Saturday, May 17, 2014

Bring Your Own Device AKA BYOD

Week 10

Bring Your Own Device (BYOD) has become a growing trend of late.  Companies allow their employees to bring a device from home, use it for work, and connect it to the corporate network.  You probably see this more than you think: phones and tablets are the two devices people most often bring and use while at work.  The downside, in my opinion, is that these personally owned, unmanaged devices join the company's wireless network, and a wireless network that is not properly segmented from the internal network exposes that network to whatever those devices carry.  A company that is not set up properly for this can end up doing more damage than good by allowing BYOD.

I, for one, am not fond of this practice.  A company network normally holds some sort of confidential or sensitive information, and a personal device is, in effect, a bridge between the Internet and that part of the network: whatever the device picks up outside comes back in with it.  If sensitive systems are reachable from such a device, a compromise could have huge ramifications for the business.  Let me use a specific scenario to get your attention.

Joe brings in his Samsung Galaxy 5.  On his break, he decides to get on his phone and play a game.  The phone is allowed onto the company's wireless network so that his apps can reach the Internet.  While Joe is playing, an ad pops up offering another game for free.  Joe taps the link and begins the download.  Little does he know, the download carries malware, which installs itself alongside the game.  The infected phone is still connected to the company's wireless network, and if that network is not isolated from the internal network, the malware can now reach the company's servers and workstations directly and attack any weakness it finds.  In the worst case the network is compromised, and its data with it.

Not a good scenario, is it?  That is what can happen when a company does not have a proper security process in place for BYOD.  One of the first things to do before allowing BYOD is a risk assessment of the network, so that the most vulnerable areas are found and secured properly.  You also need to ask two questions: why should we allow BYOD, and is it beneficial to the business?  If the only answer to the first is that employees want something to do on break, you honestly don't need to be allowing it.  If the answer to the second is no, again, it shouldn't be allowed.

When it comes to securing BYOD, there is an awesome whitepaper written by Bradford Networks that lays out ten general steps to securing BYOD.  The 10 steps are:

  1. Determine which mobile devices are allowed on the network - Are you going to allow phones only, or both phones and tablets?  Also, are you going to allow outside laptops?
  2. Determine which OS versions are going to be allowed - Which operating systems (Android, iOS, Windows, Linux), and just as important, which minimum version of each, since old versions carry known, unpatched flaws.
  3. Determine which applications are mandatory and prohibited for each device - Are you going to allow only company apps, or games as well?  Is a management agent required before the device gets on?
  4. Determine which groups of employees will be allowed to use BYOD - All?  Management?  Security?
  5. Define the who, what, where and when of network access - Who will be able to access what content, from where, and when they are able to access it.
  6. Educate employees about BYOD - Make sure employees know the hazards of using BYOD (Joe's free game, for example) and what they can do to defend against them.
  7. Inventory authorized and unauthorized devices - Find out what devices are actually on the network and whether each one has been through your enrollment process or not.
  8. Inventory authorized and unauthorized users - Determine whether the users behind those devices are authorized to use them.
  9. Control access based on the need to know - Limit access by group, just as your directory already does.  Security gets to see security.  HR gets to see HR.  A device that fails any of the checks above gets no more than Internet access.
  10. Continuous vulnerability assessment and remediation - Continuously monitor BYOD devices for compliance with the policies and procedures, and remediate (quarantine or remove) devices that fall out of compliance.
          (Bradford Networks, 2011)
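To make the steps concrete, here is a small admission-control policy that applies steps 1 through 9 to a constructed device inventory and decides which network segment each device may join, with an audit pass for step 10.  This is an added example and not code from the original post or from the Bradford Networks paper; every MAC address, user, group, app name, segment name and version threshold in it is a made-up assumption for illustration.

```python
"""Added example, not code from the original post or from Bradford Networks.

A small admission-control policy that applies steps 1 through 9 above to a
constructed device inventory and decides which network segment each device
may join; step 10 is the audit() pass that re-checks every known device.
Every MAC address, user, group, app name, segment name and version
threshold below is a made-up assumption for illustration.
"""
from dataclasses import dataclass, field

# Steps 1 and 2: which device types and which OS versions are allowed.
ALLOWED_TYPES = {"phone", "tablet"}                   # no outside laptops (assumption)
MIN_OS_VERSION = {"android": (4, 4), "ios": (7, 1)}   # hypothetical version floors

# Step 3: mandatory and prohibited apps (hypothetical names).
MANDATORY_APPS = {"corp-mdm-agent"}
PROHIBITED_APPS = {"free-game-downloader"}

# Steps 4 and 8: groups allowed to use BYOD, and each user's group membership.
BYOD_GROUPS = {"management", "security", "hr"}
USER_GROUPS = {"joe": {"sales"}, "alice": {"security"}, "bob": {"hr"}}

# Step 7: devices that completed enrollment, keyed by MAC (made up).
AUTHORIZED_DEVICES = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}

# Step 9: need-to-know segments. Anything that fails a check lands on an
# Internet-only guest segment, so a phone like Joe's never sees the LAN.
GROUP_SEGMENT = {"security": "vlan-security", "hr": "vlan-hr",
                 "management": "vlan-mgmt"}
GUEST_SEGMENT = "vlan-guest-internet-only"


@dataclass
class Device:
    mac: str
    owner: str
    kind: str          # "phone", "tablet", "laptop", ...
    os: str            # "android", "ios", ...
    os_version: str    # dotted string such as "4.4.2"
    apps: set


@dataclass
class Decision:
    segment: str
    violations: list = field(default_factory=list)


def parse_version(s: str) -> tuple:
    """'4.4.2' -> (4, 4, 2); tuples compare element-wise, so (4, 4, 2) >= (4, 4)."""
    return tuple(int(p) for p in s.split("."))


def evaluate(dev: Device) -> Decision:
    """Apply steps 1-9 to one device; any violation means guest segment only."""
    v = []
    if dev.mac not in AUTHORIZED_DEVICES:
        v.append("device not enrolled")                                # step 7
    if dev.kind not in ALLOWED_TYPES:
        v.append(f"device type not allowed: {dev.kind}")               # step 1
    floor = MIN_OS_VERSION.get(dev.os)
    if floor is None:
        v.append(f"OS not allowed: {dev.os}")                          # step 2
    elif parse_version(dev.os_version) < floor:
        v.append(f"OS version below minimum: {dev.os_version}")
    for app in sorted(MANDATORY_APPS - dev.apps):
        v.append(f"missing mandatory app: {app}")                      # step 3
    for app in sorted(PROHIBITED_APPS & dev.apps):
        v.append(f"prohibited app: {app}")
    eligible = USER_GROUPS.get(dev.owner, set()) & BYOD_GROUPS
    if not eligible:
        v.append(f"user not in a BYOD-enabled group: {dev.owner}")     # steps 4 and 8
    if v:
        return Decision(GUEST_SEGMENT, v)
    # Step 9: one segment per group; choose deterministically if a user has several.
    return Decision(GROUP_SEGMENT[sorted(eligible)[0]], [])


def audit(devices) -> dict:
    """Step 10: re-evaluate every device on the inventory; returns {mac: Decision}."""
    return {d.mac: evaluate(d) for d in devices}


# Constructed inventory: Joe's phone from the scenario above, a compliant
# tablet, and an unenrolled laptop.
INVENTORY = [
    Device("AA:BB:CC:00:00:01", "joe", "phone", "android", "4.4.2",
           {"corp-mdm-agent", "free-game-downloader"}),
    Device("AA:BB:CC:00:00:02", "alice", "tablet", "ios", "8.0", {"corp-mdm-agent"}),
    Device("AA:BB:CC:00:00:99", "bob", "laptop", "windows", "8.1", {"corp-mdm-agent"}),
]

if __name__ == "__main__":
    for mac, d in audit(INVENTORY).items():
        print(mac, "->", d.segment, *d.violations, sep="  ")
```

Run as a script it prints one line per device.  Joe's phone is enrolled and patched, but it carries a prohibited app and Joe's group is not BYOD-enabled, so it is confined to the Internet-only segment; the unenrolled laptop fails three checks at once; only the compliant tablet reaches a group segment.  In a real deployment the same decision would be handed to the wireless controller or NAC as a VLAN assignment, and audit() would run on a schedule rather than once.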

These steps will leave BYOD better secured than it probably is today.  You can follow the link in the reference section for more detailed information about each step.  Don't just set up your network and let employees bring in their own devices without first going through the proper steps to secure the network.  You do not want what happened to Joe's company happening to you.

Reference:

Bradford Networks. (2011). Ten Steps To Secure BYOD. Retrieved May 17, 2014 from http://www.cadincweb.com/wp-content/uploads/2012/04/CAD_BRAD_Ten_Steps_to_Secure_BYOD.pdf
