November 16, 2011
Thoughts on Security Practices and the Consumerization of IT

Tim Rains, Director of Trustworthy Computing Communications at Microsoft, has published an interesting post on TechNet pertaining to the IT consumerization wave that is hitting enterprises at full force and the difficulties these companies face to deal with it.

Tim refers to the 14th annual Global Information Security Survey from E&Y.

The following excerpt, cited by Tim, is a telltale sign of enterprises groping for answers on how to address these consumer-grade devices in the corporate network (emphasis added):

our survey shows that the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.

The vast majority of respondents try to tackle the issue from a security policy and awareness perspective. Encryption comes third, as many CISOs and CSOs try to concentrate on the data rather than on the equipment.

By approaching the problem from a data-centric point of view, they aim to isolate and protect corporate data stored on BYO devices. Sadly, a well-known fact of information security is that whoever controls the device controls the data. Building a castle in uncharted territory is an ill-advised strategy.

I am not saying that data-centric approaches are useless. I am saying that they are not sufficient and must be complemented by a threat-centric approach, as championed by Richard Bejtlich.

We should be monitoring what goes in and out of these devices and beefing up our incident response capability so that we can act swiftly in case of data exfiltration and other significant threats to brand image, business data, intellectual property, etc.

June 27, 2011
Cert-IST 2011 Annual Forum

I had the opportunity to attend the Cert-IST 2011 Annual Forum held on June 7, 2011 in Paris, France.

Cert-IST is a French CERT dedicated to the Industrial, Services and Tertiary sectors. They organize an annual forum. Last year’s edition was mildly interesting. The most interesting presentation IMHO was given by a security professional working for Sanofi-Aventis about how they conducted their security awareness programs. In comparison, it would be an understatement to call this year’s edition an interesting conference, as most presentations were really thrilling.

First of all, let me apologize to my non-French speaking readers as all the presentations were made in French. This year’s theme was “Security and Modernity: a Challenge for the Enterprise?” and questioned the numerous technologies and trends from the standpoint of security professionals, be it the Cloud™, the smartphone invasion, the traction that the BYOD (Bring Your Own Device) movement is gaining in the enterprise, social networks, or APT attacks.

There were quite a number of very interesting presentations, such as:

  • Keynote “Security and Modernity” by Antoine GARAPON, Judge: CISOs continue to view Information Systems as a territory to defend, while attackers act as sea pirates. They view the Internet not as land but as a body of water where they can sail, looking for prey. It is necessary that we, security professionals, look for a middle ground and get out of the “forbid everything not absolutely necessary” mindset. Otherwise, we won’t be able to cope with the challenges that we are facing (think new technologies).
  • National Strategy for Cyber Defense by Patrick PAILLOUX, General Manager, ANSSI: very interesting feedback on the French Ministry of Finance’s attack and the resources ANSSI allocated for incident response. The attacks were not sophisticated but their perpetrators had important means and were highly organized. Mr. PAILLOUX insisted on the necessity of having a CERT-like capability or at least some sort of incident response in every company to help cope with the new threat landscape.
  • Securing Mobile Devices for Enterprise Usage by Jean-Marie MELE, Security Engineer, France Telecom Orange: very good presentation on the technical and legal issues pertaining to BYOD (Bring Your Own Device). In France, a personal device is the property of its user even if it is used in a professional context. As such, it cannot be audited or submitted to a pentest without the consent of its owner. A number of Android vulnerabilities were also cited. It is necessary to follow such trends and adapt to them or risk being completely bypassed.
  • Cloud Computing: Legal Questions by Jean-Marie JOB, Attorney: excellent presentation on the legal aspects of Cloud Computing. Who is responsible for data processing (and thus must make sure that personal data is processed according to French law)? What are the important points to keep in mind before moving to the Cloud? What happens if personal data is handled outside of the EU?

If you’d like to dig deeper, read my full account (in French) and/or download the presentation materials online.
