Currently have a client who is looking to encourage Bring Your Own Device for their students and some potential staff. All access would be via a web-facing portal or access to a remote desktop farm via an HTTPS website. The wireless networks in place are segregated in a way that you cannot access the corporate network. So this would essentially be an internet connection which would connect in as if working from home.
I am trying to investigate whether there is enough security here or if they should be implementing a network access control system and mobile device management systems for better management and security.
Does anyone have any thoughts on this? As my security knowledge is very high level.
Thanks
Replies
I also should have mentioned that they would only be accessing from the wireless network.
One thing I never thought of when I was looking at data leakage was snipping data, locking the screen as a resolution which Bernd mentioned, I will now be adding this into that test.
Cheers!
Ricky Meechan said:
Thank you very much for all of your replies.
The students only access their own work. The staff (which has not yet been encouraged) would be accessing more sensitive data (student records, health care data etc.).
I raised a high recommendation regarding data leakage prevention which included areas such as allowing uploading to uncontrolled cloud storage, allowing copy of data from the remote desktop session to uncontrolled machines, enforcing data/hardware encryption on sensitive data leaving the site and controlling attachments etc being downloaded from webmail solutions amongst others.
I also raised as a separate recommendation that they request a security penetration test on their wireless network as well as the external penetration test they had plans to purchase.
The security in place around the network and remote working solution was adequate. I think with these steps in place they can trial it and see how they get on.
The whole idea for them to go down the BYOD route was to save money. I don't like the idea personally and think it is more hassle than it is worth, and probably not that much cheaper if done correctly. But each to their own!
Ricky, there are a lot of good suggestions here. Since I am based in Germany it may be that German law would be different from where you reside.
Anyhow, besides what especially Betsy pointed out, I would make sure that all people who want/need to connect have to sign an NDA. Make sure that strict enforcements are included in a very clear and straightforward written policy. As a matter of fact you will reduce internal offenders/inside hackers by 60 to 80% by making that point up front.
2nd thing I would implement is certainly a very well defined firewall keeping the users from doing illegal things from out of the internal W-LAN system. Make sure to have a policy in place here, too. Just imagine some guy starts to share child pornography, sets up an online shop for drugs, trades music or videos online or whatever illegal thing (get my point?) and the Feds are coming in… here you could not be sure which equipment would be confiscated (which would lead to unclear and maybe unmanageable downtime). Maybe internet access is even prohibited while working on the net, as a solution similar to VPN allowing only one tunnel to be opened at a time??
3rd thing I would check – especially if the data accessed is critical or secret: is it possible to lock the screen with e.g. code from being copied/snipped? On the other hand: if people are allowed to print you would need a solution here, too.
4th – Check, if data is vital to your customer, if an Endpoint Protection Solution is increasing the security level to the desired state.
And – certainly all the other security measures you would apply to an online shop will apply also to your final solution.
Completely agree with Betsy :)
I would recommend you do this on a trial basis with one to three people. If nothing untoward - like someone attempting to hack the system - happens, then expand the number of users with their own devices. Again, test and continue repeating this cycle until everyone has access who has requested it. Also, I would say anyone who violates the trust or hacks the system is expelled immediately and let the whole group know this will put all at risk, too.
Depends on the risk, I would start by asking the following:
What type of data are the students and staff accessing? Is there potential for it to be sensitive? E.g. health care data or personally identifiable information?
Are there any concerns of sensitive data being removed from the network resources and downloaded onto a personal device?
What does the wireless network have to do with this? Is this the only way the staff and students would be able to access this resource? Is there anything in place to stop someone from directly connecting a personal device to the internal network via a network jack?
If there are no serious concerns about the type of data that is being accessed, the network resource they are accessing has been segregated appropriately and there's monitoring in place for anomalous activity, all I'd recommend is that they implement two-factor authentication and remind end users to install anti-virus software and keep their software up to date.
Hi,
In fact the web-based access is sufficient security and no harm to the company network, since the people can access from anywhere they want with a user login and password. When you don't want someone to log into the system, you only need to deactivate the user name and password.
The only access control you need to do is to monitor the access rights of granted users and make sure they can't log in when they are no longer eligible to access the system.
Hope this helps
In my view there is never enough security. Be sure and implement a network access control system and mobile device management system. Why not?
We may allow cloud sharing with secure passwords.
A complex situation. My observation is that the individuals bringing their own devices will do their darndest to bypass the security. So the security has to expect hacking. Companies can find it hard to believe their own staff would do such a thing but they do. The benefits may be worth it but my advice is proceed with caution and expect the worst.