Phones, Phablets and Clouds - Securing Today’s New Infrastructure

Wednesday, December 03, 2014

Steve Durbin


The technological landscape in the workplace has dramatically changed over the past decade with the introduction of ultraportable smartphones, tablets, phablets and more. The benefits and opportunities are clear: a mobile, fully connected global workforce is better able to multitask and communicate precise information with minimal disruption.

Despite the undeniable corporate and consumer interest, the security and privacy implications of cloud and mobile connected devices concern many security professionals. Countless organizations are still playing catch-up: Bring Your Own Device (BYOD) policies are only starting to be embedded, reviewed and updated, and IT departments are overwhelmed by the number of devices entering the workplace and connecting to corporate networks.

Ultimately, employers must accept that cloud and mobile working will become the de facto corporate infrastructure, and should place a strong emphasis on employees understanding the risks and their responsibilities in protecting corporate and personal data. But how?

Enter the Era of Bring Your Own Everything (BYOx)

According to recent forecasts from the International Data Corporation (IDC) Worldwide Quarterly Smart Connected Device Tracker, phablet shipments will reach 175 million units worldwide in 2014, passing the 170 million portable PCs expected to ship during the same period. IDC also forecasts that in 2015 total phablet volumes will top 318 million units, surpassing the 233 million tablets expected to ship that year.

As the trend of employees bringing mobile devices, applications and cloud-based storage and access into the workplace grows, businesses of all sizes continue to see information security risks being exploited. According to the Ponemon Institute, despite the acknowledged importance of good mobile security, 50 percent of respondents are not satisfied with the solutions currently used in their organizations to secure employees' mobile devices. In the era of BYOx, this won't suffice.

BYOx has become a target for attackers, who take advantage of people who habitually use their devices or access their cloud storage for personal purposes and forget that they are on a corporate network. A well-organized attack, whether originating from nation states, criminals, hacktivists or rogue insiders, can exploit BYOx devices, applications and cloud-based storage as a bridgehead and means of entry into an organization.

The success of a Chief Information Security Officer (CISO) will depend on the personalization of IT and on being able to accommodate increasingly diverse, yet interconnected, technological ecosystems. BYOx initiatives present considerable challenges, as does the widespread adoption of social media. The modern CISO must embrace these technologies or risk being sidelined by those more agile.

Mitigating the risks presented by the new BYOx ecosystem will require IT departments to rapidly and effectively deploy enterprise-wide strategies, policies and management technologies. While safeguarding an organization's data is of the utmost importance, empowering employees to use their own devices, applications and cloud-based storage, both safely and flexibly, is essential to workplace productivity and competitiveness, as well as to keeping workforce morale and talent retention high.

Bring Your Own Cloud

We’ve touched upon BYOD and BYOx, but what about another acronym, BYOC (Bring Your Own Cloud)? Today’s global organizations need a full understanding of the extent to which they rely on cloud storage and computing. They may have data in the cloud they don’t even know about: the simplicity of acquiring cloud services makes it easy for local initiatives to store information in the cloud without involving IT. Outside the organization itself, information shared with suppliers might be stored by them in the cloud, especially as small and medium enterprises (SMEs) have embraced cloud services as flexible and cost-effective solutions.
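Finding out how much an organization already relies on cloud storage usually starts with the data it has: the web proxy or gateway logs. The following script is an added example, not code from the original article or from the ISF; it inventories cloud-storage use per user from proxy log lines, separating read-only access from uploads (POST/PUT/PATCH), which is where corporate data leaves the network. The log format (timestamp, user, method, URL, bytes sent), the domain-to-service mapping and the sample log lines are all constructed assumptions; a real deployment would feed it the proxy's actual format and a maintained list of cloud-service domains.

```python
"""Inventory of cloud-storage use from web-proxy logs (added example).

The log format, the domain list and the sample lines below are assumptions
made for this illustration; adapt them to your proxy and your service list.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed mapping of registrable domains (matched as suffixes, so subdomains
# count) to a service name. Deliberately narrow: plain google.com is NOT listed,
# so only Drive/Docs traffic is counted, not every Google request.
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "sharepoint.com": "OneDrive/SharePoint",
}

# HTTP methods that carry a request body, i.e. potential data leaving the network.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample log: "<timestamp> <user> <method> <url> <bytes_sent>".
# One line is deliberately malformed to show that parsing is tolerant.
SAMPLE_LOG = """\
2014-12-03T09:01:12Z alice GET https://drive.google.com/drive/my-drive 0
2014-12-03T09:02:40Z alice PUT https://api.dropboxapi.com/2/files/upload 5242880
2014-12-03T09:03:05Z bob GET https://www.example.com/news 0
2014-12-03T09:04:18Z bob POST https://upload.box.com/api/2.0/files/content 1048576
2014-12-03T09:05:00Z carol GET https://contoso.sharepoint.com/sites/finance 0
2014-12-03T09:05:30Z carol GET https://onedrive.live.com/?id=root 0
malformed line that should be skipped by the parser
2014-12-03T09:06:01Z alice POST https://docs.google.com/document/d/abc/upload 204800
"""


def service_for_host(host):
    """Return the service name if host equals, or is a subdomain of, a listed domain."""
    labels = host.lower().rstrip(".").split(".")
    # Stop before the bare TLD so "com" can never match anything.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_STORAGE_DOMAINS:
            return CLOUD_STORAGE_DOMAINS[candidate]
    return None


def parse_line(line):
    """Parse one assumed-format log line; return None for anything malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    timestamp, user, method, url, sent = fields
    try:
        sent = int(sent)
    except ValueError:
        return None
    host = urlsplit(url).hostname
    if not host:
        return None
    return {"ts": timestamp, "user": user, "method": method.upper(),
            "host": host, "bytes": sent}


def inventory(log_text):
    """Map user -> service -> {requests, uploads, bytes_uploaded} for cloud-storage hosts."""
    usage = defaultdict(lambda: defaultdict(
        lambda: {"requests": 0, "uploads": 0, "bytes_uploaded": 0}))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = service_for_host(rec["host"])
        if service is None:          # not a cloud-storage host: ignore
            continue
        entry = usage[rec["user"]][service]
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["uploads"] += 1
            entry["bytes_uploaded"] += rec["bytes"]
    # Convert to plain dicts so callers get an ordinary, printable structure.
    return {user: dict(services) for user, services in usage.items()}


def report(usage):
    """Render the inventory as one line per (user, service), sorted for stable output."""
    lines = []
    for user in sorted(usage):
        for service, e in sorted(usage[user].items()):
            lines.append(f"{user:<8}{service:<22}requests={e['requests']:<3}"
                         f"uploads={e['uploads']:<3}bytes_uploaded={e['bytes_uploaded']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(inventory(SAMPLE_LOG))))
```

Run against real logs, the upload column is the one to look at first: a department with steady uploads to a service that has no contract, no data-handling terms and no offboarding process is exactly the unmanaged initiative the paragraph above describes, and the supplier side of the problem (data your partners hold in their cloud) will not appear here at all and has to be covered contractually.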

Forbidding the use of cloud services is doomed to failure. IT and information security teams should instead work with the business to find the best solutions, embracing cloud services that can deliver what internal systems cannot. They should provide the organization with expert advice on the benefits and risks of using cloud services. Together with the business, the IT, information security and information risk management teams can ensure that adequate safeguards are in place. Such a proactive approach makes it less likely that unmanaged initiatives will bypass processes and defenses.

By developing a deep understanding of the needs of the business, and knowing when cloud services can meet those needs better than internal services, IT will empower the business and demonstrate agility. The organization is then less likely to be exposed to the risk of unmanaged cloud initiatives, and business units will be more aware of the risks associated with cloud services and will welcome information security support on both risk management and contract terms.

Managing Risks in Today’s New Infrastructure

Clearly, an information-centric approach to managing security risks is essential: devices not issued by the company are too numerous, varied and vulnerable to be managed effectively. Focusing on protecting the information itself and meeting compliance requirements, rather than on every endpoint, will keep your BYOx program usable and scalable.

BYOx policy options can be crafted to reflect the interplay of factors such as the information type, device ownership and the likelihood of access to more sensitive information. For policy controls to work, organizations must be able to trust their people to do the right thing. This is only realistic if the organization provides the communications, training, monitoring and enforcement that make clear what behaviors are expected of them. Behaviors can be difficult to change, and security awareness is often elusive.

Shift from Awareness to Embedding Behaviors

Traditionally, organizations have run security awareness initiatives, either standalone or alongside other work, to address unintentional or accidental outcomes. The expectation was that imparting knowledge would motivate people to take information security seriously and act accordingly, thereby:

  • Preventing incidents due to human error
  • Detecting such incidents earlier
  • Providing a greater resistance to threats turning into incidents
  • Delaying the impact of an incident to allow the organization time to respond
  • Reducing the overall impact of incidents

However, this reliance on awareness initiatives, and the vast sums spent on them over recent decades, seems to have been misplaced. At best, awareness only creates knowledge, and even that can be temporary.

Like any other aspect of the business, organizations need to shift from promoting awareness of the BYOx problem to creating solutions and embedding information security behaviors that affect risk positively. Here are ten principles that the Information Security Forum has developed to help businesses embed positive information security behavior within their organization:

Develop a Risk-Driven Program

1. Let risk drive solutions. Ensure that each solution has a direct link to business requirements and addresses a defined risk. Using risk reduction as the driving force enables a strong baseline and measurement criteria to be defined upfront.

2. Continue to look for alternatives. By looking closer, organizations may find that a complex system or cumbersome process is inhibiting the right behaviors. Our leading ISF Members strive to make systems and processes as simple and user-friendly as possible.

Target Behavior Change

3. Embed positive behaviors. People are an organization’s biggest asset and also potentially its biggest risk. People – how they take decisions and behave in key moments – must play an essential role in strengthening organizational resilience.

4. Empower people. Winning hearts and minds changes both attitudes and mindsets. As far as possible people should be trusted, motivated and empowered at all levels of the organization. Information security practices then become embedded in the business culture, making information security a critical element of “how things are done around here”.

Set Realistic Expectations

5. Set a realistic timescale. There is no silver bullet. Don’t expect significant results within a month or a complete change after a year: think in terms of three to five years.

6. Aim for ‘stop and think’. Successful solutions enable people to make the right decisions – or know when to consult – when faced with the unknown. If people stop and think and take the appropriate actions in key moments the battle is won.

Engage People on a Personal Level

7. Move from ‘tell’ to ‘sell’. Develop a strong brand and identity, and tailor solutions to people’s risk profiles where possible – ‘one size fits all’ solutions fail to engage people on a personal level.

8. Tap into the right skills. While the information security function plays a vital role in providing context and content for a solution, expert skills are required to define and implement solutions that are distinctive and that people will buy into.

9. Identify and integrate champions into efforts. Top performing organizations recognize that a network of trained information security champions from within the business plays a vital role in introducing and embedding positive information security behaviors.

10. Hold people accountable. Successful organizations demonstrate that information security is important to them by rewarding good behaviors and addressing bad behaviors constructively – just as they would with any other sub-standard performance.

Don’t Get Left Behind

BYOx initiatives promise significant benefits, including improved productivity, attracting and retaining talent, and reduced costs. But these business benefits will only emerge if the initiative is carefully managed by the organization. Shifting from a culture of awareness to embedding positive behaviors is key.

Organizations with the appropriate expertise, leadership, policy and strategy in place will be agile enough to respond to the inevitable security lapses. Those who do not closely monitor the shifts in BYOx could very well be left behind.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
