Dark Reading is part of the Informa Tech Division of Informa PLC

Consumerization Of IT: Security Is No Excuse

At most companies, you can't just say "no" to consumer devices. Here's a plan to take the lead on information security issues.

Sorry to break this to you, but if you're looking to use security as the reason to keep consumer technologies out of your company, you'll have quite an uphill battle. Not because the security risks aren't real (they are), and not because you can guarantee the data security on the devices (you can't). It's because, as with virtualization, the business benefits significantly outweigh the security risks. As I heard one CIO say recently: "Consumerization is a parade. You can either get out in front of it to stop it and get trampled, or you can grab the baton and lead the parade."

Consumer devices are taking hold quickly in enterprises in part because it's easy to access company data without having to get IT involved. Any employee with ActiveSync access to corporate email can get that email on their personal smartphone or tablet in less than a minute.

The first challenge in securing personal smartphones and tablets is knowing when those devices are being added to and removed from the company network, and whether they adhere to company policy. Bob the engineer could connect to his corporate email with a BlackBerry today and a brand new Android phone tomorrow. The problem is that your company's email server most likely can push a security policy only to BlackBerry or Windows Mobile devices. Without proper management, you don't even know that Bob is no longer adhering to company policy.

Don't despair. Securing the unknown starts with a tried-and-true technique: default deny. Through the use of mobile device management tools such as MobileIron, you can prevent devices your IT team hasn't researched or approved from connecting to company resources. Heck, you can even make it so that any device needs your mobile device management application installed on it before it can receive a single corporate email. These mobile device management applications can prevent unwanted applications from being installed, can force removal of certain apps, and can even remotely wipe devices, even if your email platform doesn't support security policies on those devices. If a device is rooted or jailbroken, you can prevent it from connecting to your infrastructure altogether.

Oh, great, you're thinking: This guy thinks I'm going to default deny and then spend my life managing a whitelist of every single Android smartphone variation and every firmware variation.

But that isn't the point of this type of whitelisting. The goal of preventing unauthorized devices from connecting isn't about figuring out if the device is capable and secure enough to connect to the company's network; it's about identifying who is connecting that device to the network. Wouldn't you rather focus on whether the CFO, who has critical earnings data in his email, is trying to connect email to his new tablet, instead of worrying whether iOS 4.2.1 is on the approved list? I would. Focus your consumer IT security strategy around people and their roles, not around products.

Focusing on people relates to another major risk of these new devices: the speed at which people replace them.

Think about how many employees are changing or upgrading their smartphones--some as often as twice a year. That can mean the data on the SD cards and internal memory of their old phones is sitting at some store or has been resold.

Mobile device management (MDM) software can prevent device churn from affecting security by letting only one device connect per user. When the new device is provisioned--since you have a default deny policy, you'll have to approve it--you can disable and wipe the old device without having your IT team physically touch it. MDM is gaining steam mostly because it lets companies offer employees a large range of devices: most MDM technologies implement security policy using a custom-built application that's loaded on the device, so you no longer have to plead with Apple or Google to implement a new security feature in the next OS release. Most MDM vendors support BlackBerry, iOS, Android, and Windows Mobile.
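The default-deny, one-device-per-user flow described in the last few paragraphs, as an added example that is not code from the article or from any MDM product: the `EnrollmentPolicy` class is a hypothetical stand-in for an MDM console's enrollment logic, and the user names, device ids and device attributes are constructed sample values. It keys decisions on who owns the device rather than on which model or OS version it runs, refuses rooted or jailbroken devices outright, and queues the previous device for a remote wipe when a replacement is approved.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    """Facts an MDM agent would report about a phone or tablet at sync time (constructed)."""
    device_id: str
    owner: str             # the person enrolling it, e.g. "bob" or "cfo"
    platform: str          # "ios", "android", "blackberry", "windowsmobile"
    agent_installed: bool  # the MDM's own app is present and reporting
    compromised: bool      # rooted or jailbroken


class EnrollmentPolicy:
    """Default deny: a device syncs mail only if it is the one approved device of a known person."""

    def __init__(self) -> None:
        self.approved: Dict[str, Device] = {}  # owner -> the single device allowed to sync
        self.pending: Dict[str, Device] = {}   # owner -> device awaiting IT approval
        self.wipe_queue: List[str] = []        # device ids to be remotely wiped
        self.audit: List[str] = []

    def _baseline(self, dev: Device) -> Optional[str]:
        """Checks that apply to every device regardless of owner or model."""
        if dev.compromised:
            return "deny: device is rooted or jailbroken"
        if not dev.agent_installed:
            return "deny: MDM agent not installed"
        return None

    def decide(self, dev: Device) -> str:
        """Decision made each time a device tries to sync corporate mail."""
        reason = self._baseline(dev)
        if reason:
            return reason
        cur = self.approved.get(dev.owner)
        if cur is not None and cur.device_id == dev.device_id:
            return "allow"
        # Anything not explicitly approved for this person is denied, whatever its model or OS.
        return "deny: not the approved device for " + dev.owner

    def request(self, dev: Device) -> str:
        """A user connects a new device: park it for approval instead of vetting the model."""
        reason = self._baseline(dev)
        if reason:
            self.audit.append(f"{dev.owner}/{dev.device_id}: {reason}")
            return reason
        self.pending[dev.owner] = dev
        self.audit.append(f"{dev.owner}/{dev.device_id}: pending approval")
        return "pending"

    def approve(self, owner: str) -> Optional[str]:
        """IT approves the pending device; any previous device is revoked and queued for wipe.
        Returns the id of the device queued for wipe, if there was one."""
        new = self.pending.pop(owner, None)
        if new is None:
            return None
        old = self.approved.get(owner)
        wiped = None
        if old is not None and old.device_id != new.device_id:
            self.wipe_queue.append(old.device_id)
            wiped = old.device_id
            self.audit.append(f"{owner}/{old.device_id}: revoked and queued for wipe")
        self.approved[owner] = new
        self.audit.append(f"{owner}/{new.device_id}: approved")
        return wiped


def demo() -> Dict[str, object]:
    """Bob swaps his BlackBerry for an Android phone; the CFO's jailbroken tablet is refused."""
    policy = EnrollmentPolicy()
    bb = Device("bb-001", "bob", "blackberry", agent_installed=True, compromised=False)
    droid = Device("and-002", "bob", "android", agent_installed=True, compromised=False)
    jb_ipad = Device("ipad-003", "cfo", "ios", agent_installed=True, compromised=True)

    policy.request(bb)
    policy.approve("bob")
    first = policy.decide(bb)          # the approved BlackBerry may sync
    before = policy.decide(droid)      # new Android phone is denied until IT approves it
    policy.request(droid)
    wiped = policy.approve("bob")      # old BlackBerry goes to the wipe queue
    after_new = policy.decide(droid)   # Android phone now allowed
    after_old = policy.decide(bb)      # old phone can no longer sync
    cfo = policy.request(jb_ipad)      # baseline check refuses it outright
    return {"first": first, "before": before, "wiped": wiped,
            "after_new": after_new, "after_old": after_old, "cfo": cfo,
            "wipe_queue": list(policy.wipe_queue), "audit": list(policy.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit trail is the part worth keeping in a real deployment: it records who connected what and when the previous device was revoked, which is the evidence you need when a resold phone turns up later.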

Those companies that can't afford MDM software need to look at data flows to these devices and pick the points they can secure. In our experience reviewing mobile risks, the most critical and confidential data is stored within the email app on the device, followed by the calendar, contact list, and any apps the user has to write notes, such as Evernote. Start with the basics: Force devices to be locked when not in use, and encrypt the email stored on the device if possible.

It's unlikely that an attacker will access critical, confidential data in an enterprise application other than email, calendar, and contacts. There are just too many variations of enterprise apps and devices to make it worth most attackers' time to write malicious code to get at data from those other apps.

[chart: How do you ensure security of end user devices that may contain company data?]

Value In What You Already Own

Your existing security technologies inside the firewall can also help cope with consumer tech, since the email, calendar, and contacts sync with the corporate infrastructure. You can use capabilities such as data loss prevention and attachment monitoring to keep critical or confidential data from reaching employees' mobile email boxes. Still, that approach isn't as effective as combining data loss prevention with MDM.

When you start looking at the data flow, you'll see that most devices can't access the company's file server or intranet without setting up VPN access. Most of these new smartphones and tablets support VPNs out of the box, so check whether your VPN software can prevent access from unauthorized devices. If not, see if you can update the software so that it performs a check before any device accesses the internal network, and then blocks VPN access from devices that don't meet security policies.

However, any time you block access, be sure to also offer ways to let people securely do their work with mobile devices. Otherwise, they're more likely to just download their own apps and work around you. For example, we recommend giving employees remote desktop access to a secure and locked-down desktop via one of the many remote access apps, at the same time you're blocking VPN access from mobile devices. This approach prevents files from being copied to the device but lets the worker read and view documents. If done properly, this approach removes the risk of rogue apps and Trojan horses because company data won't be on the device in the first place.

The companies we have worked with that embrace consumer tech are getting a great side benefit: centralization of security controls. If you take our remote access example, this is actually an opportunity to provide more robust controls on a virtual desktop, while still giving employees what they want. You get the ability to audit, monitor, and prevent data loss without having to worry about the device the user is coming from--the perfect opportunity for a give-and-take. You give mobile computing and anywhere access, in exchange for more security controls. Remote desktop client apps are available on all major device platforms, including Android, iOS, and BlackBerry.

So get out and lead the parade. Doing so will require some assessment of devices, software security tools, and MDM software. Do these assessments even if you don't have a company policy governing consumer devices, or if your policy is to flat-out ban them. In our experience, when employees feel like IT is embracing change, they're much more likely to work with you rather than against you.

Michael A. Davis is the CEO of Savid Technologies, a technology and security consulting firm based in Chicago. Write to us at [email protected]
