The world is like that. There are challenges and you have to face them. There is no way to escape. And if you try to escape, challenges will outrun you and eventually bring you to a halt. That is the reality, and it holds good for enterprises too.
With enterprises expanding their ambit in order to offer more and more services to their customers, they are being compelled to expand their network capabilities and are taking every step to fulfil the customer's needs. And in the race to cater to the needs of customers, enterprises have no option but to empower their processes, including the workforce.
This empowerment involves, among other things, allowing employees to use all kinds of mobility devices in the network. With delivering services anytime, anywhere becoming the norm in the corporate world, enterprises are taking the bet and allowing their workforce to use their mobility devices beyond the office premises and beyond office hours. This exposes enterprises to multiple security issues of varying magnitude.
The Changing Dynamics
Over the years, the dynamics of an enterprise network have changed phenomenally. Earlier the network consisted of 'physical and in-premise' components. The access devices used to be solitary desktops and services were accessed over physical cabled broadband networks.
Over the years it has changed to mobility devices like laptops, tablets, and smartphones, and the services are being received over the air on various wireless networks like 3G, 4G, WiMax and Wi-Fi. These new devices now being used by the employees of an organization serve multiple purposes for the end user.
At one end, the device is a tool for the user to take part in social media such as Facebook and Twitter; at the other end, the user expects to work on corporate information on the same device. The major security challenge for a corporate on these devices is to secure the delivery of corporate information while still allowing users to access social media and personal content on them.
This poses a challenge for CIOs, who now have to maintain and control a network that is no longer restricted to their own territory. It means network security has to be designed to provide corporate information on demand while keeping the personal usage of the new devices intact.
There are three major trends sweeping through the enterprise:
- The rapid rise of the consumerized endpoint,
- The onset of virtualization and cloud computing, and
- The growing use of high-definition video conferencing.
“Each of these critical technologies is transforming business and forcing a fundamental shift in how security is developed and deployed,” says Mahesh Gupta, vice president, borderless networks, Cisco India & Saarc.
These trends are making the demand for network security grow across industries. Customers are asking vendors to innovate to address new network and security dynamics and to develop new security architectures and solutions rather than pushing the same old point-product strategies. It has become imperative for companies to build protection, with secure usage practices and policies, into their risk management strategies.
No Escaping BYOD
BYOD is a reality in the modern world, and organizations adopting it have seen multi-fold benefits. It is a very popular solution not only from the end user's perspective but also from the finance perspective. While BYOD is here to stay, companies feel that it poses a security threat, as any malware or virus residing on a user-owned device can enter the corporate network.
But there are ways to deal with this through solutions like NAC (Network Access Control) and MDM (Mobile Device Management). These technologies, individually or in combination, will provide a complete solution for implementing BYOD in the organization. “I think an organization should as a first step analyze the potential threats, as it might differ from one organization to another,” says Nilesh Goradia, head, pre-sales, India sub-continent, Citrix.
Once the threats have been outlined, the technologies available to mitigate the potential security risks should be analyzed. After the technology has been decided, a company should devise a complete policy that defines the entire process surrounding BYOD in the organization.
The emergence of the BYOD phenomenon has forced companies to re-evaluate the types of computing devices their employees can and will use, and how they will be securely connected to corporate networks.
Enterprise mobility delivers on productivity because employees know how to use, and enjoy using, their own devices. BYOD can also reduce capital expenditure as businesses can leverage devices employees may already be paying for.
In addition, employees often take better care of devices they have selected and purchased. “However, the rise of BYOD culture also brings its own problems for businesses; it can increase productivity but can leave an organization with a risk assessment nightmare,” says Shantanu Ghosh, VP & MD, India product operations, Symantec.
Most of today's mobile devices operate in an ecosystem outside of the enterprise's control. Many employees synchronize their devices with at least one public cloud-based service as well as home computers. This can leave sensitive data stored in insecure locations, not to mention the risks associated with corporate email being sent through personal accounts and file sharing services.
