Meeting the IT Security Challenge

The trend toward BYOD has greatly increased IT security risks. “The amount of new malware introduced in 2012 surpassed the amount introduced from 2000 to 2011. It’s going crazy. We are infected, all of us”, said a participant in a recent debate on business security.

How, then, do you protect your business network and data? Do you try to ensure only clean devices connect? Or strive to protect your data in an environment where infected devices are unavoidable? The debate was hosted by the Guardian, in association with Infosecurity magazine and network protection specialist ForeScout. The discussion was conducted under the Chatham House rule, which means comments are unattributed to encourage free and frank expression. The roundtable heard how modern ways of doing business have increased exposure to security threats and made them harder to manage.

“You want your teams to have access to the data at any time because that translates directly to business and performance”, said one participant, who added that around 20% of the devices used by staff are unknown to the IT department. Even if companies had complete understanding of what’s connecting to the corporate network, roughly 50% of devices are not compliant with data security measures, the participant pointed out. “That is what we are seeing even from the biggest banks, armies and governments”, the room heard.

Compliance in this context means adhering to the policies set down by IT administrators.

Even inside a corporate network, behind the firewall, the trend toward BYOD means unknown devices are connecting.

Network Access Control

One solution the roundtable heard about is to manage who and what can connect using a technique called network access control (NAC).

“The first step is seeing what’s on your network. The second step is understanding what they are running and whether someone is not running anti-virus, or it is not updated. You screen every device on the network. Then you can remediate – for example, installing anti-virus or updating it. It’s all automated”, said a participant, describing a method called continuous visibility monitoring and remediation.

The approach does not work for everyone. “We took the view that you can’t control the device", said another participant. “You are wasting your time. That device is someone’s property, it has their data. Try to put anything on that device and you start getting into dangerous territory. What you can do is try and control access to your core data, and protect that.”

One of the issues is device proliferation. “Last year, Apple did two releases. You’ve got Android, you’ve got Windows 8, you’ve got devices running [the program language] Java. How can you access and control embedded Java?” Today, even game consoles on the television have web browsers. “We are on an exponential curve of devices”, heard the panel.

Another panel member observed that companies are increasingly interconnected, and connect to networks run by partners. “You have no way to force other companies to adopt a policy which is not theirs. You need to say, that’s the way it is, and manage it. The security of the data is the only thing you really care about.”

One approach is to install an app that isolates access to corporate data from the rest of the device. An example that works like this is Good for Enterprise, a secure mobile email and collaboration tool. “We adopted Good. We took the view, it’s your own device as long as you run Good on it”, said a participant who highlighted how enabling BYOD can bring measurable business benefits. “Overnight, productivity went through the roof thanks to email access. We saw a revenue uplift.”

Desktop virtualization is another technique that allows people to work remotely while isolating their work environment from the device they are using.

“We’re looking seriously at virtual desktops. The ease of use and the ability to provide access to the network based on who the user is, as opposed to what they are using, is key for us”, said a panel member. Another advantage is that, if the virtual desktop is compromised, it can easily be wiped and reset.

“The correct answer to the data management problem is to control everything and just give a presentation layer to everyone. The idea is simple, but transition from the model we have today is hard”, commented another participant.

“It works if you can guarantee bandwidth”, said another. “We worked with an organization that trialed virtualization for about 10,000 users. For a significant number of their people, the solution did not work at all.” This was because the company had a lot of mobile workers who were constantly on the move, or who were working in areas with poor internet access, the participant added.

The security requirements were one of the obstacles. The connection had to work over a virtual private network (VPN) for security. “The requirement to pull up a VPN, sometimes just over mobile phones, was a problem. Every time it dropped for a few seconds, it dropped the VPN.”

The outcome was that people stopped using the impractical corporate solution and turned to their own alternatives, such as Google Docs or Microsoft SkyDrive, outside the control of the IT department. This kind of shadow IT prevents compliance and control. The answer is not simply to prohibit it, but to find an equally convenient approach that does conform.

In the right context, though, virtualization can work. “One company went to Google Chromebooks, running Citrix clients for Windows-based virtual desktops. Everyone was happy, the data was secured and support easy. If you spilled coffee on the device, you just went to the cupboard and got another one,” the room heard.

Business Matters

“You don’t do anything for security’s sake”, said one panel member, emphasizing that organizations exist to do business. “If you go to a business and say would you like to double your profits or double your security compliance, I know what the answer is going to be.”

This means security has to map to the business need, rather than working against it. Further, no amount of security can eliminate the trust element in business. “There is a degree of trust with one another in normal life. At some point, you decide you trust someone and do business”, said a participant. “It’s business that needs to drive the corporation. If you are hindered by security, you have an issue.”

The best security solutions enable, rather than disable, business. “By controlling security properly you can improve the productivity of your people”, commented one expert. “If we take security seriously, with proper identity management and access control, stopping people having to remember different passwords or log on multiple times, making it possible for people to work from their homes or the airport, then security is not the bad guy – it will enable you to embrace new ways of working.”

Better security, together with better productivity, is a combination anyone can embrace.

This roundtable discussion was hosted by the Guardian, in association with Infosecurity and funded by Forescout. This article was commissioned by – and originally published in – the Guardian.