In a recent blog, we discussed the definition of a data breach, concluding that the consensus is moving toward a broader definition of the term. We also discussed how, in the strictest sense, it’s your defenses that are being breached—your data is being compromised when a “data breach” occurs.
This blog entry connects unsecured network access to increased risk for data compromise—commonly called a data breach—in a concrete way. We’re talking specifically about BYOD and guest devices, and failure to properly secure the way in which they connect to the network. When people discuss BYOD security, often they focus only on encryption for wireless data over the air. As we will see, that’s an important element, but it’s not the whole story.
Before we get started, please note that this is far from an exhaustive list of ways that improper security measures around network access can imperil sensitive data. And although our blog title references unsecured Wi-Fi, the first two points below are also relevant to devices that access the network over a wired connection.
Lack of role-based network access for BYOD and guest users leaves the door open for data breaches
Secure network access means access on a need-to-know basis. Not every breach is the stuff of hoody-wearing cybercriminals hiding in the shadows. Many data breaches come from unintended disclosure. Well-meaning stakeholders sometimes make mistakes and disclose data improperly. The more people that have access to a given set of data, the more likely someone will make that kind of mistake. As much as we don’t like to think about it, stakeholders can also disclose sensitive data intentionally.
A sound data governance strategy requires that users should be able to access only those network resources appropriate to their role in the organization. Policy-based controls are a cornerstone of such a strategy, and if you don’t enable these controls, it leaves the door open to data compromise. If you don’t have the means to define and manage policies to restrict access, the chance of a breach is greater.
Even within the organization, when someone not authorized to view certain data does so, that’s a breach. To pick a very specific example, call center employees should not have access to the server containing an Excel file with employee payroll data. Role-based policy capability for network access is essential, and lack of differentiated network access risks data compromise.
Failure to perform a security posture check for BYOD and guest users can lead to trouble, too
Most of us would agree that BYOD programs increase employee productivity. And visitors to most environments expect easy connectivity for their devices, just as employees do—whether the location is an office, government agency worksite, public venue, school, college or most anywhere. That’s a lot of unmanaged devices accessing the network—either over wireless or via a wired connection. IT teams don’t control those devices the way they can for IT-owned devices, and if not managed properly this can also leave the door open to a data breach.
Failure to perform an up-front security posture check before BYOD and guest devices connect is a risk area as well. Malware is one of the leading causes of data breaches—for example, keyloggers that capture every character typed into the keyboard of an infected device. You don’t want malware like that spreading into your environment. If you let an employee connect their BYOD laptop without checking that anti-malware has been installed, that’s a security hole that needs to be plugged. More than that, the malware signatures for that software need to be up to date. A security posture check during network onboarding can make sure that BYOD and guest devices employ basic security measures.
Most tech-savvy users of mobile devices have a PIN enabled on their phone or tablet. But imagine what would happen if an employee connects their BYOD phone to the network, and the phone thereby gains access to network resources housing confidential data. Suppose it’s a new phone and they don’t have a PIN enabled yet. Then someone steals the phone.
The network does not know the thief isn’t the employee, and the device can still access those same network resources. This is where lack of a security posture check leaves the door open to data compromise. A proper security posture check would have included remediation for that device—just require that employees have a PIN enabled before they can connect.
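The posture check with remediation described above, combined with the role-based network access from the earlier section, as an added example that is not Cloudpath’s code or API; the signature-age threshold, the role-to-network mapping and the device attribute names are constructed assumptions:

```python
"""Onboarding decision: device posture first, then role-based network assignment.

Assumed model (not any product's API): the onboarding system receives a few
posture attributes from the device and returns either a network to join or a
remediation list for a quarantine network.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MAX_SIGNATURE_AGE = timedelta(days=7)  # assumed policy: signatures older than this fail

# Constructed mapping from the user's role to the network segment they may reach.
# The call-center segment has no route to the HR file server holding payroll data.
ROLE_NETWORKS = {
    "employee": "corp-vlan",
    "call-center": "callcenter-vlan",
    "guest": "guest-vlan",  # internet only
}


@dataclass
class DevicePosture:
    owner_role: str
    anti_malware_installed: bool
    signature_date: Optional[date]  # None when the agent reports no signatures
    screen_lock_pin: bool


@dataclass
class Decision:
    allowed: bool
    network: Optional[str]
    remediation: List[str] = field(default_factory=list)


def evaluate(posture: DevicePosture, today: date) -> Decision:
    """Return the network to join, or a remediation list if the posture check fails."""
    problems: List[str] = []
    if not posture.anti_malware_installed:
        problems.append("install anti-malware")
    elif posture.signature_date is None or today - posture.signature_date > MAX_SIGNATURE_AGE:
        problems.append("update malware signatures")
    if not posture.screen_lock_pin:
        problems.append("enable a screen-lock PIN")
    if problems:
        # Failed posture: park the device on a remediation-only network.
        return Decision(False, "remediation-vlan", problems)
    network = ROLE_NETWORKS.get(posture.owner_role)
    if network is None:
        return Decision(False, None, ["unknown role: no access"])  # fail closed
    return Decision(True, network)
```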
Unencrypted wireless data traffic is another IT security hole
This section discusses a security hole that applies only to wireless access. Unless you encrypt data traffic in transit between wireless access points and devices, prying eyes can view it using commercially available network analysis tools, the same way anyone can spy on what you do over an open public Wi-Fi connection at the local coffee shop.
Of course, many websites are themselves encrypted these days. But often not all page components are encrypted, and users have no way of knowing which components those are. Mobile applications may or may not encrypt their data traffic. App developers have an incentive not to encrypt data traffic, because encryption imposes overhead on the back-end systems that support their apps.
In an enterprise environment, you might think anyone would be crazy not to encrypt wireless traffic over the air. But MAC authentication—one of the default methods for connecting devices—does not encrypt wireless data traffic. (Read more about the security flaws in default methods for network onboarding and authentication.) It’s also not unheard of for IT to provide one or more open SSIDs in some environments—if only for guest users—especially when the organization lacks a system for secure network onboarding. Whatever the circumstances, unencrypted data traffic is a risk area.
One way to plug these (and other) network security holes
Fortunately, you can easily plug these and other network security holes that result from unsecured access mechanisms. Just deploy a system for secure onboarding and network authentication. Here at Ruckus, we believe that our own Cloudpath Enrollment System offers the industry’s best combination of ease of deployment and powerful security features. If the security risks discussed in this blog concern you, now’s a great time to explore this offering—start with our new product overview video. Then dig deeper on the product page, where you can even request a live online demo when you’re ready.