BYOD brings new, possibly unsecured and non-compliant devices inside the network walls and exposes them to sensitive business information, which can easily leave the organization on a device that may have weak security or, in many cases, no security at all.
This security and compliance hole is forcing a re-think of how best to secure the organization and its business data. Companies want to embrace a BYOD program, but need to be able to fill those holes in order to do so. The other consideration is that some statistics show that people today are 15 times more likely to lose their phones than their laptops.
One of the challenges with bringing your own technology is that, regardless of who owns the device, in the event of a security incident the organization is still responsible for ensuring that the incident is dealt with, the damage contained and the risk mitigated so that it does not happen again.
In the event of data loss, the organization may still suffer, in particular if confidential information is leaked, including customer and employee data, financial information, and intellectual property, to name a few.
The Threats
The major challenge with data on a smartphone is data theft when the smartphone is lost or stolen. Losing confidential data can mean a lot for an individual or a corporate. While the use of smartphones is unavoidable, corporates are adopting technologies like Mobile Device Management to prevent data theft when a device is lost or stolen.
This allows the data to be wiped remotely if the mobile is lost or stolen. Another potential solution is to store the data in the cloud and synchronize it with the mobile device for offline access; this also allows the data to be wiped remotely if the smartphone is lost or stolen.
“Unfortunately along with the massive popularity of smartphone devices is the increase in malware written to exploit the devices and the data stored on the smartphone as well as an increase in rogue apps,” says Michael Sentonas, vice president and chief technology officer, APAC, McAfee.
According to Gartner, worldwide security services spending was at $35.1 bn in 2011, up from $31.1 bn in 2010. Further, the market is forecast to total $38.3 bn in 2012, and surpass $49.1 bn in 2015.
The influx of mobile devices in the enterprise brings a variety of challenges, security being the biggest, that IT departments need to address. “Unmanaged devices are inherently risky and should be carefully screened for the right security updates and patch levels before they are allowed onto the network,” adds Gupta of Cisco.
Outsourcing Security Management
In countries like Japan and South Korea, the security of the networks has moved towards an outsourced management kind of environment. In India, outsourcing of security is still a tough decision for network managers. Slowly the outlook is changing and there has been a rise in the management services space.
Though enterprises are shying away from completely handing over security to a third party, remote management from a central location is taking off.
Security management should be outsourced to a reliable Managed Security Service Provider (MSSP). “It's wiser for enterprises to outsource their network security concerns to experts,” says Eric Hemmendinger, head, Managed Security Solutions (MSS) Product Management, Tata Communications.
He believes enterprises need to focus on their core business rather than investing time and money on non-core business. The business models that can be adopted include managing the security infrastructure from a Security Operation Center (SOC) at the partner's location, or building a captive SOC within the customer's premises.
What the CIOs Need to Do
It is a little strange, but what generally happens is that the person carrying the most critical information also has the most liberal IT policies on his/her device. Anything can be downloaded without screening so that the experience is good. Now the time has arrived to identify the critical access points and focus on strengthening these access points separately.
“In addition every enterprise must keep an updated inventory of each device within the system through MDM, may it be of a third party agent also,” says Bhavin Barbhaya, vice president, sales (network infrastructure), AGC Networks. A major suggestion would be to adopt information delivery to mobile devices as a strategy.
Most organizations have failed to devise the right solutions for mobility devices because they have adopted a piecemeal approach to delivering information on mobile devices, and then there are 5 different technologies running within the organization trying to cater to different needs of the end users.
“I would say mobility devices are here to stay and there is no way we can ignore the information delivery needs to these mobile devices, hence this calls for a more strategic approach towards mobility devices,” says Goradia of Citrix.
A CIO has a tough task. He has to ensure the security of the network, but also work within a specified budget. He is under pressure to optimize the RoI on one hand, while having to serve the latest upgrades on the other. He has to plan his security policy and architecture keeping long-term goals in mind and also deal with multiple vendors in a fast-changing technology environment.