Bring Your Own Pandora’s Box

May 1, 2012

Bring Your Own Device (BYOD) seems to be spreading through the industry as a debating point like a virulent virus. Is it fast becoming the 21st century version of the “Pandora’s Box” for the workplace?


In ancient Greek mythology the “Pandora’s box” was a box which contained all the evils of the world. Compelled by her own curiosity, Pandora opened it, and all the evil contained therein escaped and spread all over the world. Is “Bring Your Own Device” (BYOD) the 21st Century equivalent?

I’ve long been an advocate of information security professionals adopting a more flexible approach when giving end-users the functionality and flexibility they want: a happier user is a more productive user. Indeed, a recent study published by O2 last month [1], the largest ever flexible working pilot of its kind in the UK, found that workers were more productive, happier and richer if they did not go into the office.

Users want to experience the functionality, applications and interfaces that they use and are familiar with in their private lives. They want devices that allow them to work remotely from outside the office and on the move. All things can be taken too far, however, and this is exactly what is happening with BYOD. Some organisations seem intent on throwing out the corporate security baby with the data bathwater.

BYOD should be treated with the same three basic principles as any other information security issue: confidentiality, integrity and availability. Vast sums were spent on secure laptop rollouts in the noughties in order to give workers the ability to work from home and on the road securely. Did we ask or allow users to bring their own home laptops (along with their malware!) and just plug them into the corporate network and hope for the best? Of course we didn’t!

Some good reasons why BYOD may not be such a great idea:

  • What happens if the device is lost or stolen from the end user? Along with the device go (unencrypted) corporate data and contacts, with no ability to remote wipe or kill it.
  • Removable media is easily targeted by would-be remote hackers as an easy way of bypassing network firewalls: it is the assumed route, for example, for the Stuxnet virus.
  • Smartphones nowadays usually have both voice recording and high-definition camera capabilities, easily allowing for industrial espionage. There’s good reason most high-security organisations don’t allow them on their premises.
  • There are legal ramifications in most geographies in monitoring employees’ personal web behaviour.
  • Laws on employer monitoring of personal data and behaviour vary from geography to geography: this is a potential headache for corporate risk departments.
  • How will you monitor the mobile devices for malware, and prevent its introduction into the corporate network?
  • How will you identify which device is ‘rogue’ and which is ‘approved’ in a true BYOD environment?
  • How do you monitor for acceptable use on an employee-owned device (assuming there are no legal blockers)?
  • How will you prevent the employee walking out the door with your customer and supplier contact lists?
  • How do you prevent illicit or unlicensed content from entering the corporate network?
  • Which devices are deemed to be supported and unsupported?
  • Does your IT department have the right skills to support cross-platform mobile applications in a secure fashion?

The more enlightened organisations are of course making a sensible compromise: rolling out well-known tablets to their workforce in a controlled manner, whilst not allowing private devices to access the corporate network. According to Apple, 9 months after they launched the iPad, 80% of Fortune 100 companies had either deployed or were piloting the device [2]. When deploying mobile devices you should consider all the areas you would have done for a laptop, and more:

  • How will the data on the device be encrypted?
  • How will you encrypt data in transit to your internal network and to external service providers?
  • How will you ‘remote kill’ the device should it be lost or stolen?
  • How will you prevent malware and inappropriate content entering the network?
  • How will the user authenticate securely to both the device itself and the corporate network?
  • How will you identify vulnerabilities on the mobile operating system?

It is perhaps my last question which causes me the most concern, since some in the industry appear to think that certain mobile platforms are not open to vulnerabilities and exploits in the same way as their desktop and server counterparts. A recent mystery shopper exercise has confirmed my opinion: most do not take the threat posed by mobile devices as seriously as they should. The SANS Institute think otherwise: a whitepaper published by them in 2011 [3] stated that whilst Apple has done a great job by allowing only digitally signed software to be installed on a non-jailbroken iPhone, there were still vulnerabilities that could be exploited, particularly in the web browser (Safari). Earlier this year Reuters reported a flaw in the Android operating system which allowed hackers to eavesdrop on phone calls or monitor the location of the device [4].

