The company contends that the protective “walls” that businesses construct to deflect infiltrations and exfiltrations are rendered useless when it comes to BYOD if they do not also provide some level of threat intelligence and provisioned access models (such as Role-Based Access Control).
“ICT, and security, must adapt to this trend and deploy tools to mitigate the plain fact that data control is no longer merely deploying internal technology to control security rights and policies,” says Andrew Chester, Security Officer at Ukuvuma Security Solutions.
One of the most significant challenges with BYOD is the lack of control. “Devices can access multiple networks at any given time, and that opens up several threat vectors which a common workstation, situated within an organisation, wouldn’t necessarily be subjected to. Networks aren’t the only problem; mobile devices have differing operating systems and software which is utilised. Everyday security controls, such as application control, are now much more difficult, if not impossible. You can control applications on mobile devices – however, that means restricting a device, such as an iPad or iPhone, and preventing a large part of the feature-set which it was created and bought to be utilised for,” adds Chester.
Ukuvuma Security Solutions suggests that, against a backdrop of the advanced nature of attacks, today’s software has not advanced sufficiently to secure computers, safeguard the business entirely and protect data.
“Anti-virus is essentially dead when it comes to securing computers due to the advanced nature of attacks today. By the time a software/system vulnerability is found and exploited (known as a zero-day), it usually takes an anti-virus software manufacturer several days to release a signature to detect the exploit,” Chester continues.
By this time, the exploit will already have infected thousands of computers and given the exploit handler time to patch the vulnerability and hide their presence on a computer, he adds.
“Many will argue that this is exactly the reason why one should look at defence in depth to protect computers today, namely a combination of defences other than just an anti-virus system, and I would agree – that is exactly one of the key things to look at within any organisation to defend against security threats. However, defence in depth is not only comprised of technological systems such as security software – it can’t be. It must comprise the human element and procedural control systems as well,” says Chester.
There is something to be learned here, says Ukuvuma. The company says most businesses are aware of the need to protect their infrastructure, but not of the extent to which they need to do this.
To achieve higher levels of effective security and address these challenges, Ukuvuma advises that companies construct a BYOD program with clearly defined goals. These goals should cover subjects such as social goals, risk management, sustainability and the processes that should be followed in the event that a device is compromised and/or lost.
“Risk management would touch on how to control BYOD devices, whilst not crippling the user’s device, whilst sustainability includes topics such as how to ensure the BYOD program includes security for the organisation’s applications and data. Once you have your goals listed, define steps to achieve them – such as remediation options that address your risk, process and sustainability management. Options could include implementing policies and access control mechanisms, separating personal and corporate data, tracking devices and identifying users on the devices,” Chester continues.
A BYOD program should never be just technology-based, the company suggests; it should include organisational requirements, documented processes, user training and metrics to measure how well these implemented processes and procedures are performing.