Wrapping Personal Devices and Critical Data in Stale Policies
Sep 21, 2011 5:00 AM PT
It's a myth that ostriches bury their heads when they spot danger. It sounds plausible, but in reality, they're just like us: In the face of imminent danger, they either run or attack ("fight or flight").
This makes sense when you stop to think about it. After all, one thing that seems almost painfully obvious is that ignoring signs of danger isn't an effective defense strategy. In a high-stakes situation (like being a prey animal on the Serengeti), ignorance isn't an evolutionarily productive strategy. Successful ostriches are more likely to live by taking evasive action; less-successful ostriches are more likely to ignore danger and perish.
There's a lesson here for firms when it comes to their security programs. Right now, evidence suggests that employees increasingly use devices they personally own for corporate use. You might hear it referred to as "personally liable" (to distinguish these devices from "corporate liable" ones that are provisioned by the firm), "employee-owned" devices, or (more rarely) "self-provisioned equipment."
But no matter what you call it, the upshot is the same: Employees are out there accessing corporate data -- and using corporate resources -- from a personal device provisioned, owned and maintained by them.
And it happens a lot. For example, a recent survey by Dell KACE suggests that 87 percent of employees use personal devices for work purposes. This includes a number of situations: from mobile devices like tablets and smartphones used to check corporate email to home PCs with access to SSL VPNs and Web-based email. But whatever the specific use-case, if you're in IT, chances are (as the data suggests) it's happening in your firm ... right now ... with some unintended security consequences in certain situations.
Specifically, quite a few IT shops haven't fully addressed the information security ramifications of these employee-owned devices. The same survey from Dell KACE cited above suggests that more than half of respondents (62 percent) felt they were underprepared to address security concerns arising due to these devices in the enterprise. In some cases, this is due to the fact there isn't a unified, thought-through position on when and how to use these devices. In other cases, it's due to technical policy that runs contrary to management statements about device use. For still others, it's due to users "going rogue" and finding cracks to bring in unsanctioned devices and jury-rigging them to work without IT's knowledge.
So what are security pros to do? What steps can they take to help lessen risks resulting from the current scenario?
Take Stock and Evaluate
First, to pave the way for action, you'll need to first get a handle on what your current policies are as they relate to management intent (i.e., what is the corporate position as it relates to employee-owned devices?), as well as what policies you're already enforcing technically. Look through existing policy to see how personally owned devices are currently addressed. Does current policy address them at all? If so, are there specific prohibitions about who can access what from where -- and what needs to happen to allow that?
In the past, a number of firms took hard-line positions like "no corporate data on personal devices ever" due to the inherent difficulties of securing them. In the current environment, this approach is less realistic; policy may need to be revisited in light of honest assessment of what users actually do.
Historical policies are also important to consider here. For example, policies pertaining to PDA use and those addressing legacy corporate-issued mobile phones may be generic enough to apply.
Once you understand the historical management directives, turn to technical implementation. Ideally, you want to find and note areas where enforcement deviates from intent. For example, say you have a policy stating that "no personal mobile devices are allowed to access corporate email" (management intent = no access), while at the same time IT supports technical features specifically facilitating access (technical enforcement = full access). This divergence not only creates confusion for users, but it also puts your organization in a less defensible position if you should need to take action (for example, sanction an employee) based on their deviation from policy.
Ear to the Ground
Once you have an idea of what your policy requires and what the implementation enforces, evaluate synchronization of the two as well as management expectation about how data should be protected. Keep in mind that sensitive data is very difficult to keep contained once pathways to it are made available -- meaning, if you allow employees to access their email from home computers and smartphones, assume that they'll find a way to store corporate secrets there as well. So plan accordingly.
In many cases, you'll find that you need to revisit either the management directives or the technical enforcement, and making either change can take significant amounts of time. Changes to technical enforcement may need to get scheduled through the change management process and may need careful regression testing, while management statements usually need multiple levels of review and approval. So changes that might seem easy can take a while.
Next, find out what it is that users are doing and what usage they're most anxious to support via personally owned devices. This isn't about what you'd like them to do or what they think they're supposed to do. The goal is to find out what they're actually doing. Ask them, in a retribution-free way (for example, an anonymous survey).
The purpose of this isn't necessarily to set the standard around the status quo (that too can be less than ideal), but instead to get an idea of what you're up against. You'll know what use-cases you'll need to think about and where some of the most problematic issues might be. For example, if you find out that most users connect routinely from unmanaged home machines to network resources via an IPsec VPN, maybe it's time to provide security software, educational seminars or other malware-prevention strategies to cover those devices (if you're not already).
Lastly, if you're in IT, be skeptical of the "IT problem vs. non-IT problem" argument. Meaning, the temptation can be significant to classify employee-owned devices as "unsupportable" or "not an IT issue" and stop the discussion about how to secure them. Ultimately, this attitude can be counterproductive. Why? Because at least from an information security point of view, anywhere that corporate data will live -- and anywhere corporate data will be accessed from -- is an area of potential attack. And the support issue, while important to consider, is different from the security issue.