BYOD Security Planning
Posted on Mon, Apr 18, 2011 @ 10:11 AM
BYOD (Bring Your Own Device) is a growing trend that encourages an organization to embrace the consumerization of IT and allow its employees to use their personal devices, usually smartphones, iPads and other tablets, for work. But while the concept offers many potential benefits (reductions in end-user device management, greater mobility and satisfaction for the workforce, among others), BYOD can become a nightmare if the appropriate security measures are not put in place.
If you’re an IT professional, there’s a good chance you have experienced first-hand the damage an unauthorized personal device can do to a network. A common misconception is that application and/or desktop virtualization eliminates this problem because the devices don’t have direct access to corporate assets, but the fact is that as soon as an end user connects a personal device to your network, a communication channel must be established. That channel is all a virus needs to spread through the network, regardless of your virtualization setup.
Moreover, if a computer that is given access to your network is unknowingly participating in a botnet, then a communication hole can be opened up in your firewall, and any nefarious activity that results can be traced back to your organization’s network.

BYOD Security Tools
So, how do you reap the benefits of a BYOD program without compromising your network security? Following are five BYOD security tools that can help you get started:
- Network Access Control (NAC)
- Full Disk Encryption
- Personal Software Firewalls
- Antivirus/Adware/Spyware/Malware Software
- Host-based Intrusion Prevention Systems (HIPS)
Network Access Control
In a nutshell, NAC establishes a gateway to your network that only allows approved devices to access it. With NAC, you set up a separate, isolated network that scans newly connected devices to check for proper protection against viruses, spyware and malware before they are admitted. A NAC solution can also be used to ensure that network communication between the endpoint and the virtualization technology the user has been given access to is secure, and that it is limited to that particular virtualization solution and approved device.
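As an added illustration (not code from the post or from any NAC product), here is a small admission policy of the kind a NAC gateway evaluates for a device sitting in the isolated scanning network. It checks the device against the other four controls this post lists and places it on the corporate network, a quarantine network, or denies it; the posture field names, hostnames and the three-day definition-age limit are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Posture report a NAC agent might gather from a device that has just joined
# the isolated scanning network. Field names are assumptions for this example.
@dataclass
class Posture:
    device_id: str
    enrolled: bool                   # on the organisation's approved-device list
    av_installed: bool
    av_definitions_date: Optional[date]
    firewall_enabled: bool
    disk_encrypted: bool
    hips_enabled: bool

MAX_DEFINITION_AGE = timedelta(days=3)   # policy value chosen for the example

# Destinations a device may reach after placement. The corporate network is
# restricted to the virtualization broker only; hostnames are assumed.
ALLOWED_DESTINATIONS = {
    "corporate":  {"vdi-broker.corp.example:443"},
    "quarantine": {"remediation.corp.example:443"},
    "deny":       set(),
}

def admission_decision(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return ('deny', reasons) for unenrolled devices, ('quarantine', reasons)
    when any protection check fails, or ('corporate', []) when all pass."""
    if not p.enrolled:
        return "deny", ["device not enrolled"]
    failures = []
    if not p.av_installed:
        failures.append("no antivirus")
    elif p.av_definitions_date is None or today - p.av_definitions_date > MAX_DEFINITION_AGE:
        failures.append("antivirus definitions stale")
    if not p.firewall_enabled:
        failures.append("personal firewall disabled")
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    if not p.hips_enabled:
        failures.append("HIPS not running")
    return ("corporate", []) if not failures else ("quarantine", failures)

def allowed_destinations(p: Posture, today: date) -> set:
    """Destinations the NAC gateway should permit for this device right now."""
    placement, _ = admission_decision(p, today)
    return ALLOWED_DESTINATIONS[placement]
```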
Full Disk Encryption
Full disk encryption is a primary tool for mobile-device security. Whether software or hardware encryption is deployed, the process is the same. All data on the hard drive of the mobile endpoint is run through a NIST-certified encryption algorithm that ensures the data remains unreadable unless it is unlocked with the proper form of authentication and authorized credentials. Once unlocked, only the information that is requested is decrypted and presented.
Be aware, however, that full disk encryption has limitations. For example, it won’t protect against network attacks — if your mobile endpoint is actively connected to a wireless or wired network, then full disk encryption cannot protect your data from someone who is trying to access it from the network itself. This is where personal software firewalls come in.
Personal Software Firewalls
A personal firewall is an application that controls network traffic to and from a computer, permitting or denying communications based on security policies. It acts as a guard at the network gate, only letting in authorized entities.
Personal firewalls are a necessary line of defense against unauthorized network access, but what about network access that has been “authorized” unknowingly, i.e., spyware? Most people do not go looking for this kind of thing, and it’s usually a surprise when it happens. This is where protection software becomes important.
Antivirus/Adware/Spyware/Malware Software
The “anti” programs are the most widely known and used security measures in both the corporate and consumer technology spaces. The job of the “anti” programs is to monitor, stop and provide remediation of known virus, malware, spyware and adware threats. Each of these four categories has its own unique prevention and remediation measures, but the basic function of all “anti” programs is the same: to stop the threats before any damage can be done.
However, these “anti” programs have their limits, too: they can only respond to known threats. If the protection software manufacturer is not aware of a threat, or has not updated the program against one, then a vulnerability exists. This is where host-based intrusion prevention systems can play a role.
Host-Based Intrusion Prevention Systems
If “anti” programs are reactive solutions, a HIPS is a proactive one. A HIPS learns how a particular program is supposed to act, then monitors that program for behavior that is outside of those learned parameters. For example, if Microsoft Word attempted to access your email-contacts database when you tried to bold some text, the action would be flagged by the HIPS and either denied or held, pending your authorization to proceed.
However, since a HIPS works by learning the approved and unapproved behaviors of the applications it monitors, it requires a lot of fine-tuning over time. Luckily, most HIPS vendors have a master definition file that all of your endpoints can share, which can be updated from the clients (mobile devices) and shared with the other endpoints. This allows for a more dynamic learning process and relieves the IT department of the burden of constant updates for multiple clients.
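To make the learning, sharing and enforcement cycle described in the two paragraphs above concrete, here is an added example (not code from the post or from any HIPS vendor) of a behavior baseline: each endpoint learns which actions a program performs, the learned profiles are merged into one shared master definition, and an action outside that baseline is held for the user's authorization, which then feeds back into the master. The program names, action strings and glob-style matching are assumptions made for the example.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample of (program, action) pairs observed on two endpoints
# during their learning periods. Action strings are patterns of the form
# "<category>:<operation>:<target>"; the format is an assumption.
LEARNED_ENDPOINT_A = [
    ("winword.exe", "file:read:*.docx"),
    ("winword.exe", "file:write:*.docx"),
    ("winword.exe", "net:connect:update.example.com:443"),
]
LEARNED_ENDPOINT_B = [
    ("winword.exe", "file:read:*.docx"),
    ("winword.exe", "print:spooler"),
    ("outlook.exe", "file:read:contacts.db"),
]

def learn(events):
    """Learning mode: record the set of actions each program is allowed."""
    profile = defaultdict(set)
    for program, action in events:
        profile[program].add(action)
    return profile

def merge_master(*profiles):
    """Combine several endpoints' learned profiles into the shared master
    definition, so behavior learned on one device is known on all of them."""
    master = defaultdict(set)
    for profile in profiles:
        for program, actions in profile.items():
            master[program] |= actions
    return master

def evaluate(master, program, action):
    """Enforcement mode: 'allow' when the action matches a learned pattern for
    that program, otherwise 'hold' pending user authorization."""
    patterns = master.get(program, set())
    if any(fnmatchcase(action, pattern) for pattern in patterns):
        return "allow"
    return "hold"

def authorize(master, program, action):
    """The user approves a held action: add it to the master definition so
    every endpoint sharing that file learns it."""
    master[program].add(action)
```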
Whether or not you have a BYOD program in place, the encroachment of employee-owned devices into the IT environment is likely to accelerate in the coming years. With these security measures in place, your organization can reap the benefits of new IT models, without putting corporate data at risk.
Your Thoughts?
What security measures are you taking to protect your data in new computing environments?
Jason Dell is a Converged Network Solution Consultant at MCPc, and is responsible for developing and programming custom solutions for clients. His expertise includes network security and security for mobile devices in the enterprise. Connect with Jason on LinkedIn.