We live and work in a world of immediate gratification. In the name of greater productivity if you need to check inventory from a supplier’s warehouse…click there it is. Share a file on Dropbox, no problem. Add detail about a meeting in the sales database… click! Update your Facebook or LinkedIn status. Email a white paper to a potential client…click, click. Want to see that flying pig meme…well, you get the picture.
Now that’s not necessarily a bad thing…unless you’re an IT professional and the those accessing and storing your network assets use unsecured/unauthorized devices while potentially bypassing security protocols. But unlike Veruca Salt quoted above, it isn’t the user who falls into the garbage chute—the risk is to the security of the network. And it’s happening more often than you think.
Many organizations are now allowing employees to use their personally-owned devices for work purposes with the goal of achieving improved employee satisfaction and productivity. However, this comes at an IT price. Users love the mobility and the immediacy of smart phones and tablets, but forget these devices are just hand-held computers prone to the same intrusions, attacks, viruses and risks as the computers used in the office. The larger problem is many users don’t see that, so every time they sign on to your network or download an app, it creates a wider and wider vulnerability gap for the enterprise network.
This issue is not unique to a company of any particular size or one vertical market, however the solution, whereas not simple, is clear. There are several moving parts that require elements of identity management, access management, SIEM, WebSSO and SaaS SSO. It incorporates a suite of integrated answers that together can let you rest a little better at night. The idea that if you build a strong perimeter or have users install anti-virus on their devices, the problem goes away. It simply puts the finger in the dyke, and the overriding issue still exists. Your proprietary assets are still exposed.
First off, regardless of whether you approach the solution from the cloud or more terrestrial confines, you need to rethink the risk, revise the policy and enforce the rules. You have to consider how best to maintain compliance (PCI, HIPAA, and/or Sarbanes-Oxley), and you need to incorporate the answer holistically. To this end you need new protocols to authenticate and credential users, define authorization rules based on very specific rights and profiles and monitor traffic patterns to identify, alert and act on any unusual activity.
This takes time, money and manpower. All of which are typically in short supply for new IT initiatives. That is why I advocate security-as-a-service. BYOD is a threat that will only grow exponentially and the longer you wait to address the issue head on, the greater the vulnerability gap. However, by taking advantage of the integrated solutions managed from the cloud, organizations gain the benefit of cost-effective, seamless, on-demand, scalable coverage. If you already have a strong SSO, then you don’t add it. If all you require is additional resources to improve intrusion detection and/or password management, the cloud solution exists to leverage your existing architecture. Essentially cloud-based security fills the vulnerability gap with proven and tested solutions monitored 7/24/365.
Managing security in the cloud provides the resource bandwidth to create the rules, easily provision or deprovision devices, automate the alerts and incorporate a more comprehensive and layered protection strategy that includes the BYOD crowd.
But whatever your decision, you need to address the issue sooner than later, becasue if you don’t take charge, your employees will self-serve based on their own needs. There’s a prescient blog by Joe Onisick of Network Computing who said:
“If you don’t support a particular device, employees will begin to find ways to self-support it. They will bypass corporate IT and, with that, bypass security, compliance, change management and audit logging. It’s a problem that will continue to get worse, and, as with any problem, an ounce of prevention is worth a pound of cure.”