The dark side of the bring your own device (BYOD) trend, epitomized by unauthorized smartphones in the workplace, upsets the security practices of many businesses. The trend isn’t going away. In fact, it is accelerating, and puts in the spotlight a security mistake many businesses make.
The mistake: approaching security as a product rather than a process.
“Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products,” noted security expert Bruce Schneier more than a decade ago. But his words continue to go unheeded by some businesses.
With this in mind, Alcatel-Lucent (News - Alert) recently released a white paper, Enterprise Security Strategy, which explains the security process it follows for its Enterprise Business Group for data and voice solutions.
The Alcatel-Lucent strategy is a user-centric approach to security. According to the white paper: “User-centric security is about answering people’s needs in ways that preserve the integrity of the enterprise network and its assets…For user-centric security to be realized, enterprises must create a secure environment within which end users can go about their business.”
Seven steps to a more secure enterprise in a BYOD world
Alcatel-Lucent follows a seven-step security flaw remediation process with its Enterprise Business Group.
- The first step is receiving an alert at the corporate level that there might be a security issue. It can come via email or a web site form the company has set up for such alert notices. The company also keeps tabs on the Cert-IST vulnerability advisory list, which is another place business partners might post security concerns.
- Once the security issue has been submitted, a security coordinator on the corporate level enters the issue in an internal alert database that dates the submission and assigns it a tracking number.
- With the security concern now identified by the Enterprise Business Group, Product Security Primes (PSPs) for all affected product lines are then notified by email. Each product line is assigned a PSP to oversee security for the line, and the list of PSPs to be notified is determined by filters based on keywords that the PSP has entered about the product line. PSPs maintain the keywords for their particular line.
- Upon notification, each PSP analyzes the vulnerability bulletin and determines if the product line is actually at risk. If the PSP decides the product line is at risk—or is unsure—the PSP opens a high priority ticket in the product’s database of defects to address the problem.
- If the PSP needs more information before making a determination of vulnerability, he or she contacts the issuer of the alert, Alcatel-Lucent explained.
- Next, the PSP identifies a temporary workaround until the problem is fixed, and this workaround is published on the business partner web site. The workaround is called an Alcatel-Lucent Security Advisory (ASA).
- Once a workaround is in place, the product maintenance team develops a solution that undergoes quality assurance testing as specified in the product’s development plan. When a solution has been found and tested, Alcatel-Lucent’s Technical Support Service publishes the fix on the business partner web site.
Far from just a product that attempts to safeguard security, this seven-step security process helps Alcatel-Lucent’s Enterprise Business Group quickly assess and correct any security-related issues no matter the source or the nature of the threat. It is something to consider for any large enterprise as part of its overall security and risk management practices, especially in looking at how to get control over the impact of BYOD.
Edited by Peter Bernstein