An organisation storing data is like a house – you can break in through vulnerable points such as doors and windows, but not through the walls. The cloud and BYOD represent the introduction of two new windows or doors.
To keep your house secure, you have to ensure that they are locked and bolted, but remain aware that they will never cease to be potentially vulnerable entry points.
However, neither is really a new security threat. The cloud can be seen as a logical step forward from the virtualisation concept. BYOD, at its core, is still only the management of a fleet of mobile devices – the only change is that there are now scores of different device types in that fleet.
BYOD is stripping away some of the misconceptions about security that we have long held as corporate entities. For instance, the corporate standard device has always been an illusion. New devices and updates have been shipping every week, ever since the smartphone proved to be the killer app that the telecoms industry had been searching for since text messaging made mobile phones ubiquitous.
It has always been a complex security issue to manage.
The key to ensuring that this mobile fleet is secure is constant penetration testing. Do you have a methodology in place to deactivate mobiles and tablets when they are lost? Do you have a password and encryption policy? Are your people aware of basic ways of avoiding mobile theft?
Have you ever stood in the middle of a busy station and watched travellers' routines when they get up from their seat to board a train? They pat their pockets – if they are men they often do it three times; once for their wallet, once for their phone and once for their keys.
The reason I mention this in a piece on security is that people show you where their phones are if you watch them for long enough. Learning not to do this is a social engineering art.
The device security process is founded on deciding who needs access to what data and providing a platform or app that can interrogate that data while storing as little of it as possible on the device itself. The next step is to produce an inventory that records all this in case of data loss or theft.
Advanced mobility solutions can secure communications using both user and device-level authentication and encryption. In addition, automatically securing communications while outside the enterprise firewall can eliminate many of the IT-related security concerns surrounding BYOD and the cloud.
However, no software will ever eliminate all security issues because many of them are founded on human, rather than technical, problems. Coming to terms with social engineering as a solution to the security problems that the cloud and BYOD bring may be the only real way of locking the new windows and doors they represent.
Peter Bassill is a member of the ISACA cyber security board and managing director at Hedgehog Security.
This was first published in May 2013