21 Aug 2019

The Age of BYOD: Cyber-Security in the Defence and Public Sector

David Critchley, UK Regional Director, MobileIron examines the adoption of BYOD and its potential cyber security risks.

The drive for more cost-efficient IT strategies and the promotion of a more flexible approach to working across wider Government has set the conditions for the adoption of BYOD as a viable option within the UK Ministry of Defence (UK MOD). A number of other public sector organisations are also implementing Bring Your Own Device (BYOD) programs (such as Camden Council, which has recently seen its BYOD adoption soar by 240%) as a step towards maximising productivity while minimising cost, one that encourages employees to work from their own devices. This strategy is being proactively adopted in the public sector because it is a highly cost-effective initiative for government departments and their employees; the biggest caveat is the perceived compromise of cyber security.

The Cyber Security Breaches Survey of 2019 suggests that 44% of businesses have implemented a BYOD program and 60% of businesses use cloud computing services to store their data. The reality is probably even higher when you take into account shadow IT and employees using devices and apps that IT has no visibility of (MobileIron’s internal analytics suggest that even with corporate-issued devices, in a population of 5000 devices over 350 will have side-loaded or third-party ‘unofficial’ applications). Given the sensitivity of the data that these businesses deal with on a daily basis, it is of paramount importance for these organisations to implement sustainable, reliable and scalable solutions to prevent a data breach that could cost a large amount of money and cause widespread distrust if it occurs. These solutions are now technically capable of managing the increased sensitivity of Defence data with the same rigour and control.

The potential move towards acceptance of Bring Your Own Device (BYOD) within the UK MOD is also continuing apace. Moving from a definitive non-acceptance policy in 2012, through the Financial Times reporting in 2014 about limited use, to the most recent Challenge Innovation paper in June 2019, a potential change in mindset to embrace more modern working practices is evident.

The recent BYOD Challenge / Innovation call from the MOD highlights some of the perceived issues and challenges that the MOD believes it still faces in introducing BYOD into the MODNET domain. These include, but are not limited to, multiple user types (personas), authentication issues and operating within the MOD’s current security position. None of these issues is unique to the MOD or the public sector, and all have been addressed by industry through the use of different access permissions and profiles, certificate authentication at device and server level, and accreditation of software builds against internationally recognised standards. With the NCSC Commercial Product Assurance (CPA) process currently under review and potentially changing to one of Commercial Vendor Assurance, the MOD can leverage internationally recognised security and accreditation standards such as the Common Criteria and The United States’ National Security Agency (NSA) National Information Assurance Programme (NIAP) in order to provide the required evidence and mitigate the risk of using non-accredited software.

As cloud services and mobile devices become increasingly commonplace in an organisation’s day-to-day operations, IT decision makers have acknowledged that the traditional perimeter security approach is no longer a viable option for organisations that work with data on a massive scale. The influx of personal mobile and laptop devices in the work environment calls for the increased security that a zero-trust approach provides. A recent Freedom of Information (FoI) request looked into the number of mobile and laptop devices lost by staff from nine Ministerial departments. The request revealed that between the nine departments, 508 mobile and laptop devices were lost between January and April 2019 alone, serving as a stark reminder that government departments need to put security concerns at the forefront of any mobility strategy. This included eight lost MoD devices containing sensitive data.

Zero-trust is the security concept based on the belief that organisations should not trust anything, whether inside or outside their perimeters. A zero-trust security concept assumes that everyone who is attempting to connect to the organisation’s network has been compromised and thus needs to be verified. It calls for the verification of a series of factors before a device can gain access to the organisation’s data and resources. This verification process is crucial in managing the multitude of different platforms and operating systems that a BYOD capability would present. The concept is a direct response to the unmanaged, post-perimeter workspace, and is therefore crucial in mitigating cyber attacks and maintaining data security.

The zero-trust architecture is designed to prevent an attacker from moving across a network laterally – meaning the hacker is unable to make their way through a network to reach the assets they seek. Traditional security methods exclusively prevent external threats, which leaves hackers able to run rampant and unchecked once they have penetrated the network. Zero-trust responds to this security flaw by allowing access to data and resources only after a series of verifications focused on identity, the device used, data access permissions and gateway. These factors are used to verify every device that attempts to join the organisation’s network, creating an environment that protects sensitive data from internal and external threats.

The timeline and complexity of implementing the strategy depend on the magnitude of the MOD’s data infrastructure, the size of the user population and the flexibility of the organisation to adapt to change. Implementing this strategy may be a daunting task, taking into consideration the correlation between the size of an organisation and the complexity of the infrastructure that it has to re-evaluate and re-platform. Although it demands that the organisation unwind legacy workflows, processes and systems, deploying zero-trust provides an organisation with an unprecedented level of security and safe-keeping of valuable data. The thorough approach to security makes the strategy a suitable cyber security measure for the public sector and any organisation that deals with large quantities of highly confidential data.

Times are changing and threat vectors are increasing; we need a new approach to cybersecurity. Zero-trust is the best way for government departments, including the MoD, to remain secure in this ever-changing landscape.


The post The Age of BYOD: Cyber-Security in the Defence and Public Sector appeared first on Defence Online.