SPOTLIGHT: COVER FEATURE


Three Steps to BYOD Heaven

We will leave the last word to the chief security architect at NetIQ, Michael Angelo, who told Infosecurity that the key to implementing a successful BYOD scheme is defining the use of the device, the risks involved in that usage, and the risk to the corporation.


“When it comes to bringing personal devices into the workplace, information security professionals need to enable the CEO to make an informed decision by explaining what the risks are of bringing consumer IT into the workplace and how it can be managed”, Angelo explains. That risk, he imparts, needs to be discussed across three different levels: the risk to the corporation and its assets, such as IP, customer data, and business plans; the risk to the assets of the customer and their personally identifiable information; and the risk in as far as what BYOD means for the employee, their assets, and any business or personal information that may be held on the device.


“Only by communicating the potential threat to information or the company’s reputation”, Angelo concludes, “can the IT department enable the CEO to make an informed decision regarding BYOD”.


Head-to-head

FOR:


Peter Cox, CEO of UM Labs, argues that the BYOD tide is unstoppable and any attempt to control it will fail. “Security departments that attempt policies prohibiting BYOD spend all their time in a futile effort to enforce the policy at the detriment of the real security issues”, Cox warns, adding “from a security standpoint it is far better to embrace it and turn it to an advantage.” With correct policy in place he sees no reason why the CEO, or anyone else, should leave their iPad at home. “Many organizations – including a number of law enforcement bodies – are actively pursuing BYOD policies and are extending the security controls beyond data by harnessing the power of tablets and smartphones to encrypt both calls and voicemails”, Cox told us. “The BYOD policy enables these additional security controls to be implemented while at the same time reducing operational costs, because user-owned devices are likely to be upgraded more frequently than devices on corporate contracts and because the cost of a corporate contract can be avoided by piggy-backing on a personal contract.”


AGAINST:


Pavel Luka, CTO at ESET, argues that while it may seem like a good idea to let the CEO and other employees use their favorite hardware, those people responsible for corporate security have good reason not to agree. “A typical corporate laptop would have full-disk encryption, a security solution deployed and up-to-date patches installed regularly by skilled professionals, and the user would have no admin rights and therefore limited possibility to do something stupid”, Luka insists.


He continues: “some say that virtualization enables safe BYOD, running a tied up and secured corporate virtual machine for work or even just a thin client on a personal device, but I think there are still considerable risks such as key-logging malware”. As for the actual question of whether the CEO should leave his/her iPad at home, Luka provides us with the perfect answer: “they should ask their CISO”.


www.infosecurity-magazine.com /// 27

