Security Think Tank: Cloud, BYOD and security – lock your doors

With BYOD and the growth of the personal cloud being used at work, what security measures can IT take to ensure security of enterprise data and does MDM really have a role in security?

Cloud computing and bring your own device (BYOD) are fundamentally dangerous, but manageable, concepts from a security perspective.

An organisation storing data is like a house – you can break in through vulnerable points such as doors and windows, but not through the walls. The cloud and BYOD represent the introduction of two new windows or doors.

To keep your house secure, you have to ensure that they are locked and bolted, but remain aware that they will never cease to be potentially vulnerable entry points. 

However, neither is really a new security threat. The cloud could be seen as a logical step forward from the virtualisation concept. BYOD, at its core, is still only the management of a fleet of mobile devices – the only change is that there are now scores of different devices in that fleet.

BYOD is stripping away some of the misconceptions about security that we have long held as corporate entities. For instance, the corporate standard device has always been an illusion. New devices and updates have been shipping every week, ever since the smartphone proved to be the killer app that the telecoms industry had been searching for since text messaging made mobile phones ubiquitous.

It has always been a complex security issue to manage.

The key to ensuring that this mobile fleet is secure is constant penetration testing. Do you have a methodology in place to deactivate mobiles and tablets when they are lost? Do you have a password and encryption policy? Are your people aware of basic ways of avoiding mobile theft?

Have you ever stood in the middle of a busy station and watched travellers' routines when they get up from their seat to board a train? They pat their pockets – if they are men they often do it three times: once for their wallet, once for their phone and once for their keys.

The reason I mention this in a piece on security is that people show you where their phones are if you watch them for long enough. Learning not to do this is a social engineering art.

The device security process is founded on deciding who needs access to what data and providing a platform or app that can interrogate that data while storing as little of it as possible on the device itself. The next step is to produce an inventory that records all this in case of data loss or theft.

Advanced mobility solutions can secure communications using both user- and device-level authentication and encryption. In addition, automatically securing communications while outside the enterprise firewall can eliminate many of the IT-related security concerns surrounding BYOD and the cloud.

However, no software will ever eliminate all security issues because many of them are founded on human, rather than technical, problems. Coming to terms with social engineering as a solution to the security problems that the cloud and BYOD bring may be the only real way of locking the new windows and doors they represent.  

Peter Bassill is a member of the ISACA cyber security board and managing director at Hedgehog Security.
