Securing BYOD in the Enterprise Cloud
Unprecedented mobility is affecting the enterprise space in a big way. If you haven’t heard of BYOD (Bring Your Own Device), a term coined to describe the use of consumer mobile devices (smartphones and tablets) in the enterprise, then you probably haven’t been following digital media lately. Some call it the continuation of the consumerization of IT, which is technically correct, but if we stop at that definition we miss the aspects that will either make or break the relentless spread of mobile devices into the enterprise. BYOD moved from obscurity to reality only recently, but the rate at which it is penetrating traditional enterprise IT threatens anyone who is stuck with old IT and unwilling to make a significant change in the way the mobile corporate worker wants to work.
With the proliferation of apps hosted in the Cloud, such as Google Docs, Salesforce apps and a multitude of others, it has become very complicated to protect enterprise systems from the new threats that originate from unsecured access to those systems from personal mobile devices. Security has become one of the top concerns of IT in this new world of personal devices connected to the corporate network. This article gives you an overview of the changing security implementation practices for the Cloud, with a focus on BYOD.
Can the security be outsourced?
Before diving into how you can implement your cloud security policy, let’s first look at whether your Cloud vendor can be trusted to provide the necessary security. The cloud landscape is divided into 2 sectors with 3 sub-sections in each sector:
Whether security can be outsourced to the cloud provider depends on which level of cloud service is being used. SaaS is the most secure level of cloud usage, since all you have to worry about is application-level security and key management; in-house encryption appliances are sufficient to ensure security in this case. IaaS is the least secure level, since you have to deal with the Operating System, Solution Stack, Application and Interface levels yourself. PaaS sits in the middle, with Application and Interface level security left for you to take care of. One aspect that is normally overlooked is the difference between responsibility and liability. In case of a security breach, how much liability is the cloud provider willing to take on? Industry experts cite specific SLA clauses showing that cloud providers are not really willing to take on any liability at all. Here is one such excerpt from the SLA of a public cloud provider:
This SLA and any applicable Service Levels do not apply to any performance or availability issues:
- Due to factors outside XXXXXXXX reasonable control
- That resulted from Customer’s or third party hardware or software
- That resulted from actions or inactions of Customer or third parties
This implies that in case of any damage caused by the cloud tenant (you) or by third-party software, hardware or technology, the cloud provider will not be held liable. Good luck if you left your security to the cloud provider.
Hence, even though some public cloud providers like Amazon and HP Cloud do offer data encryption services at the application level, the complete responsibility AND liability of securing the enterprise cloud lies with you. With this premise, let’s take a look at how the industry is trying to solve the problem of making cloud secure for the enterprise and hence, the new mobile workforce.
Building your mobile device usage policy
In order to embrace BYOD, companies need to come up with a fresh usage policy for mobile devices. There are several scenarios that the policy must address appropriately. The following questions, among others, need to be answered:
- Which devices do we trust? What models and software app versions?
- How much company data should reside in the private mobile device?
- In case the device is lost, how would company data on the device be secured?
- Compliance check: How does IT make sure that company data usage on the private device complies with data security regulations?
- Will IT be able to remotely wipe the data in case the device is lost?
- Ownership of the data: If an employee moves on to another company, should the company data residing on the device move on with them? Who ensures compliance in this case?
- Data backup: If the device is damaged and the user has “created” some data that is not synced with the corporate network, how will data backups be managed?
These are just some of the questions that any data usage security policy will have to address, but the real decision is the trade-off between the ease of use given to employees and the level of control IT wants to maintain. In any case, someone has to take on the responsibility for such democratic use of valuable, breach-intolerant company data. Such lenient access to secured corporate networks demands even more stringent penetration testing, with an expanded perimeter that encompasses personal mobile devices as well. You may find a very good overview of penetration testing in our blog post entitled Penetration Testing: Tools, Exploits and Learning Resources. For a penetration testing article that dives deeper, focusing on Android, take a look at Penetration Testing with Android.
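The policy questions above only become enforceable once IT can decide, per device, whether it meets the policy before it is granted access to company data. The following Python is an added example, not code from the original post or from any vendor product: it evaluates a device record against a trust policy covering the model and minimum OS version, storage encryption, enrollment for remote wipe, jailbreak status and the age of unsynced data. The device records, model names, minimum versions and sync-age limit are all constructed for illustration; a real deployment would pull these attributes from a device management inventory.

```python
"""Device trust and compliance check for a BYOD usage policy.

Added example (not from the original post). All device records, model
names, minimum OS versions and limits below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    model: str
    os_version: str        # dotted version string, e.g. "4.2.1"
    encrypted: bool        # storage encryption enabled on the device
    mdm_enrolled: bool     # enrolled so IT can remotely wipe it
    jailbroken: bool       # rooted/jailbroken devices cannot be trusted
    last_sync_days: int    # days since last sync/backup with corporate network


@dataclass
class Policy:
    trusted_models: Dict[str, str]   # model name -> minimum OS version
    max_sync_age_days: int           # unsynced data older than this is a risk


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.1.2' into (4, 1, 2) so versions compare numerically.

    Tuple comparison handles different lengths: (4, 1) < (4, 1, 1), which a
    plain string comparison would get wrong for e.g. '4.10' vs '4.9'.
    """
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device: Device, policy: Policy) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    minimum = policy.trusted_models.get(device.model)
    if minimum is None:
        violations.append(f"untrusted model: {device.model}")
    elif parse_version(device.os_version) < parse_version(minimum):
        violations.append(f"OS {device.os_version} below minimum {minimum}")
    if not device.encrypted:
        violations.append("storage encryption disabled")
    if not device.mdm_enrolled:
        violations.append("not enrolled for remote wipe")
    if device.jailbroken:
        violations.append("device is jailbroken/rooted")
    if device.last_sync_days > policy.max_sync_age_days:
        violations.append(
            f"unsynced data older than {policy.max_sync_age_days} days")
    return violations


def compliant_devices(fleet: Dict[str, Device], policy: Policy) -> List[str]:
    """Names of the devices that may be granted access under the policy."""
    return [name for name, dev in fleet.items()
            if not evaluate_device(dev, policy)]


# Constructed sample policy: which models IT trusts and from which OS version.
SAMPLE_POLICY = Policy(
    trusted_models={"Nexus 4": "4.1", "iPhone 4S": "5.1"},
    max_sync_age_days=30,
)

# Constructed sample fleet of personal devices requesting access.
SAMPLE_DEVICES = {
    "alice-phone": Device("Nexus 4", "4.2.1", True, True, False, 2),
    "bob-tablet": Device("Generic Tablet", "4.0", False, False, False, 40),
    "carol-phone": Device("iPhone 4S", "5.0.1", True, True, True, 1),
}


if __name__ == "__main__":
    for name, device in SAMPLE_DEVICES.items():
        problems = evaluate_device(device, SAMPLE_POLICY)
        status = "ALLOW" if not problems else "DENY"
        print(f"{name}: {status}")
        for problem in problems:
            print(f"    - {problem}")
```

Each violation is reported rather than stopping at the first one, so the user (or the help desk) can see everything that must be fixed before the device is admitted; the version check is done on parsed integer tuples because a string comparison would rank "4.9" above "4.10".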
An overview of existing solutions
This changing landscape in enterprise IT has opened it up to disruptions, which are bound to happen. But unlike Microsoft, which failed to make the transition from the PC era to the mobile era, industry leaders in the enterprise security domain have started offering home-grown BYOD solutions to tap into this emerging market.
Cisco BYOD Smart Solution
Cisco has identified the need for a simplified mechanism to provide corporate network access to personal devices. Their BYOD smart solution consists of three core modules. The first is the Unified Access Infrastructure, which is governed by the IT security policy and powered by their Identity Services Engine; this policy management tool spans the entire corporate network (wired, wireless, remote, physical and virtual devices). The second module makes sure that any data accessed by a personal device is secured, both during transmission and while at rest on the device; this is done through their AnyConnect® Secure Mobility Client. The last component is simple management, which they offer with their Prime™ Network Control System (NCS).
Citrix BYOD solution
Citrix has tailored its traditional desktop virtualization and collaboration solutions to fit the BYOD paradigm. Instead of delivering remote desktops only to company workstations, workers will be able to stream the desktop to their personal devices. Further, collaboration tools like GoToMeeting have been mobile-enabled with apps for iOS and Android. But again, it is up to the end-user organization, together with IT, to devise the BYOD policy.
These are just two clear examples of how the industry leaders have identified BYOD to be something that cannot be taken lightly anymore.
At the end of the day, the weakest link in even the most stringent IT security policy is the user: the human being consuming the data, and the one most prone to error. Increasing worker productivity cannot be achieved at the cost of security breaches, which have become ever more costly, both in financial penalties and in the loss of business credibility, sometimes even threatening the very existence of the company.
Safari Books Online has the content you need
Take advantage of these penetration testing resources in Safari Books Online:
Security in Computing, Fourth Edition goes beyond technology, covering crucial management issues faced in protecting infrastructure and information. This edition contains an all-new chapter on the economics of cybersecurity, explaining ways to make a business case for security investments. Another new chapter addresses privacy, from data mining and identity theft to RFID and e-voting.
As companies turn to burgeoning cloud computing technology to streamline and save money, security is a fundamental concern. Securing the Cloud: Cloud Computer Security Techniques and Tactics is a practical resource for anyone who is considering using, building, or securing a cloud implementation.
Cloud computing allows both large and small organizations to use Internet-based services so that they can reduce start-up costs, lower capital expenditures, use services on a pay-as-you-use basis, access applications only as needed, and quickly reduce or increase capacities. However, these benefits are accompanied by a myriad of security issues, and this valuable book tackles the most common security challenges that cloud computing faces. Cloud Security: A Comprehensive Guide to Secure Cloud Computing offers you years of unparalleled expertise and knowledge as the authors discuss the extremely challenging topics of data ownership, privacy protections, data mobility, quality of service and service levels, bandwidth costs, data protection, and support.
You may regard cloud computing as an ideal way for your company to control IT costs, but do you know how private and secure this service really is? Not many people do. With Cloud Security and Privacy you’ll learn what’s at stake when you trust your data to the cloud, and what you can do to keep your virtual infrastructure and web applications secure. Ideal for IT staffers, information security and privacy practitioners, business managers, service providers, and investors alike, this book offers you sound advice from three well-known authorities in the tech security world. You’ll learn detailed information on cloud computing security that, until now, has been sorely lacking.
About the authors
Salman Ul Haq is a techpreneur, co-founder and CEO of TunaCode, Inc, a startup that delivers GPU-accelerated computing solutions to time-critical application domains. He holds a degree in Computer Systems Engineering. His current focus is on delivering the right solution for cloud security. He can be reached at email@example.com.
Aamir Majeed is Senior Solutions Engineer at TunaCode, Inc. He holds a degree in Avionics Engineering. His interest areas are anything and everything GPUs: from writing highly optimized, performance-oriented GPU code, to experimenting with the latest tools and solutions, to porting existing frameworks and codebases to GPUs. When not working, Aamir spends his time trekking snow-capped mountains.