The Use Of Computers In Enterprises


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work witten by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The use of computers in enterprises has come a long way in terms of evolution of computers in the corporate environment.

Looking at the history of personal computers and how they have evolved over time as mass-market consumer electronic devices, this history may be effectively traced to sometime around 1977 with the discovery/development of microcomputers, even though some mainframe computers had been applied as single-user systems earlier (Wikipedia, 2011).

In the early days, computers were very expensive and exclusive devices, which were acquired only by large enterprises that could part with a "premium" for the purchase of computers. Back then, computers were designed and developed mainly as mainframe systems. They required an awful lot of skill and specialization to be able to operate them.

Due to the high costs and relatively steep skill requirements to operate computers, they remained a "corporate technology" for several years with most computer implementations in educational, government or corporate environments. Even at that, it was organizations with deep pockets that could afford the "luxury" of computer ownership.

During this period (in the 1950’s), computers were generally used for commercial and scientific purposes and as a result, the major computer manufacturers did not commit sufficient resources to the development of small competitive computer systems.

In all of this, as far back as 1945, when most of the activities related to computer development and use were linked to large mainframe computers, there is a record of a prediction by Vannevar Bush in an article, "As We May Think", describing a "future device for individual use" called "Memex", "in which a person stores all his books, records and communications… that may be consulted with exceeding speed and flexibility" (Allan, 2001).

At the time, computers were standalone infrastructures with limited or no connectivity to other computers. The security requirements were at most basic: you practically needed physical access to the mainframe systems or, at the least, to one of the terminals to be able to access the mainframes.

Until the early 1970s, most of the efforts to provide computer security had been centered on environments where all persons coming in contact with the systems shared a common clearance, and where the principal effort for computer security had been directed at providing procedural controls, especially those associated with external (physical) access to the computer systems and their files and proper marking of the information found on the systems (Anderson, 1972).

Security was primarily about protecting the "physical" mainframe systems from unauthorized access.

Entry of Security and Risk Management to Computer systems

As computer systems continued to grow and develop in terms of functionality, processing power and storage capability, the dependence on computer systems also grew in like manner. The importance of and need for secure computer programs started becoming a front-burner issue. Also, there was a growing need to provide shared use of computer systems; these computer systems (mostly implemented in government, military and educational environments) contained information resources with different sensitivity/classification levels.

Computer security started becoming a serious issue for organizations using computers, as the need grew to protect the information on the systems and to ensure that users of the system were not accessing information resources that they shouldn’t be accessing.

Research into operating system access controls was beginning to gain ground by the early 1970s, as access control was seen primarily as the basis for computer security. Several models were being developed, and the period 1972 – 1974 was characterized by a significant increase in computer security issues (The MITRE Corporation, 1976).

Over time, personal computers gained increasing popularity and were showing up in homes at a very rapid rate. Despite the fact that these personal computers were still in early stages of development compared to what exists today, the world didn’t know better, and so they were adequate for the need.

By that time, security and risk management in computer systems had gone beyond access controls to application security and OS security. Networks were being developed and the Internet was gaining ground. Portable computers were gaining a lot of ground with the increasing popularity of laptops and other portable computers. Computer security was no longer "just" about physical access and secure applications and operating systems. The idea of the enterprise perimeter was born. Organizations were quickly beginning to realize that in order to keep their information systems secure and to protect them from unauthorized access, especially from outside threats, the perimeter of the enterprise had to be secured.

Since the organization typically provided the workstations accessing its perimeter, it was very easy and convenient for the security administrators to configure the workstations to a standard configuration that ensured that the security administrators had effective control over what was done on the workstations. Moreover, the majority of workstations were desktop computers, which never left the enterprise perimeter. It was therefore safe to assume that the perimeter of the enterprise was the "safe" zone and that any system within the perimeter was (or could be) protected using the enterprise defense systems, which typically included firewall appliances, proxy servers, antivirus and anti-malware applications, Active Directory and group policies, etc.

For IT administrators and security administrators at the time, risk management in the enterprise network as regards the "infrastructure" was controllable as long as the systems deployed to users were properly set up (including all necessary hardening features applicable), based on the risk that was being addressed. Users typically did not have administrative privileges on their systems and so could not change security settings unless explicitly permitted to do so. Confidential data could be kept within the enterprise by applying the appropriate information classification and handling policies of the enterprise to the enterprise-owned systems.

The Consumerization of IT – the arrival of BYOD

Over the years, the price of personal computers became more affordable, resulting in end-users being able to afford and own computer systems, in some cases faster and newer computers than the organization they worked for offered. The success of the Apple MacBooks (which at the time were rarely the enterprise choice for workstations, and probably still are not today), combined with their aesthetics in look and feel and their tendency to attract a fanatical following, also contributed in part to this trend. This, besides the email and document processing smartphones that were plaguing the enterprise messaging and collaboration services, made it difficult for the IT and security administrators to stem the tide of what is often referred to as the consumerization of IT. This led to situations where personal computing devices began to encroach on the corporate environment. Some of it was born out of the need of certain users to be more productive by doing some work at home on personal computers.

In the same vein, executives were acquiring new mobile devices ranging from Blackberries to smart phones, tablet devices etc. and were requesting to have them configured for use on the enterprise infrastructure.

Not surprisingly, the initial tendency was for the IT and Security administrators to refuse, saying: "that’s not consistent with our policy"! This kind of resistance often meant one of two outcomes:

IT & Security administrators resist & the users research workarounds

IT & Security administrators yield to the pressure

IT & Security Administrators resist & the users research workarounds:

Whenever the choice was to resist, users, because of their natural tendency to accept change, would typically look for workarounds to ensure that they got their systems connected to the enterprise information systems. This could extend from getting corporate email on personal computers, smartphones, tablet devices, etc. to getting their personal computers connected to the enterprise LAN.

This scenario resulted in a new type of threat to the enterprise network. The "inquisitive insider" threat was beginning to put the enterprise at risk. IT and security administrators could no longer focus only on the perimeter defense systems for protection of the enterprise systems; they had to shift to "endpoint" protection and also had to focus on dealing with the insider threat.

IT & Security administrators yield to the pressure

Alternatively, the IT administrators either yielded readily or submitted under the pressure from users to get their devices hooked up to the enterprise. Some of it was born out of an understanding that the employees were genuinely trying to be more productive by doing some work at home using home computing resources. In some cases, it was mainly the upwardly mobile executives, with the resources to acquire the newest gadgets and request them to be connected to the enterprise information systems for enhanced productivity on the move, that drove such initiatives into the culture of the enterprise.

Gradually, IT and security administrators started providing support to end-user devices ranging from smartphones to personal computers; the alternative wasn’t working, as the volume of the influx was clearly overwhelming.

When employees bring their devices to the enterprise and use them to share files outside the office, it becomes difficult for IT and security administrators to maintain visibility and control. With this trend, users request to use the technologies of their choice within the enterprise; this kills enterprise standardization. It is a symptom of a "shift" in the expectations of users in workplaces. This rapid shift in the expectation of workplace users to be permitted to bring their own devices/technologies to the workplace is what has now become popularly known as "Bring Your Own Device" (BYOD).

Benefits and challenges of BYOD

While it is easy to blame the vendors that develop consumer products (Apple, Google, Blackberry, Samsung, etc.) for setting the stage for the consumerization of IT by building sufficient enterprise support into their products, the blame game misses the point that BYOD is a reflection of changes that have come to stay in the way enterprise information systems are deployed. The development of very easy-to-use personal devices has encouraged users to "own" and "desire to use" their personal devices within the enterprise workspace.

Today’s IT users are more technically savvy and sophisticated than ever before. They go for the technologies they prefer if they perceive that the technologies provided by the enterprise do not meet their needs (some of such needs could be controversial e.g. rigid IT Security policies).

Age is another significant factor in the consumerization of IT. A certain percentage of the current day workforce has always had technology all their lives. They grew up not knowing a world without the Internet. This "Internet-generation" often brings innovation and fresh ideas to the workplace, yet often want immediate gratification. They are usually unwilling to wait for a few months for the latest technologies and generally display a huge (sometimes overly) tendency for early technology adoption.

Although there may be benefits like greater productivity (e.g. having email on the go, saving work to personal clouds and being able to access and update it on several disparate devices, etc.), there may be some direct conflict between personal devices and the organization’s IT security policies. Such conflicts tend to put information systems at risk.

Project Objectives - Risk Management in BYOD environment

For a lot of enterprises, when it comes to enterprise operations, the tendency is to take a device-centered approach to information systems. This approach largely remained effective when all employees were constrained to the employer-supplied computers and information systems. With this approach, there usually would be some standardization in the type and configuration of the end-user systems. This standardization combined with centralization of administration and control made it easy for IT Security administrators to manage the risk to information systems.

Some of the end-user system management initiatives in the centralized administration were focused on securing the image on the systems – this was relatively easy to achieve as the computer systems were usually connected to the corporate network anyway. This image provided a standard configuration that contained the OS, applications, data and personal settings required for effective day-to-day operation in the enterprise.

Today, the enterprise landscape has changed, presenting a complex computing landscape with a substantial number of users working with several disparate devices all accessing the enterprise information systems and simultaneously accessing the internet as well as other uncontrolled networks. These systems typically run all sorts of un-managed and unstandardized applications from all sorts of sources.

In order to be able to effectively manage information security in such an environment, a BYOD environment, IT security administrators need to develop a user-centered strategy towards information risk management.

Information security deals with the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved (BS ISO/IEC 27001, 2005).

Risk management on the other hand is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions (NIST SP 800-30, 2002).

Information Risk management therefore deals with coordinated activities to direct and control an organization’s information systems with regards to risk.

This project aims at developing an effective information risk management framework for managing risks in an environment where BYOD is implemented.

Introduction to BYOD

The increasing trend for anytime, anywhere network access in the corporate workplace has actively promoted the use of personal mobile devices (laptops, smartphones, tablets, storage devices, etc.) (Aruba Networks Inc., 2012). This trend has promoted the entrance of these devices into the corporate workplace and educational institutions in quite significant numbers (Vanson Bourne, 2013). Some employees expect to use their personally selected smartphones, tablets, laptops, and other devices from Apple, Google, Research In Motion (RIM) and other platform providers for work and are actively promoting the trend (Forrester Consulting Inc., 2012).

Email appears to be one of the favorite mediums for corporate communication. It was widely accepted by the business community as the first broad electronic communication medium and was the first 'e-revolution' in business communication (Wikipedia, 2013). An attempt by employees to have mobile email for increased productivity easily results in the use of their personal devices for email communication.

As the functionality of mobile phones increases, their capability for corporate workplace information processing also increases. This trend can be extended to other employee-"acquirable" technologies (storage media, laptops, tablet devices, cloud storage, etc.). An increase in this trend is being experienced in the area of IT where consumer-owned, privately-used information technology, including social networking, cloud storage, mail, smartphones, tablets, etc., is becoming part of professional IT, now known as the consumerization of IT (COIT) (ENISA, 2012).

According to the European Network and Information Security Agency (ENISA), BYOD can be considered as the device-centric part of COIT (ENISA, 2012). It is the trend where, with the permission and support of IT and security administrators, employees use their privately owned devices for job-related activities. It is worthy of note that the IT administrators actually permit and/or support the use of the devices for business information processing.

When employees bring their own devices to the corporate workplace, the devices come relatively uncontrolled compared to the enterprise policies. The devices come in many forms, shapes and sizes and vary in functionality and capability. These devices can very broadly be categorized into the following:

Smart Phones

Tablets and handheld devices

Laptops and PC’s

Storage devices

Smartphones:

These devices are the commonest devices appearing within the enterprise perimeter. A 2011 survey in the United States by the CTIA revealed that there are more mobile phones than humans (CTIA - The Wireless Association, 2011). People generally take their smartphones with them wherever they go and gradually lean on the functionality and capability of the smartphones for extra productivity. Such entrants usually start with employees trying to get corporate email on their mobile devices; when refused, they begin to forward corporate email to personal email boxes (Yahoo, Gmail, etc.). Eventually, executives and senior management start asking for similar access and the rest becomes history: IT eventually begins to support smartphones.

Tablets and Handheld Devices:

Tablets are very similar to smartphones but often have the advantage of larger screens and, possibly, more processing power and storage capacity. They are able to deliver on most of the functionality of smartphones but tend to offer the benefit of being more comfortable on the eyes for most users and longer lasting battery life. They also tend to offer more in terms of relevant applications for basic document processing. Tablets tend to be a favorite for executives and gamers. Thanks to the iPad and Android tablets alike, a lot of mobile surfing, emailing and minor document processing is happening on tablet devices with several hundreds of thousands of applications to choose from.

Laptops and PC’s:

Computers are, by far, the most popular devices for delivering day-to-day work in the enterprise. They have also become so ubiquitous that a very significant number of enterprise workers can boast of owning a computer at home. Due to the way we generally work with computers, we tend to develop a "certain" relationship with these devices that are at the core of our day-to-day life. Processing power, unavailability of applications or just sentimental attachment are some of the reasons that users tend to bring their personal computers (laptops especially) to the enterprise network. Personal computers being used by employees at work for official purposes can be on par with or higher in capability than their enterprise-provided counterparts. They can therefore do as much as the enterprise-provided workstations while having less enterprise protection.

Storage Devices:

With rapid developments in computer storage technologies, the last decade has seen a rapid evolution from 2.5" 1.44Mb to almost invisible 64GB flash drives. Portable storage devices have been at the heart of several high It is therefore no surprise that Wikileaks and like organizations are getting a lot of confidential corporate and state information shipped out of the enterprise perimeter and state networks without authorization.

In 2010, TheGuardian.co.uk reported about how an innocuous-looking memory stick, no longer than a couple of fingernails, came into the hands of a Guardian reporter early in 2010. The device was so small it would hang easily on a key ring. But its contents sent shockwaves through the world's chancelleries and delivered what one official described as "an epic blow" to US diplomacy (Leigh, 2010).

All of these broad categories of personal devices appearing within the enterprise environment are being used for both personal and business purposes. However, the sensitivity and criticality of business and personal information on these devices can vary by a very wide margin, yet they are handled in the same way. They are continuously being adopted in business environments and in some cases have become an integral part of, or a convenient extension of, the business enterprise information systems.

In a recent SANS Mobility/BYOD Security Survey of over 500 IT professionals, only 9% of the respondents "felt" completely aware of all the mobile devices accessing their enterprise infrastructure (Johnson, 2012). This raises the following questions:

How does one manage what he has no awareness of?

What really is the risk associated with employees bringing their own devices to the enterprise?

What risks are organizations faced with that embrace BYOD?

The Information Security Objectives

Taking a closer look at the ISO27001 definition of information security and its key properties: information security deals with the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved (BS ISO/IEC 27001, 2005).

Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity: the property of safeguarding the accuracy and completeness of (information) assets.

Availability: the property of being accessible and usable upon demand by an authorized entity.

Authenticity: the ability to ensure that the information originates from, or is endorsed by, the source to which that information is attributed (Tipton & Henry, 2007).

Accountability: the property that ensures that the actions of an entity may be traced uniquely to the entity

Repudiation: denial by one of the entities involved in a communication of having participated in all or part of the communication.

Reliability: The probability that a system or service will perform in a satisfactory manner for a given period of time when used under specific operating conditions (Tipton & Henry, 2007, p. 966)

For the purpose of this report, the focus will be mainly on confidentiality, integrity and availability of information. These three information security objectives are the core of information security and are referred to as the information security triad, the CIA triad.

Information Security Risks associated with BYOD

Confidentiality:

The risk to confidentiality of information, from the definition above, is the unauthorized disclosure of information. Breach of confidentiality is a major risk area with BYOD adoption. There are many ways in which BYOD puts the confidentiality of information at risk. Theft, loss or sharing of personal computing devices are some of the ways in which BYOD devices put the confidentiality of information at risk.

Due to the size and mobility of BYOD devices, it is all too easy for the devices to be lost or stolen; this means that all the information on the device is "physically" available to a third party the moment the device is lost or stolen. With tiny thumb drives carrying several gigabytes of data around, the information disclosed may be quite substantial.

Besides loss and theft, there is an increasing trend in information and device sharing, strongly promoted by social media. In an effort to gain a following on social media, employees are increasingly releasing and publishing content on social media channels. Use of their personal devices means that the controls put in place by the information security team to restrict access to some social media sites are thwarted. Smartphones are being used to take high-resolution pictures of confidential documents, which are then sent out of the enterprise without any of the enterprise defense systems being able to stop them. Information is being released on social media sites even before it gets finalized, with a corresponding insider threat to confidentiality.

Whenever the confidentiality of information is breached, it is almost always impossible to "undo" the impact. How does one un-learn what he has already learnt? How does one recover electronic information that is already in unknown locations? A case in point is the recent US cable leaks by Wikileaks. The moment the information was released on the Internet, it was accessed, downloaded and stored by everyone on the Internet that had any form of interest in its content. It was immediately impossible to undo the damage that had been done.

Integrity:

Integrity deals with the completeness and accuracy of information. Any unauthorized modification of information, or modification by an authorized party in an unauthorized way, is a compromise of the integrity of information. With portable media devices traversing from the controlled enterprise perimeter, with all its defense systems (antivirus, proxy servers, content filtering gateways, firewall appliances, network security zones, etc.), to less-controlled (sometimes uncontrolled) user/public environments, the tendency for information-modifying malware to infect and alter information increases. Employees copy corporate information to physical or cloud storage, or even send it via email to their devices, to work on at a later time. This compromised information then finds its way back into the enterprise, having attached itself to personal information systems, emails, etc.

Sometimes, unauthorized modification can be the result of processing on disparate applications across multiple platforms. Consider a scenario in which an MS Excel spreadsheet containing (validated) sensitive data is edited in a document processing application installed on a tablet device that doesn’t support some of the functions or formulas used to validate the contents of the spreadsheet as prepared on the authorized enterprise document processing application. The app installed on the tablet therefore truncates all unsupported content, leaving the resulting document inaccurate.

Availability

Since September 2011 (a.k.a 9-11) many organizations have come to realize the importance of business continuity and disaster recovery initiatives. To this end, policies and processes and technology get deployed to ensure that critical business services are able to resume after significant incidents. However, whenever personal information systems are used in the enterprise environment, they typically don’t get included in the business continuity and disaster recovery plans. As such, an employee using his personal laptop for office work may not be getting his critical work files backed up along with those of the enterprise systems, which are centrally managed. The day the laptop fails or gets missing and the contents are no longer accessible, all non-backed up critical information may be lost forever resulting in a compromise of availability.

Opportunities (Potential benefits) associated with BYOD

It is worth acknowledging that BYOD is not exclusively associated with threats to information systems; rather, there are quite a number of benefits associated with BYOD. Some of them are listed below:

Cost savings for the organization due to less expenditure for procuring information systems (laptops, smart phones, storage devices, scanners, additional employee internet subscriptions to work from home etc.)

More productive workforce –teleworking, ability to work from home and remote places

Cost savings on deployment of remote access connectivity for workforce to access work files from remote locations due to employee owned cloud storage services

Increased operational efficiency due to increased employee productivity at no additional costs to the organization.

Less user support requirements as employees are often capable of providing first line of support for their own devices/technologies.

BYOD Risk Assessment

Risk Assessment Parameters

In order to be able to effectively manage the risks associated with adoption of BYOD, it is important to clearly understand the risks. According to NIST, risk assessment is the first step towards risk management (NIST SP 800-30, 2002).

We therefore proceed to perform a scoped risk assessment exercise, based on NIST SP 800-30, on the earlier identified categories of BYOD devices. This assessment would give some informed insight into the details of the risks associated with BYOD and help direct risk management efforts towards the desired objectives. The adopted risk assessment process, as borrowed from NIST SP 800-30, is summarized in the flow diagram below.

Figure: NIST Risk Assessment Process Flow Chart (NIST SP 800-30, 2002)

To successfully conduct the risk assessment exercise, there is a need to define some risk assessment parameters. The following parameters are therefore defined for the purpose of this assessment:

Information/Data Classification

Likelihood

Impact Severity

Information Classification

Public: Information that is safe to be disclosed to the public.

Internal Use Only: Information that is safe to be circulated/disclosed internally within the organization but not permitted to be disclosed to external parties.

Confidential: Information that needs to be disclosed strictly on a need-to-know basis.

Likelihood Ratings

High: Likely to occur once every six months or less. The threat-source is highly capable and motivated, AND controls to prevent the threat-source exploiting the vulnerability are deficient.

Medium: Likely to occur once every year. The threat-source is capable and motivated, BUT controls in place may impede the threat-source exploiting the vulnerability.

Low: Likely to occur two to three times every five years. The threat-source lacks capability and motivation, OR controls to prevent (or significantly impede) the threat-source exploiting the vulnerability are in place.

Impact Ratings

Low: A breach/compromise of the asset will have a minor effect on the system/supported business operations and will require minimal effort to repair or reconfigure the system.

Medium: A breach/compromise of the asset may cause damage to the reputation of the business/system management, and/or notable loss of confidence in the business and services, as the asset is considered "mission critical" to business operations. Service would be significantly degraded. It will require expenditure of significant resources to repair.

High: A breach/compromise of the asset may cause an extended business or system outage or permanent shutdown, resulting in the need to consider implementing processing recovery plan options. It may also result in complete compromise of business, information or customer services.

Risk Ranking Matrix

Rows: Likelihood (L). Columns: Impact Severity Level (Potential Impact on Business Operations) (I).

Low

Medium

High

Medium

High

Medium

Low

Medium

Low

Low

Low
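The ranking matrix above combines a likelihood rating and an impact rating into a risk level. The Python block below is an added worked example, not part of the original essay, showing how such a matrix is applied to a register of BYOD scenarios built from the essay's own device categories, information classifications and CIA objectives. It assumes the numeric weights of NIST SP 800-30 (2002), the document the essay says it borrows its process from: likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk High above 50, Medium above 10 and up to 50, Low otherwise. Those weights are NIST's convention, used here in place of the essay's own matrix cells, and every likelihood and impact rating in the register is an illustrative judgement rather than a figure from the essay.

```python
"""BYOD risk-ranking worked example (added illustration, not the essay's own).

Assumes the NIST SP 800-30 (2002) qualitative weights: likelihood High=1.0,
Medium=0.5, Low=0.1; impact High=100, Medium=50, Low=10; risk level High
(>50), Medium (>10 to 50), Low (<=10). The scenario register is constructed.
"""
from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class Scenario:
    device: str          # BYOD device category from the essay
    classification: str  # Public / Internal Use Only / Confidential
    objective: str       # Confidentiality / Integrity / Availability
    likelihood: str      # High / Medium / Low (assessor's judgement)
    impact: str          # High / Medium / Low (assessor's judgement)


def risk_score(likelihood: str, impact: str) -> float:
    """Multiply the numeric weights of the two qualitative ratings."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """Map a score back onto the three-level scale of the ranking matrix."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def ranking_matrix() -> dict:
    """Expand the full Likelihood x Impact matrix as {(L, I): level}."""
    return {
        (lik, imp): risk_level(risk_score(lik, imp))
        for lik in LIKELIHOOD_WEIGHT
        for imp in IMPACT_WEIGHT
    }


def assess(register):
    """Score every scenario and return them ranked, highest risk first."""
    rows = []
    for s in register:
        score = risk_score(s.likelihood, s.impact)
        rows.append({"scenario": s, "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def worst_level_by_classification(assessed):
    """Highest risk level reached for each information classification."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    worst = {}
    for r in assessed:
        c = r["scenario"].classification
        if c not in worst or order[r["level"]] > order[worst[c]]:
            worst[c] = r["level"]
    return worst


# Constructed register of BYOD scenarios; ratings are illustrative judgements,
# not figures taken from the essay.
REGISTER = [
    Scenario("Smartphone", "Confidential", "Confidentiality", "High", "High"),
    Scenario("Smartphone", "Internal Use Only", "Confidentiality", "High", "Medium"),
    Scenario("Smartphone", "Public", "Confidentiality", "High", "Low"),
    Scenario("Storage device", "Confidential", "Confidentiality", "High", "High"),
    Scenario("Tablet", "Confidential", "Confidentiality", "High", "High"),
    Scenario("Laptop", "Confidential", "Integrity", "Medium", "High"),
    Scenario("Laptop", "Confidential", "Availability", "Medium", "Medium"),
    Scenario("Tablet", "Public", "Availability", "Low", "Low"),
]

if __name__ == "__main__":
    for (lik, imp), level in sorted(ranking_matrix().items()):
        print(f"L={lik:<6} I={imp:<6} -> {level}")
    for row in assess(REGISTER):
        s = row["scenario"]
        print(f"{row['level']:<6} {row['score']:>5.1f}  "
              f"{s.device} / {s.classification} / {s.objective}")
    print(worst_level_by_classification(assess(REGISTER)))
```

Running it prints the expanded matrix, the ranked register and the worst level reached per classification. With the ratings assumed here the output agrees with the essay's conclusion that risk rises with information sensitivity; note that this follows from the impact ratings the assessor assigns per classification, not from the arithmetic itself, so the register is where assessment judgement has to be defended.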

Risk Assessment

Taking a close look at the output of the risk assessment, the following conclusions can be drawn:

Embracing BYOD has minimal risk implications on already public information; in rare cases of privileged user indulgence, there could be serious cases of Denial of Service or unauthorized modification of information.

Risk increases with the use of classified information on BYOD devices, with the impact increasing with the sensitivity of the information; in this case, confidentiality seems to have the highest impact.

Risk exposure is similar for internal use information and confidential information with the "impact" increasing with the information sensitivity.

Smartphones and tablet devices pose very similar threats to information systems when used as BYOD devices

Applicable Controls: ISO27001

The next step in the NIST risk management process is the recommendation of applicable controls. For this, the 133 controls in the ISO27001:2005 standard are evaluated for their applicability. All 133 controls in the ISO27001:2005 standard are pretty much generic and are supposed to be suitable for any type of organization irrespective of type, size or nature. The implementation specifics may however vary depending on the organization and the specifics of the risks being managed.

The ISO27001 standard follows the Plan-Do-Check-Act cyclic model of the ISO management standards, ensuring that the senior management team of an organization where ISO27001 is implemented is responsible for information security.


