WYOD: believe the hype?
As the popularity of wearable technology continues to grow, Nick Rines looks at the security issues universities will face
Every September a new student intake arrives at universities from all over the world equipped with a wide variety of IT devices. As consumers, they expect seamless and secure wireless availability for bring your own device (BYOD), and now wear your own device (WYOD). There is a belief by some that security measures are urgently needed by universities in order to avoid data breaches from WYOD, but others insist this is simply media hype.
BYOD reached critical mass in 2010 with the rapid sales of tablets, and with most students owning at least two devices requiring wireless connection this presents universities with network challenges rarely experienced outside campus environments.
Traditionally universities were able to offer personal communications a long way in advance of anything available domestically, but with the introduction of household wireless, this changed. As consumers, students now expect to have connections that are as good as those at home, coffee shops, fast food outlets, on trains and a myriad of other public places.
“We’d traditionally viewed wired as good enough for everybody,” said Brunel University Network and Data Centre Manager, Simon Furber, adding: “What became very clear was that wired wasn’t good enough. Wired was not their typical user experience.”
In 2012 Brunel’s student union insisted on wireless access before starting negotiations on 2013 rents. It was then recognised that a BYOD network was needed.
Brunel had worked with Cisco for many years, and turned to it for an integrated service with security built in. A complete package was provided that automated policy enforcement, security and authentication, and network management. It is not sensitive to what device is used, or how users connect.
An identity services engine (ISE) was applied, which can detect blacklisted users, and allows managers to see in real time who is on the network, along with the numbers and types of device. ISE is matched against Brunel’s active directory, and conference visitors are managed by a delegate management system, plus day guests are granted access by staff members.
Until now such systems have proved more than adequate, but they may reach a new level of need when WYOD starts to become adopted in a wholesale fashion, as it inevitably will. The problem is that there is no universal agreement on whether WYOD will come with new security problems, and if so what they are specifically.
At the moment Google Glass, smartwatches such as Pebble and iWatch, and fitness wearables are something of a novelty, but when students adopt wearable tech in patterns similar to tablets, as they are predicted to do, a new set of security challenges could be created. The big impact, if it comes, will be from visuals (glasses) and smartwatches through which tasks can be performed covertly and uploaded onto Dropbox or other outside services. But to a large degree this applies to smartphones and tablets.
Visuals present a unique challenge because they can record everything the wearer sees. It is not difficult to understand the security implications, and different types of wearables are on the way. Sony has filed a patent for a Smartwig. While this sounds comedic it is actually a serious proposition, and indicative of how far companies are prepared to go in developing wearable technology.
The security risk, of course, comes from data loss and device exploitation. This could be in the form of image capture, or the storage of data and other forms of sensitive information. While the actual user may have no malicious intentions there is no device that has not yet been hacked, and the potential losses of information could be very serious.
There is a school of thought that universities should consider a separate wireless network for wearables that cannot be connected to sensitive information. But to many this is an extreme and unnecessary measure.
According to a recent survey by network software specialists Ipswitch, most UK universities are unprepared for what WYOD will bring. Although 99% of those polled have invested in networks, most have no plan for dealing with WYOD.
Dr Kevin Curran, Reader In Computer Science at the University of Ulster, understands the challenges from both a technical perspective and as someone involved in daily campus life. “Wearables come with their own specific security challenges, but the principles of security apply to all mobile devices. The moment they are put down and out of sight they are vulnerable. What should be happening is the encouragement of users to create demarcation between what is personal and what is not, and on devices there should be a secure partition between the two,” said Curran.
“Most people use laptops and tablets for work and leisure. It is therefore helpful to create a mindset that recognises that these are two different activities that are only compatible in terms of the technology they sit within. Device containerisation is something that should always be strongly considered with the work side being properly protected.’
Curran advocated making sure students are fully aware of campus IT protocol. “Even with the best intentions it is human nature that this will not be 100% effective, but it is important to make students aware of security protocol at the earliest possible opportunity.”
Curran recommends the introduction of staff and student rules that include addressing specific situations. For example, if a device goes missing for whatever reason, the owner should report it and all relevant passwords changed. If a wipe is needed it should be built into the rules and known from the moment staff and students join a network.
In addition, he strongly advocates good planning. The potential for financial, legal and reputation damage is too high not to have robust policies, standards, procedures or technology functions, and monitoring in place. At the earliest opportunity everyone who uses a system should be made aware of the importance of protocol and their responsibilities.
According to Enni Carboni, Executive Vice President of customer solutions at Ipswitch, all wearable devices should be run through a security protocol. He also
said the inevitable proliferation of wearables will also raise other concerns. The sheer number of devices flitting on and off networks presents other data management problems. Data loads have to be monitored, and in order to avoid bottlenecks it means bandwidth has to be tracked. But this is true of smartphones, tablets and laptops.
Bob Tarzey, who has special focus on IT security and network systems management at IT research and analysis company Quocirca, believes that many people are overreacting to media scare stories. “I suspect over-excitement by the press is hyping this subject up. There is no need to panic. So far the sales of wearables are low, and good BYOD policies should be enough,” said Tarzey.
“Recording or uploading information onto a personal archive or Dropbox is just as likely to happen with BYOD as with wearables. The difference is that with a camera its is obvious what someone is doing and with glasses it’s not, but if people are intent on malicious behaviour there is not much that can be done once they have access to whatever it is that is of interest.”
Tarzey recommended that managers ensure current BYOD rules are robust, and monitor closely enabling any changes based on solid existing procedure.
The two points most parties agree on are preparation and planning, even if no immediate steps are taken. “Planning early even if action is not necessary is important,’ said the University of Ulster’s Kevin Curran.
“This not only involves systems, but also training. Any technical preparation should be matched by the preparation of relevant personnel.”
Nobody disputes that WYOD will at some stage become popular to the point of being ubiquitous.How wearables will develop, and what security challenges will look like in the future are a matter of speculation. The minimum recommended response to the current situation with WYOD is ensuring protocol on BYOD is robust, and that staff and students are made aware of rules and responsibilities. Beyond this there is no accepted course of action. Watch this space for developments.