In order to reduce the risk posed by BYOD, organisations should develop an acceptable usage policy for tablets which clearly identifies the steps end users should take to complement the security that has been built into the device by the IT department. This should include sensible advice on the dangers of allowing shoulder-surfing when logging on in a public area; ensuring the device is not left in a public place; and regular connectivity to the corporate network to allow regular updates.

The sensible compromise of rolling out familiar, but secured, tablets in the workplace, combined with an acceptable usage policy, will prevent your employees seeing management as “tone deaf” and may well realise significant increases in both end-user productivity and creativity in the workplace, whilst maintaining a sensible approach to safeguarding against the unguarded use of mobile devices.

Phil Stewart is Director, Excelgate Consulting & Secretary & Director, Communications, ISSA UK

Sources:

[1] Working From Home More Productive, Telegraph, 3rd April 2012:
http://www.telegraph.co.uk/technology/news/9182464/Working-from-home-more-productive.html

[2] Morgan Stanley: Tablet Demand & Disruption:
http://www.morganstanley.com/views/perspectives/tablets_demand.pdf

[3] SANS Institute: Security Implications of iOS:
http://www.sans.org/reading_room/whitepapers/pda/security-implications-ios_33724

[4] Android Bug Opens Devices to Outside Control, Reuters, 24th February 2012:
http://www.reuters.com/article/2012/02/24/us-google-android-security-idUSTRE81N1T120120224


Every Cloud Has A Silver Lining

November 23, 2011

As more organisations look at ways of cutting costs, outsourcing IT to the cloud makes sense from a commercial perspective. But is your company and customer data secure in the cloud? Have you taken adequate steps to do thorough due diligence in the procurement cycle? There may be compliance issues in rushing to the cloud that you have not considered.


The ubiquitous term “cloud computing” merely refers to applications, services or data that are managed outside the boundaries of the corporate network by a third party. Many large organisations have already outsourced applications or data storage as a way to cut costs. Many SMEs too have already widely adopted cloud computing, using it for a variety of services including web and email hosting; CRM; and invoice processing.

Earlier this year I was invited to attend the Cloud Computing World Forum in London. What came as no surprise is that cloud computing is already widely adopted by many large organisations. As one CISO put it so succinctly: when your boss asks you to reduce costs by over 20%, we’ve already bought the cheaper coffee and reduced headcount, so we now need to outsource our IT, both to reduce operating costs and to free up valuable floorspace for other purposes. Whilst there were some good sessions in the conference on security in the cloud, what struck me is how few vendors present were focused on security.

In many ways the challenges of security in the cloud are no different from what the information security professional has always had to face: confidentiality of data, integrity of data, and availability of data and services. The three challenges that I would argue are new to cloud computing, however, are: due diligence of suppliers to ensure there aren’t legal and compliance issues; user authentication, within the context of being managed by a third party; and the unique threat that virtualisation poses when used in cloud computing.

Due Diligence of Suppliers

Before you can even consider migrating to the cloud, you need to identify and classify your data in-house. What data is customer- and business-sensitive? Where is it stored currently? Are you storing personal data and/or credit card data? Think about the implications for compliance with, for example, the Data Protection Act 1998 and PCI DSS. If you are storing credit card details and you outsource operations, you may well increase the scope of PCI DSS. For most organisations it usually makes sense to outsource credit card payment transactions to a PCI DSS compliant provider. Regarding the Data Protection Act 1998 here in the UK, it is worth bearing in mind the 8th principle of the Act:

“8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

As the law currently stands, at the time of writing, in the UK you remain the data controller for personal data; outsourcing the data storage and management to a third party doesn’t change this. You therefore need to make sure you ask appropriate questions of your proposed suppliers. A good starting point, though not an exhaustive list:

  • Where is the data hosted?
  • Where is the data replicated to?
  • What technical, physical and procedural controls are in place to protect the outsourced assets?
  • Is the proposed provider certified against any internationally recognised standard? ISO 27001 certified and PCI DSS compliant providers are helpful in this case.
  • What are the local data protection laws in the country (or countries) where the data is hosted and replicated?

