It’s about consumerisation, stupid

#infosec - If you bring your own smartphone or tablet to work, you’re not alone. Opinions vary about how much of a problem this presents to an organisation’s information security, but ‘consumerisation’ was the topic you just couldn’t escape at this year’s InfoSecurity show.

Yes, cloud was big too. But then it has been for some time and I got the impression that some people were getting a little tired of cloud being the main topic of conversation. Now, consumerisation - the incursion of devices like the iPad and Android phones into the workplace, often as a result of people bringing their own equipment into work - has given infosecurity firms and specialists something new to worry about. I caught up with a few of them at the show.

“The devices are changing so quickly and the functionality is changing so quickly,” says Adrian Davis, principal research analyst at the ISF. “The pace is relentless. We’re now getting 3G- and 4G-enabled devices within the organisation’s perimeter and yet so much IT security activity still focuses on things like patching servers.”

On Android and iOS platforms, the situation isn’t made any easier by the sheer number of apps that people are bringing into the corporate environment. Given how cheap the apps are (often free), people tend to be fairly careless about what they’re downloading. And while Android has suffered some significant exploits, the rigidly controlled Apple ecosystem isn’t immune: that very control encourages people to jailbreak their devices.

The degree of concern varies, though. “People who have a real problem with consumerisation tend to be those stuck in an old mould,” said Jon Geater, director of technical strategy at Thales. Like everyone else, he recognises the dangers of corporate data finding its way on to personal devices and of having hard-to-control wifi- and 3G-equipped devices, beyond the direct control of the IT department, inside the organisational perimeter. But he is fairly confident that solutions are available.

Going deep

For Geater, as well as many others, it’s all about defence in depth, an old concept that has acquired a new relevance. “You need internal defences with levels of access rights appropriate to various parts of the IT estate,” he says. “Different assets require different security.”

The solution is likely to be a mix of technologies and approaches. One interesting piece of the puzzle, for example, is a solution from Bradford Networks (which wasn’t exhibiting at Infosec, but I met up with CEO Gary Mead and Scott Tyson, channel manager for EMEA, in the press room).

The firm’s background is in Network Access Control (NAC), but its offering now goes well beyond that. Bradford’s system is all about identifying devices on a network, and it has been particularly strong in the education market. Every year, thousands of new students descend on universities, all demanding access to the network. Bradford’s solution automates the process of discovering what devices are accessing the network and then building policies around that. (One customer discovered a cupboard full of servers it had forgotten about.)

Typically, each student will be allowed to connect up to five devices — laptop, smartphone, maybe even a PlayStation. But there are restrictions on where that connection can be made - in the student’s dorm room is fine, but if the same person appropriates the network socket belonging to the library’s printer, that will be spotted automatically and action initiated. That action could be immediate disconnection or simply a ticket raised with tech support, according to the policies you implement.

The system isn’t concerned with data - it doesn’t look at that - so there’s no Deep Packet Inspection (DPI) or other potentially intrusive behaviour. Its focus is on devices and it sits alongside other systems that monitor behaviour.

Now corporates are beating a path to Bradford’s door. They want that kind of visibility for their own systems. Traditionally, enterprises have focused on the perimeter. Anything inside it carried at least some level of implicit trust. With Bradford’s model, nothing is trusted by default. And as the corporate perimeter has evaporated, enterprises now need the ability to monitor what’s happening at all levels.

The monitoring is continuous, too. The discovery is not a one-off process when the system is installed. Every time a device is plugged into the network, it’s spotted and analysed to see if it’s known and is allowed to be connected at that point.
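The connection policy described above (known-device inventory, a five-device limit per student, location restrictions, and a policy-chosen action such as disconnect or ticket) can be sketched as a small decision routine. This is an added illustration, not Bradford’s code; the port names, zones, roles and MAC addresses are constructed sample data.

```python
"""NAC-style connection policy: is this device known, and is it allowed here?"""
from dataclasses import dataclass, field

MAX_DEVICES_PER_USER = 5  # the per-student limit quoted in the article


@dataclass
class Inventory:
    owners: dict            # mac -> owner, filled in by discovery/enrolment
    port_zones: dict        # switch port -> zone label (e.g. "dorm")
    zone_policy: dict       # zone -> set of roles permitted to connect there
    roles: dict             # owner -> role ("student", "printer", ...)
    violation_action: dict = field(default_factory=dict)  # zone -> action


def register(inv, mac, owner):
    """Enrol a device for an owner; refuse once the per-user limit is reached."""
    owned = [m for m, o in inv.owners.items() if o == owner]
    if mac in owned:
        return True
    if len(owned) >= MAX_DEVICES_PER_USER:
        return False
    inv.owners[mac] = owner
    return True


def evaluate(inv, mac, port):
    """Run on every link-up event. Returns (action, reason)."""
    zone = inv.port_zones.get(port, "unknown")
    owner = inv.owners.get(mac)
    if owner is None:                      # never seen: always raise a ticket
        return "ticket", f"unknown device {mac} on {port} ({zone})"
    role = inv.roles.get(owner, "guest")
    if role not in inv.zone_policy.get(zone, set()):
        action = inv.violation_action.get(zone, "ticket")  # policy decides
        return action, f"{role} {owner} not permitted in {zone} via {port}"
    return "allow", f"{owner} ({role}) permitted in {zone}"


def sample_inventory():
    """Constructed campus: one student, one library printer, two switch ports."""
    inv = Inventory(
        owners={},
        port_zones={"sw1/1": "dorm", "sw2/7": "library-printer"},
        zone_policy={"dorm": {"student", "staff"}, "library-printer": {"printer"}},
        roles={"alice": "student", "lib-printer-01": "printer"},
        violation_action={"library-printer": "disconnect"},
    )
    register(inv, "aa:bb:cc:00:00:01", "alice")
    register(inv, "aa:bb:cc:00:00:02", "lib-printer-01")
    return inv
```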

Acceptable behaviour

The Bradford solution doesn’t attempt to work out what people are doing with those connections, but other systems do.

Lancope’s NetFlow offering, for instance, analyses network flow data. It looks at what’s happening in all parts of the network and can flag changes in behaviour or anomalies in data according to a ‘concern index’. Adam Powers, Lancope’s CTO, claims it’s especially effective at spotting filesharing and botnet activity, and can even map the propagation of a worm across the system. But all manner of activity can be spotted. “A lot of this revolves around acceptable use,” says Powers.

Similarly, a solution by Q1 Labs will examine events generated across your entire network, looking for unusual behaviour. Making sense of events is a tough job. In spite of the rise of the commercial Security Information and Event Management (SIEM) market, logs often go unregarded, sometimes because of the sheer volume of events generated.

“There are customer sites out there with millions of events a day,” says Steve Jenkins, VP EMEA. “We can reduce that. One major oil company has five billion events a day, and we take that down to 25-50 potential threats. Over time, you build a picture of the environment — you learn the behaviour of your specific network.”

As this filtering process is rule-based, this still leaves open some questions about how good those rules are, and how confident you can be that you’re not missing threats. But if used effectively, this approach could help reduce the noise level and give greater situational awareness.
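To make the flow-analysis and event-reduction ideas in the two passages above concrete, here is an added illustration (not Lancope’s or Q1 Labs’ algorithm) of a per-host ‘concern index’: a baseline of normal peer counts is learned from a quiet window, then each host earns points for peers beyond its norm and for fanning out to many targets on one port, and only hosts over a threshold become alerts. The flow records and threshold are constructed for the example.

```python
"""Flow-record scoring: reduce a window of flows to a short list of hosts to review."""
from collections import defaultdict

THRESHOLD = 50  # assumed cut-off; tune against your own network's behaviour


def learn_baseline(flows):
    """Map src host -> distinct peers seen in a quiet window (the learned norm)."""
    peers = defaultdict(set)
    for src, dst, _dport in flows:
        peers[src].add(dst)
    return {h: len(p) for h, p in peers.items()}


def concern_index(flows, baseline):
    """Return {src: score} for an observed window of (src, dst, dport) flows."""
    peers = defaultdict(set)
    per_port = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        peers[src].add(dst)
        per_port[src][dport].add(dst)
    scores = {}
    for src, p in peers.items():
        excess = max(0, len(p) - baseline.get(src, 0))
        score = 2 * excess                       # talking to more peers than usual
        widest = max(len(d) for d in per_port[src].values())
        if widest >= 10:                          # one port, many targets: fan-out
            score += 5 * widest
        scores[src] = score
    return scores


def alerts(flows, baseline, threshold=THRESHOLD):
    """The handful of hosts an analyst actually looks at."""
    return sorted(h for h, s in concern_index(flows, baseline).items() if s >= threshold)


def sample_windows():
    """Constructed data: ten workstations use two servers over 443; later one
    of them also contacts 40 neighbours on 445, the shape of a worm probing."""
    quiet = [(f"10.0.0.{i}", s, 443) for i in range(1, 11) for s in ("10.0.1.5", "10.0.1.6")]
    busy = list(quiet) + [("10.0.0.7", f"10.0.2.{j}", 445) for j in range(1, 41)]
    return quiet, busy
```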

For Sophos, part of the solution is in migrating security down to the endpoint - not just anti-malware but also capabilities such as encryption. Paul Ducklin, head of technology for Asia Pacific and Naked Security blogger, believes that encryption is going to play an ever-greater part in this story, an opinion echoed by several of the people I spoke to: a ‘revival’ is how one put it.

Human solution

So there are some technological answers to the problem. And also, perhaps, some encouraging signs of a positive human response.

While ‘user education’ has been something of a joke within the security community, Ducklin at Sophos believes there are signs that people are becoming more security aware. He points to the common sight in enterprises of people carrying two phones - the company-issued phone (typically a BlackBerry) and their own, private device. “They don’t want to mix company and personal data,” he says.

When it comes to those personal devices, the very fact that they are owned by the individual employee may be an advantage. Davis gives the analogy of company cars. Back when the firm provided the car, as well as insurance and maintenance, people had a careless attitude. So what if you have a scrape? It’s just a company car. Now, it’s more common for employees to receive allowances to use their own cars - and they’re correspondingly more careful.

“Most people take security of their own devices seriously,” says Ducklin, but adds, “usually only after they’ve suffered a problem.”

Fact of life

The inevitable conclusion is that consumerisation is a fact of life.

“It’s being pushed from the top, so it’s unstoppable - especially with iPads,” says Peter Wood, CEO of First Base Technologies and committee member of ISACA.

Personal devices will find their way on to your premises. (At Security BSides, held at the same time as Infosec, one consultant, who had done significant work in the UK health service, told me it wasn’t uncommon to find patients bringing in their own wifi hubs.) So most companies would be best advised to accept it and implement the systems and processes to deal with it.

“Ultimately, it all comes back to risk,” says Davis. “These are tools, and you need to decide if you want to use them to aid your business. And there are big issues around educating your users.”

Wood agrees. “The equation’s about risk versus business benefit,” he says. “And so businesses will have to come up with a strategy.”