Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

11/23/2011
12:23 PM
50%
50%

Five Ways To Secure The Consumer IT Invasion At Work

Companies have had to deal with increasing amounts of worker-owned device in the networks

Companies are increasingly seeing an influx of employee-owned mobile devices on their networks, a trend that will likely accelerate during the coming holiday season.

The influx of personal devices into the workplace -- more formally known as the consumerization of IT -- offers solid gains to companies in terms of productivity and allowing workers to be more flexible in how they do their jobs. The downside is that workers' devices can carry with them security threats and expose the business network to compromise.

Companies need to better deal with the security impact of employee-owned devices because the benefits are too great to dismiss, says Sanjay Beri, vice president of Juniper's security and Pulse businesses.

"This is something that every company is dealing with," Beri says. "Companies should embrace it. It is definitely the right thing to do to empower your employees."

The landscape has changed in the past year, as well. In 2010, the majority of new devices were Apple products -- iPhones and iPads -- but this year companies also need to be prepared for Android devices, a much more complex ecosystem than the stringently controlled Apple platform, says Ojas Rege, vice president of products for MobileIron.

"Companies have to get themselves educated on Android," he says.

Here's what you can do now to protect your network from the coming wave of employee-owned mobile devices:

1. Don't ban devices.
In the past, many companies have balked at providing access to their networks to consumer-owned devices. Yet the productivity gains from such technology are significant, according to a recent report commissioned by IT infrastructure firm Citrix.

The survey found that businesses are seeing productivity gains of up to 36 percent from employees who use both corporate and personal devices for work. Because of the increased productivity, a third of businesses are pushing their IT teams to allow more flexible workplace practices, including allowing consumer devices to connect to corporate resources.

"Most companies see how good these things can be for their business, so they are backing away from the knee-jerk reaction of locking out personal-owned devices," says Elizabeth Cholawsky, vice president of IT services for Citrix.

2. Find what's connecting to the network.
The first step for most firms needs to be identifying the scope of the threat by monitoring which devices are connecting to the network, says MobileIron's Rege. Device management software, historically used to manage corporation-owned devices, has a wide variety of features to set policies on devices and ensure that users are abiding by the policies.

"Companies need to have full visibility into what's connecting," he says. "When a device first comes in, they need to make sure that they can identify it and monitor it."

Most mobile device management software firms, such as MobileIron, require that devices connecting to the corporate network run their clients to help manage the security of the device.

3. Conscript network-analysis tools to identify threats.
Many companies already have technologies that can manage the threat of mobile devices and other consumer-owned technology that enter the network. Network-performance monitoring systems detect anomalous activity that could be a sign of a breach or an untrusted device attempting to expand its foothold in the network, says Steve Shalita, vice president of marketing at NetScout Systems, which makes service management products to optimize networks.

"Performance issues can often be security issues," Shalita says. "Looking for cyberthreats, which impact the network, are something that these systems already do."

Such systems can push anomaly information to security information management systems, which can help the information cross the common divide between IT management and IT security.

4. Push policy to devices.
One benefit of personal devices that run corporate device management clients is that the business can help set appropriate policies for sensitive data, Juniper's Beri says. Based on the identify of the user and the status of the phone, the company can take action.

"You can let them on the network based on who they are, as well as the status of their device -- such as whether the device is jailbroken or running a rogue app," he says.

Many companies take a "block all" policy, allowing only devices that can be identified or go through a vetting process. Others take an "allow all" policy, putting the devices on a virtual network separated from corporate resources unless they devices are authorized.

5. Establish privacy policies.
While improving the security of employee-owned IT, companies have to make sure they are also protecting their workers' privacy. Running mobile device management software on phones and tablets can reveal a lot of information about individuals if not limited by corporate policy.

"It is the right time for organizations to put their first draft of a privacy policy in place for these devices," Rege says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.