IT security protocols in flexible working

'Bring your own device' can make it as difficult as herding cats


As people increasingly use their own tablets and smartphones for work, controlling and securing company data can become like herding cats; established IT security policies and protocols don't translate directly to the new 'bring your own device' world.

"In terms of technologies, things such as desktop configuration standards or remote troubleshooting tools, which are typically part of IT policies, cannot be applied to mobile devices because the underlying platforms are very different," says Chenxi Wang, Vice President at Forrester Research.

"In terms of processes, the way you typically manage corporate-owned endpoints cannot be extended directly to employee-owned devices, often because of privacy reasons."

Security protocols and policies for flexible working might encompass: employee use policies and security training; data ownership and data protection; access control to specific resources based on permission levels and policies; encryption requirements; redundancy and disaster recovery.

Business issue

Some of these policies may be supported by technology, but this is a business issue, not a technical one.

"You need to look across the business (to develop security protocols)," says Steve Durbin, Vice President at the independent Information Security Forum (ISF). "HR, IT and business departments will be involved.

"In an SME it is a broad conversation that is going to be going on at a management team level."

For many businesses awareness training is the best route. For others, mandating upgrades and installation of security measures on their devices prior to accessing company systems, or central provisioning and control of all devices, may be the way forward. Opinions are divided.

"The most effective way of getting users to follow through on the security controls is to make it a necessary condition to access corporate information, such as email," Chenxi Wang says.

"If you have a policy which stipulates that only phones with the latest OS update can access corporate email, and you have technology controls such as mobile device management (MDM) or network gateways to enforce that policy, you'll see that many employees will be happy to exercise the security controls."
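The enforcement Wang describes is a conditional-access check: the gateway or MDM evaluates the device's posture against the policy before it is allowed to reach corporate email. The following is an added illustration, not code from the article or from any product it names; the gateway call, the policy values and the device records are all constructed assumptions. It also shows one pitfall such a check must handle: OS versions have to be compared numerically, because a plain string comparison ranks "9.3" above "10.1".

```python
"""Conditional-access check for employee-owned devices (added illustration,
not from the article). A hypothetical gateway calls `evaluate_device` before
letting a device reach corporate email; the policy values and device records
below are constructed sample data, not real devices."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically.
    A plain string comparison would wrongly rank '9.3' above '10.1'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Policy:
    # minimum OS version per approved platform; platforms not listed are denied
    min_os: Dict[str, str]
    require_mdm: bool = True
    require_encryption: bool = True


@dataclass
class Device:
    owner: str
    platform: str
    os_version: str
    mdm_enrolled: bool
    storage_encrypted: bool


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_device(device: Device, policy: Policy) -> Decision:
    """Return allow/deny plus every failed control, so the user is told what to fix."""
    reasons: List[str] = []
    required = policy.min_os.get(device.platform)
    if required is None:
        reasons.append(f"platform {device.platform!r} is not approved")
    elif parse_version(device.os_version) < parse_version(required):
        reasons.append(f"OS {device.os_version} is below minimum {required}")
    if policy.require_mdm and not device.mdm_enrolled:
        reasons.append("device is not enrolled in MDM")
    if policy.require_encryption and not device.storage_encrypted:
        reasons.append("device storage is not encrypted")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample policy and device records (hypothetical values).
SAMPLE_POLICY = Policy(min_os={"ios": "10.3", "android": "8.0"})

SAMPLE_DEVICES = [
    Device("alice", "ios", "10.10", True, True),        # compliant
    Device("bob", "ios", "9.3", True, True),            # OS too old
    Device("carol", "android", "8.1", False, True),     # not enrolled in MDM
    Device("dave", "windowsphone", "8.1", True, True),  # platform not approved
]


def gate_report(devices: List[Device], policy: Policy) -> Dict[str, Decision]:
    """Evaluate every device against the policy; returns {owner: Decision}."""
    return {d.owner: evaluate_device(d, policy) for d in devices}


if __name__ == "__main__":
    for owner, decision in gate_report(SAMPLE_DEVICES, SAMPLE_POLICY).items():
        status = "ALLOW" if decision.allowed else "DENY"
        print(f"{owner:6} {status} {'; '.join(decision.reasons)}")
```

Returning every failed control rather than a bare deny is deliberate: the quoted policy only works if the employee can see what to update, so the gateway's response doubles as the remediation message.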

Tony Dyhouse, cyber security director at the government-supported ICT Knowledge Transfer Network, places more emphasis on trust.

"At the moment the best thing we have is policy," he says. "You have to have a lot more trust in users.

"Yes it can be enshrined in policy, but if you want to turn off a functionality on the device, you are reliant on users and you rarely have the power to do that."

Cloud challenge

Dyhouse points out that a lot of mobile devices sync to the cloud, potentially putting company data out of reach.

"You get a free iCloud account with Apple devices and one of the main purposes of it is to be able to sync calendars and email through a cloud account.

"Before you know it all your work stuff is on the cloud and there is technically no way of getting rid of it or knowing where it is. It is not technically possible to apply policies requiring firewall and antivirus as all security applications are in extremely early days."

The biggest thing is functionality, he believes.

"Anything that starts to break that in the name of security fails because the users don't want it.

"There is only one mobile you can connect to classified networks in the UK and that is a BlackBerry. With a BlackBerry you can turn off the internet access, but then people do say what is the point of it?"

Brian Horsburgh at Dell Kace believes it is important to put in place security protocols that look to the future and encompass all devices, not just smartphones and tablets but also the likes of kiosks and point-of-sale terminals.