Today, the computing landscape has evolved considerably. We frequently share sensitive information with subcontractors and business partners who use their own systems. Computers and mobile devices are common household items. Employees routinely take their work computer home and bring their home tech to work. Business information ends up on personal devices and personal information on company-owned assets. We connect to the Internet from virtually anywhere, further blurring the line between business and personal use.
Managing security in this new reality is obviously complex. Organizations would like to believe that their office networks are more secure than employees’ home networks and that the endpoint protection we install on corporate laptops helps to protect them in all locations. However, mobile devices, including corporate laptops, make our security perimeter increasingly porous. Despite our best efforts, email and web traffic continue to present a major attack vector at work and at home. Whether corporate information is on a company laptop that travels home or on a personal laptop that goes to the office is increasingly a moot point.
We need to look far beyond BYOD. This begins with recognizing that processing sensitive corporate information on any laptop or mobile device — regardless of ownership — involves risk, as does storing it on any computer that has a web browser and Internet connectivity. Rather than undertaking major efforts specific to BYOD, it’s time to step back and tackle the broader information security issues.
We need to classify information according to its sensitivity and apply appropriate controls. Some types of data, such as payment card information and health records, require a level of protection that is very difficult to achieve on a mobile device. Well-publicized security breaches over the past year demonstrate that allowing staff (or malware) to download large numbers of documents to a PC can do tremendous damage. There are two types of solutions that more organizations should consider: desktop virtualization and fine-grained encryption controls.
Desktop virtualization allows us to lock down our data to a level we haven’t seen since the mainframe era. Rather than allowing users to copy data to their laptops, we can keep it in the datacenter and allow access via virtual desktops from just about any device. While it may still be possible for malware to record data from employees’ screens and emulate keystrokes, it makes stealing data en masse much more difficult and reduces the attack surface. Most of the components, including the hypervisor and orchestration layers, UTM appliances, VPN gateways, endpoint protection suites, and DLP products are readily available. The only missing piece is a system to apply policy-based controls and a robust approval process to file transfers in and out of the secure environment. This is not difficult to achieve.
The other approach worthy of consideration is the use of fine-grained encryption controls at the file level. While many organizations are deploying hard drive encryption to mitigate risks related to the loss of mobile devices, those solutions don’t address malware and insider threats. One promising solution is available from Ottawa-based Afore Solutions. Their product applies policy-based encryption at the endpoint. Files are encrypted as they are created and a policy engine considers the identity of the computer, application, and user prior to enabling decryption.
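To make the classification-plus-policy idea concrete, here is an added example (written for this page, not Afore's product or any vendor code) of a small policy engine that releases a file's key only when the requesting computer, application and user all satisfy the policy for that file's sensitivity label. The label travels with the file, so the check happens on every open rather than once at download time. The stream cipher, file format, device names, group names and master key are all constructed for the illustration; a real product would use AES-GCM or similar from a vetted library.

```python
"""Policy-gated file decryption: an added illustration, not a product's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Sensitivity labels, ordered. These names are constructed for the example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Context:
    """Who is asking: the machine, the program and the user (plus the user's groups)."""
    device_id: str
    application: str
    user: str
    groups: frozenset


@dataclass(frozen=True)
class Policy:
    """Which (device, application, group) combinations may unlock each level."""
    gated_from: int                 # levels at or above this need a policy check
    trusted_devices: frozenset      # managed laptops or virtual desktops
    apps_per_level: dict            # level -> allowed applications
    group_per_level: dict           # level -> group a user must hold


def decide(policy: Policy, ctx: Context, level: str):
    """Evaluate the policy; return (allowed, reason) so denials can be logged."""
    lvl = LEVELS[level]
    if lvl < policy.gated_from:
        return True, "below gated level"
    if ctx.device_id not in policy.trusted_devices:
        return False, "untrusted device"
    if ctx.application not in policy.apps_per_level.get(lvl, frozenset()):
        return False, "application not permitted for this level"
    if policy.group_per_level.get(lvl) not in ctx.groups:
        return False, "user lacks required group"
    return True, "policy satisfied"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy cipher so the example stays stdlib-only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _file_key(master: bytes, nonce: bytes) -> bytes:
    """Derive a per-file key so one compromised file does not expose the master key."""
    return hmac.new(master, b"file-key" + nonce, hashlib.sha256).digest()


def encrypt_file(master: bytes, level: str, plaintext: bytes) -> bytes:
    """Encrypt at creation time. Constructed layout:
    1-byte level | 16-byte nonce | ciphertext | 32-byte HMAC tag."""
    nonce = os.urandom(16)
    key = _file_key(master, nonce)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    header = bytes([LEVELS[level]]) + nonce
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt_file(master: bytes, policy: Policy, ctx: Context, blob: bytes) -> bytes:
    """Release plaintext only if the label's policy is satisfied for this context."""
    level_name = {v: k for k, v in LEVELS.items()}[blob[0]]
    allowed, reason = decide(policy, ctx, level_name)
    if not allowed:
        raise PermissionError(f"{ctx.user}@{ctx.device_id}/{ctx.application}: {reason}")
    nonce, ct, tag = blob[1:17], blob[17:-32], blob[-32:]
    key = _file_key(master, nonce)
    if not hmac.compare_digest(tag, hmac.new(key, blob[:-32], hashlib.sha256).digest()):
        raise ValueError("file has been tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed policy: confidential and restricted files open only on managed
# devices, in approved applications, for users holding the matching group.
POLICY = Policy(
    gated_from=LEVELS["confidential"],
    trusted_devices=frozenset({"vdi-pool-01", "corp-laptop-0042"}),
    apps_per_level={2: frozenset({"office", "pdf-viewer"}), 3: frozenset({"office"})},
    group_per_level={2: "staff", 3: "finance"},
)
MASTER_KEY = b"constructed-demo-master-key-not-for-real-use"


def demo() -> dict:
    """One restricted file, opened from a managed desktop, a home PC and the wrong app."""
    blob = encrypt_file(MASTER_KEY, "restricted", b"Q3 payroll export")
    finance = frozenset({"staff", "finance"})
    attempts = {
        "home": Context("home-pc", "office", "alice", finance),
        "wrong_app": Context("vdi-pool-01", "mail-client", "alice", finance),
    }
    results = {"ok": decrypt_file(MASTER_KEY, POLICY, Context("vdi-pool-01", "office", "alice", finance), blob)}
    for name, ctx in attempts.items():
        try:
            decrypt_file(MASTER_KEY, POLICY, ctx, blob)
            results[name] = "allowed"
        except PermissionError as exc:
            results[name] = str(exc)
    return results
```

The point of the design is that the label, not the storage location, decides what happens: the same file refused on a home PC opens normally inside a virtual desktop, and a file copied by malware or an insider is useless without a context the policy engine accepts. Every denial returns a reason string so that the decision can be written to a log and reviewed.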
BYOD remains a corporate security challenge. To get ahead of cyber criminals we must look beyond BYOD and focus on protecting corporate information assets wherever they are.