With mobile devices and apps saturating the workplace, employees are using their own devices for work rather than waiting for company-issued tools. This wave of bring your own device (BYOD) is also a product of how pervasive personal mobile devices have become, which makes it both cost-effective and convenient to use one device for both personal and work purposes.
Consumer-driven technology has changed the IT industry, introducing multiple unsecured and unstandardised personal devices into the workplace. Enterprises now need to deal with the security risks those devices introduce into their environments, and find a way to manage them centrally in order to strengthen their security posture.
Authentication and defence in depth
Defence in depth is the practice of layering different security controls so that no single failure exposes your IT infrastructure. But as the IT model shifts to a perimeterless environment, with data now located both in the cloud and on-premises, older perimeter-based security solutions are falling by the wayside.
Two increasingly common conditions in the modern workplace require corporate networks and resources to be available whenever and wherever they are needed: employees working remotely at all hours, and large enterprises employing armies of vendors and subcontractors as outsourcing becomes more cost-effective.
Cloud-based or web-based services, known in the industry as software as a service (SaaS), can provide affordable and convenient remote access to these corporate resources. Common examples of SaaS include Google Apps, DropBox, Salesforce, and Box. SaaS has become popular because it is a more cost-effective way to outsource hardware and software hosting and maintenance to providers, which reduces the need for an in-house team to support the same services.
As a result, data and applications no longer live only on-premises. That also means cloud-based systems are most likely housing sensitive data, whether proprietary business information, customer financial data, or protected health information.
Consequently, the web-based logins that give remote access to these systems are an easy and extremely valuable target for attackers. But all is not doom and gloom. Two-factor authentication is a basic security control that mitigates many of the risks and threats BYOD presents:
Open WiFi networks
Attackers can easily set up an open WiFi network in places like coffee shops and invite users to join. The primary risk on such a network is having your username and password captured; a modern, out-of-band two-factor authentication solution limits the damage by verifying the user over a separate channel, so the captured password alone is not enough to log in.
Attackers intercept browsing sessions and serve spoofed login pages that look like credible sites, fooling users into entering their credentials. Think of the possibilities: fake online banking pages, employee remote access logins, and so on. With two-factor, an attacker holding only your password cannot complete the login, because the push notification goes directly to your phone and only you can approve it. The caveat is that an attacker who has phished the password can still trigger that push, so an approval prompt you did not initiate should be denied and reported.
One password to rule them all
Users often recycle passwords across multiple accounts, including personal and work accounts, so a breach at one site leaks a working password for another. Two-factor makes the quality of your password much less important, as it adds a layer of security that does not rely on user behaviour.
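To make the "separate channel" concrete, here is an added Python illustration (not Duo's product code, and not something described on this page) of a push-style out-of-band second factor: the server checks the password, then issues a one-time challenge that only the enrolled phone, holding a device key the server never sends over the web session, can approve. The user record, the password, the device key and the HMAC-over-nonce approval scheme are all constructed for the demo. It serves both the open-WiFi section and the password-reuse point above: a password captured on a hotspot or leaked from another site gets the attacker past the first step only.

```python
"""Toy model of a push-style (out-of-band) second factor.

Added illustration, not Duo's code. The HMAC-over-nonce approval scheme,
the users and the secrets below are assumptions made for the demo.
"""
import hashlib
import hmac
import secrets
import time

_SALT = b"constructed-salt"          # constructed; real systems use a per-user random salt


def _hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


# Constructed enrolment store. The device key exists only here and on the
# user's phone; it never travels over the browser session an attacker can watch.
USERS = {
    "alice": {
        "pw_hash": _hash_pw("Summer2015!"),        # a weak, reused password
        "device_key": secrets.token_bytes(32),     # key of the enrolled phone
    }
}

PENDING = {}          # challenge id -> (username, nonce, expiry)
CHALLENGE_TTL = 60    # seconds a push may stay unanswered


def check_password(user: str, pw: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], _hash_pw(pw))


def start_login(user: str, pw: str):
    """First factor. Returns (challenge id, nonce) or None on a bad password.

    The id and nonce are what the server would push to the phone; knowing
    them is useless without the device key.
    """
    if not check_password(user, pw):
        return None
    cid = secrets.token_hex(8)
    nonce = secrets.token_bytes(16)
    PENDING[cid] = (user, nonce, time.monotonic() + CHALLENGE_TTL)
    return cid, nonce


def phone_approve(device_key: bytes, nonce: bytes) -> bytes:
    """Runs on the enrolled phone: approve by MACing the server's nonce."""
    return hmac.new(device_key, b"approve:" + nonce, hashlib.sha256).digest()


def finish_login(cid: str, approval: bytes) -> bool:
    """Second factor. Consumes the challenge; fails on replay, expiry or bad MAC."""
    entry = PENDING.pop(cid, None)          # single use: a replayed id finds nothing
    if entry is None:
        return False
    user, nonce, expiry = entry
    if time.monotonic() > expiry:
        return False
    expected = phone_approve(USERS[user]["device_key"], nonce)
    return hmac.compare_digest(expected, approval)


def legitimate_login() -> bool:
    cid, nonce = start_login("alice", "Summer2015!")
    return finish_login(cid, phone_approve(USERS["alice"]["device_key"], nonce))


def attacker_with_stolen_password() -> bool:
    """Password captured on a rogue hotspot or reused from a breached site."""
    res = start_login("alice", "Summer2015!")
    if res is None:
        return False
    cid, nonce = res
    forged = hmac.new(b"guess", b"approve:" + nonce, hashlib.sha256).digest()
    return finish_login(cid, forged)       # no device key, so the MAC is wrong


def replayed_approval():
    cid, nonce = start_login("alice", "Summer2015!")
    approval = phone_approve(USERS["alice"]["device_key"], nonce)
    return finish_login(cid, approval), finish_login(cid, approval)


def expired_challenge() -> bool:
    cid, nonce = start_login("alice", "Summer2015!")
    user, n, _ = PENDING[cid]
    PENDING[cid] = (user, n, time.monotonic() - 1)   # simulate the TTL passing
    return finish_login(cid, phone_approve(USERS["alice"]["device_key"], n))


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("password only:", attacker_with_stolen_password())
    print("replay (first, second):", replayed_approval())
    print("expired:", expired_challenge())
```

The point the model makes is that password strength never enters the second step: the approval depends on a key held by the phone, and each challenge is single-use and short-lived. What the model does not solve is the relay case from the spoofed-page section, where the victim is tricked into approving a push the attacker triggered; that is why an unexpected prompt should be denied rather than approved.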
Malware email attachments
Two-factor can't really prevent a user from opening an attachment in an email that looks credible and ultimately executing malware on their device. But it can blunt a credential-phishing email, since attackers would also need the user's physical authentication device to reach your business applications. Note that once malware is running on the endpoint it can act inside the user's already-authenticated session, so two-factor complements endpoint controls rather than replacing them.
Cloud storage - a goldmine
Another known issue is employees uploading sensitive company information to personal accounts with weak or no security controls in place. General best practices and some compliance requirements mandate strong authentication in front of any sensitive data; PCI DSS, for example, requires two-factor authentication for remote network access. Similarly, the FFIEC requires more than one factor for certain online banking activity, such as large transactions.
If one security control can address all of these issues, that's a pretty good deal. Instead of simply more security, try a better security tool that mitigates the several different risks BYOD brings to light, such as two-factor authentication.
Thu Pham, Information Security Journalist at Duo Security