Enterprise security a moving goalpost

Bring your own device (BYOD) and the consumerisation of IT pose new challenges for enterprise information security.

6 January 2014
photos: Karolina KomenderaJayson O’Reilly, DRS, says the emphasis in endpoint security has shifted from protecting the device to protecting the data on it.

Information security used to be siege warfare, with companies able to lock their data, applications and infrastructure inside the fortress-like security of their own networks. But today, the war against malicious hackers, data thieves and
other security threats is more like guerrilla combat against an increasingly sophisticated and agile enemy.

Over the past three years, the increasing mobility of the workforce and the growing adoption of cloud services have changed the ways companies work. Today, the endpoint is no longer necessarily a PC on a desk inside the corporate network – it could just as easily be a smartphone or tablet owned and managed by the user.

“IT consumerisation is a real phenomenon,” says Nader Henein, security advisor at BlackBerry. “This is the first time we’re seeing consumers push enterprise adoption of technology.” The latest smartphones and tablets hit the consumer market first, and permeate the enterprise when users bring devices they have bought themselves to work.

The line between a public and private device has become blurred as a result of this BYOD shift, says Jeremy Matthews, Panda Security’s country manager. “The traditional notion of the corporate network perimeter is dead, yet so much security infrastructure and architecture is premised on the perimeter,” he adds.

The flood of consumer devices into the enterprise is difficult for IT departments to manage and secure. One problem is the fact that private devices and operating systems are changing so fast, that IT departments could end up supporting ten or 15 desktop, tablet and smartphone operating systems, says Henein.

The proliferation of Android variants is a particular headache since many of the key manufacturers orphan older devices with earlier versions of the OS when they bring out new phones and tablets, he adds. The result? High support costs and potential security holes.

Paranoid Android

The other problem Android is running into as the world’s most open and one of the most popular smartphone and tablet operating systems is a proliferation of malware, often introduced through compromised apps.

Research from Trend Micro tracked 718 000 separate instances at Trend Micro. is to find ways of protecting corporate IT assets and data without taking away the freedom and flexibility BYOD gives their end-users, says Jayson O’Reilly, director of sales and innovation at DRS. One sound approach to endpoint security is to move away from protecting devices, to protecting the data itself as well as the applications, he says.

“People are starting to talk about protection of data rather than of the device where data is,” agrees Doros Hadjizenonos, sales manager at Check Point South Africa. “If you’re protecting data in the correct manner, it shouldn’t matter whether it’s sitting on a laptop, on a USB stick, or on a server in the cloud.”

That means there needs to be a major focus on rights management as well as on data encryption, he says.

Martin Walshaw, senior engineer at F5, says that context is the key to more robust security in a world where mobile and cloud-based access to corporate users is becoming increasingly common.

Irrespective of the location of the application, security systems and policies must take into account who the user is, where he or she is connecting from, and what device he or she is using.

Policy reviews

There’s no escaping the necessity of implementing mobile device management (MDM) tools, says Matthews. Geolocation, remote locking and remote wiping of mobile devices are essential features, since the loss or theft of tablets and smartphones currently poses a bigger risk than mobile malware does, he adds.

Enterprises can implement much of the technology needed to secure mobile devices ‘upstream’, Matthews says. Identity management, data security, mail security and URL filtering can all be managed from the enterprise datacentre or the cloud without needing to bug down the end-user’s device with security software.

“Policies should outline how many devices users may use and the applications and data they may access, what precautions they should take to secure their devices, and what to do if a device is lost or stolen,” says Hadjizenono.

As John McLoughlin, MD of J2 Software, notes, accidental and purposeful leaks of corporate data still form the biggest security challenge for the average organisation.

“There must be a greater focus on user training around risks and repercussions of security breaches,” he says.

Related stories:

Taking shelter in the cloud

Mastering the enemy’s weapons

Cloud security on the rise