I don’t want to scare away potential readers here – though let’s be realistic, it’s just me and the cat – but I want to write up some thoughts on IT security policy and particularly … BYOD (I know. I’m sorry, I’m sorry. Please come back?).
This came up at work recently, as it seems to do on a regular basis. As far as I can tell there are two distinct camps, which I will caricature as follows:
1. The Power User. “Check out this shiny new tablet I bought! Let me just chuck it on the corporate wifi and add my email account. What do you mean only authorised devices are allowed on the wifi? This is ridiculous: it’s becoming abundantly clear to me that corporate IT do nothing but sit on their arses and make my life difficult. In fact, I will further my argument with a comparison between IT and Nazi Germany. QED, bitches.”
(sneaking “bitches” in by paragraph three: who said corporate BYOD policy couldn’t be fun?)
2. The Network Nazi. “Good grief, have you seen how mindbogglingly insecure the average mobile device is? It’s like a feeding frenzy of your user data: advertising companies are sucking it off left right and centre, Google and Apple are tracking every move you make, and to top it all the NSA is probably listening to everything you say. And that’s before we even get to the malware, which is so prolific as to be basically the norm. If you think I’m letting any of these virus-encrusted repositories of security disaster anywhere near my network then you’ve got another think coming, mister.”
The two groups then typically engage in a constructive debate, where each side makes silly noises and denigrates the other’s heritage. The Power User then goes and adds their tablet to the wifi anyway, the Network Nazi throws up their hands in despair at the intractable issue – perhaps engaging in some MAC address blocking to slow the Power User down a bit – and the situation settles back down for another few months.
Here’s an article that came up with some convenient statistics. 65% of IT departments basically ignore the problem, or tell people not to connect personal devices to the network, or whatever. As an aside, forget all the silly justifications for BYOD “boosting productivity”: the only reason people ever connect their personal devices to the corporate network is so they don’t have to pay for 3G data to browse Facebook.
The problem with the no-personal-devices approach is that if someone wants to connect their phone to your network, they’re going to make it happen. So you have 802.1X and NAC on your corporate wireless network. They’ll just set up a rogue access point, with no security, connected to the non-802.1X-enabled Netgear hub that’s been sitting under their desk for ten years. If you’re administering a network within one building, you’ve got a chance of spotting this. Even a campus, if you wander around occasionally with NetStumbler or have APs that can do rogue access point detection. An organisation with multiple campuses? Good luck with that.
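To make the "rogue access point detection" bit concrete, here is an added illustration (not code from this post) of the triage an admin can run over a wireless scan: compare what is on the air against the inventory of APs IT actually deployed, and flag the hub-under-the-desk case. The inventory, the scan lines, the BSSIDs and the signal threshold are all constructed.

```python
"""Rogue access point triage from a wireless scan, a defender-side check.

Added illustration, not the post's own code: the scan records, the
authorised-AP inventory and the thresholds below are all constructed.
"""
import re

# Constructed inventory of the APs corporate IT deployed: BSSID -> (SSID, security)
AUTHORISED_APS = {
    "00:11:22:33:44:01": ("CORP-WIFI", "WPA2-EAP"),
    "00:11:22:33:44:02": ("CORP-WIFI", "WPA2-EAP"),
}

# Constructed scan output, one AP per line: BSSID  SSID  security  signal(dBm).
# SSIDs are assumed to contain no whitespace to keep the parser short.
SCAN = """\
00:11:22:33:44:01  CORP-WIFI    WPA2-EAP  -48
00:11:22:33:44:02  CORP-WIFI    WPA2-EAP  -61
a4:2b:8c:11:22:33  CORP-WIFI    OPEN      -39
dc:ef:09:aa:bb:cc  daves-phone  OPEN      -42
f0:9f:c2:44:55:66  NeighbourCo  WPA2-PSK  -83
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(-?\d+)$")
STRONG_DBM = -60  # constructed threshold: louder than this is probably inside the building


def parse_scan(text):
    """Turn the scan text into a list of dicts, skipping lines that do not parse."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            bssid, ssid, sec, dbm = m.groups()
            rows.append({"bssid": bssid.lower(), "ssid": ssid, "sec": sec, "dbm": int(dbm)})
    return rows


def classify(ap):
    """Return a finding label for one scanned AP, or None if it looks benign."""
    known = AUTHORISED_APS.get(ap["bssid"])
    if known:
        # Inventoried hardware, but the SSID or security differs: misconfigured or spoofed.
        return None if known == (ap["ssid"], ap["sec"]) else "authorised-bssid-config-mismatch"
    if any(ap["ssid"] == ssid for ssid, _ in AUTHORISED_APS.values()):
        return "evil-twin"  # corporate SSID coming from hardware IT never deployed
    if ap["sec"] == "OPEN" and ap["dbm"] > STRONG_DBM:
        return "open-ap-in-building"  # the unsecured hub-under-the-desk scenario
    return None  # distant or properly secured third-party network: not our problem


def find_rogues(text):
    """List (bssid, ssid, finding) for every AP in the scan that needs a look."""
    return [(ap["bssid"], ap["ssid"], label) for ap in parse_scan(text) if (label := classify(ap))]
```

The weak neighbour network at -83 dBm is deliberately ignored; the point is to surface the APs that are both unexpected and close enough to be on your premises.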
Or if they’re important enough they’ll just tell your boss to make it happen, and you’ll have to make an exception to your vaunted policy-that-really-isn’t-a-policy so the CEO’s daughter’s Macbook can access the Internet. Perhaps you’ll write down the exceptions in a little list, so one day you can do something about it.
So, what to do? It’s entirely true that mobile devices of all types are an absolute disaster for corporate security, and the situation isn’t getting better. Information on them is almost certainly going to leak. But as an administrator, I have to take a nuanced approach: if I ban the use of personal devices on corporate wifi, I can tell you that all that happens is that people do it anyway and don’t tell me – and typically do it in a way that’s even more insecure.
The best approach I’ve come up with is a “yes, but… ” answer: “yes, you can use your malware-ridden personal phone for corporate data because it’s not like I can stop you. But we’ll connect you to a separate wireless SSID that has a firewall between it and important systems, you’ll need to set up a passcode and turn on two-factor authentication, and I’m going to help you out with some quick education on security. And come and chat to me if anything looks dodgy and we’ll change your password.” The user walks away surprised that they got a helpful response, and I get an opportunity to do some education and steer people in something like a better direction in terms of security awareness.
This applies to other areas of security policy as well: I’m a firm believer in the argument that over-the-top password policies actually decrease security.
Unfortunately, codifying this attitude into auditor-friendly corporate policy is tough, and requires a lot of convincing. BYOD is a sucky problem, but enforcing strict controls – being the Network Nazi – doesn’t work. User education might, sometimes. And having people tell you that they’re doing something is better than them doing it behind your back.
I’m open to better suggestions.