.com/2011/10/when-good-ads-turn-bad-the-new-threat-from-malvertising/" target="_blank">The spyware threat</a> associated with smartphones and associated devices is quite significant. If you leave your smartphone on next to your laptop, spyware can in theory use the microphone on the device to monitor your keystroke sounds and analyse these to determine which key pairs were entered, and therefore what was being typed.</p>
<p>For insider threat actors it is an ideal tool to steal sensitive data and IPR from well protected corporate systems e.g. by use of the on-board high resolution camera.</p>
<p>It is something to think about when considering the implications of employees bringing their own smart phone devices into work.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/mobility/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The “Application Age” and Next-Generation Firewall Policy Decisions</title>
		<link>http://www.btsecurethinking.com/2012/05/firewall/</link>
		<comments>http://www.btsecurethinking.com/2012/05/firewall/#comments</comments>
		<pubDate>Fri, 11 May 2012 15:46:37 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- IT policy]]></category>
		<category><![CDATA[- network security]]></category>
		<category><![CDATA[- Security Policy]]></category>
		<category><![CDATA[Next Generation Firewall]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3320</guid>
		<description><![CDATA[By Sam Erdheim, AlgoSec We have entered the “application age” which has been a blessing for business productivity when organisations effectively manage their users and application usage. But it has also created security gaps. The increased use of apps and virtualisation, a growing mobile workforce and more sophisticated threats have all played a role in [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Sam Erdheim, <a href="http://www.algosec.com/" target="_blank">AlgoSec</a></strong></em></p>
<p>We have entered the “application age” which has been a blessing for business productivity when organisations effectively manage their users and application usage. <a title="For many of today’s businesses security is like an egg…" href="http://www.btsecurethinking.com/2012/05/secegg/" target="_blank">But it has also created security gaps.</a></p>
<p>The increased use of apps and virtualisation, a growing mobile workforce and more sophisticated threats have all played a role in driving IT security innovation and changing how we manage and secure the disappearing gateway.</p>
<p>Next-Generation Firewalls (NGFWs) represent the latest advances in gateway security, but while they provide you with more granular control, they also increase the complexity of your policies.</p>
<p>AlgoSec recently conducted a <a href="http://www.algosec.com/en/resources/network_security_2012">2012 State of Network Security</a> survey and while 84% of respondents believe that NGFWs have improved their security, 76% noted that these devices added significant management burden.</p>
<p>We all know that when it comes to IT security, complexity is not a good thing, so how can we take advantage of the clear benefits of next-generation firewalls without adding significant administrative burden and risk?</p>
<p>Next-generation firewalls go beyond traditional firewall traffic filtering of ports and give you more control by providing the ability to filter by application type and user identity.</p>
<p>With this added granularity you can define what groups of users can do with a particular application, allowing for better security and ultimately a business advantage (i.e. a marketer such as myself has a business need to be able to post to Facebook, but a developer does not).</p>
<p><a title="My time, my place" href="http://www.btsecurethinking.com/?s=firewall&amp;submit.x=0&amp;submit.y=0" target="_blank">Firewall policy decisions are no longer black or white</a>.</p>
<p>When setting policies at an application level, you must understand each application, its business value to different users and any potential risks that come with it.</p>
<p>More granularity leads to more rule sets and more rule sets lead to more complexity, so you need to have a plan and make sure that all involved teams are on board with it.</p>
<p>When deploying more granular, <a title="How We Manage/Don’t Manage Security is of Great Importance" href="http://www.btsecurethinking.com/2012/04/how-we-managedon%E2%80%99t-manage-security-is-of-great-importance/" target="_blank">next-generation firewall policies</a>, here are some tips to think about:</p>
<ul>
<li>Run your NGFWs in a “learning mode” so you can get visibility of what apps are being used in your environment and by whom. This can provide you with critical information in starting to define more granular policies, which you can continue to build out over time in a methodical fashion.</li>
<li>Streamline and automate the management of your next-generation policies in tandem with your traditional policies. While NGFWs provide more details and more control, for productivity and operational efficiency, you will want to make sure you can add, update, change and delete policies across all your firewall estate in a normalised way.</li>
