BYOD – Risks and Mitigations

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. This helps attract employees and keep them happy. At the same time, it saves the company a few bucks, as it may not need to procure new hardware. But BYOD implies that employees can use their own devices to access and use corporate resources.

This brings security risks to an organisation:

  • People outside the company can get access.  Access by company outsiders can happen when devices are stolen or when people leave the company.
  • Devices leave the company environment.  Devices taken outside the company offices still carry important information and may be used to access insecure networks elsewhere.
  • Devices might not be updated with the latest security patches.  BYOD devices might not be protected as extensively as the devices that are under the direct control of the company's IT department.

To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it.  A well-thought-out BYOD policy allows an organisation to set rules that everyone understands, including the reasoning behind them, that is, why they are needed.
  • Have an active mobile device management solution.  Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
  • Use strong authentication and encryption methods.  Strong authentication enables an organisation to identify and hold accountable the owners of stolen devices. Encryption can also keep communications and data safe from prying eyes.

BYOD allows a more fluid and flexible working environment. At the same time, it pokes the perimeter of a company with new security risks. To mitigate these, a strong cybersecurity policy and clear security controls must be implemented, as we touched on in this article.


Docker Security Concerns

Docker is a popular platform for running OS-level virtualization instances known as containers. Flexible containerization is completely changing the way we build and maintain applications at scale.

With all this positivity and growth momentum, we must still keep information security in mind. Let’s take a look at four potential threats and strategies to help secure your container deployments:

1. Vulnerable images: Anyone can publish a new repository on Docker Hub, so check that you’re familiar with the project maintainer before deploying. Running untested builds from spurious sources may lead to the unintentional introduction of vulnerable components, or even malicious code execution. It is best to check the official Docker Store and “Certified” program, which offer a variety of assured and deployment-ready packages. Paid plans on the Hub feature a “Security Scanning” tool that can check images for known vulnerabilities.

2. IAM breaches: Cloud providers, such as Amazon Web Services, aim to provide hardened Identity and Access Management (IAM) role structures by default. These can be used in tandem with your Elastic Compute Cloud (EC2) instances, for example, to ensure your users have been issued the appropriate access rights as per the Principle of Least Privilege. When deploying containers, ensure that your registry is sufficiently protected, possibly with two-factor authentication.

3. Excess resource usage: By default, a Docker container has no resource constraints. As a result, actively deploying containers without resource limits could lead to severely degraded host performance. Make sure to set limits on memory, bandwidth and disk usage to mitigate performance issues. Such issues could also be caused by malicious code (such as denial-of-service code execution).

4. Container breakouts: An adversary that gains access to one of your containers should not be able to move laterally to other containers or the Docker host. However, Docker is evolving quickly and privilege escalation exploits may arise, so take care to build infrastructure with a layered defense-in-depth approach in mind.
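
To check point 3 on a running host, the following added example (not part of the original article) audits `docker inspect` output for containers that still run with Docker's default of no resource constraints. The sample JSON is constructed for illustration, and the CPU and PID checks go beyond the memory and disk limits named above.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output;
# container names and values are made up for this example.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "HostConfig": {"Memory": 536870912, "NanoCpus": 1000000000,
     "CpuQuota": 0, "PidsLimit": 200,
     "BlkioDeviceWriteBps": [{"Path": "/dev/sda", "Rate": 10485760}]}},
  {"Name": "/batch", "HostConfig": {"Memory": 0, "NanoCpus": 0,
     "CpuQuota": 50000, "PidsLimit": null, "BlkioDeviceWriteBps": null}},
  {"Name": "/legacy", "HostConfig": {"Memory": 0, "NanoCpus": 0,
     "CpuQuota": 0, "PidsLimit": -1, "BlkioDeviceWriteBps": []}}
]
""")

def missing_limits(container):
    """Return the resource limits that are unset for one inspected container."""
    hc = container.get("HostConfig") or {}
    missing = []
    if not hc.get("Memory"):                  # 0 or absent means unlimited memory
        missing.append("memory")
    # CPU is capped either by --cpus (NanoCpus) or by --cpu-quota (CpuQuota).
    if not hc.get("NanoCpus") and (hc.get("CpuQuota") or 0) <= 0:
        missing.append("cpu")
    pids = hc.get("PidsLimit")
    if pids is None or pids <= 0:             # null, 0 and -1 mean unlimited PIDs
        missing.append("pids")
    if not hc.get("BlkioDeviceWriteBps"):     # null or [] means no write throttle
        missing.append("disk-write-rate")
    return missing

def audit(containers):
    """Map container name to its missing limits, skipping fully limited ones."""
    report = {}
    for c in containers:
        gaps = missing_limits(c)
        if gaps:
            report[c.get("Name", "?").lstrip("/")] = gaps
    return report

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INSPECT).items():
        print(f"{name}: no limit on {', '.join(gaps)}")
```

On a real host, replace the sample with the JSON printed by `docker inspect $(docker ps -q)`.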