The challenges of securing enterprises in a BYOD world
Andrew Wild, CSO, Qualys
The consumerization of information technology is having a profound impact on organizations, and many are concerned about the risk that consumer IT poses to the confidentiality, integrity and availability of enterprise resources.
The consumerization of IT is commonly manifested through the “Bring Your Own Device” (BYOD) phenomenon — when employees use their own personal devices (laptops, smartphones, tablets, etc.) to transmit or store corporate information. BYOD risks are not going unnoticed, however, and typically rate as one of the top concerns for CSOs and CIOs.
Some have described BYOD as an unstoppable wave overtaking organizations, and the trend is only escalating. In general, there are three types of companies: ones that openly embrace BYOD, ones that formally prohibit BYOD and ones that ignore the topic completely.
But all three of these types of organizations have one thing in common: Regardless of their policy, their employees use personal devices to transmit, process or store corporate data.
There are two principal risks to the enterprise that are frequently discussed regarding BYOD: risk to the confidentiality of information assets and risk to the availability of resources.
Enterprises are concerned with the confidentiality of corporate information resources when employee-owned IT is used. How do they ensure that appropriate information security controls protecting the confidentiality of corporate data are in place?
In addition, enterprises are concerned about the risk of employee-owned devices impacting availability of enterprise IT resources. How does a business ensure that appropriate information security controls prevent the introduction of malware to existing corporate resources?
The risks to confidentiality and availability are fairly well-known and understood, yet there is an additional type of risk posed by BYOD that has corporate counsel and privacy officers concerned: How does an organization respect the privacy of employees when corporate-owned information is commingled with employee-owned personal information on an employee-owned device? This is a relatively new topic that has many CIOs and CSOs scrambling to develop IT policies that do not conflict with their corporate privacy policies.
Cheryl Orr, partner and co-chair of National Labor & Employment Group at Drinker Biddle & Reath LLP, wrote an excellent overview of this concern, which can be found here.
Essentially, the risks organizations face remain the same as they have since the introduction of networked computer systems. The ability to move information quickly and easily among machines increases the difficulty of knowing where information resides, while enterprises must be conscientious about ensuring that private information isn't disclosed to unauthorized parties.
Today's technologies of cloud computing, web applications, ubiquitous internet access, social networking, vast inexpensive portable storage and broadband wireless have only added to the difficulties of securing corporate data.
Organizations looking for solutions to BYOD challenges should answer these questions:
Do you know the data your organization has, its value and where it resides?
Enterprises should implement strong information management processes. Information assets must be identified, owners and custodians assigned, and information classified.
Do you have an accurate inventory of all IT devices – company- and user-owned?
An inventory of IT devices, as well as an asset management system allowing for the management of the devices, will enable organizations to maintain an up-to-date inventory despite the rapidly changing and dynamic environment.
Organizations should ensure that they are able to identify unknown devices connecting to their enterprise networks. An ideal system to report and identify connected devices using enterprise resources is the network itself since it is the primary point of device connection.
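One way to use the network as the detection point, as an added illustration that is not part of the original article: compare the devices a DHCP server hands leases to against the asset inventory, and flag any MAC address the inventory does not know. The dhcpd-style log lines, the inventory contents and the MAC addresses below are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed inventory keyed by MAC address (hypothetical values).
# In practice this would be exported from the asset management system.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"owner": "corp", "asset": "LAPTOP-0042"},
    "f4:5c:89:aa:bb:cc": {"owner": "byod", "asset": "phone-jdoe"},
}

# Constructed sample DHCP server log (ISC dhcpd-style DHCPACK lines).
SAMPLE_LOG = """\
Jan 14 09:02:11 dhcp dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:5e (LAPTOP-0042) via eth0
Jan 14 09:03:45 dhcp dhcpd: DHCPACK on 10.0.5.77 to f4:5c:89:aa:bb:cc (jdoe-iphone) via eth0
Jan 14 09:05:02 dhcp dhcpd: DHCPACK on 10.0.5.90 to 3c:22:fb:11:22:33 via eth0
Jan 14 09:05:03 dhcp dhcpd: DHCPDISCOVER from 3c:22:fb:11:22:33 via eth0
"""

# Only DHCPACK lines mean a device actually obtained an address; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.I,
)

Lease = namedtuple("Lease", "ip mac host")

def parse_leases(log_text):
    """Extract (ip, mac, hostname) from every DHCPACK line; MACs are normalised to lowercase."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m.group("ip"), m.group("mac").lower(), m.group("host") or ""))
    return leases

def find_unknown_devices(leases, inventory):
    """Return leases whose MAC is absent from the inventory, one entry per MAC."""
    seen, unknown = set(), []
    for lease in leases:
        if lease.mac not in inventory and lease.mac not in seen:
            seen.add(lease.mac)
            unknown.append(lease)
    return unknown

def report(log_text=SAMPLE_LOG, inventory=INVENTORY):
    """Produce (ip, mac, hostname) tuples for devices the inventory does not know."""
    unknown = find_unknown_devices(parse_leases(log_text), inventory)
    return [(u.ip, u.mac, u.host or "<no hostname>") for u in unknown]

if __name__ == "__main__":
    for ip, mac, host in report():
        print(f"UNKNOWN DEVICE: {mac} at {ip} ({host})")
```

A MAC address is a weak identifier (it can be changed by the device owner), so this check finds devices that never entered the inventory rather than proving the identity of those that did; 802.1X or certificate-based network access control gives a stronger binding.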
Enterprises need to understand how the use of cloud services will impact their ability to ensure confidentiality of corporate information stored in the cloud. Does the cloud service provide the organization with controls needed to implement access controls and restrict the downloading of the information?
BYOD is a growing reality, as employees are connecting a greater number of devices to enterprise networks on a daily basis, and CIOs and CSOs must prepare accordingly.
Though the prospect appears daunting at first, enterprises can take proactive steps to mitigate some of the associated risks. A strong information management process, a system to track and organize IT system inventory, unknown device detection and a strong understanding of the enterprise's use of cloud services will help companies protect and secure their critical corporate data as BYOD proliferation continues in 2013 and beyond.