Enterprise security - a moving goalpost

Bring your own device and the consumerisation of IT pose new challenges for enterprise information security.

By Lance Harris, freelancer
Johannesburg, 09 Dec 2013
Jayson O'Reilly, DRS, says the emphasis in endpoint security has shifted from protecting the device to protecting the data on it.

Information security used to be siege warfare, with companies able to lock their data, applications and infrastructure inside the fortress-like security of their own networks. But today, the war against malicious hackers, data thieves and other security threats is more like guerrilla combat against an increasingly sophisticated and agile enemy.

Over the past three years, the increasing mobility of the workforce and the growing adoption of cloud services have changed the ways companies work. Today, the endpoint is no longer necessarily a PC on a desk inside the corporate network - it could just as easily be a smartphone or tablet owned and managed by the user.

"IT consumerisation is a real phenomenon," says Nader Henein, security advisor at BlackBerry. "This is the first time we're seeing consumers push enterprise adoption of technology." The latest smartphones and tablets hit the consumer market first, and permeate the enterprise when users bring devices they have bought themselves to work.

The line between a public and private device has become blurred as a result of this BYOD shift, says Jeremy Matthews, Panda Security's country manager. "The traditional notion of the corporate network perimeter is dead, yet so much security infrastructure and architecture is premised on the perimeter," he adds.

The flood of consumer devices into the enterprise is difficult for IT departments to manage and secure. One problem is the fact that the devices and operating systems are changing so fast, so IT departments that allow any devices to be used could end up supporting 10 or 15 desktop, tablet and smartphone operating systems, says Henein.

The proliferation of Android variants is a particular headache, since many of the key manufacturers orphan older devices with earlier versions of the OS when they bring out new phones and tablets, he adds. The result? High support costs and potential security holes.

Paranoid Android

The other problem Android is running into as the world's most open and one of the most popular smartphone and tablet operating systems is a proliferation of malware, often introduced through compromised apps.

Research from Trend Micro tracked 718 000 separate instances of high-risk Android apps (apps with malicious or dubious routines) in the second quarter, up from 509 000 high-risk apps found in the first three months of 2013. With its large market share and selection of app marketplaces - many of them with weak controls - Android is an attractive target for malware authors, says Gregory Anderson, country manager at Trend Micro.

Against this backdrop, the challenge for IT departments is to find ways of protecting corporate IT assets and data without taking away the freedom and flexibility BYOD gives their end-users, says Jayson O'Reilly, director of sales and innovation at DRS. One sound approach to endpoint security is to move away from protecting devices, to protecting the data itself as well as the applications, he says.

"People are starting to talk about protection of data rather than of the device where data is," agrees Doros Hadjizenonos, sales manager at Check Point South Africa. "If you're protecting data in the correct manner, it shouldn't matter whether it's sitting on a laptop, on a USB stick, or on a server in the cloud." That means there needs to be a major focus on rights management as well as on data encryption, he says.

Martin Walshaw, senior engineer at F5, says context is the key to more robust security in a world where mobile and cloud-based access to corporate users is becoming increasingly common.

Irrespective of the location of the application, security systems and policies must take into account who the user is, where he or she is connecting from, and what device he or she is using. This approach of securing the applications will be simpler and cheaper to manage than trying to put software agents on every device, says Walshaw.

Policy reviews

There's no escaping the necessity of implementing mobile device management (MDM) tools, says Matthews. Geolocation, remote locking and remote wiping of mobile devices are essential features, since the loss or theft of tablets and smartphones currently poses a bigger risk than mobile malware does, he adds.

Enterprises can implement much of the technology needed to secure mobile devices 'upstream', Matthews says. Identity management, data security, mail security and URL filtering can all be managed from the enterprise data centre or the cloud, without needing to bog down the end-user's device with security software.

Although South African companies are putting the tools and technology in place to secure BYOD and cloud computing environments, many are neglecting the importance of policies and end-user education, says Hadjizenonos. Many organisations still have the same policies in place as they did in the pre-BYOD world of 10 years ago.

Policies and procedures should set out basics of information security in a language users can understand, rather than in legalese or technical jargon, Hadjizenonos says. They should outline how many devices users may use and the applications and data they may access, what precautions they should take to secure their devices, and what to do if a device is lost or stolen.

As John McLoughlin, MD of J2 Software, notes, accidental and purposeful leaks of corporate data still form the biggest security challenge for the average organisation. With social media forming one new channel for leakages of data, companies need to put acceptable usage policies in place to cater for them.

"There must be a greater focus on user training around risks and repercussions of security breaches, and then ongoing guidance and evaluation of adherence to policy rather than a blame and fire response," he says.