<li>Run risk queries against specific applications as another security check, and leverage third party risk databases to provide actionable recommendations of potential things you may want to change in your policy.</li>
</ul>
<p>Next-generation firewalls certainly provide some additional benefits over traditional firewalls, but in order to truly reap the benefits (without adding to complexity and in turn increased management burden and risk) you must <a title="http://www.btsecurethinking.com/2012/03/guest-post-firewall-change-management-achieving-a-return-on-automation/" href="http://www.btsecurethinking.com/2012/03/guest-post-firewall-change-management-achieving-a-return-on-automation/" target="_blank">map out a plan in advance of your implementation</a> and have a process to manage these policies over time in the context of your broader network environment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/firewall/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>For many of today’s businesses security is like an egg&#8230;</title>
		<link>http://www.btsecurethinking.com/2012/05/secegg/</link>
		<comments>http://www.btsecurethinking.com/2012/05/secegg/#comments</comments>
		<pubDate>Wed, 09 May 2012 15:34:51 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- Breach Security]]></category>
		<category><![CDATA[- Risk IT Security]]></category>
		<category><![CDATA[- Security]]></category>
		<category><![CDATA[BYOD]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3316</guid>
		<description><![CDATA[By Chris Pickles, Head of Industry Initiatives, Global Banking &#38; Financial Markets, BT &#8230; hard on the outside but soft on the inside. Organisations tend to focus on keeping threats out, but once their external defences have been breached the perpetrators can access pretty much anything they want. Compared to the way financial institutions secure [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Chris Pickles, Head of Industry Initiatives, Global Banking &amp; Financial Markets, BT</em></strong></p>
<p>&#8230; hard on the outside but soft on the inside.</p>
<p>Organisations tend to <a title="We have security problem blah, blah, blah – can you help us?" href="http://www.btsecurethinking.com/2010/07/we-have-security-problem-blah-blah-blah-%E2%80%93-can-you-help-us/" target="_blank">focus on keeping threats out</a>, but once their external defences have been breached the perpetrators can access pretty much anything they want.</p>
<p>Compared to the way financial institutions secure data as it’s on the move, there are huge differences in operating principles.</p>
<p>In such organisations even relatively low-volume activities like payments processing and post-trade securities processing get heavyweight security applied to them, and communications are expected to be encrypted and tamper-proof with non-repudiable proof of delivery.</p>
<p>At the other end of the scale, high-volume activities such as pre-trade market data delivery and trading activities tend to have almost no security applied to them.</p>
<p>The approach is one of prioritisation.</p>
<p>In a business world of finite resources, it’s not possible to protect everything, so it’s important to make sure that you focus on securing data and traffic that is particularly sensitive.</p>
<p>In a recent interview in <a href="http://wallstreetandtech.com/data-security/232800225?cid=nl_wallstreettech_daily&amp;elq=9bc4187b95b94b5c9585864a18440221">“Wall Street &amp; Technology”</a>, Lou Steinberg, CTO of TD Ameritrade, said:</p>
<p>&#8220;Knowing my favourite flavour of ice cream is not the same as knowing my Social Security number, and so different levels of protection get assigned to different levels of information. If you try to protect everything, you protect nothing. What we&#8217;d rather do is classify our information and assign our best controls — our best protective measure — against the most important, most sensitive data.&#8221;</p>
<p>Protecting information when it moves outside your organisation is vital, but there are now an increasing number of ways for outsiders to <a title="Controlled Social Networking. Like, Comment, Share." href="http://www.btsecurethinking.com/2011/12/guest-post-controlled-social-networking-like-comment-share/" target="_blank">penetrate a company’s internal systems.</a></p>
<p>Protecting those systems is now the big issue for IT departments.</p>
<p>The risks are extended still further <a title="Forget BYOB, Today’s Hyper-Connected World is all about BYOD" href="http://www.btsecurethinking.com/2012/04/forget-byob-today%E2%80%99s-hyper-connected-world-is-all-about-byod/" target="_blank">with the rise of BYOD.</a></p>
