CW Security Think Tank: How to prevent security breaches from personal devices in the workplace

What are the most effective security practices for allowing employees to use their own computing devices while ensuring corporate data is secure? John...

Balance the books, but keep the users happy

John Walker, member of ISACA security advisory group and CTO of Secure-Bastion

As NORAD tracks the annual sleigh ride of Mr Claus, notwithstanding the downturn, one may expect his sacks to be bursting with goodies for all those boys, and girls - computer games, high-tech toys, and maybe even some of the more conventional playthings, like the good old train set. However, while Peter Pan is a myth, many grown-up boys and girls nevertheless also enjoy seasonal fun things.

We live in the Technology Age, where our appetite for those must-have gadgets is fed by advertisements. Here this year, as last, I expect such adult playthings will arrive in the guise of smartphones, high-capacity memory sticks and drives, iPods, computer-managed missile launch systems, and a host of computer-attachable devices, such as the USB dance mat, or Whack IT Game.

One gadget which caught my eye was the USB PC Prankster. As the blurb says, simply plug it into the "victim's" computer (the irony) and it will take over, and start making random mouse cursor movements, along with typing out complete gibberish to drive the victim to distraction. This little devil even has a built-in time delay, so once it has been plugged into the target, it allows the miscreant to slide away into his/her cubicle before it starts playing tricks - all in the name of fun, but consider!

The corporate mission to balance the books while keeping the users happy, while attempting to keep the estate secure always poses a challenge this time of year - all those pluggable devices, some of which will find their way into the office in the name of entertainment, bringing their own challenges. Storage which can download the complete works of Mr Bill Shakespeare. But just imagine that little gadget which has been brought into the office to create such merriment - whilst we like to think it is just a silly plaything, think about it - circulate a bunch of seasonal toys, with some more malicious intent - wrap them up in holly and snow packaging, and possibly one has the makings of the perfect seasonal cyber storm - Happy Christmas to one and all!

New devices, new challenges

Raj Samani, Cloud Security Alliance

January represents a significant challenge for the security professional; this will be the time employees bring in their new consumer electronic devices into the office with the expectation that they can use them at work. Regardless of corporate policy, organisations are being challenged on an almost daily basis to provide support for a range of devices often designed for consumer use.

Supporting such devices represents opportunities as well as challenges. While providing access to corporate data may boost productivity, there is the added risk that these devices (which are often mobile) are vulnerable to theft or accidental loss. This not only represents a significant risk to the organisation (as such devices are likely to include some corporate data), but also potentially falls foul of compliance obligations.

It would be simple to write a corporate policy prohibiting the use of any devices not provided by the company, however not only is this difficult to enforce, it also prevents the company from exploiting the productivity gains such devices can bring. In the words of David Smith, vice-president and Gartner Fellow: "Exploit, manage and benefit from the consumerisation of IT with education and a realistic and pragmatic approach. Don't try to stop it - you will fail."

In order to benefit from this growing trend, organisations should clarify the corporate policy, but supplement this with not only education (regarding the management of corporate data), but also apply technology controls to act as enforcement and monitoring. This not only encourages secure behaviour, but also reduces the risk of accidentally copying sensitive data onto personal devices. The controls being used within enterprises should be able to support the consumerisation trend; for example in the event an employee reports they are leaving an organisation, such controls should be able to partially wipe devices (eg, the corporate e-mail part), but leave the rest of the device untouched. Combining this with data loss prevention, network access control and so on, ensures the arsenal available to the security professional is capable of controlling this tidal wave of new storage-laden devices.


Limit BYOPC access

Mark Henshaw, (ISC)2 member

Several large corporate companies have implemented a "Bring Your Own Computer" or BYOPC framework, where the employee can purchase a discounted personal computing device through a corporate catalogue.

Effective security practices employ a BYOPC at the client endpoint running a virtual desktop. So in effect the device never actually has access across the corporate network, but is limited to data and information access and manipulation only within the controlled environment. The data and information is not allowed to stay on the BYOPC but is held on secure corporate servers.

In some instances a hybrid BYOPC is used, involving limited or guest network access: A network access control program will be in place to ensure the device is running with the correct protection, is patched properly, and is not carrying a potentially harmful payload. There are numerous other network and data controls addressing connectivity, access, and data loss.

Further enhancements to the BYOPC framework have business level support and maintenance for the device and software, and a policy relating to document and information exchange between different types of office automation software on each device - this enforces the use of compatible information interchange formats between different software products. There would also be a personal device usage policy and statement of consequences.

Best-in-class companies run targeted education and awareness campaigns looking at specific risks and behaviours around both work and personal use of the BYOPC, ensuring employees understand and are able to protect the device and information through appropriate behaviour, and the use of software protection programs.

More smartphones and tablets will join the corporate network and they will be used for business tasks. IT has to co-operate and support this future.

Fortunately, there are benefits for all: the employee gets to use the device and software of choice, which is maintained to corporate standard including in some cases support for non-work related issues. The employer reduces TCO for end-point devices, and improves retention of happier employees, who in turn are more likely to look after their own devices properly.


Two principles to follow

Andrew Yeomans, founder member of Information Security Awareness Forum and Jericho Forum

There are two main principles businesses should follow to ensure corporate data is kept secure with employees being allowed to use their own computing devices.

First, not allowing corporate data to be stored on the device, through use of remote/virtual desktop and application technologies. Only transient screen images will be held locally. You need network connectivity to access corporate data, no off-line use permitted.

Second, designing your server and network environment without dubiously assuming that they are "secure". So use secure protocols, secure authentication, data-centric security. See Jericho Forum's Self-Assessment Scheme (SAS), a tool designed to help organisations to check the effectiveness of an IT security product in meeting their needs.

The permissive challenge

Peter Wood, member of ISACA security advisory group, CEO of First Base Technologies

The use of consumer technology such as smartphones is becoming common in corporate IT and recently even the iPad has emerged as a popular choice for executives and IT staff alike. Users have access to business-ready devices in their personal lives, so the line between personal computing and work computing is blurring.

Security professionals are being challenged to permit personal devices to connect to corporate networks and to find a way to secure them. Just saying "no" doesn't work when the pressure comes from the top, so better to embrace the inevitable and build secure architectures that support these devices.

The use of technologies such as ActiveSync permits users to manage their mail, contacts and calendars on their smartphones and iPads without a direct connection to the corporate network. Apple's iOS products (iPhone, iPad and iPod touch) support Cisco IPSec and VPN protocols, providing a secure option for remote access. With the release of iOS 4, iPhones and iPads offer enterprise-quality access controls and policy enforcement comparable with those offered on a BlackBerry, although some security vulnerabilities are still emerging on these new platforms.

A deal needs to be struck which enables adequate security controls to be applied to consumer devices in return for permitting access to corporate data. The trick is to identify the controls which will enforce your corporate security policy without driving a wedge between the business and its users. The 'sexy' nature of recent consumer technologies has captured the imagination of users, encouraging them to use them as more than phones and PDAs and really explore their capabilities. This can be great news for organisations who embrace the technologies - giving better productivity, more creative results and flexible working. Rather than permitting this wave of consumerisation to sweep over your organisation, research the technologies available and the controls they offer. Perhaps start by offering access to mail and diary systems to a trial group, monitor behaviour and build your experience before committing further. Limit VPN access to devices you know offer secure client software, and ensure you deploy strong authentication to compensate for the potential weaknesses in consumer platforms. Most importantly experiment with the technologies yourself and ensure you understand the strengths and weaknesses of each platform.


Assess data losses

Tim Holman, vice-president for ISSA and CTO at Blackfoot

With my security hat on, securing somebody else's devices is a nightmare and their use on a corporate network should be forbidden, prohibited and prosecution brought with no exceptions.

With my business hat on, mobile devices improve productivity, give a competitive edge and save my business money, so every employee should be using them.

The only real security practice that can help is a solid risk assessment methodology. Before allowing employees to use their own devices for accessing e-mail, syncing with their work computers or accessing documents on the move, consider the risks. Likewise, even if employees use your own mobile devices, also consider the risks.

The first risk to assess has to be data leakage. Top-secret or classified documents should never make their way to employee-owned equipment and confidential information should be under strict control.

Second, data loss should be assessed. What would be the impact if data gets lost? Is it encrypted? Should the loss be reported to the ICO?

Third, and very much overlooked, is the fact that employees need to install software on company machines in order to use their mobile devices. For example, an iPhone won't even charge off a USB port unless iTunes is installed and iTunes won't work unless Quicktime is installed.

"So what?", you might say. Well, for a fact, iTunes 9.x has so far been affected by 64 software security vulnerabilities. Quicktime's record is worse, with v7.x being so far affected by 143 vulnerabilities (source: As this software is so ubiquitous the risk is immediately catapulted to critical.

Mobile productivity software rarely appears in build standards, employees are often free to install it and it falls completely beneath the radar of any corporate patch management programme.

A good risk assessment will take all these factors into account and must be both data-centric, to ensure sensitive information can not leak through employee devices, and also vulnerability-centric, to ensure the introduction of mobile device productivity software does not bring an abrupt end to your security career.


Not when, but how and why

Mike Westmacott, chair, BCS Young Professionals Information Security Group, and security consultant, Information Risk Management plc

The question of whether to permit employees to use their own IT equipment in the workplace is not so much one of whether, as most employees already use their own equipment in the form of smart phones and media players, but to what degree, and why.

Essentially there is a cost versus risk trade-off that needs to be considered, with the potential for reducing the number of high value assets on a company's books and associated costs versus information leakage, software and hardware incompatibilities, and increased burden upon IT support staff. The spectrum of ownership varies from disallowing any form of employee owned IT equipment including mobile phones and media players to providing only shared services for employees such as storage, backup, printing and common applications which are accessed solely via a series of different technologies and models.

Before deciding upon a point along this spectrum, and as a key part of any security programme, it is essential that an organisation carries out a review of the information assets that the company holds, who needs access to those assets, and the problems that may occur in the event of a breach of confidentiality, a loss of integrity or a lack of availability of those assets. It may then be possible to construct separate information domains with classifications such as public, private, confidential and secret.

An organisation whose structure means that most of its employees rarely need to access anything other than public or private information resources may be able to realise benefits from providing individuals with a suitable personal IT budget, together with information on preferred suppliers. Where confidential and secret information is being worked with it is desirable to ensure a greater level of access control, and so company provided equipment and software may provide the best solution.

Once the organisation has determined the information domains, and selected the roles that may be suitable for using their own equipment then the next hurdle must be approached: ensuring that the solution is operationally secure and viable.


Interesting challenges ahead

Adrian Davis, principal research analyst, ISF

Organisations will face an interesting set of challenges in the next few years, as employees increasingly use and select tablets and smartphones as well as laptops to perform their work. The rise of the 'company car' IT scheme (please pick any of the following - you pay if you want something higher performance) means that information will need to be secured across many more platforms that are not wholly under the direct control of the organisation.

For laptops, there are a wide variety of solutions to choose from but the secret is to select the solutions that best fit the needs of the business. Tablets and smartphones may have to be dealt with on a case-by-case basis as 'commercial strength' solutions (e.g. malware protection and virtualisation) become available. Where possible, the basics such as patching, malware protection software and firewalls will need to be in place on the employee device, to provide a minimum baseline of security.

Virtualisation (or using cloud-based virtual desktops) is likely to play a major role. By using a virtual environment, the organisation can ignore the underlying device and deploy a secure environment in which the employee can work. The security of the virtualised machine and associated information can be enhanced by prohibiting the use of USB devices, stopping printing, writing to the storage on the device and by deploying applications such as Digital Rights Management and Data Loss Protection.

But probably the most effective practice will be awareness. Making sure the employee doesn't blur (or forget) the lines between business and personal use will be key. Awareness will have to reinforce the fact that the employee is responsible for looking after the organisation's information - regardless of the device it is on. As a result, the employee has to be more aware and understand what is expected of them and what to do in the event of a problem. Awareness will need to cover both electronic and physical security.


Manage the risk rationally

Ollie Ross, head of research, the Corporate IT Forum

"Security is often the stake in the ground to which IT ties itself. And yet, as any sophisticated information security professional will attest, it is a matter of managing risk rationally." So observed The Corporate IT Forum's July 2010 survey report about mobile consumerisation in the enterprise.

With 66% of replies deeming personal device connection to corporate networks an out-and-out 'No', the pendulum still swings in favour of the business device of choice - the BlackBerry. But perhaps only just. As one respondent commented: "There is a balance to be struck between security, support and the end user benefits (and perceived business benefits)".

For those embracing the popularity and potential of the growing range of consumer devices, security remains the No.1 concern and access management is foremost. "We've introduced a process allowing certain approved personally-owned smartphones to synchronise with corporate email, contacts and calendars," states one member. "We're allowing connection only via policy - we block any device that doesn't meet prerequisites and ensure that users sign a binding instruction about using and securing the device," comments another.

Clearly, evaluation of the best ways to mitigate the 'threat surface' of consumer devices is ongoing, but there is a definite transition taking place. As our report concludes: "The traditional wisdom about sensible risk management needs to be applied, it is important that IT becomes ever more of a facilitator, and ever less of a break. Do we want to lead the way, or be in the way?"


Blurring the line between personal and business

Avtar Sehmbi, member of ISACA security advisory group, head of security and IT risk management ITS, Deloitte

Christmas for IT departments will bring a new range of innovative consumer technologies into the workplace. The increasing sophistication of consumer technology presents a series of contradictory opportunities and challenges that organisations are grappling with.

Expectations of business technology among employees, particularly generation 'Y', are increasingly being set by their experience of consumer technology. It also brings real value to business dialogue (social networking, instant messaging and email), blurring the need for individuals to separate personal and business lives and therefore devices. In theory this consumerisation can reduce organisations' capital costs, decrease asset management activities and potentially increase productivity.

But it also creates security issues and challenges traditional security models and thinking. But IT consumerisation is not going away. So how can IT security policies adapt?

We know that more devices will be able to connect from almost anywhere to anything, so understanding the risk profile of the end user will be key. Centralised security systems can interrogate and potentially enforce end user policies and controls. An example is 'Network Access Control': any device can connect to the network but it will be checked to see if the organisation's policy has been applied and if it is worthy of holding the organisation's information. For example, is it encrypted? Does it have a firewall installed? Is the antivirus up-to-date and so on? The centralised system will then decide whether to allow access to the network, provide limited access (guest network) or simply deny access.

However the dissemination of data and regulatory responsibilities also needs to be considered. For example, it may be unacceptable to have regulated or sensitive data on a non-business device, even if that device is secure and controlled.

Desktop virtualisation allows for remote connectivity from potentially anywhere by providing a virtual window into the organisation's desktop computing environment. Again the level of access can be discretionary, ie, end-point checks can ascertain the level and type of information that can be transferred to the remote device (if any). This architecture ensures that data remains in a controlled and secure environment. This could be an option for regulated or particularly sensitive data.

However there are still technology maturity issues: end points potentially storing temporary data or, in some cases, the ability of the end point user to store data manually on a personal device.

So is the technology here to enable us to leverage the benefits of IT consumerisation? Well we are close, concepts such as Network Access Control (NAC) and device certification will help us to decide what can connect to an organisation's resources and then data classification tools will help to decide what data can be accessed and in which scenario. The industry doesn't quite meet all organisations' requirements around the data classification toolset yet, but potentially a balance may be achievable with a combination of policy, awareness and technology developments in the near future.

Essentially the controls for the adoption of consumerisation of IT are being rapidly developed but organisations' risk mindset, reflecting their regulatory/security profiles, will dictate when and to what extent they leverage personal IT. What is clear is that organisations cannot afford to drive this underground so they will need to define the acceptable level of integration of consumerisation in the enterprise and then communicate those decisions. And this will need to be supported by strong user education about the risks and consequences of connecting personal devices to enterprise resources.


Devices lack protection

Lawrence Orans, research director, Gartner

The problem with "bring your own PC" (BYOPC) to work programmes is that many consumer devices lack appropriate security protection. To compound this problem, these devices are often used by employees' family members and others, and so are more likely to be infected with malware than corporate-owned and managed devices. One of the greatest threats comes from botnets, because attackers often use botnet-controlled PCs to gain access to sensitive data and conduct industrial espionage within an organisation. Those organisations that allow employees to bring their own PCs to work are significantly increasing their exposure to the botnet threat.

Gartner estimates that 20 per cent to 30 per cent of consumer PCs have been compromised by botnets and other targeted threats. Enterprise PCs are not immune to the botnet threat, even though they benefit from more-mature vulnerability management processes and stronger perimeter security. Gartner estimates place botnet compromise rates for corporate-managed PCs at between 4 and 8 per cent. Poor patch management and the fact that major endpoint protection platforms remain weak in protecting against targeted attacks and zero-day threats are key reasons for botnet problems in organisations.

In most organisations, the consumerisation trend is a grassroots phenomenon that is happening much faster than IT security teams can respond to. Employees are already bringing their own PCs to work in environments where the IT organisation has yet to establish formal and secure programmes and policies covering these practices. Many corporate security groups will react to BYOPC initiatives by fighting their adoption instead of developing a proactive strategy for making sure that security controls and processes get deployed to minimise the risk of consumer devices. Just as security groups failed to keep out the internet, wireless LANs, social networking and other technologies, saying no to consumerisation is not a viable strategy.

Network security managers need to develop policies that place limits on the range of allowable devices. Network access control (NAC) solutions can be used to enforce policies that dictate acceptable devices (and operating systems) and acceptable device configurations.

Virtualisation technologies can also be deployed to enable the safe use of consumer-grade devices. Virtual desktop infrastructure (sometimes referred to as hosted virtual desktops), in which a virtual desktop is stored on a remote central server (instead of on the endpoint itself), protects data by storing it centrally. Another approach to virtualisation - full virtual machines or virtual workspaces - will also gain traction as a response to the botnet problem. Here, virtual work spaces run locally on a user's PC and create a fully contained and isolated PC environment that runs its own virtual hardware on a separate IP stack.

Gartner also advises:

  • Allocate some portion of the savings realised through "bring your own PC to work" programs to protect against botnets and other targeted threats.
  • Ensure that the security organisation informs business leaders about the risks of using consumer-grade devices and the costs of mitigating these risks.
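As an added example that is not code from any of the contributors, the following Python models the network access control decision Avtar Sehmbi describes (policy applied? encrypted? firewall? antivirus up to date?) together with the allowed device and operating system list Lawrence Orans mentions, returning one of the three outcomes the text names: full access, guest network, or deny. The posture fields, policy values and sample devices are all constructed assumptions.

```python
"""Illustrative network access control (NAC) posture decision.

Added example, not code from any Think Tank contributor. It models the
checks Avtar Sehmbi lists (policy applied? encrypted? firewall? antivirus
up to date?) and the allowed device/OS list Lawrence Orans mentions, and
returns one of the text's three outcomes: allow, guest network, or deny.
Field names, policy values and sample devices are all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ALLOW, GUEST, DENY = "allow", "guest", "deny"


@dataclass(frozen=True)
class Posture:
    """What a NAC agent or agentless scan reports about one endpoint."""
    device_id: str
    os_name: str
    os_version: str                    # dotted string, e.g. "10.6"
    disk_encrypted: bool
    firewall_enabled: bool
    av_signature_date: Optional[date]  # None: no antivirus reported at all
    policy_profile_applied: bool       # organisation's configuration profile


@dataclass(frozen=True)
class Policy:
    allowed_os: Dict[str, Tuple[int, ...]]  # os_name -> minimum version
    max_av_age_days: int = 7


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def evaluate(p: Posture, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    Hard failures (unknown OS, unencrypted storage, no policy profile) deny
    outright: these are the preconditions for being 'worthy of holding the
    organisation's information'. Hygiene failures (old OS build, firewall
    off, stale antivirus) drop the device to the guest network so the user
    can remediate without reaching internal resources.
    """
    hard: List[str] = []
    soft: List[str] = []
    min_ver = policy.allowed_os.get(p.os_name)
    if min_ver is None:
        hard.append("operating system not on the allowed list")
    elif _version(p.os_version) < min_ver:
        soft.append("operating system below minimum version")
    if not p.disk_encrypted:
        hard.append("storage not encrypted")
    if not p.policy_profile_applied:
        hard.append("corporate policy profile not applied")
    if not p.firewall_enabled:
        soft.append("firewall disabled")
    if p.av_signature_date is None:
        soft.append("no antivirus reported")
    elif today - p.av_signature_date > timedelta(days=policy.max_av_age_days):
        soft.append("antivirus signatures out of date")
    if hard:
        return DENY, hard + soft
    if soft:
        return GUEST, soft
    return ALLOW, []


# Constructed sample data: one policy and four endpoints.
POLICY = Policy(allowed_os={"ExampleOS": (10, 5), "ExampleMobile": (4, 0)})
TODAY = date(2010, 12, 20)
DEVICES = [
    Posture("lap-01", "ExampleOS", "10.6", True, True, date(2010, 12, 19), True),
    Posture("lap-02", "ExampleOS", "10.6", True, False, date(2010, 11, 1), True),
    Posture("lap-03", "ExampleOS", "10.4", False, True, date(2010, 12, 19), True),
    Posture("tab-01", "HobbyOS", "1.0", True, True, None, False),
]


def decide_all(devices=DEVICES, policy=POLICY, today=TODAY) -> Dict[str, str]:
    """Map each device id to its access decision."""
    return {d.device_id: evaluate(d, policy, today)[0] for d in devices}
```

Running `decide_all()` on the constructed devices gives one allow, one guest and two deny decisions, with the reasons list showing which check failed on each.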


What are the most effective practices?

Sarah Janes, operations director, Security Awareness Special Interest Group (SASIG)

What are the most effective security practices for allowing employees to use their own computing devices while ensuring corporate data is secure?

It strikes me that when this question is asked in open forum there are two schools of thought. Some, the old school, immediately jump to tactics and talk about controls and risk mitigation. The rest state this is an antiquated approach.

These two schools of thought came through very strongly at last week's Security Awareness Special Interest Group (SASIG), attended by the thought leaders of the security industry and run by the Security Company (International) Limited, where the main topic of discussion was 'Protecting the Mobile Enterprise'.

So why is it that very few organisations have actually established an effective solution? It seems to me that the issues around allowing employees to use their own computer devices is just a tactical manifestation of a bigger issue. Our employees do not understand the value of information. If this fundamental grounding is missing then there are many more problems to deal with than this one alone! Blurring the lines between business and personal information should be viewed positively. The incentive to take care of my computer that contains my family photo collection is far greater than one that just contains business information. This immediately allows the employee to understand that value. Once this is understood, applying a common sense judgement of the situation will become second nature. Moreover this perspective can be transferred into many situations.

To summarise, instead of trying to establish a raft of employee constraints (that, by the way, the employee will never remember), spend the time helping your workforce understand the value of information at the highest level, establishing a culture alert to the risks, one that is able to make sensible judgements regarding how to deal with a situation and will seek advice when not sure.
