Bring Your Own Device to work, let’s think about that one…

Should it work for you but more importantly can it work for you?

Dave Wharton, Senior Security Consultant, Advent IM

With the proliferation of Smartphones and Tablets there is a growing trend that allows or turns a blind eye to the use of personal devices for work purposes but is it safe and can a company really justify it in the event something goes wrong?  

In an era where flexibility and mobility is the key, there seems to be a growing acceptance by companies (or is it a sense of inevitability) that staff should be allowed to use their own devices to do their work on – BYOD.  Whether this is using a PC at home or using their Smartphones, Tablets and Laptops on the move, there is no question staff are doing it either with or without the blessing of their company.  A recent BBC article on BYOD quoted a survey by Avanade (a business technology company) in which it was found that 88% of executives said employees used their own devices for business purposes (http://www.bbc.co.uk/news/business-17017570).  Another survey found that while 48% of employers would never allow BYOD, 57% agreed that some staff used personal devices without consent.  

So what, might you ask? 

 My PC at work is slow and takes an age to open an email and if I try to do two things at once it just freezes or my boss needs this by tomorrow and I’ll be damned if I’m staying behind again tonight. 

When faced with such challenges is it any wonder that staff want to take advantage of their state of the art device that provides functionality and performance a company ICT manager can only dream of.  The appeal to companies is there also, productivity improves and staff are content but at what price?  Companies that allow BYOD should be under no illusion that it does not come without risk.  By allowing staff to use their own devices, companies are in effect relinquishing control of how their information (sensitive or otherwise) is imported and exported from their business networks and are also allowing the connection of untrusted devices.  Thereby, increasing the risk of malware attacks, data compromise and perhaps more worryingly exposing the business to reputational harm or costly fines in the event of a data protection breach.  Is there any managing director or senior partner who would welcome the scrutiny of the Information Commissioners Officer?

So what is the answer?  The straight forward answer is not to allow it and I am not going to advocate the use of BYOD here.  There are number of reasons why you shouldn’t and perhaps only one reason why you should.  While employee satisfaction is clearly important the main advantage to employers comes down to cost.  By allowing BYOD there are potential savings in ICT infrastructure, as in effect you are passing (somewhat unfairly) the burden of upgrades to your staff.  You could even offer staff an annual bonus for using their own devices and to share the cost of upgrading and still save money.  A very convincing argument in favour of BYOD was also presented on ZDNet (http://www.zdnet.com/blog/virtualization/byod-the-inevitable-reality/3953) although I would disagree (obviously) with the views on security and argue that this is where governance comes in (see below).    

However, as I said earlier if you do so you relinquish control which in my view will always be too high a price.  Now some will argue that as soon as you provide staff with a Smartphone or Laptop you lose control of these devices the second they walk off the premises so why worry about using BYOD.  However, I would contend that this is where governance comes in.  Issuing staff with company owned devices means you determine (among others): 

• What devices are permitted;
• The operating system and how it is kept secure with the latest security updates and patches;
• The strength and quality of passwords used;
• What anti-malware software is used and perhaps more importantly how it is updated:
• How data is stored and protected on the device;
• How and where the device connects to the internet;
• What removable media (eg. USB memory sticks, CDs, etc) is permitted.

And with governance and compliance checking you can ensure that the above points are always maintained and that the device is used in accordance with your companies acceptable use policies.  Can you honestly say your staff will be as vigilant in protecting their own devices, have a look at this regarding passwords on mobile phones (http://www.scmagazineuk.com/consumers-failing-to-take-mobile-security-seriously-says-sophos/article/209294/).  You may also want to consider that your staff will also probably let their friends and family use their devices but will be less inclined to do so with a company owned device.    

To support my view I have a challenge for you.  Take a look at the advice for an effective cyber defence provided by the UK Government’s Centre for the Protection of Critical National Infrastructure (http://www.cpni.gov.uk/advice/infosec/Critical-controls) and see how allowing BYOD compares against the advice provided.  You might also want to see how your organisation’s ICT infrastructure meets the listed controls while you’re on, particularly if you are holding large volumes of customer personal data.     

So should/can BYOD work for you?  My answer is no on both counts.  My advice is organisations that want to protect their own information and that of their clients should even consider implementing an information security management system.  Such as that provided by the International Standards Organisation 27001 standard, which provides a structured series of controls a part of which will assist organisations in implementing a business-supporting and secure ICT programme.    

