
Cloud and BYOD: A combo that can improve enterprise security

Can the combination of the cloud and BYOD lessen the headaches of security admins? Ed Moyle explains how a mix of the two can ease security woes.

When it comes to bring your own device (BYOD) in the enterprise, there's no doubt about it: adoption is exploding. Data from the 2013 ISACA Risk/Reward Barometer found that 50% of enterprises already explicitly allow BYOD. Compare that with the 2012 findings, in which only 33% of those surveyed used a personal device for work purposes, and, even allowing that the two figures measure policy and practice respectively, the pace of adoption is hard to ignore.


The BYOD trend comes on the heels of another adoption wave in enterprise IT: cloud computing. Much like BYOD, the cloud exploded onto the technology scene and continues to expand its footprint throughout the enterprise. This means that technology pros are struggling to accommodate a plethora of disparate employee-owned devices while at the same time being bombarded with a parallel wave of often externally hosted cloud platforms, applications and infrastructure.

While all this change is understandably a source of heartburn for many, viewed jointly it can be good news. Why? Because in many cases the transformative changes the cloud brings have a beneficial effect on BYOD: cloud adoption can be leveraged directly to help secure employee-owned devices, or cloud efforts can be what makes secure use of BYOD possible in the first place.

Don't believe me? Let's take a look at a couple of examples to see how and why using BYOD in conjunction with the cloud can add security value to an enterprise.

Application design and assumptions

The first point has to do with design assumptions in the cloud, particularly as it relates to Software as a Service (SaaS) applications. To see this phenomenon in action, consider two scenarios: one, an externally hosted and Internet-facing SaaS application used to support business activities; the other, a legacy application that's internally deployed and kept in a tightly controlled area within the enterprise.

Obviously not all applications are created equal; functionality, the type of data accessed, business criticality, user roles, authentication and so forth all shape the security profile of any application. That said, there is one crucial difference between these two scenarios: the SaaS application is already Internet-facing and was designed and architected to operate in that context. The Internet is a hostile place for apps. The network is untrusted by definition, malware and scanning traffic are a near-constant background hum, and the vast majority of requests come from anonymous sources that will never authenticate. The application therefore cannot assume, as an internally deployed legacy application might, that network traffic is private, that all traffic originates from trusted hosts, or that remote peers will treat it with "kid gloves" from a scanning and attack perspective.

The legacy application, on the other hand, may have been designed and deployed around a different set of constraints. It might assume that only people on the internal network will connect to it, and that they will do so from trusted, hardened endpoints. It might also assume that application scanning or a determined attack will be a rarity. In a BYOD context these assumptions can be quite dangerous. An employee-owned device (in many shops, at least) is less tightly controlled than a managed endpoint, and that reduced trust in the device makes practices such as client-side caching of sensitive data more problematic. The point is that an application built on the assumption of an untrusted, possibly hostile client translates better to BYOD, where the client is in many cases less trusted and less protected.
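To make the two sets of design assumptions concrete, here is an added example (not code from the article or from any product it mentions): a toy Python request handler written the way the perimeter-trusting legacy application above would be, beside one written for a hostile network. The function names, the HMAC key, the trusted address range and the sample requests are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed fixtures for the example. In a real deployment the key would
# come from a secret store and the payload from a data tier.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # the legacy "inside the perimeter" range
TOKEN_KEY = b"example-key-not-for-production"
TOKEN_TTL = 900  # seconds a bearer token stays valid
SENSITIVE_RECORD = "account=4417-XXXX balance=12034.55"  # placeholder payload


@dataclass
class Request:
    remote_addr: str
    over_tls: bool = False
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def legacy_handler(req: Request) -> Response:
    """Internal-deployment assumptions: the address range *is* the access control.

    Anyone holding a 10.x address is presumed to be an employee on a hardened,
    managed endpoint, the network is presumed private (no TLS requirement), and
    nothing tells the client not to cache what it receives.
    """
    if ipaddress.ip_address(req.remote_addr) in TRUSTED_NET:
        return Response(200, SENSITIVE_RECORD)
    return Response(403, "forbidden")


def mint_token(user: str, now: Optional[float] = None) -> str:
    """Issue a bearer token of the form user.expiry.hmac (hypothetical scheme)."""
    exp = int((now if now is not None else time.time()) + TOKEN_TTL)
    sig = hmac.new(TOKEN_KEY, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}.{exp}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the token is authentic and unexpired, otherwise None."""
    try:
        user, exp_s, sig = token.rsplit(".", 2)
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(TOKEN_KEY, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    if (now if now is not None else time.time()) >= exp:
        return None
    return user


def hostile_network_handler(req: Request, now: Optional[float] = None) -> Response:
    """Internet-facing assumptions: trust neither the network, the peer nor the client.

    The source address is ignored entirely; transport must be TLS; the caller
    must present a valid, unexpired credential; and every response, including
    the error responses, tells the client not to cache it.
    """
    no_store = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if not req.over_tls:
        return Response(403, "TLS required", no_store)
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    user = verify_token(token, now) if scheme == "Bearer" else None
    if user is None:
        return Response(401, "unauthorized", no_store)  # same answer for missing, forged or expired
    return Response(200, SENSITIVE_RECORD, no_store)


if __name__ == "__main__":
    # A personal phone on the corporate Wi-Fi holds a 10.x address and nothing else.
    byod_phone = Request("10.20.30.40")
    print("legacy:", legacy_handler(byod_phone).status)            # 200: data handed to an unmanaged device
    print("hostile:", hostile_network_handler(byod_phone).status)  # 403: cleartext is refused outright
```

The interesting case is the personal device that is legitimately on the corporate network: it carries a 10.x address, so the legacy handler hands it the record and lets it cache the page, while the hostile-network handler reaches the same decision for that device as for one on a coffee-shop connection. Real applications would add rate limiting and session binding on top of this; the point is only that the decision never rests on where the packet came from.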

Data protection

In addition to this question of application context, there's also a question about the data itself. The ISACA survey referenced earlier, for example, highlights data protection as a historical barrier to BYOD adoption. Issues such as concerns about employees' handling of sensitive data as well as loss of data control both topped the charts as key reasons organizations prohibit BYOD (39% and 33% respectively). The point is, when it comes to BYOD, data security matters.

However, this issue of data protection is one that organizations embracing the cloud are already struggling with and have been for some time. Consumer-oriented services in the cloud targeting data sharing, data synchronization and data storage (think Dropbox) are already a source of concern. As a consequence, many of those organizations are already pursuing methods designed to layer security into what the consumer-oriented services offer or designed to offer similar functionality but with "enterprise-grade" security built in.

Services that provide the same features with security in mind have immediate applicability to the BYOD use case. Why? Because they are about controlling data proliferation regardless of the device or location the data is proliferating to. They already assume that synchronization and sharing will happen, and are therefore equipped to make sure it happens securely when it does.

For organizations that do not have such a capability in place, the temptation exists for a user to share data through a consumer-oriented storage service that may lack the security controls and vetting the organization would be comfortable with. By providing a mechanism that enforces data protection and retains corporate control over data in the cloud, the enterprise can ensure data security regardless of who originally provisioned the device, whether the enterprise or the employee.

Putting it all together

Historically, when we think of BYOD protection mechanisms, we tend to think of specialized tools such as mobile device management, mobile application management, and desktop and application virtualization. These can indeed play a role in an organization's BYOD strategy. But the move to the cloud can also help pave the way for BYOD, specifically because of the multi-tenanted nature of the cloud and the diversity of devices any given cloud service must support. BYOD, where homogeneity of endpoints likewise cannot be assumed, starts from those same assumptions.

The point is that cloud services aren't necessarily always a source of more pain when it comes to BYOD, though sometimes it may feel that way. There are, of course, security challenges with both BYOD and the cloud when viewed individually, but when used together, many times existing investments made in the cloud can help offset some of the security pain associated with BYOD -- especially when it comes to SaaS applications and data sharing.

About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.



How has adopting BYOD in conjunction with the cloud eased your organization's security woes?
I would broadly agree that cloud/SaaS deployments are typically developed with security principles prioritised, and by adopting this approach for BYOD users, the security risk is lessened or removed from the BYOD endpoint.
However, architecting the network and application deployment to make it as segregated and secure as possible ought to be a given anyway. Security best practices should always be applied: don’t let anyone have access to anything they don’t need to, not just by firewalling externally and internally between users and secure servers, but at a user rights level too.
Consideration should be made for secure operations from the ground up, so a hardened build standard for the platform and database system is essential, continuously monitored for vulnerabilities and potential breaches.
Mark Kedgley