Cloud and BYOD

Lambert Hofstra Principal Consultant Cloud and BYOD What do they mean for your security policy?


What do they mean for your security policy? Presentation by Lambert Hofstra, Principal Consultant


Page 1: Cloud and BYOD

Lambert Hofstra Principal Consultant

Cloud and BYOD What do they mean for your security policy?

Page 2: Cloud and BYOD

Why Cloud and BYOD?

• Cloud, BYOD: what is it?

• Hype or beneficial?

• Is it really new?

• Why do we need them?

• Why should I change my security policy?

Cloud and BYOD - Impact on security policy 2

Page 3: Cloud and BYOD

What are Policies?

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology”

Bruce Schneier

Security Standards (More detailed)

- define how a policy must be implemented

Security Policy (High level)

- define what organisation will do to protect information

Security Procedures

- steps to implement objective policies and standards

Security Guideline

A collection of suggestions for best practice

Not required, but strongly recommended


Page 4: Cloud and BYOD

Impact of BYOD


• Default was: only data on company supplied and controlled devices

• Now:

  • Devices not owned

  • Devices not controlled

  • Many different devices and versions

• Make sure Policy addresses BYOD specific risks!

Page 5: Cloud and BYOD

But we have Remote Wipe!!!

• Not always accepted or effective as policy

• Employees will delay reporting lost device

• Company could be liable for wiping private data

• Does not provide 100% protection:

  • No protection against malware attack

  • No protection against human error

  • Limited protection against targeted attacks

  • Limited protection against theft or loss of device

• Better solution is device encryption with strong password/pin

• Whole device or in “company sandbox”

• Not available for all device types


Page 6: Cloud and BYOD

Technical solutions

• Web based

+: data in company datacenter, not on remote device

-: no synchronized view of company and private data

• Sandbox

+: company data in a secure environment (sandbox)

-: limited synchronized view of company and private data

• Standard tooling

+: uniform view of company and private data (e.g. agenda)

-: company data in uncontrolled environment

• Dedicated App

+: can be made secure

-: no synchronized view of company and private data

-: cost of development


Page 7: Cloud and BYOD

So what should I do?

• Find balance between functionality and security

• Providing functionality beneficial to company

• Define what data is allowed on BYOD without significant risk

• Don’t rely solely on technical solutions

• Users will try to bypass

• Involve employees in fight against data loss

• Educate how they can help

• Make them accountable

• Define BYOD policy to match this balance:

  • Awareness of importance of data

  • Examples of risks in a BYOD environment

  • Best practices on how to deal with company data


Page 8: Cloud and BYOD

Questions?
