Tight security needed in device anarchy

Tight security needed in device anarchy

Summary: Moves by financial services firm Suncorp to dump corporate-sanctioned computers and allow users to work on personal devices raised eyebrows in the information security industry, but it may have just made its network safer.


Moves by financial services firm Suncorp to dump corporate-sanctioned computers and allow users to work on personal devices has raised eyebrows in the information security industry, but it may have actually made its network safer.

Devices image

(iPhone family image by Blake Patterson, CC2.0)

The organisation was already testing BYO devices with software developers last year, and had decided to ditch an upcoming hardware refresh, according to a News Ltd report.

Suncorp told ZDNet Australia that the decision to shirk a 20,000-desktop refresh and relinquish control over the type of devices staff can use was part of a long-running plan to make the workplace friendlier.

The company will use a mix of Citrix and open-source tools to "create a virtualised and secure interface for BYO devices", the report stated. Such tools could be used to enforce access rights and application controls.

Some security professionals had suggested over social media that allowing potentially vulnerable devices to connect to the company network was risky for a financial services company. Others, however, said the bank will not jeopardise its network or sensitive data with the right security infrastructure in place.

"I think it is realistic, and if properly implemented [it] can improve practical security," said Jack Daniel, a United States-based security professional and director of the National Information Security Group.

He said the BYO device policy is an acknowledgement that staff will connect to corporate networks with their own iPads and mobiles regardless of security policy.

"If you don't have policies for dealing with non-standard devices, it is a safe bet they are being used in violation of policy. Sure, there are some high security environments where you might be able to enforce a 'no stray devices' policy, but in the real world, it isn't going to happen," he said.

"Accept it, embrace the idea, develop plans for allowing the devices to securely operate in your environment."

A general ban on personal devices at work may be misunderstood or ignored by staff, whereas a BYO policy will allow a business to set clear limits and expectations that can be enforced and understood, Daniel said.

"That isn't to minimise the headaches of a myriad of new data loss vectors, but those exposures exist today, and ignoring them does not work," he said, adding that business tends to ignore the issue of lost corporate devices, a "time-honoured" and ineffective way to tick compliance boxes.

Ronin Security Consulting director Matthew Hackling said security must be tight before organisations consider a BYO device policy. He listed five points to be checked off before committing:

  • Network segregation of the BYO devices into a "semi-trusted" Virtual LAN so that connections are restricted via a firewall only to a set of understood, authorised, secured and monitored application ports.
  • Allowing only an approved set of BYO devices to connect to the network so that the threat environment can be understood and tracked by the security team.
  • Offering antivirus and anti-spyware software to staff free of charge for the supported BYO devices to protect against keylogging and "screen scraping" malware.
  • Using enhanced authentication to counter the capture of log-ins and passwords via keyloggers.
  • Understanding the footprint left in temporary files and browser caches by the applications.

Topics: Apple, Mobility, Networking, BlackBerry, Security

Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years, he covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Received this article from the big boss who waved and claimed someone's beaten us to BYO.

    BYO is the easy part, but you need to focus on the security controls. Desktop virtualisation is one that was mentioned in the news.com.au article, but I am sure other things such as NAC or the 5 points mentioned above are also in place. And finally the policies and procedures need to endorsed by the CEO.

    So get the budget before talking about BYO!