- Distribution of data across a growing number of devices not directly managed by IT
- Liability confusion
- Changes to how we manage MTPOD
- Expansion of incident response
In this article, we examine administrative and technical solutions useful when reversing incremental weakening of your BCP due to changes in how you safely collect, process, and deliver information.
Managing risk is the foundation of security, including availability. Many organizations perform risk assessments when implementing new solutions. Often, however, solution-dependent policies, processes, and systems are not revisited until an audit or when a major upgrade is required. With the rapid growth of BYOD and cloud services, organizations must take a close look now at all critical systems and their associated sensitive data to determine how (not if) risk has changed.
Risk assessments typically include 10 steps (Olzak, 2012). BYOD and cloud services directly impact the first four:
- System definition. Defining a system requires examining all entry points, exit points, data channels, and integrity of data items. In traditional systems, these access and control vectors were tightly controlled at both the end-user and data center ends. Today, BYOD and cloud service providers (CSPs) can largely move control from IT to employees and CSP staff. When defining a system during a risk assessment, ask the following questions:
- What employee-owned devices (i.e., smartphones, tablets, laptops, and desktops) are allowed to connect?
- How do we manage the attack surface created by external network/device connectivity?
- How do we enforce security policy, including data movement constraints, based on the who-what-when-where-how-why (attribute-based access control) of BYOD or cloud connections?
- What upstream and downstream processes are affected if a process fails due to cloud or BYOD issues? (See System dependency mapping in The elements of business continuity planning.)
- Threat identification. Each information resource, or collection of resources, is a potential target for one or more threats. Employee-owned and CSP devices provide additional attack surfaces that often reside outside our direct control; this can increase our network's vulnerability landscape. Add to your organization's list of probable threats those unique to mobile devices and consumer operating systems.
- Vulnerability identification. Like threats, your list of vulnerabilities must include those found on smartphones and tablets. Without a complete list, it's impossible to accurately assess the risk of common attack paths.
- Attack path controls assessment. Risk is largely determined by walking through potential attacks and determining whether relevant vulnerabilities exist. In addition, the analyst must include the impact of existing or proposed controls on successful vulnerability exploitation. Pre-BYOD and CSP security control infrastructures are often not properly configured to include new attack paths. In some cases, the right controls may be simply missing. An accurate attack path controls assessment feeds the action plan needed to reduce risk. Careful completion of steps two and three above is necessary to accurately assess attack path risks.
Policies and processes
Existing policies are likely still focused on traditional access and use models. BYOD acceptable use standards and guidelines, both for end-users and IT security, lag far behind actual use. This puts management and IT at a disadvantage when attempting consistent, safe implementation of the plethora of devices and operating systems employees and managers demand. For an example BYOD policy, see TechRepublic's BYOD (Bring Your Own Device) Policy.
BYOD policies must include what data can reside on various types of devices. Further, they should stipulate different access control constraints based on what end-user device is used, where the employee is using the device, when access is requested, etc. This is known as attribute-based access control. For more information, see Attribute Based Access Control (ABAC).
Business Continuity Planning (BCP)
In addition to changes to how risk is managed and the acceptable use of new technology, additional planning dimensions force new business continuity event (BCE) considerations: adjustments to MTPOD variables, redundancy, and backups.
MTPOD variables
MTPOD is the total time a process can be disrupted by a BCE before an organization experiences irreparable harm. Figure A, from my last post on BCP planning, depicts the various components that comprise BCE recovery. The element most affected by cloud services or BYOD is the RTO. RTO is the time necessary for recovery of failed infrastructure or lost/damaged data.
BYOD failures often don't cause a full process failure. Instead, they result in one or more employees being unable to perform their business tasks. Process failure is related both to loss of important information available only on the end-user device and to the user's inability to reach business applications. Further, failure to reach business applications is often caused by a BYOD device failing a compliance check or access control constraints. BCP requires attention to all challenges facing BYOD users.
One of the most important issues is backup of distributed data. Traditional backup solutions don't usually support BYOD, anytime/anywhere access, and distributed data across many different types of devices. However, emerging cloud solutions remove these restrictions and result in backups across smartphones, laptops, tablets, etc. For an example of a cloud-based backup solution, visit the Asigra website.
Whether using personally owned or company owned devices, organizations must remain compliant with business policies, including access control constraints, while enabling employee access. Because of BYOD and cloud services, commonly deployed RBAC and NAC do not always provide sufficient compliance checking and resolution. Again, new solutions help overcome these issues with attribute-based access control and device compliance management. MobileIron and Good Technology are leaders in the BYOD and mobile device market, providing controls for both BYOD and organization-owned devices.
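To show what attribute-based access control adds over role-only checks, here is a small policy evaluator covering the device type, location and time constraints described above together with the device compliance check from this paragraph. This is an added illustration, not code from the article or from any vendor named in it; the roles, device types, locations and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class AccessRequest:
    role: str          # who: subject role, e.g. "finance"
    device_type: str   # how: "corp-laptop", "byod-laptop" or "byod-phone"
    compliant: bool    # how: result of the MDM/NAC compliance check
    location: str      # where: "office", "home" or "public-wifi"
    hour: int          # when: local hour of the request, 0-23
    action: str        # what: "view" or "download"
    data_class: str    # what: "public", "internal" or "confidential"

def is_byod(r: AccessRequest) -> bool:
    return r.device_type.startswith("byod-")

# Constructed policy: each entry is (rule text, predicate that is True when violated).
# Any violated rule denies; every violation is reported so the user and the help
# desk can see exactly why a BYOD request was refused (see RTO discussion above).
POLICY = [
    ("device must pass the compliance check",
     lambda r: not r.compliant),
    ("confidential data is limited to finance and exec roles",
     lambda r: r.data_class == "confidential" and r.role not in {"finance", "exec"}),
    ("confidential data may not be downloaded to a BYOD device",
     lambda r: r.data_class == "confidential" and r.action == "download" and is_byod(r)),
    ("confidential data may not be viewed on a phone",
     lambda r: r.data_class == "confidential" and r.device_type == "byod-phone"),
    ("non-public data may not be accessed over public wifi",
     lambda r: r.data_class != "public" and r.location == "public-wifi"),
    ("BYOD access is permitted only between 06:00 and 22:00",
     lambda r: is_byod(r) and not 6 <= r.hour < 22),
]

def rbac_decision(r: AccessRequest) -> str:
    """Role-only check, for comparison: ignores device, location and time."""
    _, violated = POLICY[1]
    return "deny" if violated(r) else "permit"

def abac_decision(r: AccessRequest) -> Tuple[str, List[str]]:
    """Evaluate every attribute rule; return the decision and the violated rules."""
    violations = [text for text, violated in POLICY if violated(r)]
    return ("deny" if violations else "permit"), violations

if __name__ == "__main__":
    # Constructed request: an authorized finance user, but on a personal phone.
    req = AccessRequest("finance", "byod-phone", True, "home", 10, "view", "confidential")
    print("RBAC:", rbac_decision(req))   # role alone would permit
    print("ABAC:", abac_decision(req))   # denied by the phone rule
```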
One approach medium and large organizations take is implementation of redundant servers for performance and failover. If a server fails, another is ready to quickly take over; this significantly reduces RTO. However, servers move from the internal data center as CSPs take over. How can you ensure sufficient redundancy of systems in the cloud that support critical business processes?
In a Network World article, Apurva Dave lists three tips for surviving a cloud outage:
- Balance across availability zones. Availability zones not only help with outages, they can also improve performance. An example is Amazon's EC2 solution.
- Cloud balance. Instead of allowing a single CSP to manage all servers, consider using two or more providers to host your IaaS, PaaS, or SaaS.
- Support CSPs with a private cloud. Have a private cloud ready to take over if the CSP hosted services fail. This could take the form of a hybrid cloud where both the internal and CSP clouds operate together, maintaining maximum performance until one fails.
Maintaining redundancy can cause the cost of cloud computing to come dangerously close to exceeding the costs of internal data center hosting. However, a good risk assessment includes a cost/benefit analysis. There may be costs not directly related to management software and hardware that make cloud redundancy a good idea for your business.
One way to keep costs low is to ensure the CSP's RTO is clearly defined in the cloud service agreement. Incident response testing, with both internal and CSP staff, is a good way to ensure the CSP is capable of restoring services within the RTO. Root cause analysis performed after each test can help improve restoration times. Ensure your service agreement includes sanctions to exit the agreement or remediate recovery failures (at no cost to you) if the CSP consistently fails to meet your recovery time expectations.
Identifying liability when a link in the supply chain fails and implementing business safeguards as part of a services agreement are important parts of managing cloud services. If a CSP manages order fulfillment processing, for example, who takes the financial hit when customers don't receive product during an order fulfillment system failure? Keep in mind that customers can also be organizations responsible to their own customers for delivering products and services dependent upon your part in their supply chain.
According to Roberta J. Witty, research VP at Gartner, one way to protect yourself is to buy contingent business liability insurance (CBII). CBII is an add-on to business interruption insurance. It can serve to reimburse CSP customers for loss of revenue or actions taken by upstream recipients of your dependent products and services. At first glance, this might seem like an unwarranted expense; the alternative, however, is trying to make your CSP pay for your organization's losses before it suffers irreparable harm.
Witty also describes other methods useful in financial recovery, including civil action and liability "pools" created by putting aside dollars for BCE related expenses. Regardless of how you manage this, be sure your risk assessment identifies associated risks, so management can make informed decisions about mitigation.
BYOD and cloud services have added new considerations to BCP. However, adjusting our risk assessments is a great first step in addressing how to fill the gap between existing risk and the risk expected by management.
Changes to security controls include restrictions on how data is distributed. Consider basing BYOD data access and distribution on attribute-based access control for more granular control.
Redundancy and backups for BYOD and cloud services require new ways of looking at how we protect data and system continuity. Backup vendors and many CSPs provide solutions for making the switch from data center focused controls.
We can't prevent all failures, so risk transfer is often necessary. CBII provides the means of ensuring our organizations don't take a mortal financial hit if a critical cloud service fails.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.