On Monday, I wrote about the challenges of fundamental BYOD security. Today I continue my conversation with Brian Tokuyoshi, senior product marketing manager with Palo Alto Networks, focusing on a multi-layered approach to BYOD security.
Using a multi-layered security approach is pretty common for the network, and I don’t know a security expert who doesn’t recommend going that route. But what works for the network doesn’t necessarily work for mobile, as Tokuyoshi told me:
BYOD changes a lot of assumptions that previously existed in the multi-layered security approach. One, you can't necessarily depend on the endpoint protecting itself. Two, the network security layers may not be effective against mobile threats. Three, we need far better integration of the traditional security technologies sharing criteria and context than what we've seen to date in order to manage mobile security effectively.
The problem with counting on using endpoint security as the base layer is that the IT and security staff have to rely on the device’s owner to apply basic security practices. And we know from experience and countless surveys on the topic that that isn’t happening on a consistent basis.
So if you can’t depend on endpoint security, how do you create the multi-layered security approach? Tokuyoshi said to first look at it in two parts: One, how do you protect the device, and two, how do you protect your network from compromised devices? But that’s not without some serious challenges.
Addressing the first point, Tokuyoshi said organizations need threat prevention technologies attuned to mobile malware:
Your network-based malware solution may only be focused on Windows malware and exploits, and may not even have signatures for mobile threats. Think about all of the technologies involved in a comprehensive threat prevention practice -- IPS, malware signatures, dealing with unknown malware, URL filtering, DNS filtering, etc. and one really must ask hard questions on whether any of these things understand mobile threats.
The challenges of adding the layer to protect the network, Tokuyoshi said, are that you need very good controls over governing who can get on the network with a particular device, and then, even more importantly, you need to determine whether or not you can control what they access:
For instance, some devices are running older, unpatched versions of Android. Categorically, these devices are riskier than a current, up to date device. The organization has to be able to discern what types of devices are running, make sure they're properly configured, understand who's using them, before being able to make the decision on whether to provide access to a corporate application.
Throwing bundles of point products at mobile security won't provide the contextual information to make these types of policy decision, he added. More than just having multiple layers, we need smarter layers that exchange context for mobile security, paired with good policy criteria and threat intelligence.
Tokuyoshi ended his conversation with me with these words of wisdom:
We're just scratching the surface for the potential of mobility. If we don't build mobile strategies upon a foundation of security, then there's surely going to be a low ceiling to what you can let employees do with it. Realizing the full benefits of mobile computing will depend on the security that makes these future applications possible.