BTW, it might be wiser to call Android, iOS et al "less vulnerable" rather than not vulnerable. Or does Jack write these things to see if anyone's paying attention?
Although I'm generally anti-BYOD and unconvinced by the touted supposed benefits to the company, it's making a stealthy small beginning with us in the form of executive mobile devices that are either non-Company, non-Windows or both. Ostensibly these only connect to Exchange via ActiveSync (the policies for which I need to review) but there's nothing to stop them being used as storage devices for files. At least I have DLP in place in the form of monitor-only file transfer checks by our AV software.
It would be best to just ban BYODs. But... (a) "senior" executives with a sense of entitlement that is greater than the importance of corporate data security; (b) corporate pandering to youngsters, under the guise of being "hip" or "cool;" (c) ; all of which will subvert corporate data security to personal whims and desires. Regrettably, several major data breaches will have to happen in critical companies before companies wise up to the threat. But then it's too late; the damage has been done.
"For devices that do not run a vulnerable platform (Android, IOS, Linux)"? How naive and shortsighted. All these platforms are vulnerable to malware already in the wild, including the fabled fortress of iOS.
linux/android/ios aren't vulnerable? did you really just say that?
Also, if a user _can_ use their device from outside the office to "do business", what would be more secure about having them do it from the company wifi? What difference does being "on premises" make in that context? It seems to me that if you can get away with _never_ having them on the internal network, and still do their business effectively in a secure way, that's the best of both worlds.
I consider using the company WiFi more of a security risk. If the device is a zombie then it can scan and possibly even act as an entry point into the corporate network. Unless the corporate network is doing SSL inspection then there is no way to know that a device isn't using HTTPS to provide a shell into their environment.
Since when was there an imperative to allow people to use their own devices? The whole idea is clearly being driven by the manufacturers of mobile devices as no network/security/sys admin in their right mind would allow personal devices on the network. My policy is exactly that and we check DHCP leases regularly and move all non-PC devices to the deny list. Mind you, for any of this to be useful you also need to have policies/proxies in place to prevent access to any medium that can be used to send data out of the network, so blocking Dropbox et al and webmail has to be implemented. When this is in place you have a solid argument for not allowing iPads etc to be used for work purposes as they would need to justify breaking policy just to use the device.
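The DHCP lease review described in this comment, as an added example that is not part of the original thread: it parses a constructed ISC dhcpd.leases snippet and flags every lease whose hardware address is not in a hypothetical managed-PC inventory, which is the list an admin would feed to the deny list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in ISC dhcpd.leases format; not a real capture.
SAMPLE_LEASES = """\
lease 10.0.1.20 {
  starts 3 2013/05/01 08:00:00;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "FINANCE-PC07";
}
lease 10.0.1.31 {
  starts 3 2013/05/01 08:05:10;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "Johns-iPad";
}
lease 10.0.1.32 {
  starts 3 2013/05/01 08:06:42;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
"""

# Hypothetical inventory of company-managed PCs: MAC -> asset tag.
APPROVED: Dict[str, str] = {"00:1a:2b:3c:4d:5e": "PC-0007"}

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def parse_leases(text: str) -> List[Lease]:
    """Extract (ip, mac, hostname) from each lease block."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        if not mac:
            continue  # no hardware address, nothing to match against
        host = HOST_RE.search(body)
        leases.append(Lease(ip, mac.group(1).lower(), host.group(1) if host else None))
    return leases

def unapproved(leases: List[Lease], approved: Dict[str, str] = APPROVED) -> List[Lease]:
    """Leases whose MAC is not a managed PC: candidates for the deny list."""
    return [lease for lease in leases if lease.mac not in approved]
```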
"Lee - YOH - dah" is my guess at pronunciation, but that's not important. What is important is the concept. I'm working on a start-up insurance brokerage where certain (limited) financial instruments can be sold over the phone. But the client data must still be taken and kept (for years!) and all other laws adhered to - like the USA PATRIOT Act, to name but one. We will require the use of company-purchased mobile devices (MDM) AND we will strictly control the apps available on each device (MAM)! In addition, all calls will be recorded and the recordings will become a part of the client or corporate records, as appropriate. No unauthorized devices will be allowed to connect to the corporate network, and all business related calls must be conducted from the approved devices, both as a client privacy issue and as a Dept of Insurance compliance issue. It's the only way to stay in business in this case.
must in your hand the facilitating device that will increase the ability of BYOD device as applicable wherever.
While it is truly impossible to have a 100% safe, connected network, BYOD is certainly a risk probably not worth taking. Sure, AV mandates and scans, HW firewalls, encryption and DMZs are great and required nowadays, but I think severely restricted user accounts are also a good practice worth at least considering. Otherwise, company assets only seems to be a better option.
With MDM you can create secure containers and only allow certain apps to interact with your organisation's resources from within that container. Many people work for companies that don't believe their people need tablets to do their work, but the people find that they carry their own ones to work anyway, and can use it to make their lives at work easier. It just makes sense to allow it, but control it. Same thing with mobile phones. My company will only give me an LG L7 but I want to use my own Galaxy S3 (or read iPhone or whatever decent flavour you prefer) because the LG drives me nuts while waiting for the CPU to catch up to me. And I'm not all that fast...
I'm in the middle of trying to split our network into a public wifi lan and a private office lan that's entirely wired. Staff with devices will use a vpn to access office lan resources. There will be a proxy for printing, and possibly other services. Otherwise, they will use internet resources.
This arrangement's goal is to give wifi device users a familiar internet-centered experience, and the desktop and laptop users a traditional lan-oriented experience. There's just not going to be a combination lan-over-wifi experience. Instead, they will get a vpn-over-the-internet experience, which is a little less convenient.
Many people I know with a company-supplied smartphone don't even have a password to unlock the phone, i.e. they could leave it somewhere and anybody could pick it up and access all their company or private emails.
If these companies can't even get it right with their own stuff, how much security will there be with BYOD?
I'd even go further and say that everything except the 1st one is old-school and therefore crap. Sounds like advice to use old weapons in a war of a new generation, just more of them! Will not work. Those guys out there have done their work inventing those devices. Now it's security's turn to do the inventing. I'm not an expert in the field, but here are a few general ideas: a) embrace the major change that has happened instead of denying it (i-dont-like/lets-ban/f...ing-executives type of statements); b) security has to become more granular, protect locally instead of the whole network; c) make/use new generation apps; d) analyse situation and data; e) generate NEW ideas.
I don't see anything special in this post for BYOD. These are things that every organization should be doing to protect their data. Personally I don't think these steps go far enough. One of my pet peeves is network infrastructure. If your network infrastructure is compromised then there is very little you can do to protect your network. Use accounts that are not tied to any type of computer account. Only allow changes from boxes physically located on site. Monitor activity to critical data. Only use encrypted protocols for access to network devices. Monitor network configurations for changes (Tripwire offers a framework for doing this). This may sound a little draconian, but the network layer is used to segment and protect the rest of the network. If it's compromised then all other security is in doubt.
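The configuration-change monitoring this comment recommends, as an added example that is not from the thread or from Tripwire: it fingerprints each device's saved baseline config, compares it with a constructed "current" pull, and reports a line-level diff for any device that drifted or was never baselined.

```python
import difflib
import hashlib
from typing import Dict, List

def normalise(config: str) -> List[str]:
    """Drop blank lines and trailing whitespace so cosmetic edits don't alarm."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip()]

def fingerprint(config: str) -> str:
    """SHA-256 over the normalised config; store this, not the full text, if you like."""
    return hashlib.sha256("\n".join(normalise(config)).encode()).hexdigest()

def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device -> unified-diff lines for every device whose running config
    no longer matches its baseline. A device with no baseline is reported too,
    since an unknown box on the management plane is itself a finding."""
    findings: Dict[str, List[str]] = {}
    for device, cfg in current.items():
        if device not in baseline:
            findings[device] = ["NOT IN BASELINE"]
            continue
        if fingerprint(baseline[device]) == fingerprint(cfg):
            continue
        diff = difflib.unified_diff(normalise(baseline[device]), normalise(cfg),
                                    fromfile=f"{device}.baseline",
                                    tofile=f"{device}.running", lineterm="")
        findings[device] = list(diff)
    return findings

# Constructed sample configs (IOS-style text, not real devices).
BASELINE = {
    "core-sw1": "hostname core-sw1\nip ssh version 2\nno ip http server\n"
                "line vty 0 4\n transport input ssh\n",
    "edge-rtr1": "hostname edge-rtr1\nip ssh version 2\n",
}
CURRENT = {
    # Someone enabled the HTTP server and re-enabled telnet on the VTY lines.
    "core-sw1": "hostname core-sw1\nip ssh version 2\nip http server\n"
                "line vty 0 4\n transport input ssh telnet\n",
    # Only a trailing blank line changed: must not be reported.
    "edge-rtr1": "hostname edge-rtr1\nip ssh version 2\n\n",
    # Never baselined.
    "lab-sw9": "hostname lab-sw9\n",
}

if __name__ == "__main__":
    for dev, lines in detect_drift(BASELINE, CURRENT).items():
        print(dev, *lines, sep="\n  ")
```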
If the underlying operating system is compromised I am uncertain how effective an app like Divide would be.