However and despite my claim I wouldn’t advocate the use of BYOD, if you find yourself in a position where you have no choice.  There are some steps you can take to reduce the risk (if only slightly) of BYOD: 

1. Identify what types of devices will be permitted and which won’t;
2. Authorise permitted devices and block all others;
3. Segregate particularly sensitive company/client data on the network and consider what access will be permitted from remote devices;
4. Insist on specific encryption standards for data storage and using WiFi;
5. Insist that anti-malware is installed, kept up to date and the device is regularly scanned;
6. Insist that a remote emergency wiping capability is added to the device for if the device is lost/stolen;
7. Keep up to date with the latest threats and vulnerabilities and have a policy in place for responding accordingly;
8. Develop, educate and enforce BYOD policies that cover Steps 1 to 7 and:

•  Immediate actions if the device is lost or stolen
• The impact on a staff member’s expectation to privacy when connecting their device to the company network;
• How the device can connect to company networks;
• Acceptable use for email and the internet;
• The wiping of data when a staff member upgrades/replaces their device;
• The wiping of data when a staff member leaves the company.

Consider compliance checking on devices to ensure the above is occurring;

Consider what support options the company might offer for the devices.

Dave Wharton, Senior Security Consultant, Advent IM

FOI and the Great British Public

A Guardian article yesterday said that Civil Servants feel that The Freedom of Information Act (FOI) has not improved Government.

You can read it here if you missed it.

You’ve got to have a system.

I agree with the bulk of this article. I am not totally convinced that “Joe or Joanne Bloggs” were ever really sure what FOI is meant for.

Of course, there have been some crackpot, waste of time requests. That was always going to happen. But to quote our Commerical Director, “Freedom of Information – nice idea, but it’s not being used to any great effect by the public. This seems to driven by an apparent apathy. ” She goes on to say, “The country gives the appearance sometimes of being politically disinterested – just look at the turn out for local elections. The key question is, if it’s purpose was to engage the public was it just poorly promoted or is the Great British Public just indifferent and apathetic?”

Good question. It seems to me that the more local it gets, the interested people get, as Local Government appears to receive more FOI requests (shame they aren’t quite so keen on turning out for elections but there we are). This may indicate a disconnect with Central Government and lack of interest or that people generally want more information about the ‘in my backyard’ type of question.

So what do people think of FOI? There seems to be confusion between FOI and Data Protection Act – again think about how these have been presented to the public and it may not be so surprising. Few people realise that organisations have an obligation to maintain a publication scheme and few public organsations proactively market their publication schemes.

FOI seems to come into its own for journalists looking for information – sometimes justified, sometimes salacious, for their stories. This is in danger of bringing the whole scheme into disrepute and that would be a shame.

I spoke to Mike Gillespie, our MD about this yesterday and he said, “Yes, however don’t lose sight that this report discussed in the article, was written by civil servants, and civil servants have to process FOI requests…” So imagine that now it is beginning to be viewed and discussed as a “costly burden” means there may be changes ahead.

The new EU General Data Protection Regulation and the right to be forgotten

The new EU General Data Protection Regulation, to provide greater harmonization of data protection rules across Europe,  will be published on 26 January.  So what? 

The right to be forgotten? If Data Protection principles are being adhered to, is it really a change?

Well, rather than being something radically different or new for organisations and data controllers to get to grips with, the new Regulation trumpets compliance with two of our existing data protection principles; Personal data shall not be kept for longer than is necessary, and Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA).

For example, the much-heralded ‘le droit à l’oubli’ clause (‘the right to be forgotten’ apparently, although my school boy French was limited to ordering half a kilo of sausages with predictably hilarious results) will require person’s internet histories to be deleted after use (e.g. cookies) has incited some rather inflammatory statements in some areas.  Data protection compliance has been likened to some onerous kill-joy like Blakey from the bawdy 1970s television programme ‘On The Buses’ (http://www.scmagazineuk.com/new-data-protection-laws-will-see-blakey-in-every-business/article/218287/?DCMP=EMC-SCUK_Newswire).  However, in the end this is just applying the well-worn requirement to retain information for only as long as you require and then permanently delete it.

Likewise, the ‘new’ Regulation also addresses extra-territorial actions by third countries such as the USA Patriot Act and the USA Foreign Intelligence Surveillance Act and imposes barriers for foreign judicial authorities to access European data.  This issue became international news recently when a US court requested European Twitter account details (http://www.bbc.co.uk/news/world-us-canada-12459989).  However when all is said and done the Regulation is only reinforcing what we should all be doing anyway; i.e. not transmitting personal data outside the EEA unless there is a good and lawful reason (for the UK these are set out in Schedule 4 of the Data Protection Act – http://www.legislation.gov.uk/ukpga/1998/29/schedule/4).

The Regulation is also published against the growing issue of Cloud-based computing platforms, where service providers experience host client data globally is and it is not always clear that all of the information is permanently deleted when the client goes elsewhere.

So how do organisations ensure compliance with data protection against a backdrop of technological change, increased costs and a more competitive market place?