<p>Protecting information from intruders looking to breach your external defences is a more critical issue than many IT people imagine, and it’s time to put some thought into how to do it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/secegg/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure VDI sign-on — from a factor of four, to one</title>
		<link>http://www.btsecurethinking.com/2012/05/vdi/</link>
		<comments>http://www.btsecurethinking.com/2012/05/vdi/#comments</comments>
		<pubDate>Tue, 08 May 2012 12:49:22 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- Security]]></category>
		<category><![CDATA[- virtualization]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[BYOD Security]]></category>
		<category><![CDATA[VDI]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3308</guid>
		<description><![CDATA[By guest blogger, Nathan Pearce, EMEA product manager, F5 Key themes at Infosec 2012 included the security aspects of BYOD and remote/mobile working, making Virtual Desktop Infrastructure (VDI) a hot topic. VDI deployments have been growing. Today we’re working in a diversified market where full-blown solutions are offered alongside more niche ‘point functionality’ products. But [...]]]></description>
<content:encoded><![CDATA[<p><strong><em>By guest blogger, Nathan Pearce, EMEA product manager, <a title="F5" href="http://www.f5.com/" target="_blank">F5</a></em></strong></p>
<p>Key themes at Infosec 2012 included the <a title="Security: BYOD and securing the cloud in the workplace" href="http://www.btsecurethinking.com/2012/05/securebyod/" target="_blank">security aspects of BYOD</a> and remote/mobile working, making Virtual Desktop Infrastructure (VDI) a hot topic.</p>
<p>VDI deployments have been growing. Today we’re working in a diversified market where full-blown solutions are offered alongside more niche ‘point functionality’ products. But <strong>what customers really want right now from a VDI solution is the power to use secure, single sign-on access for users accessing applications and data stores over remote connections</strong>.</p>
<p>So here’s the problem — today, when a user signs in to a VDI offering, there are as many as four login processes to pass:</p>
<ol>
<li>Device login</li>
<li>Remote access login</li>
<li>Login to the VDI solution</li>
<li>Login to the VDI desktop itself.</li>
</ol>
<p>This scenario is annoying (some would even say unacceptable) given the needs of modern mobile workers. But while this process must be capable of being governed by a single sign-on option, <a title="Re-think the risk" href="http://www.btsecurethinking.com/2012/04/assure/" target="_blank">security must remain of paramount importance.</a></p>
<p>Operation needs to be seamless and transparent, i.e. anything which feels clunky or suffers from poor usability will not wash with the demanding users of today. A key part of successfully rolling out a VDI solution involves providing users with something that they can be ‘bothered’ to use properly, following the required security process controls.</p>
<p>Allied to these usability concerns is performance, i.e. if a VDI solution’s applications suffer from latency over a reasonably good network connection, they won’t be successful in the long term. This means that a VDI should also offer tools to determine how much bandwidth a given implementation will need. <a title="F5 BIG-IP" href="http://www.f5.com/products/big-ip/" target="_blank">BIG-IP Application Delivery Controller technology from F5</a> works to offer application delivery tools that optimise network traffic for a particular VDI installation.</p>
<p>Running on F5’s TMOS operating system, BIG-IP Local Traffic Manager (LTM) improves the performance of all networked applications. VDI installations use more network communications than most networked applications, so BIG-IP LTM does more to improve their performance. Adding in the advanced capabilities of BIG-IP add-on modules for security, WAN optimisation and web acceleration can significantly reduce the need for additional infrastructure.</p>
<p>As obvious as it may sound, you can’t implement a VDI solution that performs at a lower level than the installation already in place; so any newly adopted VDI offering needs not only to be a step forward, it also has to perform its central function effectively and be able to work remotely.</p>
<p>Naturally, the VDI market will change as it matures; new vendors will enter, old vendors will evolve, and new operating systems may even fold in (at the OS level) some functionality that is currently offered only by VDI vendors.</p>
<p>F5 ADCs are vendor-agnostic and will continue to support top-tier VDI vendors such as Microsoft, VMware and Citrix with devices that are knowledgeable in the overall network and application ecosystem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/vdi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security: BYOD and securing the cloud in the workplace</title>
		<link>http://www.btsecurethinking.com/2012/05/securebyod/</link>
		<comments>http://www.btsecurethinking.com/2012/05/securebyod/#comments</comments>
