BYOD - Challenges of protecting data - Part 3

Welcome to part 3 of the 4-part series on Bring Your Own Device (BYOD).


In part 1 I set up the discussion points for you and gave you a bit of a background primer.  This generated some discussion.

In part 2 I discussed the debate over one of the key pro-BYOD arguments, increased productivity. This, too, generated discussion.


This brings me to part 3 of the series, the security point-of-view (PoV).  We've generated enough discussion, and complementary blog posts on this topic, to make a novel, so I'm going to try and keep this post relatively short (har, har), sane, and in my own voice.  I know lots of you out there have your own opinions and have written on this topic, so please tack those onto the comments section of this post... also leave a Twitter handle for how we can reach you.


I'm going to break this post down into 3 sections: issue analysis, technical challenges, and possible solutions.


If there's one thing I've learned through the last few days talking to people on Twitter about this (and reading the many comments posted) it's that there is absolutely no simple solution, and we're likely not going to all agree.  With that in mind, I continue to invite your discussion, comments, and personal thoughts on this.  Most importantly I'd love to hear from those that have implemented BYOD, from the security and operations angle ... how was it?



Issue Analysis


Let's take a look at the first part of this ... as one of the many comments on the last post summarized (via @ScreamingByte):


"...what I think we have really arrived at is that we're not blaming BYOD for current failures - we're acknowledging that BYOD would compound current failures."


He points that out rightly, as issues stemming from employees bringing their own devices into the corporate network just compound the problems we have masked today by locking down corporate productivity gear.  The thinking appears to be that if IT can lock down the corporate laptop and not let employees browse content, participate in social media, or load their own software, that will somehow translate into a 'secure' laptop.  Dead wrong, and we have proof littered through the media to demonstrate this case.


At the heart of all of this I believe is that we (I'll include myself in this, since I was not so long ago a sleeves-rolled-up practitioner in big corporate IT) have not actually figured out that there is no such thing as secure.  Therefore, while chasing the myth we've been struggling with the question of how to get to a place we can never reach - I see a problem here, simply on principle.


Another point is that corporate-owned devices aren't the enemy of productivity - a highly restrictive technology platform is.  Employees should be able to work in whatever manner keeps them the most productive while keeping them generally content or happy.  In the push for some obscure vision of security, IT organizations have failed to serve their number one customer - the user.  By the way, if you fail to understand that security serves the user ... I think you're short-changing yourself.


So there we have it, we're back to basics ... again.


I don't think the sky is quite so dark though, as I may have led you to believe... IT Security isn't just a pack of rabid monkeys pushing random policy and yelling at users, at least not all the time :-)  In many cases security is highly fractured and broken as a response to irrational business requests and requirements - and sometimes you just can't help it.  Been there, I can show you the scar.


Whatever the case is, we can agree that BYOD is going to take the many, many potentially small holes in your environment and drive a semi truck through them ... blowing a hole the size of a Buick in what security we have now.  This requires a full-scale mobilization ... and it's not just because BYOD is going to happen whether you like it or not - but it's mainly because we need to fix this train wreck we call corporate security.



Technical Challenges


Let's acknowledge that the reason IT Security has even a remote grip on IT risks right now is that we've had a relatively easy go at it.  Face it, when you can enforce a lock-down policy on your devices (such as laptops) and turn off so many features that you've decreased the attack surface drastically - and in the process made that piece of equipment as much fun as a two-by-four to the back of the head - it's at least conceivable that you can claim to be able to manage your technical risks.


When someone brings their own, fully operational, fully functional devices with a bright shiny attack surface that you haven't had a chance to lock down ... your defensive paradigm falls over.  Unless you're doing smart security at many different layers including the data layer you're about to be in way, way over your head... so that's technical challenge number one - loss of ability to "lock down" mobile endpoints.


Technical challenge number two is a response to number one ... the desire to push and enforce policies, software and patches to non-managed endpoints (BYOD devices).  A technical nightmare, wouldn't you agree?  Let's just take the dozens of flavors of Android tablet devices out there - all at different operating system versions, with different features turned on/off by each manufacturer, and with varying levels of securability (I think that's a word?)  Can you secure all of these variants when they all request to access your corporate MS Exchange server?  Maybe, no guarantees.  Oh, right, then we get to yet another problem - rooted devices.  I have absolutely no idea how many of these feature-enhancements for managing mobile endpoints handle a rooted device, which could potentially subvert policy enforcement.  Just thought I'd throw that one out there... if you have any technical expertise or experience with this, please do speak up!


Technically it should be possible to manage most of the soon-to-be-inbound devices from some sort of automated tool or platform.  BYOD has existed for a long time so there must be tools out there to do this ... which brings me to another sticking point... privacy.


So @BrianHonan who lives out in the EU (Ireland, specifically) made a big stink about privacy when we first started talking about the idea of pushing and 'owning' BYOD devices.  He feels, and rightly so, that if the device is YOURS the corporation shouldn't be able to snoop into your private text messages, photos and what-not.  But where do you draw the line?  I don't believe the technology exists today across all devices which can effectively create a full sandbox separation between your corporate space and your private space on your personal device.  Then there's just the creepiness factor of knowing that at any time the company can read and control everything on your device ...all because you wanted to use your iPad to read corporate email.


I still think the biggest technical challenge is that many organizations I know, and you probably do too, would have to completely re-architect their environments to accommodate BYOD in a sane fashion.  What I mean by this is architecting component-level and even data-level security into their environments.  Technically - this is virtually a non-starter ... I can't even begin to imagine the work effort this would require.  Identifying where your data lives, classifying it, securing your applications, auditing your user roles and permissions ... this seems like too big of an Everest.


The final point here before I move on is something we've tackled in the previous post ad nauseam, so I'll just restate it briefly - support.  I can't even imagine the IT support nightmare that happens when someone is allowed to bring their very own device into the corporate sphere...



Possible Solutions


My first and primary recommendation for not only surviving but maybe thriving a BYOD reality is going back to basics.


  • Understand your data - It's been said before but security starts and ends with protecting data.  Knowing what's critical to your organization, where it is, who uses it and how is key.  If you can't do this very, very basic thing expect the waters to keep rising around you as you bail with a thimble.  I recognize that in many very large organizations there is no prayer in Hades that you'll identify all of your data ... but that's no excuse not to try, or at the very least to make it a priority to find the most super-duper-critical.  Find it, understand it, understand how it's used and how it moves ... decide whether encryption is enough, or dynamic data masking (DDM), or something virtual desktop or ... you get the idea.  It starts and ends with data, period.
  • Secure your applications - You have so many applications in your organization that are poorly secured, and that probably house some fairly critical business functions.  Whether these applications are accessed by some random Internet-based user, or your "inside the firewall only" corporate user - it won't matter anymore because your applications should be resistant to attack and tampering no matter who the user is.  Get rid of the silly notion of applications that are "inside the firewall"... and let's just finally integrate security into development, testing, deployment and the rest of the life-cycle of your applications.
  • Understand your user - I bet right now most of your users have way, way too much access on your network, systems, and applications.  I am not talking about users having local admin on their workstations or laptops, I mean at the file-server level, at the application level or at the data store level.  In a previous life when auditing a database for a group it became apparent that while only 30% or so of their employees had access to the big corporate database, once you authenticated to the database you could select/update/delete from any table, any time... how silly is that?  It's time to review your user access rights, across your environment and really do some IdM (Identity Management).
  • Increase visibility - It's time to stop wasting all of those logs your systems and applications are generating.  Plug it all into an analysis engine that can make sense of it, pulling in context from your change-management database and your asset inventory, so you can see threats in a near-real-time fashion, which gives you a chance to spot that obscure needle in the stack of needles... be honest with yourself, would you even know if someone plugged a foreign object into your network today?
  • Have a good policy - Policy, it's more important than we care to admit.  While it may be just some words on a page - once you've educated your employees on the freedoms they have and what happens when they abuse those freedoms, and what responsibilities they have for protecting the company and themselves it's a powerful tool.  Policy can be enforced with incentives as well as negative reinforcement if necessary - the key here is that if you don't have a well-written policy you've got no legs to stand on.
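As an added example (not code from the original post), here is the kind of correlation the "Increase visibility" point describes: DHCP lease log lines checked against an asset inventory, so that a device nobody registered shows up as an alert instead of being lost in the log noise. The log format, MAC addresses and inventory entries are constructed sample data, and the inventory is assumed to be keyed by MAC address.

```python
import re

# Constructed asset inventory: MAC -> record. Hypothetical sample values, not from the page.
ASSET_INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"name": "finance-laptop-07", "managed": True},
    "00:1a:2b:3c:4d:5f": {"name": "printer-2f", "managed": True},
}

# Constructed DHCP server log lines in an ISC dhcpd-style syslog format (sample data).
SAMPLE_LOG = """\
Jul 11 09:12:01 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:5e (finance-laptop-07) via eth0
Jul 11 09:13:44 dhcpd: DHCPACK on 10.0.5.22 to a4:5e:60:11:22:33 (Daves-iPad) via eth0
Jul 11 09:14:10 dhcpd: DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5f via eth0
Jul 11 09:15:02 dhcpd: DHCPACK on 10.0.5.24 to a4:5e:60:11:22:33 (Daves-iPad) via eth0
Jul 11 09:16:30 dhcpd: DHCPDISCOVER from a4:5e:60:11:22:33 via eth0: network 10.0.5.0/24: no free leases
"""

# Only DHCPACK lines mean an address was actually handed out; the hostname in parentheses is optional.
LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via \S+$"
)


def parse_leases(log_text):
    """Yield (timestamp, ip, mac, hostname) for each DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower(), m["host"] or ""


def find_unknown_devices(log_text, inventory):
    """Correlate leases with the asset inventory: one alert per MAC the inventory does not know.

    Repeated leases for the same unknown MAC are folded into one alert, so a
    single foreign device does not flood the analyst with duplicate alerts.
    """
    alerts = {}
    for ts, ip, mac, host in parse_leases(log_text):
        if mac in inventory:
            continue  # known corporate asset; nothing to flag
        entry = alerts.setdefault(mac, {"first_seen": ts, "hostname": host, "ips": []})
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
    return alerts


if __name__ == "__main__":
    for mac, info in find_unknown_devices(SAMPLE_LOG, ASSET_INVENTORY).items():
        print(f"UNKNOWN DEVICE {mac} ({info['hostname'] or 'no hostname'}) "
              f"first seen {info['first_seen']} on {', '.join(info['ips'])}")
```

In a real deployment the inventory would come from the CMDB or MDM enrolment list and the alert would be raised in the analysis engine rather than printed; the point is that the lease log alone tells you nothing until it is joined with that context.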


There we have it - part 3 is a wrap.  I'm sure this will generate some discussion too.  Mainly I'm interested in hearing how you're coping with these challenges (and hopefully thriving) and where my presentation of the security PoV differs from your thinking.  If you're going to leave a comment, please also leave your Twitter handle (if you have one ... you have got one don't you?) so we can take the conversation to the community of practitioners, managers, and thinkers who are all working to put a fence around this issue.


Thanks, I look forward to hearing from you - and stay tuned for part 4 ... coming soon!

ScreamingByte(anon) | 07-11-2012 10:06 PM

I'm not really sure what substance I can add to this conversation now - Mr. Los pretty much steals all the thunder with this post.  This says exactly what I've been thinking - although I have to admit I have only recently come to the conclusion (I have always been a lock-down kind of guy and in many ways I still am).  I alluded to this earlier in one of my posts, but I want to stress it.  Until there is far more security built-in to all devices systemically, we will still have big issues with BYOD (depending on the environment deployed).

I agree.  To throw out everything - right down to the many languages out there... is just insurmountable.  I really believe that we will eventually overcome this, but we have to develop security-focused languages with an architecture that enables new solutions that are security enhanced and enabled.  As things stand now, it's just way too easy to break code (or inject or whathaveyou).  I think we are just getting a bit too big for our pants and I mean that as in technology as a whole.  We are starting to run before we've walked and, while languages have become more expansive, it's left up to the coder to include best security practice - and even then we still have zero days that pop up like daisies.


I do have hope for the future, even though I believe that infosec will be very tumultuous in the future (hey, job security, right?) but the fact remains that I don't want to be hacked and so I don't want anyone else to have to suffer through ID theft, or lose their job over a security issue.  I think Mr. Los is correct and BYOD is going to happen no matter what, but the infosec community will figure something out and getting back to the basics and coming up with new ways to think about what is secure and what isn't will be key.  Something I've said for as long as I've been involved with IT -> no device is ever completely secure.  I walked away from a consulting opportunity, because one of the "senior IT" people tried to tell me that UNIX-based systems "can't be hacked".  That was at a BANK!  People need to realize that no device is secure - even if it's turned off!  Someone can physically steal it (or maybe even a WOL possibly?)  or damage it.  If it exists, and you own it, and it has stuff on it that is critical - it is never safe.  Enter reasonable risk mitigation - walking the RMA line.  There are so many protocols, so many interfaces, so many ports... unfortunately, the hackers have the upper hand (and always will I might add ;) )  


By its very nature, security is reactive.   How does that play out for BYOD right now?  I'm not sure.  I agree with sticking to the basics, but if you're going to deploy it, for goodness sake, do it with a proper requirements analysis and a system methodology.  I guess I really can't add anything else specifically to the discussion now and Mr. Los has a great post here.  I'm very excited to see where this goes in the future.  I have never deployed BYOD and I haven't had the chance to attack it yet, so perhaps I am speaking out of place.  I still would love to hear from someone who has deployed this and especially if any pentesters have had a shot at one of these!

Darragh Delaney(anon) | 07-18-2012 10:56 AM

I also think that when it comes to protecting data you need to have a plan in place for when BYOD goes bad. Someone will lose something so it's better to plan for this scenario in advance of it happening. The solutions you suggest all apply here. Increasing visibility so that you can understand what your users are doing with applications and data. Our mutual friend @BrianHonan has a good PDF to get people started on developing an incident response plan

gfathp(anon) | 07-19-2012 02:19 PM

Quite interesting to see people talk over and over again about all these BYOD technical challenges. Why so complicated - simple answer (wow, from someone who always talks about a security holistic approach...): if your business (CxO) really thinks about all the great cost savings with a BYOD strategy, there is only one technical solution, especially about the personal data privacy concern (MDM client impossible to deploy for this type of private devices): create your own enterprise app for iOS, Windows Mobile & Android and offer a dedicated virtual work space (aka sandbox) where you let run ALL your enterprise related stuff (you know, some fancy shiny full-retina display enabled app), including email, SAP GUI, Salesforce app & co! No local copying is allowed, nor offline sync of data, no printing (c'mon, everyone has WLAN or 3/4G/LTE hotspot, so no excuse to have something offline available!). Also everything will be sent through TLS and you can also enforce strong authentication (modern 2-factor). /solved....
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation