94 research outputs found

    Bring your own device: an overview of risk assessment

    Get PDF
    As organizations constantly strive to improve strategies for ICT management, one of the major challenges they must tackle is bring your own device (BYOD). BYOD is a term that collectively refers to the related technologies, concepts, and policies in which employees are allowed to access internal corporate IT resources, such as databases and applications, using their personal mobile devices like smartphones, laptop computers, and tablet PCs [1]. It is a side effect of the consumerization of IT, a term used to describe the growing tendency of the new information technologies to emerge first in the consumer market and then spread into business and government organizations [2]. Basically, employees want to act in an any-devices, anywhere work style, performing personal activities during work and working activities during personal time [2]. There are several risks associated with BYOD [3, p. 63], and the big gaps in BYOD policies adopted by today\u27s organizations [4, p. 194] show that the solution to BYOD is not well understood. This article establishes a background to understand BYOD risks by considering conditions that increase the occurrence of these risks and the consequences of the risks occurring. It then aims to present the most commonly adopted BYOD solutions, their limitations, and remedies, as well as important policy considerations for successfully implementing them

    Capturing Policies for BYOD

    Get PDF

    Consumerization of IT: Risk Mitigation Strategies and Good Practices. Responding to the Emerging Threat Environment.

    Get PDF
    This report presents security policies that can be deployed to mitigate risks that are related with the trend of Consumerization of IT (COIT) and Bring Your Own Device (BYOD). The aim of this document is to identify mitigation strategies, policies and controls for the risks identified in this area

    Secure portable execution and storage environments: A capability to improve security for remote working

    Get PDF
    Remote working is a practice that provides economic benefits to both the employing organisation and the individual. However, evidence suggests that organisations implementing remote working have limited appreciation of the security risks, particularly those impacting upon the confidentiality and integrity of information and also on the integrity and availability of the remote worker’s computing environment. Other research suggests that an organisation that does appreciate these risks may veto remote working, resulting in a loss of economic benefits. With the implementation of high speed broadband, remote working is forecast to grow and therefore it is appropriate that improved approaches to managing security risks are researched. This research explores the use of secure portable execution and storage environments (secure PESEs) to improve information security for the remote work categories of telework, and mobile and deployed working. This thesis with publication makes an original contribution to improving remote work information security through the development of a body of knowledge (consisting of design models and design instantiations) and the assertion of a nascent design theory. The research was conducted using design science research (DSR), a paradigm where the research philosophies are grounded in design and construction. Following an assessment of both the remote work information security issues and threats, and preparation of a set of functional requirements, a secure PESE concept was defined. The concept is represented by a set of attributes that encompass the security properties of preserving the confidentiality, integrity and availability of the computing environment and data. A computing environment that conforms to the concept is considered to be a secure PESE, the implementation of which consists of a highly portable device utilising secure storage and an up-loadable (on to a PC) secure execution environment. The secure storage and execution environment combine to address the information security risks in the remote work location. A research gap was identified as no existing ‘secure PESE like’ device fully conformed to the concept, enabling a research problem and objectives to be defined. Novel secure storage and execution environments were developed and used to construct a secure PESE suitable for commercial remote work and a high assurance secure PESE suitable for security critical remote work. The commercial secure PESE was trialled with an existing telework team looking to improve security and the high assurance secure PESE was trialled within an organisation that had previously vetoed remote working due to the sensitivity of the data it processed. An evaluation of the research findings found that the objectives had been satisfied. Using DSR evaluation frameworks it was determined that the body of knowledge had improved an area of study with sufficient evidence generated to assert a nascent design theory for secure PESEs. The thesis highlights the limitations of the research while opportunities for future work are also identified. This thesis presents ten published papers coupled with additional doctoral research (that was not published) which postulates the research argument that ‘secure PESEs can be used to manage information security risks within the remote work environment’

    Capturing mobile security policies precisely

    Get PDF
    The security policies of mobile devices that describe how we should use these devices are often informally specified. Users have preferences for some apps over others. Some users may avoid apps which can access large amounts of their personal data, whilst others may not care. A user is unlikely to write down these policies or describe them using a formal policy language. This is unfortunate as without a formal description of the policy we cannot precisely reason about them. We cannot help users to pick the apps they want if we cannot describe their policies. Companies have mobile security policies that definehowan employee should use smart phone devices and tablet computers from home at work. A company might describe the policy in a natural language document for employees to read and agree to. They might also use some software installed on employee’s devices to enforce the company rules. Without a link between the specification of the policy in the natural language document and the implementation of the policy with the tool, understanding how they are related can be hard. This thesis looks at developing an authorisation logic, called AppPAL, to capture the informal security policies of the mobile ecosystem, which we define as the interactions surrounding the use of mobile devices in a particular setting. This includes the policies of the users, the devices, the app stores, and the environments the users bring the devices into. Whilst earlier work has looked on checking and enforcing policies with low-level controls, this work aims to capture these informal policy’s intents and the trust relationships within them separating the policy specification from its enforcement. This allows us to analyse the informal policies precisely, and reason about how they are used. We show how AppPAL instantiates SecPAL, a policy language designed for access control in distributed environments. We describe AppPAL’s implementation as an authorisation logic for mobile ecosystems. We show how we can check AppPAL policies for common errors. Using AppPAL we show that policies describing users privacy preferences do not seem to match the apps users install. We explore the di↵erences between app stores and how to create new ones based on policy. We look at five BYOD policies and discover previously unexamined idioms within them. This suggests aspects of BYOD policies not managed by current BYOD tools

    A Study of the Application of a Bring Your Own Device Strategy in an Elementary School

    Get PDF
    Numerous studies have been published on the efficacy of a Bring Your Own Device (BYOD) Acceptable Use Policy (AUP) at the U.S. secondary and postsecondary school levels to increase student access to technology. However, there is a lack of data on the efficacy of a BYOD AUP to increase elementary student technology access. The purpose of this descriptive case study was to determine if a BYOD AUP at the U.S. K-5 level would increase students\u27 access to technology as necessitated by the implementation of the Common Core State Standards (CCSS). This study was grounded in social transmission and transformative theories. The phenomenon of a northwest suburban elementary school BYOD implementation was examined by documenting the perceptions, attitudes, beliefs, lived experiences, and practices of administrators and teachers. This study used interview and classroom observation of a purposive selection of 3 elementary educators, the principal, and superintendent. Coding of data according to key words lead to analysis according to nodes and themes. Triangulation of multiple data sources and member checking helped to establish the credibility of data. Study findings documented increased access to technology for elementary students, best practices and steps to implementation. Study recommendations for elementary educators and administrators considering BYOD include consensus building, AUP, technology infrastructure, communications, professional development, classroom management, and lesson design to inform the field on elementary BYOD. Study findings facilitate social change by providing BYOD implementation recommendations, increasing elementary student access to technology at a reduced cost to districts and schools

    AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN

    Get PDF
    Campus networks have recently experienced a proliferation of devices ranging from personal use devices (e.g. smartphones, laptops, tablets), to special-purpose network equipment (e.g. firewalls, network address translation boxes, network caches, load balancers, virtual private network servers, and authentication servers), as well as special-purpose systems (badge readers, IP phones, cameras, location trackers, etc.). To establish directives and regulations regarding the ways in which these heterogeneous systems are allowed to interact with each other and the network infrastructure, organizations typically appoint policy writing committees (PWCs) to create acceptable use policy (AUP) documents describing the rules and behavioral guidelines that all campus network interactions must abide by. While users are the audience for AUP documents produced by an organization\u27s PWC, network administrators are the responsible party enforcing the contents of such policies using low-level CLI instructions and configuration files that are typically difficult to understand and are almost impossible to show that they do, in fact, enforce the AUPs. In other words, mapping the contents of imprecise unstructured sentences into technical configurations is a challenging task that relies on the interpretation and expertise of the network operator carrying out the policy enforcement. Moreover, there are multiple places where policy enforcement can take place. For example, policies governing servers (e.g., web, mail, and file servers) are often encoded into the server\u27s configuration files. However, from a security perspective, conflating policy enforcement with server configuration is a dangerous practice because minor server misconfigurations could open up avenues for security exploits. On the other hand, policies that are enforced in the network tend to rarely change over time and are often based on one-size-fits-all policies that can severely limit the fast-paced dynamics of emerging research workflows found in campus networks. This dissertation addresses the above problems by leveraging recent advances in Software-Defined Networking (SDN) to support systems that enable novel in-network approaches developed to support an organization\u27s network security policies. Namely, we introduce PoLanCO, a human-readable yet technically-precise policy language that serves as a middle-ground between the imprecise statements found in AUPs and the technical low-level mechanisms used to implement them. Real-world examples show that PoLanCO is capable of implementing a wide range of policies found in campus networks. In addition, we also present the concept of Network Security Caps, an enforcement layer that separates server/device functionality from policy enforcement. A Network Security Cap intercepts packets coming from, and going to, servers and ensures policy compliance before allowing network devices to process packets using the traditional forwarding mechanisms. Lastly, we propose the on-demand security exceptions model to cope with the dynamics of emerging research workflows that are not suited for a one-size-fits-all security approach. In the proposed model, network users and providers establish trust relationships that can be used to temporarily bypass the policy compliance checks applied to general-purpose traffic -- typically by network appliances that perform Deep Packet Inspection, thereby creating network bottlenecks. We describe the components of a prototype exception system as well as experiments showing that through short-lived exceptions researchers can realize significant improvements for their special-purpose traffic

    A Transformação Digital nas Pequenas e Médias Empresas: Utilização e impacto das tecnologias móveis e sociais no caso angolano

    Get PDF
    O desenvolvimento das tecnologias de informação e comunicação proporcionou à sociedade facilidades para a solução de muitas tarefas, bem como o aumento das vendas, expansão da marca e internacionalização das empresas. Interessadas em sobreviver no mercado, as pequenas e médias empresas recorrem a tecnologias de fácil utilização e de baixo custo, mas muito eficientes, para enfrentarem a competitividade num mercado composto por grandes empresas e com muitos recursos. As tecnologias móveis e as redes sociais, são as ferramentas que encaixam no perfil das pequenas e médias empresas. Esse trabalho, estuda a implementação e o impacto das tecnologias de informação e comunicação móveis, bem como das redes sociais, no seio das pequenas e médias empresas angolanas, além de avaliar até que ponto as empresas estão alinhadas com a tecnologia digital. Os resultados encontrados, mostram um setor muito distante da digitalização nos seus processos de negócio, e com uma exploração deficiente dos recursos que estas tecnologias oferecem para as empresas, assim como uma classe empresarial ainda muito distante de conseguir resultados positivos com a sua implementação no negócio. Os custos da Internet, a falta de Know-how dos colaboradores, a falta de alinhamento dos objetivos da empresa com as soluções tecnológicas e a inexistência de estratégias que garantam uma implementação inteligente destas tecnologias são as principais dificuldades que as pequenas e médias empresas enfrentam em Angola.info:eu-repo/semantics/publishedVersio
    • …
    corecore