“Compliance is not security, but security can be compliant – with a set of requirements and guidelines that ensure data is confidential to authorised users, has integrity, has not been changed or modified, and is available on demand,” says Anton Jacobsz, Managing Director at Networks Unlimited, an African value-added distributor of NETSCOUT solutions across the continent.
Compliance is about making choices to implement security controls in an organisation aimed at keeping data safe and secure, but also available. Critical data like customer lists and corporate secrets would be useless if it were not available to employees.
To protect data, think of all the bad things that could happen to the data, the devices it resides on, and the networks that connect those devices. This process is designed to identify risk and build a set of requirements that will mitigate it – in a threat model. Threat modelling identifies the resources of interest to hackers and thieves and brainstorms the feasible threats, vulnerabilities, and available security controls.
TechTarget defines it as a procedure for optimising network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial of service) or incidental (such as the failure of a storage device), and that can compromise the assets of an enterprise.
One must assume there will be attacks, because data has to be made available for use, and that one or more of those attacks will succeed. If you look at security as a process, it becomes a series of battles where you will win some, lose some, and hope you don’t lose a lot.
Some guidelines for managing and securing mobile devices in the enterprise are for IT to: restrict access to hardware and software; manage wireless interfaces, and monitor and report exceptions; require authentication to access company resources; and restrict app installation.
To meet the above goals, it is recommended to first identify the devices that an organisation intends to support in terms of their features, such as: network services including cellular, wireless, Bluetooth and Near Field Communication; and built-in, non-removable storage. Also consider external, removable storage (Flash memory, USB) and digital cameras.
Then, build a threat model for worst-case scenarios, followed by a compliance policy to combat them, covering: use of untrusted networks, interaction with untrusted systems, use of untrusted content over the network, and use of global positioning system and location services.
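As an added example (not from the article, and not a NETSCOUT or AirMagnet policy format), the Python below turns the device features and worst-case threats listed above into checkable controls and evaluates a constructed device inventory against them. The policy keys, device fields, device names and SSIDs are all assumptions made for this illustration; an empty findings list means the device meets the policy.

```python
"""Hypothetical BYOD compliance check.

Maps the threat-model items in the text (untrusted networks, untrusted
app sources, location services, unmanaged radios, removable storage,
missing authentication) onto controls that can be evaluated per device.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Controls derived from the guidelines above. Key names are assumptions
# for this example, not any vendor's policy schema.
POLICY = {
    "require_auth": True,                 # authentication before company resources
    "restrict_app_install": True,         # only the managed app source is trusted
    "allowed_wifi_ssids": {"CORP-WPA2"},  # constructed SSID; anything else is untrusted
    "disallow_location_services": True,   # GPS / location services off
    "restricted_interfaces": {"bluetooth", "nfc"},  # radios that must stay off
    "allow_removable_storage": False,     # flash / USB media not permitted
}


@dataclass
class Device:
    """One inventory record; fields are assumptions for this example."""
    name: str
    os: str
    screen_lock: bool            # stands in for 'authentication required'
    app_sources: Set[str]        # e.g. {"managed"} or {"managed", "sideload"}
    wifi_ssid: Optional[str]     # None when not associated to any network
    location_services: bool
    interfaces_on: Set[str]      # enabled radios beyond cellular and Wi-Fi
    removable_storage: bool


def evaluate_device(device: Device, policy: dict = POLICY) -> List[str]:
    """Return the list of policy violations for one device."""
    findings = []
    if policy["require_auth"] and not device.screen_lock:
        findings.append("no authentication: screen lock disabled")
    untrusted_sources = device.app_sources - {"managed"}
    if policy["restrict_app_install"] and untrusted_sources:
        findings.append(f"untrusted app sources: {sorted(untrusted_sources)}")
    if device.wifi_ssid and device.wifi_ssid not in policy["allowed_wifi_ssids"]:
        findings.append(f"untrusted network: {device.wifi_ssid}")
    if policy["disallow_location_services"] and device.location_services:
        findings.append("location services enabled")
    radios = device.interfaces_on & policy["restricted_interfaces"]
    if radios:
        findings.append(f"restricted wireless interface enabled: {sorted(radios)}")
    if not policy["allow_removable_storage"] and device.removable_storage:
        findings.append("removable storage present")
    return findings


def compliance_report(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its findings; an empty list means compliant."""
    return {d.name: evaluate_device(d) for d in devices}


def noncompliant_devices(devices: List[Device]) -> List[str]:
    """Names of devices with at least one finding, for the exception report."""
    return sorted(name for name, f in compliance_report(devices).items() if f)


# Constructed inventory used to exercise the checks.
INVENTORY = [
    Device("sales-phone-01", "android", True, {"managed"}, "CORP-WPA2",
           False, set(), False),
    Device("contractor-tablet", "android", False, {"managed", "sideload"},
           "CoffeeShop-Free", True, {"bluetooth"}, True),
    Device("exec-phone", "ios", True, {"managed"}, None, False, {"nfc"}, False),
]

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY).items():
        status = "OK" if not findings else "NONCOMPLIANT"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Each control is a direct answer to one threat in the model, so when the policy changes (a new trusted SSID, a radio that becomes managed) only the `POLICY` entry changes and the evaluation stays the same; the exception list from `noncompliant_devices` is what the "monitor and report exceptions" guideline would feed.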
“We have realised that organisations across Africa are faced with the challenge of developing a WiFi compliance policy. NETSCOUT’s AirMagnet solutions in the region can however play an active role by enabling detection, planning, compliance monitoring and troubleshooting of all smart devices, thereby successfully harmonising BYODs into an organisation’s IT, governance and security infrastructure,” concludes Jacobsz.