BYOD and the app security risk
With more and more companies adopting bring-your-own-device policies to access corporate data, education is sorely needed to plug the gaping security holes that many apps needlessly open on those devices.
In an interview with TelecomAsia, Stree Naidu, VP for Asia Pacific and Japan for Imperva, said that the end-user is the weak link.
While the industry has done so much work on technologies to track for data leakage, role-based access management and security in the traditional 9-5 corporate four-walled office, the gaping security risk remains the users themselves with their smart devices, Naidu said.
Too many apps allow access to a phone book, email or even SMS and call records. The EULAs and fine print that users click through without a thought make gathering and profiling that information perfectly legal, if unethical.
Naidu said that while in some cases, such as verifying a phone number for a messaging service, there may be a legitimate need to check an SMS, there is never a legitimate need for perpetual access to these private messages.
“Why does the Facebook app need to access your SMS?” he asked.
This is where the telco comes in, or should come in. Telcos need to spend time educating consumers about the dangers of these apps and become a strong voice demanding that Google and Apple (not to mention Microsoft and BlackBerry) express the fine print in a clear manner to users and developers alike, so that both can make an informed decision.
This would be similar to the outcome of the anti-spam battle, after which all mailing lists came to offer clear opt-in and opt-out options.
To show the extent of what unfettered access can lead to, Naidu used the example of the app xobni (inbox spelled backwards). This app can go through your email, phone and social networks and generate a report on the amount of contact, keywords searched, who gets the most email, at which times and on what topics. It can even bring up that person’s social media profiles and photos in the report. While legitimate as an enhanced address book, the same information in the wrong hands is very dangerous. It becomes downright scary when the user or CIO realises that many of the apps users install without a second thought provide access to all of that information.
The other major attack vector telcos face is the security of one of their most valuable assets in the modern era: source code for online games. Naidu said he had just returned from Korea, where he met with a telco that had hired Imperva to strengthen internal security, both to prevent the game’s source code from being accessed by those with no legitimate need and to prevent employees from downloading all of it before leaving for a competitor.
External users going into the network to steal code was also an ongoing concern.
In the modern workplace, staff are preparing presentations on their iPads and storing work files on Dropbox. This can have legitimate uses: users need to work offline on a long flight, and a manager should be able to reply to a work email that came in while he was looking up his daughter’s Facebook status.
One telco in Japan is rolling out 50,000 iPads to its staff, and part of the exercise is to see how they can increase productivity while keeping endpoints secure. Nobody quite knows what the solution is right now.
But part of the solution is to add visibility, tracking and auditing of these end-points to flag abnormal trends and ensure that those most at risk adhere to best practices.
Sarbanes-Oxley requires strong passwords that are periodically refreshed. The Monetary Authority of Singapore requires banks to keep audit trails of who has been accessing what data, for instance. That is what is needed, but on a wider scale.
Of course, the other threat is that even when the device itself is secure, governments may demand access to its data, as happened recently in India and is now happening in the UK. How does he balance that call for national security against personal or corporate security?
“I’m a supporter of this trend. Most governments have people’s safety in mind. They are not eavesdropping for access to information.
“[But] if they are going to embark on eavesdropping, they need a secure infrastructure,” he added, alluding to Bradley Manning and the Wikileaks incident.