The BYOD problem: criminal infiltration and data exfiltration

21 February 2012

A solution to the growing ‘BYOD problem’ can be achieved by extending network access control at the servers to include mobile devices in the field by combining NAC and MDM.

The ‘BYOD problem’ can be defined as twofold. Firstly, the increase in users’ own devices accessing corporate servers is an infiltration threat. Secondly, the habit of downloading sensitive data onto insecure and frequently lost and stolen mobile devices is an exfiltration threat. An IDC survey in July 2011 (2011 Consumerisation of IT Study: Closing the Consumerisation Gap) found that 40.7% of devices used to access business applications are the users’ own devices, including home PCs, smartphones and tablets. BYOD-facilitated infiltration and exfiltration are both rapidly growing problems.

A new survey published by the Boston Research Group today suggests that 78% of IT security professionals believe that network access control (NAC) must be a major part of any BYOD security solution. “Device mobility, wireless access, personal applications and the high risk of lost or stolen handhelds creates a need for added defenses against data loss, unauthorized access and malware,” said Paul McClanahan, research analyst and partner at the Boston Research Group. The solution is seen to be extending network access control to include mobile device management, all controlled by a single central console.

This is the route proposed by ForeScout with its new ForeScout Mobile add-on to its CounterACT NAC platform. Without requiring a software agent to be installed on the remote device, the system provides data about the device, its configuration, its security posture and its user. This data can then be used by CounterACT to enforce granular control over access by mobile devices, thus reducing infiltration threats. The same principle in reverse can be used to control what data can be downloaded to the remote device, reducing the threat of unauthorized data exfiltration.

A similarly new Mobile MDM Module allows companies to integrate their existing mobile device management solutions with CounterACT. Bob Tarzey, analyst and director at research company Quocirca Ltd, explained the relevance. “ForeScout,” he told Infosecurity, “admits that its CounterACT product is not a full MDM tool, although it does support NAC for mobile devices. ForeScout Mobile extends this support, for example control of app types used from devices; but while MDM vendors in general do not provide any sort of NAC, they bring other things to the party, especially support for contract management and billing. It is to this end that ForeScout is seeking integration with MDM vendors. This underlines a general convergence of MDM with end point management and network security vendors.”


Comments

EC4IT says:

29 February 2012
It's possible to address security concerns and still implement BYOD. What’s needed is to separate the Enterprise apps and data from the personal devices. This can be achieved with a solution like Ericom's AccessNow, a pure HTML5 RDP client that enables remote users to securely connect from various devices (including iPads, iPhones, Android devices and Chromebooks) to any RDP host, including Terminal Server (RDS Session Host), physical desktops or VDI virtual desktops – and run their applications and desktops in a browser. This keeps the organization's applications and data separate from the employee's personal device. All that’s needed is an HTML5 browser. No plug-ins or anything else required on the user device.

AccessNow also provides an optional Secure Gateway component enabling external users to securely connect to internal resources using AccessNow, without requiring a VPN.

For more info, and to download a demo, visit:
http://www.ericom.com/html5_rdp_client.asp?URL_ID=708

Note: I work for Ericom

qoolkaran says:

24 February 2012
We are dealing with the bring your own device (BYOD) issue from a HIPAA standpoint, and how it applies to hospitals who are dealing with doctors and nurses who are texting patient information and files.

I think this is also a big issue for any business: your workers' BYOD devices not only get hacked, but they are frequently lost or stolen, and many of the emails and texts are on the phone!

While the large enterprise solutions like ForeScout have a deeply integrated system where the IT department takes control of the device, in a hospital setting I think the doctors will have a large issue with this.

Looking around, we did find a way to at least protect text messaging and protect the hospital from lawsuits concerning HIPAA issues related to BYOD by using Tigertext (www.tigertext.com), which, while not as integrated as the large enterprise solutions, offers some really good benefits:

1) Closed network for sending texts, messaging can be archived on your own server

2) Messaging deletes itself after a period of time, so losing the device will not open you up to HIPAA related PHI lawsuits

3) Seems to be a much lower cost solution

4) Really easy to implement, very low cost

5) Doctors still feel they control their phone and personal information

Anyways, I think that this is going to be a major security issue of the next few years, and IT managers are going to have to look at all the alternatives for the various uses of BYOD communication and security.

Resources:

http://byod.us/

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

http://www.tigertext.com
