For many years the Jericho Forum has been talking about de-perimeterisation. The basic premise is that as more services become cloud-oriented and are accessed with BYOD technology, large elements of the corporate data set are now stored outside the corporate perimeter.
In looking at the security of such a system, a fundamental question arises: can you trust the end-user devices themselves?
The article “In 2015, security will start with the handset” looks at some of the progress needed to make the handset trustworthy. But this seems a very different position from that of most organisations looking at BYOD, where the basic premise is (or should be) that the BYOD devices cannot be trusted, so you need to control the information flow to them.
I’d argue that, today, there is no single right answer – you need to assess the risks in the specific context of a specific situation.
A managed end-user device, in a controlled environment where all the updates have been applied, where an anti-malware solution operates, and with at-rest data encryption, could offer a perfectly suitable solution for accessing corporate data from a set of known applications.
On the other hand, a 3-year-old Android device that has never been patched and has been used to browse the Internet may not be a great choice for viewing secret data.
It all depends on understanding the risk, and understanding the risk requires understanding the specifics of the user handset. The document set “End User Devices Security and Configuration Guidance” is a really good starting point.
Can we help you with understanding the security risks of your device? An example of how we helped a customer boot their device securely can be found in the blog post “Booting Linux Securely”.
Today marks the beginning of an exciting week for me. I am on site at one of our major clients installing an Information Exchange Gateway demonstrator that I’ve been working on for the last few months. Over that time I’ve seen a growing amount of interest in Information Exchange Gateways (IEGs) from various military organisations, so I decided that it was the right time to start a mini series of blog articles on the topic. Continue reading “An introduction to Information Exchange Gateways”
Rather than bring you the 12 Days of Christmas, we’ve done the 12 Themes of 2014 instead! A look back at what has been making the headlines in the world of Information Security (and beyond) this year. Take a moment to relive the year… Continue reading “The 12 Themes of 2014”
As more and more people talk about security, I hear the terms threat, vulnerability, mitigation and risk used, often in what I believe is the wrong context.
There are lots of attempts to define the terms, write taxonomies, etc. There is little point in duplicating this; however, here is how I think about the terms…
Continue reading “Cyber Threat Glossary – By Example”
At home, I have invested in good quality locks on my doors and windows, conforming to the standard required by my insurance company. In addition to that I have also invested in an intruder alarm.
Continue reading “Why have I got an Intruder Alarm?”
Now that’s a catchy headline to get your attention! What does it mean, and why blog about it on Cyber Matters?
In short, the policy note published by the Cabinet Office today (26 September 2014) says that from 1 October the Cyber Essentials Scheme is mandatory:
Continue reading “UK Public Procurement Policy Note 09/14”
Last week I attended the IAAC Annual Symposium. One of the elements of the conference is a poster display where vendors and universities have the opportunity to display their latest research.
Continue reading “Information Based Security”
You will no doubt have seen by now the news that naughty photos of celebrities have appeared on the internet.
It’s the story that has everything – cyber security, the dangers of the cloud, online safety and a little bit of smut thrown in for good measure.
Continue reading “The Day the Technology and Entertainment News Headlines Were the Same: Hackers and Nude Celebs”