Cloud Security & BYOD: It’s Bigger Than Just the Device

By Paul Mazzucco, TierPoint Chief Security Officer Paul Mazzucco

Bring-Your-Own-Device (BYOD) is huge in business IT these days. It is the changing face of corporate workstation infrastructure and it’s also out of control.

I mean that literally: the majority of businesses do not currently control BYOD access and device usage with adequate security safeguards. Consider:

  1. 90% of IT professionals involved with mobile device management, policy development or security support are developing such policies
  2. And yet 90% also say they do not have the capability to stop employees using their personal mobile devices to access enterprise systems

Complicating the problem: most companies seriously miscalculate their risk because they consider only the device, not the server or application infrastructure as well. Many companies can’t even identify what mobile devices are on their networks, much less what’s being accessed or changed. Only 32% of organizations worldwide even conduct security audits of systems being accessed by employee devices!

Add to this the fear and reluctance many employees have in letting IT Security have access to their devices for the sake of security and you can easily see the uphill battle we are facing.

Every business is a potential target

Miscalculated risk and inadequate security controls, in turn, leave companies vulnerable to hackers and insiders alike, with security issues ranging from data leakage and insider attacks to malware and intrusion (like the epic hacks that hit Target in 2013 and, more recently, Home Depot).

It’s all about low-hanging fruit. Hackers are less and less able to get through the sophisticated firewalls and routing infrastructure that most modern-day cloud providers can give you. Nobody leaves all their ports open; nobody of any substance presents client environment to the outside world without first locking down the things that hackers used to exploit immediately.

And because all the cloud providers have adopted so many new layers of security, hackers are starting to push back on one of the easiest attack vectors today: BYOD.

Left to their own devices, humans are the weak link

So BYOD is our biggest concern these days, and it’s because the least-secure piece of an infrastructure is the human element. Human behavior hasn’t changed, and hasn’t kept up with, the advent of this new technology.

In fact, what we find from a behavioral aspect is that, because professional clouds are so secure now, people have a false sense of security in how their data is managed on the inside.

iPhones, Android, iPads, Kindle tablets, all of these are now the new gateways for hackers who want to get inside these machines, sit dormant (for an average of 204 days), and wait until there’s an opportunity for them to look at screenshots, look at what traffic is flowing, and see from the inside-out if there’s the ability to go in and actually exploit something inside a company’s operations.

Cloud security that blows hackers out of the sky

Would it surprise you to learn that a professionally built and administered cloud can actually remediate BYOD risks? It shouldn’t. Security research firm Alert Logic found 28% fewer incident types among customers of cloud hosting providers than those utilizing enterprise data center environments. That’s because a company like TierPoint does nothing but monitor it all the time, to keep it fortress-grade secure.

According to the Cloud Security Alliance (a consortium of companies including Microsoft and Google):

“Enterprises should be able to remotely wipe the apps and data in a secure container, should a device be lost or stolen, or if an employee leaves the company. In addition, enterprises should ensure that mobile workers can perform all their work-related tasks with apps that have been officially provisioned by the enterprise.”

That’s easier said than done, of course; but that’s exactly where the cloud comes in.

Not just any cloud will do, however. Even though your employees most likely rely on personal cloud-providers like Dropbox to secure confidential company files, third-party security practices are ultimately opaque and not under your control. (That’s where the term “Shadow IT” comes from.)

Instead, we have specific guidelines regarding what to look for in cloud providers, with explicit action steps you can take on your end to secure your BYOD program. We’ve detailed our recommendations in our new white paper, “BYOD: Is this exploding trend a security time-bomb?” (Hint: the answer is only ‘yes’ if you don’t follow best practices to secure yourself).

I invite you to download the paper today. It could help save you the kind of costly migraine Target and Home Depot know all too well these days.