Today I'm wrapping up the 4-part series on BYOD, Bringing Your Own Device. I've held off on publishing part 4 until we've had time to let the dust settle a bit, discuss the issues at length, and possibly come to a consensus on defensive posture. What has happened is that there are still largely 2 camps in the security community, and various opinions outside of it. I'll address that here and try to wrap up the discussion with some logical next steps.
This final part is on 'defense', though after thinking about it - maybe I should have called it strategy. When it comes down to it, BYOD is only possible if you've ever gotten the basics of data-centric security right. You know, protecting the actual data rather than trying to build elaborate structures around the things that work with that data in order to compensate. Let me explain.
Here's the deal: after all the conversations, the debates, the long posts, and my colleagues contributing their own posts, it all comes down to something my friend Boris (goes by @jadedsecurity on Twitter) said: "I'm actually beginning to think byod might not be so bad if done right. Treat it all as hostile instead of nitpicking controls".
In the final analysis, the one key word is data. If you don't understand how your data is stored, how it's used, and by whom, you've got a problem that all the shiny blinking boxes and add-ons in the world won't solve. Security teams the world over have in place today elaborate schemes to authenticate devices, control network ingress and egress, and scan systems for malicious bits because we fundamentally don't understand how to protect the data. Rather than drawing the defense around the bits of information, the tendency is to expand it outward - and the result of that madness is that we now have banks talking about (and in some cases doing!) pushing a paid browser plug-in to their end users' devices to protect them while they use the bank's site or application.
In the security community there are basically 2 camps: those who think BYOD is untenable, and those who shrug it off as yet another evolution. You'll find the people who shrug it off without much heartburn are the ones who have been pushing the perimeter inward in their organization instead of the other way around... designing mechanisms to understand data ownership, flow, and lifecycle. The rest panic or have varying degrees of inappropriate response.
There is also the recurring theme of VDI, or virtual desktop. Of course, the minute you bring up virtual desktop someone is bound to mention that developers don't fit this use-case well (something I'm not quite sure I am on board with) and therefore it invalidates the virtualization option. That's just silly. Your developers are probably a small portion of your total user population (unless your organization is heavy into development, but then you're in the minority of companies) and the rest of the organization can virtualize just fine. Virtualization is coming along on remote devices as sandboxes are starting to become more flexible and device privacy and segmentation are getting discussion and answers.
Outside the security community there are differing thoughts on whether BYOD is simply a passing fad which will resolve itself over time as organizations realize just how mad it is, or whether it will finally drive the last nail into security's coffin. I don't think BYOD is a fad, nor do I think that it necessarily buries security.
My thoughts on a technical solution to BYOD are a return to basics, as I mentioned in the previous post. An even simpler answer: before you look outward for a solution, look inward for the answers to how you're classifying, storing and using your critical data.
BYOD isn't the apocalypse. What I believe BYOD does give us in information security is a wake-up call of sorts. We've largely been able to get away with being incapable of understanding data-centric defensive strategy for a long, long time because we can layer ridiculous defenses to the point of rendering our users incapable of being productive. Enter BYOD, which really is a game changer, but not the way you may think. BYOD changes the game because it makes us really go back to basics and de-focus on the distractions of "layered unusability", which is what Information Security organizations should be doing anyway.