IT security protocols in flexible working
13th Feb 2013 | 12:00
'Bring your own device' can make it as difficult as herding cats
As people increasingly use their own tablets and smartphones for work, controlling and securing company data can become like herding cats; established IT security policies and protocols don't translate directly to the new 'bring your own device' world.
"In terms of technologies, things such as desktop configuration standards or remote troubleshooting tools, which are typically part of IT policies, cannot be applied to mobile devices because the underlying platforms are very different," says Chenxi Wang, Vice President at Forrester Research.
"In terms of processes, the way you typically manage corporate-owned endpoints cannot be extended directly to employee-owned devices, often because of privacy reasons."
Security protocols and policies for flexible working might encompass: employee use policies and security training; data ownership and data protection; access control to specific resources based on permission levels and policies; encryption requirements; redundancy and disaster recovery.
Some of these policies may be supported by technology, but this is a business not a technical issue.
"You need to look across the business (to develop security protocols)," says Steve Durbin, Vice President at the independent Information Security Forum (ISF). "HR, IT and business departments will be involved.
"In an SME it is a broad conversation that is going to be going on at a management team level."
For many businesses awareness training is the best route. For others, mandating upgrades and installation of security measures on their devices prior to accessing company systems, or central provisioning and control of all devices, may be the way forward. Opinions are divided.
"The most effective way of getting users to follow through on the security controls is to make it a necessary condition to access corporate information, such as email," Chenxi Wang says.
"If you have a policy which stipulates that only phones with the latest OS update can access corporate email, and you have technology controls such as mobile device management (MDM) or network gateways to enforce that policy, you'll see that many employees will be happy to exercise the security controls."
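The enforcement Wang describes, a device-posture check that an MDM or mail gateway runs before a phone is allowed to fetch corporate email, as an added Python example that is not code from the article, Forrester or any MDM product. The platform names, minimum OS versions and the device records it runs over are constructed for illustration; a real gateway would read them from its inventory.

```python
# Added example: a minimal device-posture gate of the kind an MDM or mail
# gateway applies so that only compliant devices reach corporate email.
# Policy values and device records below are constructed, not real data.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    # Minimum OS version per approved platform (hypothetical values).
    min_os: dict = field(default_factory=dict)
    require_mdm: bool = True
    require_encryption: bool = True


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    os_version: str
    mdm_enrolled: bool
    storage_encrypted: bool


def parse_version(v: str) -> tuple:
    """Turn '6.1.2' into (6, 1, 2) so versions compare numerically.

    Comparing the raw strings would wrongly rank '10.0' below '9.3'.
    Non-numeric suffixes (e.g. '4.2.2-beta') are ignored.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(device: Device, policy: Policy) -> tuple:
    """Return (allowed, reasons); an empty reasons list means the device complies.

    Every failed check is reported, so the user can be told exactly what to
    fix (upgrade, enrol, enable encryption) rather than just being refused.
    """
    reasons = []
    required = policy.min_os.get(device.platform)
    if required is None:
        reasons.append(f"platform '{device.platform}' is not approved for corporate email")
    elif parse_version(device.os_version) < parse_version(required):
        reasons.append(f"OS {device.os_version} is below required {required}")
    if policy.require_mdm and not device.mdm_enrolled:
        reasons.append("device is not enrolled in MDM")
    if policy.require_encryption and not device.storage_encrypted:
        reasons.append("device storage is not encrypted")
    return (not reasons, reasons)


# Hypothetical policy: only these platforms, at or above these versions.
POLICY = Policy(min_os={"ios": "6.1", "android": "4.2"})

# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("d1", "ios", "6.1.2", True, True),
    Device("d2", "ios", "5.1.1", True, True),
    Device("d3", "android", "4.2.2", False, True),
    Device("d4", "windowsphone", "8.0", True, True),
    Device("d5", "android", "10.0", True, False),
]


def gate_report(devices=SAMPLE_DEVICES, policy=POLICY) -> dict:
    """Map each device id to its (allowed, reasons) decision."""
    return {d.device_id: evaluate(d, policy) for d in devices}


if __name__ == "__main__":
    for dev_id, (allowed, reasons) in gate_report().items():
        status = "ALLOW" if allowed else "DENY"
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{dev_id}: {status}{detail}")
```

Two design points matter in practice: version strings must be compared numerically (an "is the OS new enough" check that compares text silently passes an old release once version numbers reach two digits), and the gate should return every failing condition rather than a bare refusal, since the point of the control is to get the user to upgrade or enrol, not merely to block them.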
Tony Dyhouse, cyber security director at the government-supported ICT Knowledge Transfer Network, places more emphasis on trust.
"At the moment the best thing we have is policy," he says. "You have to have a lot more trust in users.
"Yes it can be enshrined in policy, but if you want to turn off a functionality on the device, you are reliant on users and you rarely have the power to do that."
Dyhouse points out that a lot of mobile devices sync to the cloud, potentially putting company data out of reach.
"You get a free iCloud account with Apple devices and one of the main purposes of it is to be able to sync calendars and email through a cloud account.
"Before you know it all your work stuff is on the cloud and there is technically no way of getting rid of it or knowing where it is. It is not technically possible to apply policies requiring firewall and antivirus as all security applications are in extremely early days."
The biggest thing is functionality, he believes.
"Anything that starts to break that in the name of security fails because the users don't want it.
"There is only one mobile you can connect to classified networks in the UK and that is a BlackBerry. With a BlackBerry you can turn off the internet access, but then people do say what is the point of it?"
Brian Horsburgh at Dell Kace believes it is important to put in place security protocols that look to the future and encompass all devices, not just smartphones and tablets but also the likes of kiosks and point-of-sale terminals.
"When it comes to tackling device security, organisations should resist the temptation to create a separate policy for every new form factor," he says. "That will inevitably lead to cross-over, contradictions and gaps between policies.
"Instead, create one over-arching policy and then tailor the implementation and the systems management technology for the varying device types."
Before setting up a series of security protocols addressing every known risk and attempting to address unknown risks, businesses could save themselves some time and money by sitting down and working out what risks they really face.
The ISF's Durbin recommends taking a pragmatic view: "As far as SMEs are concerned it is about focusing on the areas that are absolutely business critical.
"It is about trying to understand where your critical information sits, who has access to it, who needs to have access to it and from where, then reaching an agreement as to how that information may be accessed."
He adds: "Most organisations probably only have in the region of 10-15% of their information that is really highly sensitive. The problem is that often that information tends to pop up in about 15 different places on average, based on recent surveys."
Look for weaknesses in the supply chain, advises Durbin. "It is about considering who else you are sharing your information with in the supply chain; other organisations, departments or individuals. If you are sharing your information with a third party, have you asked the question as to where they store their information?"
He believes that if a business is going to allow people to access corporate systems using their own smartphones or iPads, it has to get employees to agree to steps such as maintaining upgrades, and that one of the most effective ways is through peer pressure.
"You want people to be talking about 'Have you seen the latest version of iOS?' or whatever. It is about sharing that culture of how you are making use of these tools that has a number of different benefits not just on the security side but also increasing effectiveness."
There are also challenges specific to the security of mobile devices used in businesses. See Protecting information on mobile devices.