BYOD eBook Part 1 DREW
- 1. Navigating the Waters of BYOD
©2013 Drew Williams
Drew Williams
Navigating the Waters of BYOD
Part 1: Piloting the Perils
- 2. Navigating the Waters of BYOD
BYOD Defined
So, you have decided that you've read enough, heard enough and thought about it enough, and that you are going to do something about the dramatic rise in mobile devices invading your organization's workplace. The idea that it is taboo to bring devices to work is being replaced with finding ways to develop an effective use policy that addresses the matter.
Good news: gaining the upper hand on BYOD requires some practical thinking, basic administrative management, and some common sense.
This little document gives you some basic guidelines on the important matters to consider when navigating the waters of mobile computing, while still providing a safe harbor for your organization's assets.
Let's start with what we need to know about mobile computing in general, and how the BYOD phenomenon is creating a sea of risk management concerns throughout every industry that relies on technology to communicate or advance.
"Mobile computing" includes everything from Android phones and iPhones to Kindles, iPads and laptop computers: anything that can be used to store AND transmit data.
- 3. Navigating the Waters of BYOD
Charting the Course: Statistics tell part of the story
Statistics can tell you anything to support any argument. The topic of BYOD is no different, and as a value-added services provider, Condition Zebra carries no bias toward any technology to support or prevent the case for BYOD in the workplace, although we do support the idea of implementing a good risk management policy to manage BYOD, and we think ours is the best.
Love-Hate Relationship
When talking about BYOD in relation to its impact on a business, it is almost like Mom and Dad arguing at the dinner table about why the kids should and shouldn't get the keys to the car. On the one hand, the CFO (aka "Dad") likes the sense of freedom and independence BYOD brings to the organization, and how mobile computing actually improves overall productivity in the workplace, which converts into greater revenue potential.
"Mom" (the CIO), on the other hand, sees the risks of moving too quickly and of having too much independence and accessibility, which translate into inconsistencies in standard operating guidelines, poorly defined standards, complexities in supporting a constantly changing environment, and unpredictable security risks. Both are right!
Based on a poll of 1,000+ mid-sized companies throughout the U.S., Europe and Asia:
• 90% use personal devices;
• 100% noted accessing IP & PI via personal devices;
• more than 1 billion smartphones are in use worldwide;
• more than 100 million new Android devices have been sold since Q3 '12;
• 80% will budget to address "risk" relating to managing the usage of personal devices.
- 4. Navigating the Waters of BYOD
There are considerable (but manageable) risk factors associated with BYOD-related activities, including probably the most relevant concern: data security compromise.
There are also statistics that show how, by working with staff, employers actually create a greater sense of organization-wide responsibility for protecting the assets of the group, recruiting every individual to take up the cause. The result: BFFs can freely sail the same waters with FAQs and RFPs, without concern of course collisions.
Before we address how to navigate the seas of success with BYOD, however, let's first address some of the risks you might face.
The Fog of Data Theft
In the days of the ancient mariners, one of the most dangerous problems they faced was fog. Not being able to see the stars at night, or landmarks along the waterways during the day, could mean delay or greater danger to the seafarer and his cargo.
Data theft, like the fog of old, can slip in and out of an organization, often undetected, unless it is monitored for and managed.
Leave laptops and other mobile devices aside for a moment: smartphones alone, every one of them able to exchange data with other hosts, carry between 8GB and 128+GB of storage, accept multiple SD cards, and can automatically sync critical information without the organization even knowing what happened.
- 5. Navigating the Waters of BYOD
Beware of the Shifting Songs of the Sirens of Malware
The ancient Greek seafarers of the Mediterranean told stories of fair maidens who brought song and beauty to the weary crew, only to replace both with disorientation and death.
Malware is a constant problem in today's distributed computing environments. Mobile phones, Android devices especially, are highly susceptible to problems incurred through cross-site scripting (on a phone, typically reached through the browser or an app's embedded WebView), which represents more than 80% of the root causes of hostile activity against application security.
Neglecting old-school processes such as checking system configurations, applying system patches and even making sure the latest versions of applications are installed is one of the reasons why this problem continues to sing tragedy for the unaware and misinformed.
"AVAST There!" Being Boarded by Wireless Exploits
While the open waterways might sound like an unlikely place to risk unauthorized boarding, pirates of old ran with impunity, threatening all trade routes, all ships and all waters.
The world has gotten a lot smaller in the Digital Age, and attacks that take advantage of wireless infrastructure are getting more prevalent and more common.
The weaknesses in WEP, for example, are so well known that step-by-step "how-to" guides describing them are published online; a BYOD device should never be allowed to treat a WEP or open network as trusted.
Passive attacks on unencrypted wireless links start with eavesdropping; more hostile threats, built on exploiting the applications that talk over those links, can mean traffic floods and the all-evil Denial of Service.
Argh Matey!
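As an added example, not code from the eBook or from Condition Zebra, the following Python policy check reads a wireless scan listing and reports the networks a BYOD device should refuse to join: anything below a configured minimum security level (open and WEP fail outright), plus the deprecated TKIP cipher. It also reports any SSID that is advertised at a weaker security level than its strongest access point, which is the usual shape of a rogue "evil twin" that harvests devices auto-joining by name alone. The semicolon-separated record format, the SAMPLE_SCAN data and every function name here are assumptions made for this example; map the fields from whatever scanner you actually use.

```python
"""Refuse weak Wi-Fi networks for BYOD devices.

Added example, not code from the eBook or from Condition Zebra. It reads
a wireless scan listing, rejects networks whose advertised security is
below a minimum (open and WEP fail outright), rejects the deprecated
TKIP cipher, and reports SSIDs that appear at more than one security
level, the usual sign of a rogue "evil twin" access point. The record
format, SAMPLE_SCAN and all names here are assumptions for the example.
"""
from dataclasses import dataclass

# Constructed sample scan output (assumed format): BSSID;SSID;security;cipher
SAMPLE_SCAN = """\
00:11:22:33:44:01;CorpGuest;OPEN;NONE
00:11:22:33:44:02;Warehouse-Legacy;WEP;WEP
00:11:22:33:44:03;CorpSecure;WPA2;CCMP
00:11:22:33:44:04;Lab-Old;WPA;TKIP
00:11:22:33:44:05;CorpSecure;WPA2;TKIP
00:11:22:33:44:06;Cafe_Free;OPEN;NONE
00:11:22:33:44:07;CorpSecure;OPEN;NONE
"""


@dataclass(frozen=True)
class Network:
    bssid: str
    ssid: str
    security: str
    cipher: str


# Weakest to strongest; the value is a comparable rank.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def parse_scan(text: str) -> list[Network]:
    """Parse the constructed ';'-separated format; blank and '#' lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 4:
            raise ValueError(f"malformed scan line: {raw!r}")
        bssid, ssid, security, cipher = parts
        nets.append(Network(bssid.lower(), ssid, security.upper(), cipher.upper()))
    return nets


def assess(net: Network, minimum: str = "WPA2") -> tuple[bool, str]:
    """Return (allowed, reason) for one network against a minimum security level.

    Unknown security strings are refused rather than guessed at, since a
    scanner quirk must not silently let an open network through.
    """
    rank = SECURITY_RANK.get(net.security)
    if rank is None:
        return False, f"unknown security type {net.security!r}"
    if rank < SECURITY_RANK[minimum]:
        return False, f"{net.security} is below the {minimum} minimum"
    if net.cipher == "TKIP":
        return False, "TKIP cipher is deprecated; require CCMP"
    return True, "ok"


def blocked_networks(text: str, minimum: str = "WPA2") -> dict[str, str]:
    """Map BSSID -> reason for every network the policy refuses."""
    blocked = {}
    for net in parse_scan(text):
        allowed, reason = assess(net, minimum)
        if not allowed:
            blocked[net.bssid] = reason
    return blocked


def ssid_downgrades(text: str) -> list[str]:
    """SSIDs advertised at a weaker security level than their strongest BSSID.

    A trusted name showing up on an open or WEP BSSID is how an evil-twin
    AP captures clients that auto-join by SSID alone.
    """
    nets = parse_scan(text)
    strongest: dict[str, int] = {}
    for net in nets:
        rank = SECURITY_RANK.get(net.security, -1)
        strongest[net.ssid] = max(strongest.get(net.ssid, -1), rank)
    return sorted({net.ssid for net in nets
                   if SECURITY_RANK.get(net.security, -1) < strongest[net.ssid]})


if __name__ == "__main__":
    for bssid, reason in blocked_networks(SAMPLE_SCAN).items():
        print(f"BLOCK {bssid}: {reason}")
    for ssid in ssid_downgrades(SAMPLE_SCAN):
        print(f"WARN  {ssid!r} is advertised at more than one security level")
```

On the constructed data only the WPA2/CCMP "CorpSecure" access point passes, and "CorpSecure" is also flagged because a third access point advertises the same name with no encryption. The check deliberately refuses security strings it does not recognise instead of treating them as safe; a device-side policy that errs the other way turns a scanner quirk into an open door.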
- 6. Navigating the Waters of BYOD
Watch Out for the Rocks!
According to ancient Greek legend, the Cyanean Rocks, which stood at the inlet of the Bosporus, randomly came together to crush any unsuspecting sea-goers. The key, as the fabled Jason and his Argonauts discovered, was to manage the timing between clashes and crashes by constantly monitoring the trends in how the rocks interacted with the sea.
A top concern in BYOD security relates to the overall lack of monitoring and consistent management of access controls and privileges. Perhaps one of the easiest preventive actions an organization can take is also the one most neglected: establishing a consistent policy for remote file access, authentication and remote privilege management.
Data, and the loss of contact, adrift and Lost At Sea
Those sailors who have experienced the unfortunate demise of being adrift in open seas, and have lived to tell their tales, have said that the sheer loss of contact with the rest of the world drove some of their greatest fears.
Mobile devices are small and can be easily misplaced or lost. For many people, those devices contain everything from Grandma's secret recipes to government secrets entrusted to device owners for safe keeping. Many people (my five daughters included) have become so dependent on mobile devices for even minute-to-minute communications that they take them to bed with them!
The idea of encrypting mobile devices is still a fresh concept in the category of BYOD security, and as a result, proprietary data loss is still the chief concern regarding mobile computing environments.
- 7. Navigating the Waters of BYOD
Steering Toward Friendlier Shores
Desktop virtualization is a fast-growing trend for businesses at the edge. In fact, fewer security issues have actually been reported (internally) with personal mobile devices than with corporate devices. Fact is, people take better care of their own property.
With the interest in BYOD on the rise, often led from the top of the corporate food chain (namely, the C-levels themselves), the trend that is "BYOD" also often translates into innovation, enhanced "quality of work" for employees, a rise in productivity, and the chance for organizations to achieve faster rates of expansion and a higher level of achievement in goals and business objectives.
As the tempest of technology continues to rage on the digital horizon, organizations worldwide continue to pursue faster, higher, stronger methods of doing more with less.
Part 2: Sailing the Seven "C's"
To avoid sinking in the maelstrom, perhaps the following seven points of action can keep the tides even for those who are advancing toward uncharted waters:
• Collaborative Staff Effort;
• Configuration Policies;
• Continuous System Monitoring;
• Compartmentalized Virtualization;
• Coordinated Carrier Support;
• Control Systems (VPNs, Tokens);
• Clarification of Roles & Ownership.
See you next month with Part 2!
- 8. Navigating the Waters of BYOD
Available mid-September at www.conzebra.com
Navigating the Waters of BYOD
Part 2: Sailing the Seven "C's"
About Condition Zebra
Blended from the Information Security, Defense, IT, and Software Engineering industries, the Condition Zebra team has a combined skill set of more than 100 years' experience, with success histories that span decades of work. Our security architects, engineers and critical infrastructure analysts have participated in establishing critical infrastructure security and policy for the United States, and have served on advisory boards, critical infrastructure committees and consulting groups for foreign governments and for organizations ranging from Fortune 500 entities to the smallest of businesses. Contact Condition Zebra today to learn how our team of risk management experts can help your business.
About the Author
Drew Williams is the founder and CEO of the international risk management consulting services firm Condition Zebra, which has operating offices in the United States and Southeast Asia.
During the 1990s and into the 2000s, Drew was involved in the early development of IT infrastructure frameworks and security standards, including work with the IETF on the organization of the Common Vulnerabilities and Exposures (CVE) format, the HIPAA security standard, and the development of some of the industry's pioneer host-based intrusion detection technologies.
Drew has produced more than 40 short documentaries on educational and economic advancement in developing nations, and he authored one of the multi-million best-selling "Complete Idiot's Guides."