Firewalls for BYOD, Hacktivism and Today’s Highly Distributed “Network”

IT Managers Aren’t The Only Ones Aware of The BYOD Trend – Attackers are Too! Is Your Security Strategy Ready?

This article is the third installment in my “firewall” series. (Read Part I, Part II)

Bring Your Own Device (BYOD) and hacktivism: this is the language of today’s IT decision makers. Their challenge is architecting networks that can survive and thrive within these new market motions by enabling a highly mobile workforce.

For corporate IT departments, security strategy used to be about control. If you could sanction which devices could connect to networks, you could manage device and connection security. Now the challenge is enabling productivity. Allowing employees to bring the smartphones and tablets of their choice to work environments isn’t merely about keeping them happy; it’s about allowing them to work more efficiently using the productivity and enterprise applications that have become a mainstay on these devices. Consider how many of us use note-taking and expense-reporting applications. While they may not be company sanctioned, they help manage critical information, turning our handhelds into extensions of the company’s network and intellectual property stores.

IT managers aren’t the only ones aware of this BYOD trend – attackers are too. Whether their aim is to promote a cause (hacktivism) or turn a profit, our mobile devices constitute perhaps the easiest way to do so. This means security strategy becomes about pervasiveness – from any device to any point of connectivity into the business network – access policies, and protections from unwanted or unknown traffic and data.

If you’re reading and think your firm is too small to worry about this, think again. When it comes to digital theft, no business is immune. Headlines are full of local grocery store and family-owned auto sales firms whose Internet-connected point of sale devices and customer databases were compromised. Thieves want credit card and identity information and, if your spot in the world deals with this information or connects to it, that spot becomes a place of potential vulnerability.

So if you’re an IT manager or security stakeholder that has to manage a highly distributed network with many small or large branch locations as well as a mobile workforce, how do you regain control and assure protections to corporate intellectual property without imposing limits and restrictions on users and their devices? The answer is you need to consider a security strategy that accounts for the entirety of the network and its access points. Consider how connectivity and data flows will take place in your network. For the typical “campus and branch” (aka hub and spoke) or highly distributed network, you’ll need to provision each branch location with the following:

1. Device qualification: for mobile devices, tablets and laptops, you’ll want the means to scan the device to make sure all the credentials needed to on-board the device to your network are up-to-date. Non-compliant devices should be quarantined and updated with the right security configuration before joining

2. User authentication: for today’s hyper-connected and mobile workforce, you’ll need the means to associate multiple devices with a single user and allow them privileges on the network regardless of location. Better solutions will allow you to combine device, location and user information into an authorization policy that can give differentiated access privileges.

3. User and application level policy enforcement: with the preponderance of today’s threats aiming at applications and web use, you’ll need advanced security measures that look for application embedded malware and complex attacks. These types of protections are most effective when they are continuously applied but computationally intensive. Look for solutions that have good performance metrics with advanced security features turned on.

4. Control of devices for data leakage: since our smartphones and tablets are turning into extensions of our laptops and databases, you’ll want to consider continuous protections of the device itself. Centrally managed solutions that ensure data protection, access control, remote location and device wiping can help you mitigate a great many of the risks without impeding use.

Some other considerations as you build out your security strategy are performance and resilience. You’ll have an array of options here for how to ultimately proceed, so you may want to create your “shopping list” or requirements here. Devices providing security and connectivity at your retail or spoke location need to be every bit as high performing and available as the hub or data center aggregation devices to which they connect. You’re looking to handle bandwidth-hungry applications with wire speed and multiples layers of redundancy at the retail or spoke location without the security penalties or “taxes” that a lot of the legacy products used to incur. Better solutions will consolidate routing, switching, access and security features in one device so that implementation at multiple locations remains cost effective.

So what is the moral to this installation of this three part firewall series? The BYOD phenomenon is bringing with it tremendous opportunity for employee productivity gains as long as the bad guys looking to exploit it are kept at bay. The best way to protect and manage networks in this environment is with a holistic strategy, one that comprises all device types, connection needs, and application use. Siloed network management isn’t as effective because it creates communications gaps in the definition and application of security policies and results in significantly more complex administration. So, be sure that the access controls that govern your data center also extend to all of your network access points including those we hold in our palms.