This article can also be found in the Premium Editorial Download "Information Security ANZ: The IT security gold rush is on."
Download it now to read this article plus other related content.
We've all survived the holiday rush and celebrations, and now the real fun begins: evaluating the security implications of the new mobile "toys" that people want to use to access corporate data, applications and networks. Niche items such as Google Glass and the Samsung Galaxy Gear smartwatch make for great stories around the water cooler, but in most organizations these devices currently have little impact. However, the influx of iPad and Android tablets and wide range of smartphones can really challenge network security, especially in organizations that support the bring your own device (BYOD) trend.
BYOD is one of those topics that has adamant supporters and detractors. Honestly, I think BYOD is something that each organization has to evaluate based on its needs (and wants). But whatever the choice, mobile devices have to be evaluated at some level before you allow them to run on internal networks.
How can you determine which devices to allow or what level of access these products should have? Of special concern are those that are increasingly popular among staff (the new phablets) and company executives (tablet/laptop transformer devices). Analysts expected consumers to opt for smaller-sized tablets over older smartphone replacements during the holiday season, and so should you in the coming year.
Security organizations have to ask a number of device-specific questions, and those answers will drive support and security decisions.
Is it just a new fad, or is there a business driver?
What is the device? Is it an Android tablet, a Windows phone or some other odd gadget, such as a 3D printer for mobile devices, or coming soon, mini drone? This basic question helps you determine the category of devices to consider, and drives the rest of the questions. It also provides a starting place based existing policies and procedures. (You do have policies right?)
Are similar or related devices already supported? Is the new device an upgrade to a Samsung Galaxy Android tablet or Apple iPhone smartphone—that is, devices that you already deal with within your existing security controls? If it is, does the latest version change something fundamental (for instance, the cellular connection on the cellular model of the iPad Air or an operating system upgrade, such as the Google Nexus 5 running Android KitKat?) If it is similar enough, then the device likely has the required security controls; it's already supported in key areas (access control, authentication, mobile device management, data encryption), so you can move on and evaluate the next device.
What is the need for the device? This question is a bit more complicated. You have to evaluate the business reasons behind why people want to use specific devices, and dig into their underlying thought processes. Is it just a new fad or is there a business driver? This evaluation is often more difficult if the device has little practical business application. Who wants to admit to their boss that the primary purpose for the device is the cool factor? (If I had told my management team I wanted them to sign off on Google Glass because it made me popular, there's no way I would own one.)
Look for business efficiencies as well as technology advances that can make jobs easier or provide benefit to the company. I recently signed off on a Nexus 5 purchase for one of our consultants. Yes, I know he wanted a new gadget, but he was able to show a potential value to the company. Long story short, Jason now has a Nexus 5, and it's already shown benefits to the business by providing us with information on attacks possible against the device.
What connection types does the mobile device support? The connections are often where the real risks of adding a device comes into play. A Wi-Fi-only device limits the number of connections the attacker can use against the organization, but this may also cause some employees to connect to an untrusted wireless network to get their jobs done.
Security organizations also need to think about how different connection types can affect the security of their internal wireless network systems. A device that has a cellular connection active while it's connected to the corporate wireless network could allow an attacker to pivot from that cellular connection on to the network, bypassing the typical Internet controls a company has in place.
To sum up, think about why your employees want these new devices, and despite the onslaught, try to keep an open mind. As security people, we have to accept that sometimes new things aren't so scary (wait for more wearables and the Internet of Things). Many devices actually benefit the organization.
About the author:
Kevin Johnson is the founder and CEO of Secure Ideas, an IT security consulting firm specializing in identifying companies' cybersecurity vulnerabilities. In a career spanning over 20 years, Kevin has worn almost every imaginable IT security hat, including instructor, consultant, public speaker, administrator and architect. You can find him on Twitter at @secureideas.
This was first published in February 2014