		<pubDate>Fri, 04 May 2012 13:32:27 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- Cryptography]]></category>
		<category><![CDATA[- Mobile Device Security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[secure element]]></category>
		<category><![CDATA[security breaches]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3295</guid>
		<description><![CDATA[By Philip Hoyer, director of strategic solutions, ActivIdentity As the number of non-enterprise-owned mobile-based devices increases in the workplace, the ever-present issue of security raises its head. Sensitive data on company networks is becoming increasingly vulnerable as users access data via their mobile devices. An issue that will only increase as mobile technology improves. So [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Philip Hoyer, director of strategic solutions, ActivIdentity</em></strong></p>
<p>As the number of non-enterprise-owned <a title="My time, my place" href="http://www.btsecurethinking.com/2012/04/mytime/" target="_blank">mobile-based devices increases</a> in the workplace, the ever-present issue of security raises its head.</p>
<p>Sensitive data on company <a title="Coping with consumerisation: an approach to setting sensible policies" href="http://www.btsecurethinking.com/2012/05/consumer/" target="_blank">networks is becoming increasingly vulnerable</a> as users access data via their mobile devices. This is an issue that will only grow as mobile technology improves.</p>
<p>So how do organisations overcome the security issues that arise around BYOD and access to resources from the mobility cloud?</p>
<p>There are numerous answers to this, but perhaps the most important thing is to realise that <a title="Forget BYOB, Today’s Hyper-Connected World is all about BYOD" href="http://www.btsecurethinking.com/2012/04/forget-byob-today%E2%80%99s-hyper-connected-world-is-all-about-byod/" target="_blank">restricting the types of mobile device</a> that employees use is not a feasible solution.</p>
<p>It is not the device that is the issue, it is the level of security employed to protect the host network.</p>
<p>People want to use their own devices so organisations should take into account the varying nature of mobile devices and be prepared for them all. They’ll need to use a range of tactics to prevent <a title="Security breaches" href="http://www.btsecurethinking.com/2012/03/keeping-the-pipes-open/" target="_blank">security breaches</a> amid the rise of BYOD.</p>
<p>One step is to protect resources with a combination of authentication factors. This approach looks at the value of resources and classifies them in order of potential impact, should a breach occur.</p>
<p>Once classified, the appropriate level of protection can be established and put in place.</p>
<p>Strong credentialing on mobile platforms is another tool organisations can use to ensure resources are protected.</p>
<p>This includes establishing proof of possession, leveraging cryptography and keys to prove that the user’s identity is assured.</p>
<p>The best practice for strong credentialing is to leverage secure key storage within what is called a Secure Element (SE) — basically a smart card chip that includes a certified secure execution environment that has secure application and key storage.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/securebyod/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Coping with consumerisation: an approach to setting sensible policies</title>
		<link>http://www.btsecurethinking.com/2012/05/consumer/</link>
		<comments>http://www.btsecurethinking.com/2012/05/consumer/#comments</comments>
		<pubDate>Wed, 02 May 2012 13:20:40 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- Consumer Liability]]></category>
		<category><![CDATA[- Mobile Device Security]]></category>
		<category><![CDATA[- Smartphone Vulnerability]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[BYOD Security]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3282</guid>
		<description><![CDATA[By Stephen Bruce, BT Global Services What began as a trickle of smartphones, tablets and other mobile consumer devices into the workplace has surged to a flood, with no end in sight. These devices seem to seep through every crack in IT protocols and controls. But there’s no holding back the tide; employees continue to [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Stephen Bruce, BT Global Services</em></strong></p>
<p>What began as a trickle of <a title="My time, my place" href="http://www.btsecurethinking.com/2012/04/mytime/" target="_blank">smartphones, tablets and other mobile consumer devices</a> into the workplace has surged to a flood, with no end in sight. These devices seem to seep through every crack in IT protocols and controls.</p>
<p>But there’s no holding back the tide; employees continue to push, pull and smuggle their own choice of technology into work. Every large organisation must face the reality of the situation, accept what is happening and start to lead. Now is the time to stop worrying and start developing policies and practices that will allow you to enjoy the <a title="Beyond control" href="http://www.btsecurethinking.com/2011/06/beyond-control/" target="_blank">benefits of consumerisation</a> while keeping your network and data secure.</p>
