No Jitter is part of the Informa Tech Division of Informa PLC


Route 1 Challenges: BYOD

The enterprise is certain to be headed for a handful of surprises as employees and suppliers bring their own devices and connect them to the network. BYOD doesn't necessarily assure that these users also "Bring Your Own Secure" devices.

I had a talk with Route 1 CEO Tony Busseri about the company's communications and services platform, MobiNET. MobiNET provides identity assurance and individualized access to networks and data. The solution is patented and built on FIPS 140-2 cryptographic modules.

The short version of how MobiNET works: whatever device connects to the network becomes essentially a dumb terminal. It is the user's identity that is authenticated, not the device, so the solution is not device driven. IT and network managers control what is accessible and where in the network users are permitted to go.

Tony noted that, in addition to knowing who the user is and authenticating them, you must keep data within the fortress; together these strengthen the ability to stop data from leaving (see diagram below). Currently, many enterprises find themselves in a crunch: they are pressured to let any device connect by any means, and the resulting explosion of risks is either ignored, mitigated with self-insurance (as in banking), or acted on with varying degrees of security at a wide range of costs, often betting the technology against an estimate of acceptable risk.

In my past post, Lost & Found: Another Security Nightmare, I wondered how many networks are compromised by the sheer number of lost handheld devices. But lost devices won't lead to changes in decisions until the attitude toward protecting data changes within the enterprise. I've long said that what is coming into the enterprise isn't as damaging as what is leaving it. This rings true back to earlier times, when private hardened networks were compromised by data leaving them. Many of those compromises were either procedural flaws or failures to provide a degree of physical separation. With the BYOD rush, scores of new risks potentially enter and then carry data out from the interior of the fortress.

Since most of them are mobile, BYOD devices are potential moving targets. Oddly, when Apple employees allegedly lost their iPhones, the media storm either hyped the appearance of a new cool iPhone while ignoring the potential data compromise, or speculated that Apple feared some compromise of what, exactly? Discovery of new hardware? Sadly, the new iPhones retain what the old ones offered: a 4-digit PIN to unlock the phone. Security isn't a major selling point to consumers; being able to communicate and obtain any data when and where you want it is. Arguably Apple and Google and scores of other firms aren't making security a key concern for users.

I asked Tony what key industries he thinks are vulnerable, and he said banking and law, because both are open to identity theft. Now, when it comes to hardened versus un-hardened browsers and whether all my data is safe, am I concerned? The reality is that I want the convenience of having all my accounts linked at my bank so that it's easy for me. This is the cold hard reality of many users, and it's the challenge for network managers who try to appease them. The other reality is that I am taking a risk, and the convenience is worth it until there's a compromise. Then you will hear another tune and a story about why you don't do this. Will the bank be able to protect my data, and is their platform secure? How secure? The word bank isn't always indicative of safe, because bank robbers and hackers seem to target these assets. With a plethora of mobile devices, it's certain to be more than temptation that may lead to new and more effective attacks on mobile

Years ago I ventured into a pawn shop and found a Mac Classic for sale. Having just been married a few months, I snatched it up for a couple of hundred bucks and dragged it home for my wife. That computer was a "deal": it never crashed and served my wife for about 7 years with her ClarisWorks and one or two other teacher apps.

Once home, I booted the box and discovered a mass of case files from a small defunct law firm that specialized in divorces. The files were mountains of personal information: assets, holdings and lots of documentation. Yes, of course I reformatted the drive, but that wouldn't make anyone sleep well knowing what I had access to. The BYOD rush is no different, because devices end up in many places, often the wrong places or the wrong hands. When the devices are mobile the risks increase, right along with the thinking that I want convenience, I want to communicate using whatever's available, and I want it now.

Some IT managers' immediate response is, "We must change user behaviors to lessen our risks." My reply is: stop focusing on user behavior and start changing executive thinking, because executives may need to step up to the fact that better security is, as Tony said to me, "A challenge to IT leadership." An interesting perspective comes from reading about the FBI's efforts a couple of years ago in The FBI's Challenge: Collaborate More, But Stay Secure. Unfortunately, all those efforts didn't prevent the security breaches the FBI has endured since.

I will readily admit that after the Lost & Found post I dumped my RDP app, because a 4-digit unlock on my iPhone didn't make me feel warm and fuzzy; imagine if I had to tell a customer that because I lost my iPhone their network is now possibly compromised. Score one for changing user behavior. Regarding my bank account, geez, I hate giving that up. Honestly, burying my head in the sand will make the fear of compromise go away for now, and that's how users behave. Users' thinking isn't much different from mine; and just as users willingly take on risks for convenience, the enterprise toys with the same attitude.

As Tony told me about how security plays out, "We [i.e., enterprises] are setting ourselves up," and did it ever hit home with me. So as enterprises embrace BYOD without security beyond calculating risks and self-insuring, remember another lesson: "Once the information is outside the network, it's never coming back." But any of my experiences pale in comparison to Nortel's reported chaos over hackers and rootkits and management's denial. According to the WSJ, hackers from China penetrated Nortel as far back as 2000, and the breaches were deep rooted within the Nortel network. Will deep data breaches result from the desire for mobility and the scores of BYODs hitting networks and the cloud? Skeptical I am, but just as with risks and insurance, many people seem to be more than willing to take the gamble for convenience and mobility.