Bring-your-own-device (BYOD) culture is sweeping enterprises around the world, bringing a flood of innovation along with new cybersecurity concerns. BYOD typically falls under the purview of endpoint protection platforms, since it multiplies the number of endpoints that need securing. But it also brings challenges to identity and access management that we haven’t fully addressed: the devices are often outside the corporate directory, yet they need authenticated, authorized access to business systems.
With that in mind, we were lucky to speak with Mark Cooper, Founder and President of PKI Solutions: a security firm specializing in public key infrastructure, Internet of Things, and mobile device security.
Here’s part of our conversation, edited slightly for readability. We also talked about cybersecurity and the Internet of Things (IoT), which you can find here.
Solutions Review: What do you think of the bring-your-own-devices culture, from a security perspective?
Mark Cooper: It’s an interesting world that we are in with BYOD, a dynamic shift from a few years ago. In my days as a corporate IT director, we defined the security boundary as the network firewall, and only company resources were allowed on the internal network. We actively looked for ways to exclude unauthorized systems with schemes such as 802.1X port authentication, NAC/NAP products, and quarantine products.
The modern workplace has undergone a big shift from not only supporting BYOD but embracing it. BYOD started with employees wanting to use their own devices to access network resources, and it has now evolved to corporations issuing mobile devices to employees and needing to manage their access. In fact, one customer I worked with recently has a goal to have all employees using “unmanaged” resources. Whether it is a device, laptop, or kiosk, the company encourages its employees to use whatever device they want, and the company will focus on ensuring identity and data protection are in place for them.
From a security perspective, BYOD presents a large number of challenges to organizations. Maintaining integrity and protection for organization data while allowing access from any device is difficult. It’s not just a matter of building a wall around a physical building perimeter and carefully controlling what goes in and out. BYOD requires access from resources almost always outside our perimeter and often requires access to our most critical business systems.
BYOD requires a careful balance between maintaining control and security of information and the desire to access and use information freely. Organizations must carefully decide what information they can safely provide, and acknowledge the risks associated with it.
SR: What do enterprises miss when trying to secure a BYOD workplace? Alternatively, what do they overemphasize in their efforts?
MC: In most BYOD solutions, the biggest challenge is handling identities and credentials. BYOD is often on devices that do not participate in traditional identity systems, such as Active Directory. This often leaves organizations using and managing multiple identity systems to support access to applications and services. As the number of these systems increases, the complexity and management [required] grow exponentially. Eventually, there is too little oversight and control over the [privileged] identities that control access to very sensitive organizational data. Identifying and using single sign-on technologies such as SAML can help organizations reduce the complexity.
Most organizations overemphasize the convenience and desires of their employees above all. I’m not advocating ignoring your employees, but you don’t have to open access to everything in your organization to BYOD. There may be some specific areas that can be appropriately accessed and used via BYOD. But there are also some areas that are inappropriate for BYOD access. Should you allow BYOD access to your ACH wire transfer system because of an employee request? The answer is no.
SR: Are certain devices or user habits more at risk for infecting a BYOD workplace? And if so, what can enterprises do to prevent those infections?
MC: There are a few areas of risk associated with users and BYOD. Most devices employees are bringing into the environment are meant as consumption devices and provide consumer-grade security and protection. In addition, the way these devices are used leads to more informal use (such as social media) and casual attention. So, they tend to be left unmanaged or left [without being] updated for a long period of time. The blending of personal and business use often leads to a commingling of sensitive organization data and personal information, which could threaten the sensitive information you’re trying so hard to protect.
The best way to go is the use of mobile device management solutions that provide organizations with a means to define and control the environment on the devices. In addition, ensuring strong identities on the devices will enable organizations to ensure that users and devices connecting to VPN, Wi-Fi, and other resources are legitimate. These solutions also enable advanced encryption controls as well as remote data wipe [options] if the devices are lost.
SR: Can the problems of BYOD be solved in part via educational efforts? And if so, what educational tips do you have for enterprises?
MC: Employee education and training are definitely a big part of BYOD security, just as they are part of any security effort. For example, it’s critical to be aware of your surroundings when accessing and using these devices. Just as we have all learned to be conscious when using an ATM and entering our PIN, how many people are careful about who is around and watching when they enter their passwords on a device? Some tablets are quite large, and it’s very easy to see the password input screen, even from across the room.
Another important training aspect is teaching users that while the devices are portable and easy to use, they also represent a very attractive target for attackers looking to enter our environment. The use of lock screens with short timeouts can help mitigate some of this risk, but increasing user awareness of vulnerabilities is key.
Thanks again to Mark Cooper of PKI Solutions for his time and expertise! Mark is the president and founder of PKI Solutions and has deep knowledge and experience in all things Public Key Infrastructure (PKI); he has been known as “The PKI Guy” since his early days at Microsoft. PKI Solutions Inc. provides consulting, training, and software solutions for Microsoft PKI and related technologies for enterprises around the world. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented, and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.
Mark Cooper also shared his expertise on the Internet of Things (IoT). You can read that part of our interview here.