<p>Companies that have not yet addressed this trend may have no idea of the security, liability and compliance risks to which they are being exposed. Yet on the flip side, there are advantages to employees using their preferred devices: greater productivity, business continuity, and improved talent attraction and retention. While no one policy will fit all organisations, here are some questions you should consider as your organisation deals with the rising tide.</p>
<p><strong>Think procurement and liability</strong></p>
<p>In setting policy it’s important first to segment your workforce to identify different types of users and determine the best ownership model by user type. This involves defining the range of applications employees need access to, from simple internet browsing and email access to the full corporate environment.</p>
<p>For employees who absolutely need mobile access to corporate applications, or <a title="Preventing Email Data Losses – Don’t Boil the Ocean" href="http://www.btsecurethinking.com/2011/09/preventing-email-data-losses-%E2%80%93-don%E2%80%99t-boil-the-ocean/" target="_blank">who hold or access sensitive data</a> (such as senior executives, legal staff and others), a model of corporate provision and corporate liability is advisable. This lets you impose the highest levels of corporate security and provides a fast-track route to restore any faulty devices, minimising downtime for key people, by completely wiping a lost or stolen device and rebuilding the replacement.</p>
<p>For occasional mobile users whose main mobile requirement is access to corporate email, a personally owned device with employee liability may be appropriate, as long as it fits with the company’s strategic goals, regulatory requirements and overall mobile policy.</p>
<p>Your organisation’s mobility policy should accommodate both corporate and employee-owned devices, and clearly define ‘acceptable use’. It’s good practice to review the policy annually.</p>
<p><strong>Think security</strong></p>
<p>Many organisations lack adequate security to protect mobile devices and corporate data: only 50 per cent enforce a password policy for mobile devices (according to Forrester), and as many as 21 per cent of employees let their family use their work laptop to access the internet, <a title="BT PeoplePower: Network Security " href="http://www.scribd.com/doc/91834460/BT-PeoplePower-Network-Security" target="_blank">according to a BT study</a>. A formal, enterprise-wide and process-driven approach is needed, which includes educating users about their responsibilities and the risks of non-compliance with mobile security policy and practice.</p>
<p>Questions to consider include:</p>
<ul>
<li>How do users learn about protecting their device/data?</li>
<li>How do you enforce acceptable use?</li>
<li>How do you secure confidential and sensitive data?</li>
<li>How do you protect devices?</li>
<li>How do you prevent downloads of unauthorised apps/illegal downloads?</li>
<li>How do you support different classes of user?</li>
<li>What happens when someone leaves your organisation?</li>
</ul>
<p><strong>Think cost management and control</strong></p>
<p>Even if employees are bringing their own mobile devices to the workplace, cost issues remain. In fact, spending on mobile services is now greater than landline voice expenditures for most organisations. But simply implementing strong corporate mobility policies and tools that actively reduce usage can typically deliver savings of between five and 20 per cent. Third-party telecom expense management services can deliver improvements in mobility strategy that <a title="Managed Mobility Expenses" href="http://www.globalservices.bt.com/LeafAction.do/param/Record/managed_mobility_expenses_products_uk_en-gb/fromPage/Search/chapterKey/1" target="_blank">generate savings of up to 30 per cent</a>.</p>
<p>Some questions to consider in determining your policy and controlling costs:</p>
<ul>
<li>Who pays for hardware and monthly service? The organisation? The employee? Is an allowance given to the employee to defray the cost? How is this managed?</li>
<li>How do you know that users have the right hardware and service for their needs?</li>
<li>How do you ensure that billing is accurate?</li>
<li>How do you define reasonable usage?</li>
<li>How do you separate personal from business usage costs?</li>
</ul>
<p><strong>Stemming the flood</strong></p>
<p>There’s still a lot to learn as we attempt to fathom this new environment. While it’s clear that policies must be established and supported by education and training, a light touch may be advisable at first, as opposed to draconian measures. Build floodgates to regulate the flow, not levees to keep all the water out. In the end, the organisation should strive to encourage good practice and aim for user self-management.</p>
