Tech Insight: Bringing Security To Bring-Your-Own-Network Environments

[Jason Sachowski is a security professional at ScotiaBank. His content is contributed through the auspices of the (ISC)2 Executive Writers Bureau.]

Most security professionals are wrestling with the bring-your-own-device (BYOD) phenomenon, in which end users introduce their own mobile devices -- and a new range of security risks -- to the corporate network. Increasingly, however, the BYOD security environment is further complicated by another emerging phenomonon: bring your own network (BYON).

The BYON security problem is a by-product of increasingly common technology that enables users to create their own mobile networks. These Dynamic Area Networks (DAN), usually created through mobile wireless hotspot capabilities, necessitate a new approach to security in which not only are internal devices treated as untrusted, but internal networks may be untrusted as well.

Like BYOD, the BYON security issue is not solved simply through point solutions. It requires the right combination of people, process, and technology.

Before the BYOD wave occurred, organizations defined a network perimeter and architected their intranets accordingly. Today, however, organizations must accept the reality that all networks -- and all devices -- should be treated as hostile, regardless of how many technical security controls you have in place.

There is no single cause to this hostility. Some of it is due to the declining effectiveness of signature-based technologies as new threats evolve. Some of it is a function of the growing mobility of users, who must now simultaneously connect to both internal and external networks.

In the world of BYOD and BYON, enterprises must create new service models that assume networks are hostile, devices are unmanageable, and data will be consumed from a variety of technology platforms.

The enterprise must have people on-site who can help implement this new approach to security. There also must be a well-defined set of processes -- including policies, standards, directives, and guidelines -- that can support both BYOD and BYON. Not only do these processes have to consider data elements -- what data requires protecting, where security controls will be enforced, and how data will be protected --– but they must define acceptable business conduct when it comes to BYOD/N technologies.

Traditionally, IT's assumption has been that employees will use systems managed by the organization. So where do the unmanaged BYOD and BYON systems fit in? There must be an approved BYOD process that defines how an organization will address unmanaged system.

In a 2012 article titled "Prepare For Anywhere, Anytime, Any-Device Engagement With A Stateless Mobile Architecture," Forrester Research discusses the concept of an "extended enterprise," where organizations must control access to critical resources regardless of the connecting device, networks being crossed, or data repository.

In order for organizations to adapt to the current state of user mobility or its subsequent evolutions, Forrester says, they must focus their security controls on the data, not the network or device, exposing only what it required for employees to conduct business.

As with BYOD, there is no single point technology that can be implemented as the overall solution for BYON. As a starting point to a suite of technical controls, the first step is to build a data-centric security model. Data-centric security has been around for quite some time and, through such trends as BYOD, is a forerunner in enabling organizations to provide user mobility by collapsing network controls around data repositories and building the appropriate security controls into the application layer.

The next step is shifting away from network security controls throughout the infrastructure and moving them inbound, creating a perimeter to protect the data repositories. This approach helps organizations eliminate the anxiety of data sources co-existing on the same hostile network as the unmanaged devices.

Having collapsed the network perimeter around the data sources -- as a data-at-rest control -- we can now turn our attention to data access methods -- the data-in-transit controls. One way to take this step is by implementing next-generation firewalls (NGFW).

Traditional firewalls can only enforce security controls up to the transport layer; they do not understand the context who is accessing the data and how it is being accessed. With a NGFW, organizations gain extended visibility into data usage, including application type and the user identity. This makes it easier to give mobile users access anywhere and anytime, while simultaneously filtering out the anomalous or malicious content.

The final piece of the puzzle is designing, developing, and deploying applications that can support anywhere, anytime access --- data-in-use controls. There are two approaches an organization can take when deploying mobile-ready applications.

The first approach is to expand on industry best practices for secure software development by embedding additional layers of security filtering controls into the application, such as data masking or role-based authentication.

The second approach is to use application virtualization software to secure data inside of a mobile container that is not concerned with risks of unmanaged devices or hostile networks.

By following either of these approaches, organizations can allow data to be accessed anytime and anywhere, with the assurance that the data will be used in its intended context, stored in its intended locations, and transferred through approved methods.

BYOD and BYON are here to stay -- they will continue to create business and IT environments that are unmanageable and increasingly hostile. As security professionals, we must re-evaluate traditional security practices and create service models that offer secure data access -- regardless of the device, network, or source.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.