Consumerization Of IT: Security Is No Excuse

At most companies, you can't just say "no" to consumer devices. Here's a plan to take the lead on information security issues.

Sorry to break this to you, but if you're looking to use security as the reason to keep consumer technologies out of your company, you'll have quite an uphill battle. Not because the security risks aren't real (they are), and not because you can guarantee the data security on the devices (you can't). It's because, as with virtualization, the business benefits significantly outweigh the security risks. As I heard one CIO say recently: "Consumerization is a parade. You can either get out in front of it to stop it and get trampled, or you can grab the baton and lead the parade."

Consumer devices are taking hold quickly in enterprises in part because it's easy to access company data without having to get IT involved. Any employee with ActiveSync access to corporate email can get that email on their personal smartphone or tablet in less than a minute.

The first challenge in securing personal smartphones and tablets is knowing when those devices are being added to and removed from the company network, and knowing whether they adhere to company policy. Bob the engineer could connect to his corporate email with a BlackBerry today and a brand new Android phone tomorrow. The problem is that your company's email server most likely can only push a security policy to BlackBerry or Windows Mobile devices. Without proper management, you don't even know that Bob is no longer adhering to company policy.

Don't despair. Securing the unknown starts with a tried-and-true technique: default deny. Through the use of mobile device management tools such as MobileIron, you can prevent devices your IT team hasn't researched or approved from connecting to company resources. Heck, you can even make it so that any device needs your mobile application installed on it before it can receive a single corporate email. These mobile device management applications can prevent unwanted applications from being installed, can force removal of certain apps, and can even remotely wipe devices, even if your email platform doesn't support security policies on those devices. If a device is rooted or jailbroken, you can prevent it from connecting to your infrastructure altogether.

Oh, great, you're thinking: This guy thinks I'm going to default deny and then spend my life managing a whitelist of every single Android smartphone variation and every firmware variation.

But that isn't the point of this type of whitelisting. The goal of preventing unauthorized devices from connecting isn't about figuring out if the device is capable and secure enough to connect to the company's network; it's about identifying who is connecting that device to the network. Wouldn't you rather focus on whether the CFO, who has critical earnings data in his email, is trying to connect email to his new tablet, instead of worrying whether iOS 4.2.1 is on the approved list? I would. Focus your consumer IT security strategy around people and their roles, not around products.

Focusing on people relates to another major risk of these new devices: the speed at which people replace them.

Think about how many employees are changing or upgrading their smartphones--some as often as twice a year. That can mean the data stored on the SD cards and internal memory of their old phones is sitting at some store or has been resold.

Mobile device management (MDM) software can prevent device churn from affecting security by letting only one device connect per user. When the new device is provisioned--since you have a default deny policy, you'll have to approve it--you can disable and wipe the old device without having your IT team physically touch it. MDM is gaining steam mostly because it lets companies offer employees a large range of devices: most MDM technologies implement security policy using a custom-built application that's loaded on the device, so you no longer have to plead with Apple or Google to implement a new security feature in the next OS release. Most MDM vendors support BlackBerry, iOS, Android, and Windows Mobile.
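As an added illustration (not code from the article or from any MDM product), here is a small Python model of the enrollment policy described above: default deny, decisions keyed on the user and role rather than on the device model, a rooted/jailbroken and missing-agent check, and one active device per user with the previous device queued for a remote wipe. The class, user names and role table are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    model: str          # recorded for inventory, never used to decide access
    has_agent: bool     # the company's MDM application is installed
    rooted: bool        # rooted or jailbroken


@dataclass
class Enrollment:
    user: str
    device: Device
    active: bool = True


class MdmPolicy:
    """Default deny: a device connects only after explicit approval tied to a user."""

    def __init__(self, roles):
        self.roles = roles          # constructed table: user -> role
        self.enrollments = {}       # user -> Enrollment (one active device per user)
        self.wipe_queue = []        # device ids scheduled for remote wipe

    def request(self, user, device):
        """Classify a connection attempt as deny or pending; nothing is allowed outright."""
        if user not in self.roles:
            return ("deny", "unknown user")
        if device.rooted:
            return ("deny", "rooted or jailbroken device")
        if not device.has_agent:
            return ("deny", "MDM application not installed")
        return ("pending", f"awaiting approval for role {self.roles[user]}")

    def approve(self, user, device):
        """Provision the new device; disable and queue a wipe for the user's old one."""
        decision, reason = self.request(user, device)
        if decision != "pending":
            raise PermissionError(reason)
        old = self.enrollments.get(user)
        if old and old.device.device_id != device.device_id:
            old.active = False
            self.wipe_queue.append(old.device.device_id)
        self.enrollments[user] = Enrollment(user, device)
        return self.enrollments[user]

    def may_sync(self, user, device_id):
        """Mail sync is granted only to the user's single active, approved device."""
        e = self.enrollments.get(user)
        return bool(e and e.active and e.device.device_id == device_id)
```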

Those companies that can't afford MDM software need to look at data flows to these devices and pick the points they can secure. In our experience reviewing mobile risks, the most critical and confidential data is stored within the email app on the device, followed by the calendar, contact list, and any apps the user has to write notes, such as Evernote. Start with the basics: Force devices to be locked when not in use, and encrypt the email stored on the device if possible.

It's unlikely that an attacker will access critical, confidential data in an enterprise application other than email, calendar, and contacts. There are just too many variations of enterprise apps and devices to make it worth most attackers' time to write malicious code to get at data from those other apps.

[Chart: How do you ensure security of end user devices that may contain company data?]

Value In What You Already Own

Your existing security technologies inside the firewall also can help cope with consumer tech, since the email, calendar, and contacts sync with the corporate infrastructure. You can use capabilities such as data loss prevention and attachment monitoring to keep critical or confidential data from reaching employees' mobile email boxes. Still, that approach isn't as effective as combining data loss prevention with MDM.

When you start looking at the data flow, you'll see that most devices can't access the company's file server or intranet without setting up VPN access. Most of these new smartphones and tablets do support VPNs out of the box, but hopefully your VPN software can prevent access from unauthorized devices. If not, see if you can update the software so that it performs a check before any device accesses the internal network, and then blocks VPN access from devices that don't meet security policies.

However, any time you block access, be sure to also offer ways to let people securely do their work with mobile devices. Otherwise, they're more likely to just download their own apps and work around you. For example, we recommend giving employees remote desktop access to a secure and locked-down desktop via one of the many remote access apps, at the same time you're blocking VPN access from mobile devices. This approach prevents files from being copied to the device but lets the worker read and view documents. If done properly, this approach removes the risk of rogue apps and Trojan horses because company data won't be on the device in the first place.

The companies we have worked with that embrace consumer tech are getting a great side benefit: centralization of security controls. If you take our remote access example, this is actually an opportunity to provide more robust controls on a virtual desktop, while still giving employees what they want. You get the ability to audit, monitor, and prevent data loss without having to worry about the device the user is coming from--the perfect opportunity for a give and take. You give mobile computing and anywhere access, in exchange for more security controls. Remote desktop client apps are available on all major device platforms, including Android, iOS, and BlackBerry.

So get out and lead the parade. Doing so will require some assessment of devices, software security tools, and MDM software. Do these assessments even if you don't have a company policy governing consumer devices, or if your policy is to flat-out ban them. In our experience, when employees feel like IT is embracing change, they're much more likely to work with you rather than against you.

Michael A. Davis is the CEO of Savid Technologies, a technology and security consulting firm based in Chicago. Write to us at [email protected]
