Balancing security, business case for consumer products in enterprise

Security managers looking to curb their network risks struggle with employees' desire to use consumer-oriented devices and services like smartphones, USB drives and social media.

SAN FRANCISCO -- Dave Cullinane's chief of staff on the eBay security team is a nimble 25-year-old woman, one who at times can astound by simultaneously juggling her laptop and iPhone and pulling data from each device in perfect harmony, much to the joy of productivity mavens everywhere. For Cullinane, who isn't 25 anymore, to tell his Web 2.0-generation colleague that her favorite mobile or other consumer-oriented device isn't welcome inside the corporate walls because of security concerns would be a mistake.

"It would hurt me because she's good and I need her. And it would hurt the company," Cullinane said during a panel on embracing consumerization and security at RSA Conference 2010. Consumer devices, such as the iPhone and USB drives, along with the use of social media, are quickly becoming a preferred means of personal communication and data exchange for many in the workforce. And now, that's creeping into the corporate culture.

"This is the fundamental way they're using the Internet," Cullinane said. "It's becoming apparent to us that's where eBay access is coming from. I have a whole bunch of stuff to do around [consumerization]."

Companies are probably more eager to leverage consumer tools, such as social media for marketing and customer outreach, but mobile applications are also big business drivers. Cullinane said an eight-month-old eBay iPhone application has already generated $50 million in revenue. The mobile app was a no-brainer for eBay, especially after seeing a statistic that 48% of AT&T traffic comes from the iPhone. eBay responded with a simple application that customers loved, Cullinane said, adding that now he must up the ante around managing the risks it introduces.

"I need to sit with the folks at Apple and have discussions around the risks this presents; what is the new threat scenario, how to talk to the business to make maximum use of this technology, and how to build something secure enough to use in an efficient manner," he said.

For Stacey Halota, CISO of the Washington Post Company, social media and devices, such as the Kindle book and document reader, present similar risk profiles to her enterprise. The Washington Post Co. is more than the franchise newspaper; it consists of 12 decentralized major media businesses, several smaller ventures and a global workforce of 35,000. Not only does Halota have to deal with a new interactive way customers receive her product, but she has to contend with the need to market products over social networks -- all without a centralized data center. The key for her, and most enterprises in her situation, is gaining a high-level view of the company's business processes in order to best assess risk. She does so with an enterprise GRC tool, which maps information assets to business processes, giving her a dashboard view of assets and helping her prioritize response and remediation.

Halota said her company has migrated away from traditional methods of acceptable usage policies. "We found it useful to look at patterns of data," she said. "One of the things I look at to shape policies to make them useful and enforceable, is to look at how information is used by monitoring it with tools and doing user interviews."

Also in her arsenal is network behavior anomaly detection, which tells her how people are using data. The NBAD technology watches the data enter and leave the network, and feeds it into a dashboard view.

"We allow Facebook and other similar technologies. This gives me another baseline of what's normal here, and we get alerts if something is not normal. If something is not patched or getting antivirus signatures, NBAD gives you a window as to why."
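The baseline-and-alert idea Halota describes, as an added example that is not code from the article or from any NBAD product: per-host outbound volume is learned from a history window, and a host that departs from its own norm by more than a few standard deviations is flagged. The flow figures, host names, the z-score threshold and the standard-deviation floor are constructed assumptions for illustration.

```python
"""Toy network-behaviour baseline: learn each host's normal outbound volume
from past flow summaries, then flag hosts whose current traffic deviates."""
import statistics

# Constructed sample data (not from the article): daily outbound bytes per
# host over a one-week baseline window.
BASELINE_FLOWS = {
    "host-a": [1_200_000, 1_150_000, 1_300_000, 1_100_000, 1_250_000, 1_180_000, 1_220_000],
    "host-b": [400_000, 420_000, 390_000, 410_000, 405_000, 415_000, 398_000],
}


def build_baseline(flows):
    """Per-host (mean, population standard deviation) of daily outbound bytes."""
    baseline = {}
    for host, samples in flows.items():
        baseline[host] = (statistics.mean(samples), statistics.pstdev(samples))
    return baseline


def score(baseline, host, observed, min_stdev_ratio=0.05):
    """Z-score of one observation against the host's own baseline.
    A floor on the standard deviation (assumed 5% of the mean) keeps a
    nearly flat history from turning tiny fluctuations into alerts."""
    mean, stdev = baseline[host]
    stdev = max(stdev, mean * min_stdev_ratio)
    return (observed - mean) / stdev


def alerts(baseline, today, threshold=3.0):
    """Return (flagged, unknown): hosts whose outbound volume today exceeds
    their norm by more than `threshold` standard deviations, and hosts with
    no baseline at all. A host without history is reported, not assumed
    normal, because "no baseline" is itself something an analyst should see."""
    flagged, unknown = [], []
    for host, observed in today.items():
        if host not in baseline:
            unknown.append(host)
            continue
        z = score(baseline, host, observed)
        if z > threshold:
            flagged.append((host, round(z, 1)))
    return flagged, unknown


if __name__ == "__main__":
    bl = build_baseline(BASELINE_FLOWS)
    # host-a pushing roughly four times its usual volume; host-z never seen before
    print(alerts(bl, {"host-a": 5_000_000, "host-b": 430_000, "host-z": 10}))
```

In practice the baseline would be keyed on more than bytes out (destinations, ports, time of day), and the threshold tuned per environment; the point is that allowing Facebook-style traffic is workable once you know what each host's normal looks like.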

Monitoring tools such as NBAD help security organizations enforce policies, which are the building-block controls for any new business initiative, such as the enablement of consumer technologies in the enterprise. The State Department isn't immune to the craving for social media and consumer tools. For a stodgy government agency, a strict policy is the first building block against risks introduced over the Web, and even via the USB drives diplomats use, for example, to exchange data overseas with colleagues or counterparts.

Chris Lukas, division chief of the cyber threat analysis unit at the Department of State, has extraordinary data protection needs, and those have to be balanced against the desire to bring convenient technologies into the enterprise, such as USB drives. However, no personally owned USBs are allowed, Lukas said, pointing toward the Department of Defense, which last month lifted a 15-month ban on USB drives. USBs, in particular those with autorun features enabled, were banned because they were used to distribute malware among government workers, leading to data loss and other network intrusions. Social media is also tightly regulated, but embraced; for example, Secretary of State Hillary Clinton, Lukas said, is using Facebook to market foreign policy initiatives.

Lukas said he's keeping these risks in check by leveraging the agency's cybercrime analysis and intelligence capabilities to examine the full scope of threats to the State Department, and melding those with a technical analysis team well versed in malware, reverse engineering and packet analysis. Finally, Lukas said his Red Cell team of penetration testers conducts full-scope tests against State Department systems and networks.

"How do we do risk management? The state department set up continuous monitoring for vulnerabilities, compliance and configuration issues," Lukas explained. "The analysis gives us a score for our presence at 280 posts worldwide. If Paris gets a B, and Berlin a C, they immediately know where to tune according to the risks we see. If we see USB keys used for exploits and systems vulnerable to exploits, we tune the scores up or down based on what we're seeing. With Facebook, we take those users and create a special category in threat scoring; if we have 50 people authorized for diplomacy creation, we can increase the risk score for their machines. If a decision maker sees a vulnerable system, it rises up and we take mitigation action."
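The scoring scheme Lukas outlines, as an added example that is not the State Department's tooling or code from the article: scan findings for each machine are weighted, machines belonging to a higher-exposure user category (here the users authorized for social media) get a multiplier, each post receives a letter grade from its average score, and the report lists which hosts to fix first. The weights, cutoffs, multiplier, host names and findings are constructed assumptions for illustration.

```python
"""Toy continuous-monitoring risk score per post: weighted findings per host,
a category multiplier for higher-exposure users, a letter grade per post,
and a remediation order within each post."""

# Assumed weights and grade cutoffs, not the State Department's scheme.
FINDING_WEIGHTS = {"vuln_critical": 10, "vuln_high": 5, "compliance": 3, "config": 2}
GRADE_CUTOFFS = [(5, "A"), (15, "B"), (30, "C"), (50, "D")]  # average host score -> grade
CATEGORY_MULTIPLIER = {"standard": 1.0, "social_media": 1.5}  # assumed special category

# Constructed sample findings per host (not real posts or machines).
HOSTS = [
    {"host": "paris-ws01", "post": "Paris", "category": "standard", "findings": ["config"]},
    {"host": "paris-ws02", "post": "Paris", "category": "social_media", "findings": ["vuln_high", "config"]},
    {"host": "berlin-ws01", "post": "Berlin", "category": "standard", "findings": ["vuln_critical", "compliance"]},
    {"host": "berlin-ws02", "post": "Berlin", "category": "social_media", "findings": ["vuln_critical", "vuln_high"]},
]


def host_score(record):
    """Sum of finding weights, scaled up for hosts in a higher-exposure category.
    Unknown categories fall back to the standard multiplier."""
    base = sum(FINDING_WEIGHTS[f] for f in record["findings"])
    return base * CATEGORY_MULTIPLIER.get(record["category"], 1.0)


def grade(avg_score):
    """Map an average host score to a letter; anything past the last cutoff is F."""
    for cutoff, letter in GRADE_CUTOFFS:
        if avg_score <= cutoff:
            return letter
    return "F"


def post_report(hosts):
    """Per post: average score, letter grade, and hosts ordered worst-first so
    a decision maker sees the vulnerable system rise to the top."""
    by_post = {}
    for record in hosts:
        by_post.setdefault(record["post"], []).append((record["host"], host_score(record)))
    report = {}
    for post, scored in by_post.items():
        avg = sum(s for _, s in scored) / len(scored)
        report[post] = {
            "score": round(avg, 2),
            "grade": grade(avg),
            "remediate_first": sorted(scored, key=lambda hs: hs[1], reverse=True),
        }
    return report


if __name__ == "__main__":
    for post, entry in post_report(HOSTS).items():
        print(post, entry["grade"], entry["score"], entry["remediate_first"])
```

The multiplier is what lets the same finding weigh more on a machine whose user is authorized for social media: with the constructed data, the critical-plus-high findings on the social-media host score 22.5 against 15 for the same findings on a standard host, and that host sorts to the top of its post's remediation list.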

In the end, the introduction of consumer-based products into the enterprise isn't much different from any other application that improves productivity and efficiency; those, too, are often rushed to market without security in mind.

"The challenge is balancing the needs of the business against security," Halota said. "You need to get your hands around the risk."
