BYOD too Big for Twitter...

Sunday, July 29, 2012

Boris Sverdlik


First I'd like to say that I'm really glad that we have Twitter, a place to vent and share our ideas and opinions...

However we all know opinions are like asses, and everybody has one.

I'd like to thank @Wh1t3rabbit, @wgragido, @mattjezorek, @krypt3ia, @arch3angel, @grey_area, @dewser and I'm sure there are others that I have missed for the long-winded tweets and conversations we've had over the BYOD topic.

So with that, let me put my ass out there on the BYOD topic...

There has been some confusion in what BYOD is and what it isn't according to the tweets I have been able to follow. BYOD (Bring your own device) is the latest in buzzwords that product vendors have introduced over the last few years. It shouldn't be any different than the remote access we have provided to our users for years.  

Some argue that productivity will increase if users can use their own [Insert iDevice here] to perform their jobs. This may or may not be true, but as security professionals our job is to enable the business to continue being profitable while minimizing risks /cissp_speak_off .

So where is the disconnect? Why are some for and some against the concept that essentially has been around for at least the last 15 years? It comes down to the fact that organizations are starting to realize that they aren't even in a good position to provide remote access, let alone support new technology.

How can you possibly provide remote access when you don't implement the basic controls such as data classification, role based access, centralized logging, intrusion detection?? We all complain about introducing new risks - are we really introducing new risks?

Let's look at how most organizations have their corporate network rolled out... Production access is usually granted on blind faith based on the whole "I trust my LAN". How can you put so much faith into equipment that you have purchased? Is it because you have extensive control of those systems? In most cases you do not.

Do you know what type of data users have on their workstations? If there is sensitive data in use on the endpoints, do you require two-factor authentication and encryption to that endpoint? Why not? It's the same data that you are trying to protect in your production environment, why should the endpoint be any different?

Oh because you bought the equipment. It's because you can control what sites the user accesses, you can control data leakage with that shiny DLP device, right? You have that NAC thing rolled out right?

I hope you see the sarcasm in that last paragraph. Most organizations definitely fail at basics, so the introduction of new technology scares them and so it should. What if you started treating the corporate network as hostile? Wouldn't life be so much easier from a security perspective if you stopped nitpicking endpoint controls?

Call it BYOD, call it endpoint enforcement, call it whatever the hell you want. If it's done right it should work across all of your platforms and your shiny iPads. Imagine for a second everyone has to VPN in to get to production. Regardless of if you bought the equipment or they did. Regardless of if they are at the office or at home. Who cares?

All hostile all the time... In order to do it right you must first get the basics in place. Data classification needs to be perfect! Your access control program must also be perfect. If you can't say that you've nailed either, then you aren't ready for remote access let alone BYOD and/or wireless.

If you have, however, then read on. You shouldn't be introducing any additional risks if you have already gone through the above. There are several solutions available that will allow you to quarantine devices that are physically plugged in or connected wirelessly into a DMZ where they have to authenticate.

We all know NAC fails because of exceptions and misconfiguration, and that's not where I'm going. What if, to get to production, you have to authenticate to a central enforcement agent such as, I dunno, VPN??? The VPN solution can then in turn allow you to access only what you need to do your job. If it's access to sensitive data, then you have to go through additional levels of control which can also be pushed by the choke point.

The point is that a central enforcement solution is the only way to go. You can do everything from force software installation to perform a vulnerability assessment prior to allowing access.
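A sketch of the decision such a choke point would make, added here as an illustration and not part of the original post. The resource names, roles, `Session` fields and `decide` function are hypothetical; the point shown is that device ownership and network location never enter the decision.

```python
from dataclasses import dataclass

# Constructed sample policy: resource -> (data classification, roles allowed).
RESOURCES = {
    "wiki":          ("internal",  {"engineer", "finance", "operator"}),
    "payroll-db":    ("sensitive", {"finance"}),
    "scada-console": ("sensitive", {"operator"}),
}

@dataclass(frozen=True)
class Session:
    user: str
    role: str
    authenticated: bool    # passed primary authentication at the choke point
    second_factor: bool    # passed the additional (two-factor) control
    posture_ok: bool       # passed the pre-access vulnerability assessment
    corporate_owned: bool  # recorded for logging only, never read by decide()
    on_office_lan: bool    # likewise ignored: the LAN is treated as hostile

def decide(session: Session, resource: str) -> str:
    """Return 'allow', 'step-up', 'quarantine' or 'deny' for one request."""
    if resource not in RESOURCES:
        return "deny"          # unclassified data is not reachable at all
    classification, roles = RESOURCES[resource]
    if not session.authenticated or not session.posture_ok:
        return "quarantine"    # stays in the DMZ until both checks pass
    if session.role not in roles:
        return "deny"          # role-based access: only what the job needs
    if classification == "sensitive" and not session.second_factor:
        return "step-up"       # extra control pushed by the choke point
    return "allow"

if __name__ == "__main__":
    # Constructed sessions: a personal iPad at home, an unpatched corporate PC on the LAN.
    ipad = Session("ceo", "operator", True, True, True, False, False)
    desk = Session("clerk", "finance", True, True, False, True, True)
    print(decide(ipad, "scada-console"), decide(desk, "payroll-db"))
```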

It's not a question of technology, it really isn't. The one problem that we keep running into is that users don't want us installing things on their personal devices. It's the whole entitlement mentality that our users have somehow attained through all of our babying. That's the cost of using our resources, and I'm sorry to say there must be some compromise. You have to pay to play!

With all that said, I'm not crazy about users replacing corporate owned systems with user owned devices just yet, but depending on the environment it might be a feasible solution.

What I am saying is that BYOD is not as big of a deal as everybody is making it out to be.  

Get your basics in place and then when your CEO wants to use his new shiny iPad to access the SCADA console, you can give it to him because you've built your environment with the understanding that the host is hostile!

That's my frak or my .02 - thanks for reading!

Krypt3ia: Nice... One more thing that worries me more than the technical issues. Legal. The legal issues of oversight/discovery/privacy etc. People eventually are going to revolt. It's a nightmare I think, and having put a BYOD in place, I kinda gave up on the technical issues because as you point out, unless you get it 100% right it's game over really whether it's your asset or theirs. By adding the ideal that you are saving money by having the EU own the device (i.e. pay for it and upkeep it) you are adding legal complexity vis a vis privacy and were there to be compromise, via forensics and discovery.

Never mind the whole idea of discovery from other court cases...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.