Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

11/23/2011
12:23 PM
50%
50%

Five Ways To Secure The Consumer IT Invasion At Work

Companies have had to deal with increasing amounts of worker-owned device in the networks

Companies are increasingly seeing an influx of employee-owned mobile devices on their networks, a trend that will likely accelerate during the coming holiday season.

The influx of personal devices into the workplace -- more formally known as the consumerization of IT -- offers solid gains to companies in terms of productivity and allowing workers to be more flexible in how they do their jobs. The downside is that workers' devices can carry with them security threats and expose the business network to compromise.

Companies need to better deal with the security impact of employee-owned devices because the benefits are too great to dismiss, says Sanjay Beri, vice president of Juniper's security and Pulse businesses.

"This is something that every company is dealing with," Beri says. "Companies should embrace it. It is definitely the right thing to do to empower your employees."

The landscape has changed in the past year, as well. In 2010, the majority of new devices were Apple products -- iPhones and iPads -- but this year companies also need to be prepared for Android devices, a much more complex ecosystem than the stringently controlled Apple platform, says Ojas Rege, vice president of products for MobileIron.

"Companies have to get themselves educated on Android," he says.

Here's what you can do now to protect your network from the coming wave of employee-owned mobile devices:

1. Don't ban devices.
In the past, many companies have balked at providing access to their networks to consumer-owned devices. Yet the productivity gains from such technology are significant, according to a recent report commissioned by IT infrastructure firm Citrix.

The survey found that businesses are seeing productivity gains of up to 36 percent from employees who use both corporate and personal devices for work. Because of the increased productivity, a third of businesses are pushing their IT teams to allow more flexible workplace practices, including allowing consumer devices to connect to corporate resources.

"Most companies see how good these things can be for their business, so they are backing away from the knee-jerk reaction of locking out personal-owned devices," says Elizabeth Cholawsky, vice president of IT services for Citrix.

2. Find what's connecting to the network.
The first step for most firms needs to be identifying the scope of the threat by monitoring which devices are connecting to the network, says MobileIron's Rege. Device management software, historically used to manage corporation-owned devices, has a wide variety of features to set policies on devices and ensure that users are abiding by the policies.

"Companies need to have full visibility into what's connecting," he says. "When a device first comes in, they need to make sure that they can identify it and monitor it."

Most mobile device management software firms, such as MobileIron, require that devices connecting to the corporate network run their clients to help manage the security of the device.

3. Conscript network-analysis tools to identify threats.
Many companies already have technologies that can manage the threat of mobile devices and other consumer-owned technology that enter the network. Network-performance monitoring systems detect anomalous activity that could be a sign of a breach or an untrusted device attempting to expand its foothold in the network, says Steve Shalita, vice president of marketing at NetScout Systems, which makes service management products to optimize networks.

"Performance issues can often be security issues," Shalita says. "Looking for cyberthreats, which impact the network, are something that these systems already do."

Such systems can push anomaly information to security information management systems, which can help the information cross the common divide between IT management and IT security.

4. Push policy to devices.
One benefit of personal devices that run corporate device management clients is that the business can help set appropriate policies for sensitive data, Juniper's Beri says. Based on the identify of the user and the status of the phone, the company can take action.

"You can let them on the network based on who they are, as well as the status of their device -- such as whether the device is jailbroken or running a rogue app," he says.

Many companies take a "block all" policy, allowing only devices that can be identified or go through a vetting process. Others take an "allow all" policy, putting the devices on a virtual network separated from corporate resources unless they devices are authorized.

5. Establish privacy policies.
While improving the security of employee-owned IT, companies have to make sure they are also protecting their workers' privacy. Running mobile device management software on phones and tablets can reveal a lot of information about individuals if not limited by corporate policy.

"It is the right time for organizations to put their first draft of a privacy policy in place for these devices," Rege says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12280
PUBLISHED: 2019-06-25
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
CVE-2019-3961
PUBLISHED: 2019-06-25
Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browse...
CVE-2019-9836
PUBLISHED: 2019-06-25
Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.
CVE-2019-6328
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.
CVE-2019-6329
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.