Developing security policies for cloud-based BYOD environments

To ensure security in a cloud-based BYOD environment, you need a complete and unambiguous security policy. This article describes the potential risks surrounding jailbreak, shared device issues, and how to protect enterprise assets by developing a security policy that is appropriate for all devices.

Overview

Term of this article

Bes:blackberry Enterprise Server

BYOD: self-owned equipment

IaaS: Infrastructure as a service

Jailbreak: Avoid devices that restrict installation of applications and patches that are not allowed by device manufacturers.

MDM: Mobile Device Management

PaaS: Platform as a service

RFID: Radio Frequency identification

Rim:research in Motion,inc.

SaaS: Software as a service

Wireless eavesdroppers: Someone who uses a computer, smartphone, or PDA in a car to find a wireless signal in a unsecured network.

Walking wireless eavesdroppers: Similar to wireless eavesdroppers, but walking; a walking hacker, he connects his device to a Wi-Fi access point.

You can't jailbreak your BlackBerry like an iPad (and iPhone) user escapes your device. Unlike Apple, the BlackBerry allows a number of third-party applications to be used on the device. IPad users have escaped from their mobile phones to access certain types of applications, and BlackBerry users already have access to such applications. If the BlackBerry user does not find the Third-party software they want, they may try to jailbreak the BlackBerry Playbook, install Android and Apple software. Of course, they have to bear the risk of invalid escape equipment warranty.

There are two jailbreak methods that can break the security on the BYOD device and install a third-party application. The first approach involves user interaction with the device and does not allow a remote attacker to compromise user data or device integrity. The user must have the device and have a valid user certificate for the device. At a minimum, the user can make changes that require:

Share a device network to another device or computer (for example, via Myfi, an IPAD app that supports sharing as a WiFi hotspot)

As root user, access an authorized user account on the device

As an authorized developer, change the default settings for the device by entering the developer mode. If the user is not an authorized developer, the developer model may compromise integrity.

The second jailbreak method involves less user interaction. A remote hacker sends a software bug that uses a Web page to get root access on all devices. This situation occurs only when a user accesses a dangerous page.

Nightmare scenario #1: Infected BYOD

Bob's company allows him to use the personal BlackBerry as a recognized BYOD to access SaaS applications. The company did not ask Bob if there were any other personal devices. Bob didn't even tell the company he had a iPad2, a MacBook and a laptop at home.

One day at home

Bob broke out of his own iPad2 and then installed the MyWi as a WiFi hotspot for the following operations:

Use the personal Blackberry that your company allows as a wireless modem (via Bluetooth).

Connect his Macbook and notebook to iPad2.

All personal devices are connected to the Internet via WiFi.

Bob uses his laptop to access the Web page, which contains a malicious software bug. The flaw infects all devices through an IPad unencrypted wireless connection (connected to the corporate network).

Disconnect all devices from the WiFi connection to the corporate network, and Bob reconnect the infected BlackBerry and access the SaaS application as a stand-alone modem. Disconnect the device from the cloud when the application downloads the data to the BlackBerry.

The next day in the office

Bob goes back to the company to meet with C-level executives. When he opened his company's allowed BlackBerry, he found that the downloaded data and all the company information turned into useless rubbish, and it was too late, and the missing information included:

Corporate Contacts

Company Calendar

SaaS Access Information

Blackberry Login

See more highlights of this column: http://www.bianceng.cnhttp://www.bianceng.cn/Servers/cloud-computing/