Well, I am sorry if it is a disappointment to you, but you do not all need to go out and get a ‘Blakey’ (anyway, there are not enough of us to go around!)

• Firstly, identify accountable business ‘experts’ to be responsible for your business data, including compliance with statutory requirements like data protection (they could also be ‘on point’ for information security and business continuity in their areas, but I digress);
• Secondly, talk to and coordinate these business representatives to find out where your organisation’s personal data is (a small governance team would be ideal).  It is amazing where it ends up (e.g. cookies) and you can’t look after it until you know where it is;
• Next, identify the legal, regulatory, contractual, best practice and business requirements for your business information; and
• Finally conduct regular assessments of your compliance against these requirements so you can monitor progress (or otherwise).

Advent IM Consultant – Mark Goddard

The safest place to keep your data…”Cloud” or “Train”..?

How will “Cloud” compete with “Train”?

We all know that the Cloud is the place to store all your data right? We used to think that “Train” was the best place to store our data and some traditionalists, such as the person who left the Olympic Security plans on “Train” clearly think it’s still the best data storage option. Of course, there is also “Taxi”  – still popular but you can only get your data to go on a maximum 20 mile round trip, so it’s a bit limited really. Not as limited as “Pub” though this is a data storage concept that is still hanging around after all these years.

“I found this on the back seat of a Taxi.”

OK,  joking aside, are businesses and organisations going into the Cloud fully armed with information? If they aren’t, then they may as well stick with Train and Taxi. We have put together a guide to help inform, dispel some myths – as we see them, and give some real clarity and guidance. With sincere thanks to our gifted and expert Consultants.

SC Magazine published an interesting piece just before Christmas on Cloud computing (http://www.scmagazineuk.com/loglogic-the-public-Cloud-will-be-breached-next-year/article/219907/).

Amongst the issues identified in the article were:

• That Cloud-based infrastructure has a distinctive threat profile (right);
• That the answer to Cloud security is through compliance and standards (to a degree); and
• That Cloud service providers should be regulated by an independent body (we don’t agree).

These three assertions are worth some further digging and clarification.

The distinguishing threats relating to Cloud services have been well publicised but here is a quick run-down of our top Cloud-based information security threats:

I.            System Complexity – Public Cloud services offered by providers have a serious underlying complication—subscribing organisations typically share components and resources with other subscribers that are unknown to them. Threats to network and computing infrastructures continue to increase each year and have become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and requires a high level of assurance for the strength of the security mechanisms used for logical separation.

II.            Shared Multi-tenancy – While not unique to Cloud computing, logical separation is a non-trivial problem that is exacerbated by the scale of Cloud computing.  An attacker could also pose as a subscriber to exploit vulnerabilities from within the Cloud environment to gain unauthorized access.

III.            The Internet – Applications and data that were previously accessed from the confines an organisation’s network, but moved to the Cloud, must now face increased risk from network threats that were previously defended against at the perimeter of the organisation’s network and from new threats that target the exposed end-points.

IV.            Compliance – When information crosses borders the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns. Consequently, constraints on the trans-border flow of sensitive data, as well as the requirements on the protection afforded the data, have become the subject of national and regional privacy and security laws and regulations. Among the concerns to be addressed are whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits.

V.            Loss of control – Remote administrative access as the single means of managing the assets of the organisation held in the Cloud also increases risk, compared with a traditional data centre, where administrative access to platforms can be restricted to direct or internal connections

VI.            Mechanism cracking – With Cloud computing, a task that would take five days to run on a single computer takes only 20 minutes to accomplish on a cluster of 400 virtual machines. Because cryptography is used widely in authentication, data confidentiality and integrity, and other security mechanisms, these mechanisms become, in effect, less effective with the availability of cryptographic key cracking Cloud services. Granted this isn’t just a Cloud based threat – traditional types of system are also possible targets.

VII.            Insider Access / Threat – Data processed or stored outside the confines of an organisation, its firewall, and other security controls bring with it an inherent level of risk. The insider security threat is a well-known issue for most organisations and, despite the name, applies as well to outsourced Cloud services. With the Cloud, insider threats go beyond those posed by current or former employees to include contractors, organisational affiliates, and other parties that have received access to an organisation’s networks, systems, and data to carry out or facilitate operations. Incidents may involve various types of fraud, sabotage of information resources, and theft of confidential information. Incidents may also be caused unintentionally—for instance, a bank employee sending out sensitive customer information to the wrong Google mail account.

VIII.            Data Ownership - The organisation’s ownership rights over the data must be firmly established in the service contract to enable a basis for trust. The continuing controversy over privacy and data ownership rights for social networking users illustrates the impact that ambiguous terms can have on the parties involved. Ideally, the contract should state clearly that the organisation retains ownership over all its data; that the Cloud provider acquires no rights or licenses through the agreement to use the data for its own purposes, including intellectual property rights or licenses; and that the Cloud provider does not acquire and may not claim any ownership interest in the data.

