For BYOD, Data Security Precedes Device Security

FP Archives February 3, 2017, 00:04:26 IST

The device needs to be secured not for the sake of the device but for the information that is on the device, says Fran Rosch, VP & GM InfoSec, Symantec.

From security challenges on the BYOD front to some of the lesser known facets of online security, Fran Rosch, VP and GM of Information Security, Symantec, throws light on varied security needs. He shares that encrypting the data before it leaves the enterprise is advisable, as controlling the data in the cloud might be almost impossible. Read on for more advice from him.

What is the biggest security challenge for enterprises on the BYOD front?

One big mistake that enterprises make is that they try and secure the employee-owned devices as they would have when these devices, and subsequently the data on them, were within the enterprise. The challenge is to make these devices secure and yet user-friendly by segregating information. One has to realise that the device needs to be secured not for the sake of the device but for the information that is on the device.

Another issue is that a lot of uneasiness is created for the user as he/she doesn’t want all the information they access, URLs, media, etc. to be reported back to the enterprise. That is why application-specific security fits the bill over device-specific security. This is something CIOs and CISOs need to realise immediately so that the BYOD initiative is not looked upon with uneasiness and suspicion, but with trust and acceptance.

What works best for securing devices when applications are running in the cloud?

The point of authenticating identity using a single gateway to access any cloud application is the best bet. At this point, the user has a single authentication and a single gateway which works from a productivity standpoint and allows the CIO to provision and control users from a singular spot. The CIO can then apply a number of controls to that gateway and data rather than have control over the entire device. Subsequently, technologies like data loss prevention can be leveraged. Data needs to be classified according to its importance and controls made effective accordingly. This can be combined with the identity information of the user, and a sophisticated system to manage security outside the enterprise will be generated. Encrypting the data before it leaves the enterprise is advisable as we know controlling the data in the cloud might be almost impossible, but encryption can protect it to a large extent even if it falls into the wrong hands.

Considering the growth in e-commerce transactions, can companies really make their customers feel as comfortable as they would in a physical world?

The biggest concern there right now is security. Companies will focus on building an e-commerce trust for their website and brand which will assure customers that their information is being properly encrypted and will not be inappropriately accessed. This will be ingrained in the image of the brand and that’s important. When a customer walks into the store all is done to make him/her feel comfortable. The same thing needs to be applied online - how do you make the customer comfortable and feel secure to ensure that they can trust the site? People will give over their credit card in a physical shop but online it’s another matter. SSL certificates need to be sought and acquiring a seal of approval on the site lets the customer know that the e-commerce portal is safe for transactions.

Besides having this for customers, it’s good for website hygiene to have the site scanned for threats every single day. If this is not done, the companies risk being blacklisted by the search engines, which can devastate the trust factor for the brand. Doing a vulnerability scan should be on the agenda to figure out why and from where the website is vulnerable.

Any lesser known facets of online security?

Companies need to be aware of the fact that online advertising can create security concerns. Any website receives major funding from advertisements. These ads are distributed from ad providers and networks. Having malicious ads on the website or e-commerce portal can do serious reputational damage. The consumer goes to many websites within the time frame that he/she visits that particular website, and doesn’t even know how he/she got the malware. This makes detection a long process. This isn’t viewed as a top tier problem today but will gain attention once people realise that advertising has become a means to distribute malware. Not much research and development has been done on this because the problem hasn’t gone bad enough, but we’re tracking this phenomenon and have some products in beta to address it. Regular scans of ad tags (publishers that draw in the ad to the website) are recommended at the moment.

Written by FP Archives
