In an office somewhere in Sydney, a mobile phone beeps and is checked. It’s a tech support email for an HR manager with a request to change her corporate password. She clicks irritably.
Meanwhile in Melbourne, a co-worker downloads software from the internet to his new laptop while copying sales forecasts from the corporate servers. One of his free video players offers an Adobe Flash update, and he clicks the flashing text.
These two incidents are fictitious, but this kind of do-your-best policy is live at a very real Australian company. This is no small business: it is one of the country’s biggest insurers, which has, astonishingly, granted 25,000 staff full administration rights to install any software they like on their work machines and to connect all of their personal devices to the corporate network.
With little collective will for change in tech support, the company’s IT decision makers responded to the bring your own device (BYOD) trend by telling staff they could do as they wish – at the risk of being unsupported.
At another Australian insurer, employees batter away on their well-used devices, blending personal with corporate data in an anarchic information soup spread across more than 500 applications installed at a user’s whim. This is bring your own application (BYOA) in full swing. Each of these apps may or may not have access to the corporate network and could ferry both sensitive and benign data to clouds located all over the world.
These are gigantic security risks – which CRN has agreed to keep anonymous – because every staff member, every device and scores more personal apps represent holes in the corporate network. It is a dramatic but by no means isolated indicator of the challenges that BYOD or BYOA – or BYOx, to combine the two – can bring.
Driven by the consumerisation of IT, BYOx is inevitable for almost all organisations other than spy agencies – although even the National Security Agency has its own fleet of custom-hardened Android phones it calls Fishbowl.
Yet BYOx introduces security risks because uncontrolled and non-standard devices brought onto the corporate network can bypass perimeter security. Attackers need only compromise a staffer’s device to get onto the network, avoiding any need to find and exploit vulnerabilities in enterprise technology.
Breaching the corporate network through personal devices could be as simple as compromising a staff member’s home computer. This could be done while they browse popular news sites, which may inadvertently be serving up trojans slipped into paid advertisements.
Reducing the number of standard operating systems and devices makes sense in terms of both management cost and security defence, says Sydney-based consultant and veteran former security chief Marcel Sorouni. But he says too few organisations have a hold on essential IT security and the infrastructure running on their networks, let alone the devices and apps brought in by staff.
“The fewer standard operating environments you have, the better it is for IT in terms of administration and patching because it means you can push out updates and patches all at once,” Sorouni says. “Each app is a potential entry point into the organisation and if you don’t know what apps are running, it means those apps are unsupported and patching is left up to the user.”
He finds many corporate IT shops are run by staff who lack strong knowledge in security and have mostly practical experience. When it comes to new initiatives like BYOx, security is an afterthought. The policy may be left only to paper and not enforced.
“Think about a travel policy. What if an employee ignored the policy and decided to book first class, eat caviar and sip French champagne, then submitted their expenses? Why is it that you cannot get away with that but you can when it comes to security policy? You can because it’s not enforced.”
Ken Pang, security strategist and chief technology officer at Sydney managed service provider Content Security, identified two predominant risks of BYOx: the loss of a device and the loss of corporate data to cloud services. “Big events like the recent nude leaks from iCloud should have been a wake-up call to all CIOs and CISOs,” Pang says.
“It’s a trivial task to harvest email addresses from your company and use them to try to brute force Google Drive, Dropbox and iCloud accounts. And unlike nude celebrity pictures, stolen data is unlikely to be publicly distributed – it’d be sold on the black market without you knowing.” Identification of cloud components within apps is key, he says.
Beyond security, BYOx presents issues of support and collaboration when users demand different devices and apps and comfortable homogeneity becomes grating heterogeneity. “Support and collaboration are two problems that IT managers are facing. When the IT environment becomes fragmented because every user wants to use a different application or device, it can become difficult to support.
"It can also be a challenge when half the company wants to use FaceTime because it’s the preferred Apple video conferencing application, and the other half can’t because they’re on Android or Windows mobile.”
While restricting or banning BYOA can hurt productivity and end user satisfaction with IT services, allowing a free-for-all can do the same thing – and cause security issues to boot. The happy medium lies in vetting the applications that end users say they want to use, and refusing to support or allow any application that has not been vetted.
The Australian National Audit Office’s high security requirements are reflected in its BYOx strategy. The agency set out to put a fleet of BlackBerrys, iPhones, iPads and Androids in the hands of employees as a means to improve productivity while also mitigating the significant risk that it brought.
“We operate to protected level and need to totally isolate workspaces,” says chief information officer Garry Pettigrove. In March the agency migrated to BlackBerry 10 to manage its fleet of 50 agency-supplied BlackBerrys and other devices.
The deployment follows prevailing security advice in separating the personal and corporate sides of each device into isolated workspaces. Some consumer applications are whitelisted and allowed to operate on the network, while others, such as Dropbox, are blacklisted and prohibited.
This decision is taken to ensure a supported standard operating environment where corporate data cannot be stored on consumer cloud services protected by possibly leaky credentials, or placed at risk by user privacy slipups or software vulnerabilities.
Users can do whatever they like on their side of the security wall. “I don’t care what they do on their side,” Pettigrove says. “It gives them the freedom to do what they need to do for their own productivity without compromising corporate data.”
Data cannot be copied from one side to the other, and security systems including data leak prevention stop users emailing or uploading corporate data out of the ANAO, unless it is through the federal government’s Fedline mail system.
Pettigrove can also remotely wipe corporate data from any device when an employee resigns. For a security-conscious organisation, he seems relaxed about the realities of BYOx and plans to build out the system further to allow staff to securely send data from their computers to phones and tablets.
Sometimes security is a matter of black and white. Staff walking the likes of Dropbox, Evernote or Google Drive into an organisation should face a checkpoint bearing the question: is this app approved? A whitelist tick means the app can run on the corporate network while a cross might result in a blacklist ban.
One of Australia’s best-known utilities runs an innovation sandbox where staff are invited to put their favourite apps up for assessment to become part of the company’s officially endorsed kit. “They created a working group who would review these apps, standardise some and then perhaps buy that app in bulk under an enterprise licence,” IBRS analyst Joseph Sweeney says. He cannot disclose the name of his client but says they are mature and well resourced in their BYOx deployment.
The system has support from executives, who are themselves BYOx users and enjoy the ability to have their most productive apps sanctioned by the security team and run over the mobile device management system. Apps that do not gain approval are not blacklisted – which could hinder the performance benefits of BYOx – but are instead run inside a safe container within the mobile device management platform.
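The checkpoint described above has three outcomes, not two: an app is approved, contained inside the MDM platform, or blocked. The following is an added example of that decision logic, not code from ANAO, the utility, IBRS or any vendor quoted on this page. It also carries through Pang’s point that identifying the cloud components inside an app is what matters: the block decision keys off the consumer cloud services an app actually talks to rather than its name. The bundle identifiers, endpoints and approved list are hypothetical, and the device inventory is constructed for the example.

```python
"""App checkpoint: approve / contain / block for every app found on a device.
Added example, not code from ANAO, the utility, IBRS or any vendor quoted on
this page. Bundle identifiers, endpoints and the approved list are
hypothetical; the consumer cloud services are those the article names."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Consumer cloud-sync services treated as prohibited, as Dropbox is at ANAO.
BLOCKED_CLOUD_SUFFIXES = ("dropbox.com", "evernote.com", "drive.google.com", "icloud.com")

# Outcomes of the working group's review (hypothetical bundle identifier).
APPROVED_APPS = {"com.example.corpmail"}


@dataclass
class App:
    bundle_id: str
    endpoints: List[str]  # hostnames the app was observed contacting


def host_matches(host: str, suffix: str) -> bool:
    """Label-boundary suffix match: 'sync.evernote.com' matches 'evernote.com',
    but 'dropbox.com.attacker.example' and 'notdropbox.com' do not match
    'dropbox.com'. A plain substring test would pass both look-alikes."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def cloud_components(app: App) -> List[str]:
    """Identify which prohibited consumer cloud services the app talks to."""
    found = {s for h in app.endpoints for s in BLOCKED_CLOUD_SUFFIXES if host_matches(h, s)}
    return sorted(found)


def decide(app: App) -> Tuple[str, str]:
    """Return (decision, reason). Explicit approval wins because it is the
    result of a review; otherwise the app's cloud components decide, and
    anything unvetted is contained rather than banned outright."""
    if app.bundle_id in APPROVED_APPS:
        return "approve", "vetted by the working group"
    clouds = cloud_components(app)
    if clouds:
        return "block", "syncs to prohibited consumer cloud: " + ", ".join(clouds)
    return "contain", "not yet vetted; run inside the MDM container"


def vet(inventory: List[App]) -> Dict[str, Tuple[str, str]]:
    """Apply the checkpoint to a whole device inventory."""
    return {app.bundle_id: decide(app) for app in inventory}


# Constructed device inventory for the example.
SAMPLE_INVENTORY = [
    App("com.example.corpmail", ["mail.corp.example"]),
    App("com.sample.notes", ["sync.evernote.com", "api.sample.example"]),
    App("com.sample.flashlight", []),
    App("com.sample.lookalike", ["dropbox.com.attacker.example"]),
]

if __name__ == "__main__":
    for bundle_id, (decision, reason) in vet(SAMPLE_INVENTORY).items():
        print(f"{bundle_id:28} {decision:8} {reason}")
```

The look-alike entry is there deliberately: a host named `dropbox.com.attacker.example` is not Dropbox, and a checkpoint that matched on substrings would misclassify it in one direction while letting `notdropbox.com` through in the other. In practice the endpoint list would come from the MDM or a network proxy rather than being typed in by hand.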
Organisations should begin their BYOx assessments by asking staff what apps they “have in their pockets” to avoid shoving the wrong apps down their throats. Security aside, most employees already use their apps effectively and efficiently and do not need IT staff giving them new apps to work with.
The most difficult component of the project was budgeting: the apps cost mere cents each, so projects can’t generally be funded from a discretionary budget. Sweeney says it requires a new form of budgeting framework that still needs to be worked out. “That’s the real show stopper,” he says.
Mobile device management and zoning networks into distinct personal and corporate areas were important to BYOx deployments, but so too was education. A veteran security manager at one of the world’s biggest pharmaceutical organisations told CRN – on the condition of anonymity – that many of her security programs succeeded by focusing on the human. For her BYOx deployment, she ensured each of the organisation’s thousands of global staff was trained in handling sensitive information as part of orientation and retested periodically on that training. It was a huge success, she says.
“All of the 400 staff who responded to our security survey were positive,” she says. “They would go home and find potential risks in all sorts of apps they use and apply their knowledge to their personal lives.” She asks staff a simple question: ‘Would you be happy if your office was on the front page of a newspaper for a breach?’
The channel’s opportunity in BYOx security lies in communicating the need for control without stifling the free use of apps and devices. Martin Claridge, network solutions director for Avaya, says BYOx is a conflict of universal access, openness and useability. “The conflicting security needs may be summed as the business’ regulatory requirements, privacy obligations, fiscal security and auditability of transactions, through to protection of intellectual property,” Claridge says.
He says to create a BYOx implementation with acceptable security, resellers must focus and direct customers through a consultative selling process to resolve policy and process definitions while isolating and separating an owner’s personal property and information. Resellers and service providers must educate their customers that they do not ‘own’ a user’s personal device and have no inherent right to know how or where it is used.
This, Claridge says, is the single biggest challenge he sees and runs counter to corporate security practices that are built on policies of access denial. “There is a large and highly profitable market developing around identifying management of individuals, devices and applications that we believe is driving our resellers, the market and the end users to transition to a new way of thinking about how we work, where and with what,” he says.
“Identity management and BYOx is occurring at the same time as we have a massive market dynamic moving our method of access for our apps and devices from a fixed connectivity model [wires and switches] to a more connected wireless access model in a virtualised ‘cloud’ method of service provision.
“Resellers and service providers have a unique opportunity –admittedly requiring up-skilling – to take on unified access, identity management, and application virtualisation for business.”
Customers need to be brought out of thinking of BYOx as a matter of tracking and wiping phones and start seeing it as a way of properly securing applications by way of sandboxing and private app stores.
“Education of customers is key,” says Pang. “Many IT managers still think that mobile device management is limited to remote wiping phones or tracking their location [but] these days it can help you set up sandboxes to secure unknown applications, build private app stores for your employees and securely deliver internal apps to your mobiles.”
By understanding customer goals and risk tolerances, resellers and managed service providers can deliver solutions to boost productivity without unnecessary risk.