IX.            Data Sanitisation - The data sanitisation practices that a Cloud provider implements have obvious implications for security. Sanitisation is the removal of sensitive data from a storage device, including servers, in various situations, such as when a storage device is removed from service or moved elsewhere to be stored. Data sanitisation also applies to backup copies made for recovery and restoration of service, and also residual data remaining upon termination of service. In a Cloud computing environment, data from one subscriber is physically combined with the data of other subscribers, which can complicate matters. For instance, many examples exist of researchers obtaining used drives from online auctions and other sources and recovering large amounts of sensitive information from them.

So what is the answer to these Cloud-based security conundrums?  Compliance with information security standards as Mr Churchward* suggests.  Well, in part is the rather cryptic answer to that one, I think.  There are some very good information security standards and control sets out there (COBIT, ISO/IEC27001:2005 and the UK government’s HMG Information Assurance Standards being just some examples).  However, every experienced information security professional will know or have known at least one organisation for which the having the standard is the means as well as the ends and that frustratingly they maintain a visage of information security competency when the assessor arrives for their next audit but that in-between audits security is just a byword for inconvenience.  So if

The sight of a Cloud services provider brandishing a given security certification is not sufficient assurance, what is?  We suggest these three steps to Cloud contractual heaven:

1. The right to audit.  And then do it.  And don’t pick a service provider who is based a 36 hour flight away unless you – and your management – are prepared to send someone to their data centre to do the audit!
2. Talk to prospective service providers about the threats above.  If they are coy, defensive, or babble techno-speak make sure you are content to receive the same level of effrontery when you have a query, business interruption scenario or concern about your data.
3. Does the would-be service provider sub-contract out its storage, security, administration or anything else?  The very flexibility of Cloud-based services means your data or responsibility of your data can be syndicated out by your nominal provider in the blink of an eye.  You wouldn’t sub-contract out your office space so readily would you…?

On the point of standards, it is probably worth clarifying a couple of points for the unwary arising from the SC Magazine article:

• ISO/IEC27001:2005 is the international (not just UK) standard for Information Security Management Systems.  ISO/IEC27002:2005 is the accompanying guidance for the implementation of the security controls listed in Annex A of ISO/IEC27001:2005;
• Neither ISO/IEC27001:2005 or ISO/IEC27002:2005 mention Cloud computing however most of the 133 controls are or could be applicable to a Cloud computing environment.  The explicit inclusion of reference to Cloud services is amongst proposals for changes to the Standard in the future; and
• There are already two approved international standards for Cloud-based technology relevant to security (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=53458 and http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=59388), though they are definitely for the propeller-heads amongst you!!

And what of Mr Churchward’s* assertion that “we need something externally policed, not self-certified, and a recognised industry body”?  Well, I am not sure we agree insomuch as regulatory, and enforcement bodies already exist for all sorts of activities relating to information security, Cloud-based or otherwise, and it seems an unnecessary burden to introduce another.  Bodies with an interest in maintaining and improving Cloud security include statutory regulators such as the Information Commissioner’s Office (ICO), and indeed the Irish Data Protection Commissioner is currently working with one well-known international Cloud operation (Facebook) to improve their compliance arrangements (http://dataprotection.ie/viewdoc.asp?DocID=1175&m=f).

So to wrap up, we recommend that organisations considering entering in to agreements with Cloud service providers:

Conduct appropriate due diligence before doing so, including a full risk assessment, considering the risks laid out above;

1. Make sure that they have the right contractual security clauses in place falling out from the risk assessment (e.g. if data sanitisation is a major issue for your organisation, make sure it is robustly referenced in the contract); and
2. Ensure that your external service providers, including Cloud operators, are part of your audit and assurance programme (this programme should also be risk based – looking at the higher priority areas more frequently and in more depth).

www.advent-IM.co.uk

*LogLogic CEO Guy Churchward – quoted in SC Magazine article

Integrated Security – Mike Gillespie

As promised the follow up to Mike’s speaking engagements and a chance to watch and listen to his expert comment and opinion on system integration.

With thanks to Gallagher for the invitation to speak at their Command Centre V7 launch event.

Ellie

www.advent-im.co.uk

 

Security System Integration – follow up on Mike’s speaking dates

I am in the process of editing the video of Mike’s speaking engagements. This should be up and running next week at some point and will feature on the website and on our YouTube channel. I will post details here.

We know that integrating security systems works to both save cost and improve efficiency. We also know that integrating security and Building Management systems can take this to a whole new level. Watch this space.

Knock Knowe – astonishing house and landscape design at Earlston

Knock Knowe – astonishing house and landscape design at Earlston.