<p><strong>For more on this topic, see the <a href="http://www.scribd.com/doc/74785478/Living-With-the-genie">BT White Paper</a>, ‘Living with the genie: The consumerisation of workplace technology: A guide to developing policy and practice’</strong></p>
<p><strong>Stephen Bruce is responsible for assisting the various country and vertical business units within BT Global Services to prepare for, introduce, and support BT One (BT&#8217;s global unified communications portfolio), with a focus on how effectively to support the needs of large multinational organisations that come to BT for a comprehensive and consistent global service.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/05/consumer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My time, my place</title>
		<link>http://www.btsecurethinking.com/2012/04/mytime/</link>
		<comments>http://www.btsecurethinking.com/2012/04/mytime/#comments</comments>
		<pubDate>Mon, 30 Apr 2012 13:09:00 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Cisco]]></category>
		<category><![CDATA[- Managed Security Monitoring]]></category>
		<category><![CDATA[- network security]]></category>
		<category><![CDATA[- Web Security Gateways]]></category>
		<category><![CDATA[BT Assure]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[BYOD Security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3274</guid>
		<description><![CDATA[By Tara Savage, BT Security Marketing Manager Demand to use tablets, personal smartphones and other mobile technology has increased dramatically since the release of the original iPhone and iPad. These devices captured senior executives’ attention and, predictably, they all wanted to use them at work. The speed of growth we’ve seen in enterprise usage of [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Tara Savage, BT Security Marketing Manager</em></strong></p>
<p><a title="Forget BYOB, Today’s Hyper-Connected World is all about BYOD" href="http://www.btsecurethinking.com/?s=bring+your+own&amp;submit.x=0&amp;submit.y=0" target="_blank">Demand to use tablets, personal smartphones and other mobile technology</a> has increased dramatically since the release of the original iPhone and iPad. These devices captured senior executives’ attention and, predictably, they all wanted to use them at work. The speed of growth we’ve seen in enterprise usage of these devices was unexpected and IT departments are scrambling to keep up.</p>
<p><a title="Cisco predicts internet device boom" href="http://www.bbc.co.uk/news/technology-13613536" target="_blank">Cisco predicts over 15 billion</a> network-connected devices will be in use by 2015; the average US citizen will own seven.</p>
<p>Any device really means any device, from a free mobile phone to a critical enterprise server. ‘Anywhere’ encompasses both real-world and electronic location; it includes internet, extranet, mobile, customer, partner, and all other connection types, access points, and even the phone in your pocket.</p>
<p>So the days of rigid mobile technology are over. How can businesses prepare themselves for the onslaught of platforms, upgrades, and support challenges?</p>
<p>Old thinking was to control the whole information supply chain: the devices you used, the applications you ran, the network you crossed, the resources you accessed. This was very expensive and prone to failure.</p>
<p>New thinking is to accept you can’t control the device or the public network, but you can <a title="Firewall Change Management: Achieving a Return on Automation" href="http://www.btsecurethinking.com/2012/03/guest-post-firewall-change-management-achieving-a-return-on-automation/" target="_blank">control the gateways and the policy</a>. Policy, in turn, drives exactly what and how you can access things, and what you can do once you have information on your device.</p>
<p>Vendors have so far managed basic things like encryption and remote-wipe, <a title="BT Assure" href="http://www.globalservices.bt.com/CampaignDetailAction.do?Record=Security_That_Matters_campaign_uk_en-gb&amp;fromPage=Furl" target="_blank">but an integrated suite of tools</a>, built within a framework which links to existing enterprise security programmes, is essential for any mature enterprise.</p>
<p>Trying to prohibit the use of certain devices or certain ways of using those devices is a non-starter. There’s also a good chance that by seeking to place limits on the way technology is used, you will also place a limit on people’s effectiveness and on their ability to innovate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/04/mytime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Forget BYOB, Today’s Hyper-Connected World is all about BYOD</title>
		<link>http://www.btsecurethinking.com/2012/04/forget-byob-today%e2%80%99s-hyper-connected-world-is-all-about-byod/</link>
		<comments>http://www.btsecurethinking.com/2012/04/forget-byob-today%e2%80%99s-hyper-connected-world-is-all-about-byod/#comments</comments>
