Category: Risk Management and Information Security Blog

Get Your Head In The Cloud

By Amine Mekkaoui,

Cloud-based solutions are no longer the wave of the future they are a necessary driver for most Enterprise businesses. The “cloud” which is really just a very large, remotely-connected server to store and access data isn’t a new phenomenon, but there are still the same old concerns about how secure data really is out there in Cyber Space.

The truth is you can control the safety of your data. Your overall cloud strategy and your use of the technology play a large part in the security process. It can range from choosing what you put on the cloud; to different models of service delivery like IaaS, PaaS, or SaaS; to what cloud-based server you use.

There are some very big, well-known companies with pretty good track records, like Rackspace, Microsoft, Amazon, and Google that have teams of people working around the clock on security and monitoring and can immediately identify, assess and remedy potential risks or threats. That’s something that most locally housed IT infrastructures can’t match. By storing data in the cloud businesses free up local IT infrastructure and are able to cut costs, but with any investment you must weigh the risk versus the reward.

So what are some of the things you need to consider before putting certain information in the cloud?

Data Breach: One of the major concerns when using the cloud is a data breach. The cloud presents greater challenges since you’re dealing with hypervisors and other external shared networked infrastructure. Data breaches can release personal information such as a person’s social security number or access to their credit or debit cards. Over the past couple of years, companies such as TargetExperian and Anthem BlueCross Blue Shield have been hit with major data breaches exposing personal information of millions of customers.

Data Loss and Recovery: While the data breach is considered a malicious of intrusive action, a data loss maybe a result of sever or storage malfunction. If your provider goes off-line and your data is lost, can it be recovered? Data sent to the cloud is encrypted as one of the many steps to ensure privacy. The downside is that encrypted data is harder to recover, especially if the encryption key is lost too.

Data Access: What information are you putting out there and who is going to have access to it? Sensitive, classified, or confidential information may not warrant storage on the cloud. You want to be able to monitor who has access to your data and their activities. Are these people authorized to access the data, and if not they need to be shut out of the network. You may also want to limit access to certain levels of individuals to mitigate any potential misuse of your data.

Data Availability: Storing data externally means you don’t have complete control of it anymore. Your cloud storage could go offline and someone else is now responsible for getting it back up. You want to make sure that whatever provider you chose has a proven record of highly available data and a quick turnaround for getting the system back on-line should it go down. All this needs to be spelled out in a Service Level Agreement (SLA).

Cloud-based solutions offer benefits for companies large and small, local and worldwide. What works best for a large company may not for a smaller one, but there are many options available that can make storing, sharing and accessing data more efficient and cost-effective no matter what business you are in.

Mobility is the trend of the new generation. Increased access to tablets, smartphones, robust data networks and even Wi-Fi everywhere has extended the capabilities of the professional in the field. When the BlackBerry first emerged on the market, the enterprise acquired, provisioned and controlled the mobile device for the workforce, enabling access to key applications and information, while also monitoring activity.

The demand for increased mobility has spurred a new phenomenon – BYOD. Employees are opting for the Bring Your Own Device to work strategy, balancing personal and professional conversations and information on the same device. The BlackBerry is no longer the smartphone of choice as the iPhone and Android dominate the market. BYOD has proven to be an effective strategy with the right policy in place, but how can it truly support the initiatives of the enterprise?

There are a few realities that accompany the adoption of BYOD:

Employees select the brand and type of device – while employees enjoy the freedom of selecting their own preferred brand and operating system, enterprise IT recognize the different challenges working in varied environments. It may be more effective for the corporate policy to allow BYOD to only include selected, approved brands, models and operating systems.

Employees control the level of personal information contained on the device – this is an important point if there is no separation between personal and corporate information. For example, if baby pictures are mixed with corporate or customers proprietary information, that’s a problem. Employees should be allowed to load their own information on their own device, but it’s up to IT to provide the technology and information to keep personal and professional information separated on the device with the application of mobile applications.

Employees access websites, applications and file sharing services not normally permitted by the enterprise – this is a critical threat for any network. Users may be accessing a vulnerable hotspot, uploading information to a file share site lacking the appropriate protections or downloading applications with malicious software. The enterprise BYOD policy should include guidelines to acceptable practices and mobile device management applications can be installed that prevent risky activities. The key to the successful application is to inform employees as to these rules and the consequences if those rules were to be broken.

Employees may allow other people to use their device – this reality is difficult to address from the corporate side. Employees may be educated on the risks involved with allowing other users to access their device, but complete control in this area is difficult. Monitoring and management applications can help control what the individual may do while using the device, however, which is an important step towards protection.

Employees may not demonstrate diligence in keeping track of their device – regardless of how much the employee uses his or her mobile device, it can still be lost or stolen. If that happens, the finder will have access to a wide range of network applications, proprietary information, authentication information and so much more. This is where keeping personal and private information separate is crucial as IT management can remotely wipe the device clean of any information that puts the enterprise at risk. Likewise, the employee can opt to wipe everything if personal information lost will also put them at risk.

While this list just scratches the surface in terms of the realities that can affect BYOD and the enterprise, they are important points to ensure success in this new environment. Any corporation can resist the trend and instead purchase mobile devices for all employees, but that may not always be the optimal choice. By understanding the realities that exist in a BYOD environment, the enterprise is more likely to benefit. 

Threats Associated with BYOD

By Amine Mekkaoui,

The use of mobile devices among the global workforce is not a new concept, but the introduction of user ownership is a trend that has just gained momentum in the last few years. Professionals in a wide range of industries are relying on their own mobile devices to support the balance between work and home, introducing a whole new set of risks for the corporate network when the proper policies and controls are not in place.

While BYOD (Bring Your Own Device) offers plenty of benefits for the enterprise and the employee, a strategic approach is necessary to mitigate the risks associated with users accessing the network and supported applications from outside of the corporate firewall. Let’s take a look at some of the threats that exist with BYOD and what you need to do to protect your network, your users and your proprietary information.

  1. Lacking a Robust Policy – Now that users are accustomed to relying on their own devices to access the network and their personal email, they also need to know what is acceptable use, who has access to their device(s), and what will happen if the device or the information contained within the device is compromised. An effective policy outlines expectations and outcomes, while also providing for the proper sharing of information so all employees are informed.

  2. Weak Authentication Methods – It’s a given that employees will need unique user names and passwords to access the corporate network, but it’s also a given that such information is easily captured by hackers. It’s critical that IT management implements and enforces strong authentication methods and limits access to applications. Strong authentication methods demand constant monitoring and regular updates to ensure any breach is immediately identified and mitigated.

  3. No Visibility or Control over Devices – Employees often prefer BYOD as a concept as it suggests they have complete control over their mobile device. While the physical control may remain, IT management establishes its own control over the device with mobile device management or other applications that provide remote access and complete visibility. Access to such technology ensures IT always knows what devices are accessing the network and can immediately locate, lock and wipe clean any compromised or lost device.

  4. Applications – While a number of applications exist to promote the activities of the professional in the field, a larger number exist to waste time or access proprietary information with malicious intent. Any applications downloaded by the user without IT approval are a risk to the corporate network. The simple scan of a QR code could quickly launch malware on the device, with reach into any network to which it is connected. The corporate policy must define what constitutes an approved application and how to avoid downloading malicious software.

While this list merely scratches the surface of the threats that exist with BYOD, it still provides clear insight into what you need to consider within your own environment. Whether yours is a large enterprise, small- to medium-sized business or sole proprietorship, any mobile device used to access your network, server or other IT assets presents a threat to your operation. Before allowing BYOD to flourish, put the right strategy in place to support only the safe use of all mobile devices.