It’s time to start treating every device as if it’s infected

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://memeburn.com/2015/02/its-time-to-start-treating-every-device-as-if-its-infected/

Christmas has come and gone and, if gadget sales figures are anything to go
by, many people were given mobile phones, PCs, laptops and tablets as gifts.

It’s an IT department nightmare. Most of the shiny new gadgets – iPads,
iPhones, Samsung devices, Nexus devices and countless more – will make
their way into the enterprise, and that will result in increased security
risk.

Workers will want and expect the same level of access to their data they
get on their work PC or mobile device. It’s a tough battle for IT to find
that balance between enabling workers to do their jobs and protecting all
that vital and sensitive data.

BYOD, of course, is not a new phenomenon. It’s something IT departments
have been dealing with for years… but it is resulting in a fundamental
change to the way organisations are approaching security or ‘should
approach security’ may be a better way of putting it, because we are still
seeing a lot of businesses that haven’t gotten to grips with it yet.

These changes being driven by BYOD are reflective of the wider industry,
and are not necessarily a bad thing. The traditional approach to security
simply isn’t working anymore. Companies are still being hacked and
sensitive data, credentials and money are still being stolen.

The perimeter has shifted; no longer is it all about the data centre. The
perimeter is now the device, wherever that may be. But devices are not
worth protecting. The value is in the data; it’s in the applications on
that device. Protect those and suddenly an organisation’s security feels
much stronger. Focus security on protecting the data that is flying across
your network, from data centre to device.

One way of coping with the influx of employee-owned devices is to contain
the device into personal and business identities. When in business mode the
worker can only access what the business lets them, such as emails or
IT-approved apps. When in personal mode, the user can do whatever they want
without fear of crossover with the business identity. But obviously this
doesn’t work for all requirements

Here’s another tip: Treat every device as if it’s infected, as if it’s a
threat. Starting from that viewpoint will ensure a business focuses its
protection on the right target, protecting what’s important: the data and
the application. Transparently check the device, provide access to apps
based on the context of the session, not the user and the device. Then
create dynamic policies that can grant access, check for compromised
sessions and dynamically adapt to the threats in real-time.

This means moving security away from protecting physical devices and
end-points and adopting a more context-based approach. Who, which, where,
and what are all key questions to consider when looking at security. Who is
attempting to connect to the network? Which device are they using? Where
are they trying to connect from? What are they trying to access? Next
Generation is not enough; we need to consider what next-next generation
security looks like.

Doing this instead of a blanket approach to security means a business will
be much more agile and be able to respond to specific and emerging security
threats. This helps workers get their work done without compromising
sensitive information, keeping everyone happy.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!