		<pubDate>Fri, 27 Apr 2012 13:49:21 +0000</pubDate>
		<dc:creator>AlexanderDuncan</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- BT Global Services]]></category>
		<category><![CDATA[- iPad]]></category>
		<category><![CDATA[- iPod]]></category>
		<category><![CDATA[- mobile security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[Kindle Fire]]></category>
		<category><![CDATA[Partnership for Cyber Resilience]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[WEF]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3266</guid>
		<description><![CDATA[As we mentioned in a recent post about the WEF’s Cyber Resilience campaign, we entered the global partnership to help highlight the need for collaborative protection in light of the proliferation of end-user devices and society’s hyper-dependence on them for day-to-day activities, both personal and professional. In the not-so-distant past, companies kept a wall up [...]]]></description>
			<content:encoded><![CDATA[<p>As we mentioned in a recent post about<a title="Partnership for Cyber Resilience to Help Protect the Global Digital Environment" href="http://www.btsecurethinking.com/2012/03/partnership-for-cyber-resilience-to-help-protect-the-global-digital-environment/" target="_blank"> the WEF’s Cyber Resilience campaign</a>, we entered the global partnership to help highlight the need for collaborative protection in light of the proliferation of end-user devices and society’s hyper-dependence on them for day-to-day activities, both personal and professional. In the not-so-distant past, companies kept a wall up between company and personal devices, but that is rapidly changing.</p>
<p>“. . . there’s no beating back the tide as employees continue to push, pull and smuggle their own choice of technology into work,” wrote Stephen Bruce, portfolio partner, Unified Communications and Mobility, <a href="http://globalservices.bt.com/">BT Global Services</a>, in a recent <a href="http://www.forbes.com/sites/ciocentral/2012/01/02/coping-with-consumerization-setting-sensible-policies/">Forbes</a> article. “Every large organization must face the reality of the situation: accept what is happening and start to lead. This is the time to stop worrying and start developing policies and practices that will allow you to enjoy the benefits of consumerization while keeping your network and data secure.”</p>
<p>Companies on the leading edge of that movement are crafting “<a href="http://www.americanbanker.com/btn/25_1/bracing-for-byod-1045227-1.html">Bring Your Own Device (BYOD)</a>” policies to establish how employees can access corporate information with their personal iPad, iPod, Smartphone, Kindle, Nook or Blackberry device. Many are currently offering access to email only, but are developing programs that allow for customer interaction using iPads and other smart devices.</p>
<p>That makes sense, given that within the next two years there will be almost 2 billion smartphones used across the globe. It makes more sense to create policies now than to try to keep these devices completely out of the workplace.</p>
<p>IT departments are finding that the push comes from executives who are used to using their mobile devices on the road and don’t want to be denied access to work-related information while they travel, particularly when it is for business. So, in setting these types of BYOD policies, there are several things to consider:</p>
<ul>
<li>What types of devices will your company allow to access corporate data?</li>
<li>What types of applications will be allowed, from browsing to email to the full corporate environment?</li>
<li>What policies will you need to protect against lost data should a device be lost or stolen?</li>
<li>What security do you currently have in place to protect corporate data on personal mobile devices? Forrester claims that only 50 percent of organizations enforce a password policy for mobile devices.</li>
<li>What is acceptable use and how do you plan to enforce it?</li>
<li>How do you prevent downloads of unauthorized apps or illegal downloads on a mobile device?</li>
<li>What happens when someone leaves your organization?</li>
</ul>
<p>In addition, companies will have to consider policies surrounding payment for services, apps, etc. This will be a huge learning curve for some companies, and will, frankly, be one that is ongoing due to the ever-changing nature of mobile devices and the fickleness of end users. Companies will do best to follow the example of the leading edge companies, set BYOD policies and prepare to review policies annually.</p>
<p>For more on this topic, see the <a href="http://www.scribd.com/doc/74785478/Living-With-the-genie">BT Whitepaper</a>, “Living with the genie: The consumerization of workplace technology: A guide to developing policy and practice.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/04/forget-byob-today%e2%80%99s-hyper-connected-world-is-all-about-byod/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

