It’s time to start treating every device as if it’s infected

Christmas has come and gone and, if gadget sales figures are anything to go by, many people were given mobile phones, PCs, laptops and tablets as gifts.

It’s an IT department nightmare. Most of the shiny new gadgets – iPads, iPhones, Samsung devices, Nexus devices and countless more – will make their way into the enterprise, and that will result in increased security risk.

Workers will want and expect the same level of access to their data they get on their work PC or mobile device. It’s a tough battle for IT to find that balance between enabling workers to do their jobs and protecting all that vital and sensitive data.

BYOD, of course, is not a new phenomenon. It’s something IT departments have been dealing with for years… but it is resulting in a fundamental change to the way organisations are approaching security or ‘should approach security’ may be a better way of putting it, because we are still seeing a lot of businesses that haven’t gotten to grips with it yet.

These changes being driven by BYOD are reflective of the wider industry, and are not necessarily a bad thing. The traditional approach to security simply isn’t working anymore. Companies are still being hacked and sensitive data, credentials and money are still being stolen.

The perimeter has shifted; no longer is it all about the data centre. The perimeter is now the device, wherever that may be. But devices are not worth protecting. The value is in the data; it’s in the applications on that device. Protect those and suddenly an organisation’s security feels much stronger. Focus security on protecting the data that is flying across your network, from data centre to device.

One way of coping with the influx of employee-owned devices is to contain the device into personal and business identities. When in business mode the worker can only access what the business lets them, such as emails or IT-approved apps. When in personal mode, the user can do whatever they want without fear of crossover with the business identity. But obviously this doesn’t work for all requirements

Here’s another tip: Treat every device as if it’s infected, as if it’s a threat. Starting from that viewpoint will ensure a business focuses its protection on the right target, protecting what’s important: the data and the application. Transparently check the device, provide access to apps based on the context of the session, not the user and the device. Then create dynamic policies that can grant access, check for compromised sessions and dynamically adapt to the threats in real-time.

This means moving security away from protecting physical devices and end-points and adopting a more context-based approach. Who, which, where, and what are all key questions to consider when looking at security. Who is attempting to connect to the network? Which device are they using? Where are they trying to connect from? What are they trying to access? Next Generation is not enough; we need to consider what next-next generation security looks like.

Doing this instead of a blanket approach to security means a business will be much more agile and be able to respond to specific and emerging security threats. This helps workers get their work done without compromising sensitive information, keeping everyone happy.

Image: David Shackelford