Tight security needed in device anarchy

Moves by financial services firm Suncorp to dump corporate-sanctioned computers and allow users to work on personal devices has raised eyebrows in the information security industry, but it may have actually made its network safer.

(iPhone family image by Blake Patterson, CC2.0)

The organisation was already testing BYO devices with software developers last year, and had decided to ditch an upcoming hardware refresh, according to a News Ltd report.

Suncorp told ZDNet Australia that the decision to shirk a 20,000-desktop refresh and relinquish control over the type of devices staff can use was part of a long-running plan to make the workplace friendlier.

The company will use a mix of Citrix and open-source tools to "create a virtualised and secure interface for BYO devices", the report stated. Such tools could be used to enforce access rights and application controls.

Some security professionals had suggested over social media that allowing potentially vulnerable devices to connect to the company network was risky for a financial services company. Others, however, said the bank will not jeopardise its network or sensitive data with the right security infrastructure in place.

"I think it is realistic, and if properly implemented [it] can improve practical security," said Jack Daniel, a United States-based security professional and director of the National Information Security Group.

He said the BYO device policy is an acknowledgement that staff will connect to corporate networks with their own iPads and mobiles regardless of security policy.

"If you don't have policies for dealing with non-standard devices, it is a safe bet they are being used in violation of policy. Sure, there are some high security environments where you might be able to enforce a 'no stray devices' policy, but in the real world, it isn't going to happen," he said.

"Accept it, embrace the idea, develop plans for allowing the devices to securely operate in your environment."

A general ban on personal devices at work may be misunderstood or ignored by staff, whereas a BYO policy will allow a business to set clear limits and expectations that can be enforced and understood, Daniel said.

"That isn't to minimise the headaches of a myriad of new data loss vectors, but those exposures exist today, and ignoring them does not work," he said, adding that business tends to ignore the issue of lost corporate devices, a "time-honoured" and ineffective way to tick compliance boxes.

Ronin Security Consulting director Matthew Hackling said security must be tight before organisations consider a BYO device policy. He listed five points to be checked off before committing:

• Network segregation of the BYO devices into a "semi-trusted" Virtual LAN so that connections are restricted via a firewall only to a set of understood, authorised, secured and monitored application ports.
• Allowing only an approved set of BYO devices to connect to the network so that the threat environment can be understood and tracked by the security team.
• Offering antivirus and anti-spyware software to staff free of charge for the supported BYO devices to protect against keylogging and "screen scraping" malware.
• Using enhanced authentication to counter the capture of log-ins and passwords via keyloggers.
• Understanding the footprint left in temporary files and browser caches by the applications.