Cloud and BYOD
Transcript of Cloud and BYOD
Lambert Hofstra Principal Consultant
Cloud and BYOD What do they mean for your security policy?
Why Cloud and BYOD?
• Cloud, BYOD: what is it?
• Hype or beneficial?
• Is it really new?
• Why do we need them?
• Why should I change my security policy?
Cloud and BYOD - Impact on security policy 2
What are Policies?
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology”
Bruce Schneier
Security Standards (More detailed)
- define how a policy must be implemented
Security Policy (High level)
- define what organisation will do to protect information
Security Procedures
- steps to implement objective policies and standards
Security Guideline
A collection of suggestions for best practice
Not required, but strongly recommended
Impact of BYOD
• Default was: only data on company supplied and controlled devices
• Now:
  • Devices not owned
  • Devices not controlled
  • Many different devices and versions
• Make sure Policy addresses BYOD specific risks!
But we have Remote Wipe!!!
• Not always accepted or effective as policy
• Employees will delay reporting lost device
• Company could be liable for wiping private data
• Does not provide 100% protection:
  • No protection against malware attack
  • No protection against human error
  • Limited protection against targeted attacks
  • Limited protection against theft or loss of device
• Better solution is device encryption with strong password/pin
• Whole device or in “company sandbox”
• Not available for all device types
Technical solutions
• Web based
+: data in company datacenter, not on remote device
-: no synchronized view of company and private data
• Sandbox
+: company data in a secure environment (sandbox)
-: limited synchronized view of company and private data
• Standard tooling
+: uniform view of company and private data (e.g. agenda)
-: company data in uncontrolled environment
• Dedicated App
+: can be made secure
-: no synchronized view of company and private data
-: cost of development
So what should I do?
• Find balance between functionality and security
• Providing functionality beneficial to company
• Define what data is allowed on BYOD without significant risk
• Don’t rely solely on technical solutions
• Users will try to bypass
• Involve employees in fight against data loss
• Educate how they can help
• Make them accountable
• Define BYOD policy to match this balance:
  • Awareness of importance of data
  • Examples of risks in a BYOD environment
  • Best practices on how to deal with company data
Questions?