It must be stressed that you should always seek legal advice when determining if the proposed supplier offers the same levels of protection as defined under your own jurisdiction regarding data protection.

You should also do a proper risk assessment to identify which services are business critical, what makes business sense to outsource, and what is simply too risky or cost-ineffective to outsource. What are the legal implications of outsourcing the data? The international standard ISO 31000 (Risk management: principles and guidelines) is an extremely useful reference for implementing a risk management process.

User Authentication in the Cloud

Secure user authentication is not a new challenge in itself, but when combined with a remote network hosted by a third party it does present some new challenges. For example, if a user is already authenticated internally on your network, perhaps via a directory service, can they be seamlessly recognised by the third party’s network without compromising security? Mobile workers, increasing both in number and in the variety of mobile devices they use, also need to be authenticated by the cloud provider’s network securely, without in any way compromising the security of your data on that network or indeed of your own network itself.

One vendor which has impressed me in this space is Ping Identity, who offer identity management software to enable Single Sign On as a service for cloud resources. It integrates with both mobile devices and web browsers, and with Active Directory or cloud identity providers. In addition, Ping Identity extends the capabilities of Active Directory, enabling control of user management, policies and access, and integrates with over 30 identity and infrastructure platforms. I was impressed with their demonstrations at the show and their innovative offering is worth a look.


Virtualisation Poses a Unique Threat

In cloud computing, a program called a hypervisor allows multiple operating systems to have access to the same hardware resources. In essence the program is controlling access to these resources amongst the different operating systems. Whilst the operating system at the client (the guest OS) thinks it has full access at all times to the resources it requires, what is going on behind the scenes is that the hypervisor is carefully managing access to the host’s (cloud hosted) processor and memory resources, so that each guest operating system gets the resources it requires at that moment in time, without disrupting access for the other guest systems. It is partly this principle, allowing better utilisation of resources, that makes cloud computing cost effective (along with economies of scale).

One key concern, rarely addressed to date, is that malicious code could infect one customer’s machine and then spread, via the underlying hypervisor, to other customers’ machines. There was a lot of talk around this time last year of a collaboration between NC State University and IBM on a prototype product, HyperSentry, that specifically addressed this threat, but it seems to have gone quiet recently. I hope that IBM, as well as other vendors, look at ways of addressing this unique threat.


Cloud Security Initiatives

I have no doubt that most large organisations have both the legal and technical resource available to do an effective due diligence process, should they choose to do so. However, SMEs don’t have access to in-house technical and legal resources. What is required to address these issues effectively for organisations is a cloud assurance scheme. There are currently two major initiatives in this space:

  • STAR – Security Trust & Assurance Registry from the CSA (Cloud Security Alliance)
  • CAMM – Common Assurance Maturity Model

In the case of STAR, CSA have created a free, online repository of documents that list the security controls by cloud computing providers who have gone through a self-assessment. The documents list a series of controls and whether or not the provider has them. CSA are currently urging all cloud security providers, large and small, to provide a complete self-assessment for publication.

CAMM is currently in its alpha pilot phase; it aims to provide a framework in support of the information assurance maturity of a third-party provider or supplier (of which cloud providers are currently a major part). Results will then be published in an open and transparent manner.

Whilst both initiatives are to be welcomed, both need to address the challenges of SME due diligence (given their constraints) and the unique threat posed by the hypervisor. A cloud assurance model that effectively addresses these issues is definitely needed for the industry.

CSA’s STAR is available from the CSA website; CAMM is currently undergoing its alpha pilot and more information is available at the CAMM website.

Phil Stewart is Director, Excelgate Consulting  and Secretary and Director, Communications for ISSA UK.