Wednesday, October 10, 2012

Microsoft Security Newsletter – September 2012


Welcome to September's Security Newsletter!
This month's newsletter focuses on personal devices in the workplace, often referred to as "Bring Your Own Device," or BYOD. BYOD is a very hot topic these days as organizations grapple with the challenge of managing the risks involved in allowing corporate data to be placed on personal devices such as smartphones. At face value, BYOD has the potential to be a win-win proposition. However, depending on how BYOD is implemented and managed, it could be a Pandora's box.

The primary challenge is that some of the devices employees decide to bring to work may not have basic security or management capabilities. This challenge is compounded by the risks associated with connecting to social networks and by the diverse ways organizations and people are choosing to connect and share data today – such as the utilization of cloud services. We recently conducted a study to find out more about how personal devices are being used in the business environment. Our study found that:
  • 67% of people are using personal devices in the workplace whether it's officially sanctioned by the organization or not.
  • 53% of organizations officially condone BYOD in some way, but only 22% of organizations support them through their IT department.
  • Cost savings resulting from employees using their own PCs and mobile devices are often a driving factor for BYOD. Fewer than half of organizations provide any financial subsidy for users who supply their own equipment.
  • A majority of companies are somewhat or very concerned about the risk of data breaches or intellectual property leaks.
BYOD does have distinct advantages. From the standpoint of the IT department, BYOD is generally seen as a cost-cutting measure because the burden of supplying the equipment is shifted to the employees. Some organizations subsidize BYOD policies with a per diem to offset the costs for users, but it still results in lower costs for the organization by relieving IT of its traditional role of maintenance and support.

Another advantage of BYOD is that individuals tend to upgrade and embrace new platforms and technologies much faster than businesses. The organization benefits from being able to take advantage of cutting-edge tools and features without the pain of deploying new hardware to the entire company.

From the user's perspective, BYOD means using devices and applications that are more familiar. Empowering users with the ability to choose which hardware and platforms they use creates more satisfied and productive workers. It also allows them to carry a single mobile device instead of one for work and another for personal use.

The list of smart personal devices capable of connecting to private and public networks is rapidly and constantly expanding. For chief information security officers (CISOs) and chief security officers (CSOs), managing an ever-growing list of devices and applications isn't a sustainable model. Some of the security professionals I have talked to are shifting their focus to managing the data instead of the devices. They have concluded that device security is only a proxy for data security; if they can't effectively manage the security of the devices that employees bring to work, they will focus on managing the security of the data itself. I think the industry recognizes the importance of securing personal devices and is making steps toward better management controls in the future.

If you are interested in learning more about BYOD, I encourage you to read these blog posts recently published on the topic:

Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing

Top Stories
Don't Let BYOD Backfire on Your Business
There are several reasons for organizations to at least consider adopting BYOD; however, compliance mandates and security issues are two large hurdles that should be carefully considered when weighing the pros and cons of BYOD. See why, even if those issues are managed, BYOD can go down a path that neutralizes the benefits and turns into a source of employee dissatisfaction.
Working Toward a Privacy Framework for the "Big Data" Era
Over the past several months, Microsoft has been talking with some of the world's foremost privacy thinkers, including representatives of regulatory bodies, government policymakers, academia, and industry to explore alternate models for privacy in a modern information economy. Learn more about these discussions and the types of issues being raised.
Microsoft Security Response Center Progress Report 2012
The Microsoft Security Response Center (MSRC) recently published its annual MSRC Progress Report. This year's report provides the latest information on the progress of various security initiatives that share information to foster deeper industry collaboration around software security, increase community-based defenses, and better protect customers from malware. Check out the new report today.

Security Guidance
Consumerization of IT Jump Start
Get a high-level overview of the consumerization of IT and BYOD trend, then delve into more detail with demonstrations of key IT scenarios related to supporting this trend in an enterprise organization:
Microsoft Technologies for Consumerization
Explore the technologies that can help you embrace the latest trends in consumerization while maintaining control over your IT environment.
Consumerization of IT FAQ
Get answers to common questions about the consumerization of IT trend including recommendations on how to approach mixed-OS environments, smartphones, and desktop virtualization.
Infrastructure Planning and Design Guide for User State Virtualization
Windows user state virtualization (USV) can help IT find the right balance between centralized management of business-critical data and a rich user desktop experience. This guide offers instructions on how to gather relevant user and IT requirements, then compare and contrast Windows USV technologies (Folder Redirection, Offline Files, and Roaming User Profiles) in light of scenarios that are relevant to your business.
Network Access Protection Deployment Guide
Learn how to deploy Network Access Protection (NAP), an extensible platform that provides infrastructure components and an application programming interface (API) for adding components that verify and remediate a computer's health and enforce various types of network access or communication.
Managing "BYO" PCs in the Enterprise
Find tips and insights to help you more securely manage Windows on ARM (WOA) PCs and configure basic security and data protection policies.

Community Update
MVP Article of the Month: Managing Mobile Devices with System Center
Mobile device management capabilities are integrated directly into System Center Configuration Manager 2012, which continues to support Windows Phone 7 and offers management support for the iPhone and for Google Android-based phones. Explore the issues you must consider, however, in order to achieve effective mobile device management.

Cloud Security Corner
Cloud Computing: Data Privacy in the Cloud
Explore several steps that you can, and should, take to ensure the security of your corporate data when moving to the cloud.

This Month's Security Bulletins
Microsoft Security Bulletin Summary for September 2012

Important
September 2012 Security Bulletin Resources:

Security Events and Training
Get Started with a System Center Certification
Want to help businesses manage client computers and devices? Get certified with a System Center 2012 Configuration Manager certification today and become a trusted service provider for your business.
