How to Approach Network Security in a ‘Bring Your Own Device’ Workplace
Mobile technology is still surging in popularity. According to TechCrunch, a study by International Data Corporation reports that smartphones and tablets are projected to command 83 percent of the total worldwide market for device sales by 2017. Compare this to 11 percent for laptops and just 6 percent for desktop PCs, and you get the picture that mobile is not going away anytime soon.
As these devices become increasingly common, people are changing their expectations about how and where they should be able to use them. For some time, workers have been taking their work with them on portable devices, so it’s only logical to take these portable devices to work.
This momentum toward bring your own device (BYOD) to work is creating a need for many companies to rethink their approach to network security. According to Andy Ellis (@CSOAndy), chief security officer at Akamai, “BYOD is where IT is moving to, security needs to live in that world.”
BYOD Problems in the Workplace
Unfortunately, personal devices used in the office and on the company network present a number of threats, including potential exposure to malicious code and unauthorized access of sensitive information.
Gregory Coticchia (@GregCott), president and CEO of Malcovery Security, believes BYOD erases the boundaries that traditionally defined corporate IT security:
“People who bring a device into the office, bring the outside to the inside of your perimeter,” he says. “Conversely, when someone leaves, data is exfiltrated. You have to worry about malicious coming into your organization, and you have to worry about sensitive data leaving your organization.”
With BYOD, users now bring external data with them into the network, creating a vulnerability to malicious code. And at the same time, data from inside the network can travel outside of secure boundaries, potentially exposing it to unauthorized access.
Echoing Coticchia, independent security consultant Rafay Baloch (@RafayBaloch) emphasizes how easily information can be compromised on a mobile device. Citing a recent survey by internet security firm Zone Alarm, Baloch claims that 79 percent of security incidents within the past year involved a mobile device: “BYOD should be one of the main concerns of the organizations. Sensitive information that is transported or stored on a mobile device can be compromised easily.”
Of course, companies can’t afford to risk their data and technology resources, so they will not stand idly by and watch security breaches happen. However, addressing the issue is more complicated than simply regulating access for these devices. According to Coticchia, policies aimed at controlling employees’ use of their own devices at work have not proven to be particularly effective.
“You can try to secure the devices, but you don’t own them so that is problematic. You could try to say that your employees can’t use them, but as long as your employees are people you can’t really control that,” Coticchia says.
Enabling BYOD securely is entirely possible, but a company’s lack of exclusive administrative control over devices prompts the need for new tactics. Adam Ely (@AdamEly), co-founder & COO of Bluebox, offers a high-level suggestion to guide security professionals and company leadership. In his view, the key is “rethinking strategy and focusing on the data, access, and how we apply protections without impacting the user’s privacy and experience.”
Other experts offer some specific guidance in the areas of network design and data access. Coticchia, for instance, advises companies to get a handle on apps and data on mobile devices. If those devices are used to access corporate resources, such as email, there are solutions available to mitigate and prevent breaches.
“You need to understand what threats are out there and how those threats manifest themselves. Your perimeter is…porous, and threats will get through,” Coticchia says. “So invest the time now to learn how to mitigate the threat of socially-engineered emails that are known to be the first step in most breaches.”
Coticchia and Baloch agree that there are also steps a company can take to better secure their wireless network for a BYOD environment. Their combined suggestions include:
1. Make sure you are using the best protocol for securing the wireless network.
The older WEP protocol is vulnerable to breaches and is deprecated. Its successors, WPA and WPA2, are better options. “WEP is notoriously insecure so that is not an option. WPA is better, and the follow-on WPA2 is even more secure,” says Coticchia. Because WPA2 uses both TKIP and AES encryption types, using this protocol will give you the strongest security option. In addition, make sure to turn off the WPS protocol, which is insecure and may be enabled by default on your network.
2. Be smart about your network ID and login details.
The default administrator login and password are highly insecure, and you should change these credentials immediately. “Pick an SSID that does not contain your company name. If you work for Acme Inc, making your wireless network SSID Acme_Wireless makes it very easy to guess,” Coticchia says. You should also set the network so that it does not broadcast its ID to devices in range. This way, employees will need to know the network ID in order to connect. And you can make it difficult to guess by not including the company name in the ID.
3. Use Virtual Private Networks (VPN).
With VPNs, you can add security with two-factor authentication methods and create network layers to ensure only secure access to your company’s sensitive data. “Ensure the use of VPN and actively monitor clients to see if they have placed their network card into the monitor mode,” Baloch recommends.
4. Use Remote Authentication Dial-In User Service (RADIUS).
A mechanism that adds an authentication factor for users accessing corporate servers, RADIUS is another step that ensures only secure connections to sensitive data.
5. Consider additional access controls.
If your network does not commonly deal with visitor access, you can configure network settings to allow access only from specific MAC addresses, which are tied to a device’s physical network hardware. This method is especially useful for companies that are realistically able to undertake it.
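The wireless settings in items 1, 2, 4 and 5 above can be checked mechanically. The following is an added example, not code from the article: it assumes the access point is configured through a hostapd-style key=value file and that the company name is "Acme", and the finding names and both sample configurations are constructed for illustration.

```python
# Added example, not from the article. Assumes hostapd-style key=value settings
# and the company name "Acme"; both sample configs are constructed.
WEAK = """
ssid=Acme_Wireless
wep_default_key=0
wep_key0=0123456789
wps_state=2
"""

HARDENED = """
ssid=floor3-net
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
wps_state=0
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text, company):
    """Return finding codes for settings the checklist warns about."""
    conf = parse_conf(text)
    findings = []
    if any(k.startswith("wep_key") for k in conf):          # item 1: WEP keys set
        findings.append("wep-in-use")
    if not int(conf.get("wpa", "0")) & 2:                   # bit 1 enables WPA2
        findings.append("wpa2-not-enabled")
    if conf.get("wps_state", "0") != "0":                   # 0 means WPS is off
        findings.append("wps-enabled")
    if company.lower() in conf.get("ssid", "").lower():     # item 2: SSID naming
        findings.append("ssid-names-company")
    if conf.get("ignore_broadcast_ssid", "0") == "0":       # 0 means SSID is broadcast
        findings.append("ssid-broadcast")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():  # item 4: RADIUS-backed auth
        findings.append("no-radius-auth")
    if conf.get("macaddr_acl", "0") == "0":                 # item 5: no MAC allowlist
        findings.append("no-mac-allowlist")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text, "Acme") or "no findings")
```

The administrator credentials from item 2 and the VPN recommendation in item 3 live outside this file, so the audit does not cover them.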
Successful BYOD Implementation
Managing a BYOD setup for your company adds complexity to security and networking configurations. However, with the trend in personal computing steadily moving toward mobile devices, there is really no other option than to prepare for it.
In seeking out network and data solutions to enable a secure BYOD setup, make sure you research best practices and learn about the solutions that can help you get this done right. For a great starting point, get familiar with our guide covering the ins and outs of wireless networking.
With the right approach, your employees will feel great about their ability to work the way they like, on their own devices, and you can rest easy knowing the company’s data and technology resources are safe and sound.