YES YOU CAN BYOD - HOW ABOUT SECURITY?

BYOD (Bring Your Own Device) refers to the recent trend of employees bringing personally owned mobile devices (smartphones and tablets, items like the iPhone and iPad) to the work place and using those devices to access corporate resources such as databases. [1]

Due to the continued consumerization of IT, customers and employees will continue to demand consumer-like experiences when interacting with corporate systems. According to a Gartner report, by 2013, more than 80 percent of enterprises will support the use of tablets. Furthermore, by 2014, more than 90 percent of enterprises will support corporate applications on personal devices. [2]

Enterprises have found that it would be almost impossible to completely stop this trend, and that it is better to manage the usage of mobile devices instead of completely banning it. According to Forrester Research, workers are bringing the iPad, Blackberry, Android and more, and indications are that the number of such devices is only going to increase. [3] A BYOD lock-down could hinder creativity and impact productivity and morale; there is a need to empower users to be able to do more, and faster.

BYOD has several advantages for the enterprise, which include increased employee and contractor productivity, better collaboration amongst teams, support for a mobile workforce, increased user satisfaction, enhanced customer service, shorter decision-making cycle times and lower costs.

There are, however, security challenges presented by smart devices accessing corporate data, and therefore there is a requirement to address these challenges. The two major security issues with the BYOD culture are:

Confidentiality of information assets: How do you ensure the security of data transmitted over personal smart devices? There is a possibility of corporate data loss and leakage, as users move freely with corporate information, which can lead to compliance issues and legal liability. What about personal privacy, with the corporate data and the personal data of users residing on the same device? According to the Cloud Security Alliance report on top mobile threats, the single greatest threat to adoption of mobile solutions is data loss from stolen, lost or decommissioned devices. [4]

Availability of resources: There is a great possibility of malware being introduced by these devices, given that device health could be unknown, since users are likely to connect them to other networks. As well, due to the related trend of Bring Your Own Apps (BYOA), it is likely that users could install rogue apps on these devices, consequently compromising the corporate network.

To manage the security challenges of BYOD, we consider combining two approaches: an administrative approach and a technical approach.

Administrative approach: Develop a corporate BYOD policy

Before we even begin to address the security challenges of BYOD, one of the most important aspects to consider is: who owns the device? The device could be owned by the organization, in which case the organization can have it "locked down" and dictate how it will be configured and used. However, if the user owns the device, she/he could have it configured the way she/he deems fit and install all kinds of apps, which may be different from the corporate standard.

The corporate BYOD policy therefore should be able to consider the following:

Employees / users should own the policy: you should include employees in the discussion and make them co-owners of the BYOD policy. Developing policies which employees are not comfortable with could lead to them trying to bypass and circumvent those same rules, which cannot be good for productivity.

Smart device standards and baseline should be well documented; an acceptance baseline establishes a list of acceptable smart device specifications, covering both hardware and OS. Users and procurement staff have to be guided on what devices are allowed or not, and why. In Uganda, for example, there are lots of counterfeit devices and imitations, which could fail to meet corporate standards. Recently, the Uganda Communications Commission (UCC), the communications regulatory authority in the country, has indicated that it will be disconnecting counterfeit devices. In neighboring Kenya action has already been taken and over 1.5 million phones switched off. [5] Therefore it is important that at the buying stage workers know the right devices and specifications.

User agreements have to be signed with users. BYOD introduces an element of both corporate and personal liability, so the agreements have to clearly state who is responsible for what. For example, are the employees willing to accept it if their employer restricts the ways in which they can use their privately owned devices? How do you recover data from the device of an employee who is leaving the organization, or recover a company device from such a user? How do you handle device expenses and reimbursements? Do the employees agree to a secure wipe of both personal and corporate data in case the device is stolen? Etc.

Access control / classification of data: you should be able to specify who can access information, and specify how, when and under which conditions it can be accessed. There is a need to know the data your organization has, its value and where it resides. There is also a requirement to have an accurate inventory of all IT devices, both company- and user-owned.

Support: who provides support for the smart devices and the applications your users are accessing? Is it the organization's IT team, or is it a provider that the users outsource themselves? This is very important for the security of company data that resides on the user's device.

Awareness training: it is vital to provide awareness training on BYOD and the BYOD policy. You need to address issues like employees feeling that monitoring or managing their personal devices is tantamount to an invasion of privacy. Awareness training also helps you emphasize the need to make sure that the apps people use on their mobile devices come from a trusted, reliable source, such as an app store. I have also seen organizations that have set up an enterprise app store, with a repository of all allowed and tested apps. Users can submit their apps to IT, and only when they have been tested and approved can they be added to the corporate app store.

Technical approach

The technical approach involves the use of technology to enforce the BYOD policy as well as to manage the security issues of BYOD (and BYOA, for that matter). Some of the technologies involved in managing BYOD issues include the following:

Mobile device management (MDM) is a comprehensive mobility management solution that combines all the tools, security and technical support needed to help organizations effectively manage, support and secure their mobile environment, allowing mobile devices and content to be secured and controlled remotely. A good MDM solution should be able to provide control and protect the enterprise end-to-end, across the device, application, network and data layers. An MDM solution lets you manage the entire mobile device life-cycle from enrollment to security, monitoring, mobile application management (MAM) including remote install or removal of applications, and support. There are also options for integrating your MDM solution with the corporate directory service, VPN and Wi-Fi. Some of the leading vendors in this arena include MobileIron, Soti, Zenprise, Good Technology and AirWatch.

Network access control (NAC) helps to establish exactly who and what is connecting to the corporate network and to control the level of access the devices have to it. This should also include the capability to log and monitor devices and data, to monitor and profile mobile network traffic and user behavior, and to show in real time all devices on your network, including devices that you do not own; and to provide alerts on device integrity status, unauthorized access, leakage of sensitive corporate data and mobile compliance violations. NAC solutions help to enforce compliance with security policies and to block jailbroken iOS devices from your network.

Encryption of corporate data on mobile devices: this includes full-disk or folder-level encryption. Encryption should cover both data at rest on devices (on device memory and external cards) and data in motion to and from the device, such as e-mail, using S/MIME for example.

Remote locking or wiping of lost/stolen devices: this should allow for a remote lock of the device in case it is misplaced, while a complete secure wipe of the device applies in case it is stolen. There are options for selective wipe, where only corporate data and apps are wiped without touching the personal data of the user, for example selectively wiping personally owned devices of enterprise data once the employee leaves the company.

Remote OS patching and/or upgrades: to ensure that the devices are up to date with the latest security patches and OS updates, and that these devices are not easily compromised through unpatched vulnerabilities, which in turn could affect the corporate network. You need to ensure that these devices have the correct OS versions and the applicable patches.

Application access control (mobile): this includes identity and authentication management of users and devices accessing the corporate network. The solution should be able to grant granular access to mobile apps on an app-by-app basis, and segregate critical business apps from non-compliant or potentially malicious apps. It should let you see an inventory of the apps running in your enterprise; provide an enterprise app store where IT can make available or push packages of apps to devices, roles and groups in a secure and organized way; black-list/white-list apps that negatively affect employee productivity or break company or regulatory compliance; and prevent users from opening apps that are unapproved or out of compliance.

Digital rights management (DRM): this is about protection of digital media and copyrights. You need to ensure that unauthorized redistribution of digital media and corporate data is minimized. DRM technology focuses on making it impossible to steal corporate content, and involves preventing unauthorized data back-ups and restricting copy and paste of corporate data.

Mobile anti-malware, anti-virus and endpoint security: to protect against malware introduced by smart devices that could compromise corporate security. Other technical measures that could be considered include secure offline storage of data, enforced PIN codes for mobile devices, data leakage prevention and multi-factor authentication.
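The device baseline from the administrative section and the NAC, patching, jailbreak, PIN and encryption controls above all reduce to one question at connection time: does this device meet the documented standard, and if not, what happens to it? The following is an added example, not code from the article or from any vendor named in it, of how such a posture check can be expressed. The baseline values, record fields and inventory records are constructed assumptions.

```python
# Added example: a NAC/MDM-style posture check that applies a documented device
# baseline to inventory records and returns an access decision. Not from the article.
from dataclasses import dataclass

# Constructed baseline standing in for the documented smart-device standards:
# allowed platforms with their minimum OS version, plus the required controls.
BASELINE = {
    "allowed_platforms": {"ios": (9, 3), "android": (7, 0)},
    "require_pin": True,
    "require_encryption": True,
    "block_jailbroken": True,
}

@dataclass
class Device:
    owner: str
    platform: str
    os_version: str
    pin_set: bool
    encrypted: bool
    jailbroken: bool
    employed: bool = True  # False once the user has left the organization

def parse_version(text: str) -> tuple:
    """'10.3.1' -> (10, 3, 1); tolerates suffixes such as '7.1.2-beta'."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def violations(dev: Device, baseline=BASELINE) -> list:
    """Return the baseline rules the device breaks; an empty list means compliant."""
    found = []
    minimum = baseline["allowed_platforms"].get(dev.platform)
    if minimum is None:
        found.append("platform not on acceptance baseline")
    elif parse_version(dev.os_version) < minimum:
        found.append("os below minimum " + ".".join(map(str, minimum)))
    if baseline["require_pin"] and not dev.pin_set:
        found.append("no device PIN")
    if baseline["require_encryption"] and not dev.encrypted:
        found.append("storage not encrypted")
    if baseline["block_jailbroken"] and dev.jailbroken:
        found.append("jailbroken/rooted")
    return found

def decide(dev: Device) -> str:
    """Departed users get a selective wipe of corporate data, non-compliant devices
    are quarantined off the corporate network, and compliant devices are allowed."""
    if not dev.employed:
        return "selective-wipe"
    return "quarantine" if violations(dev) else "allow"
```

The reasons list is what you would log and alert on; the decision string is what the NAC enforcement point acts on.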

Today's employee is looking for the freedom to work in new ways and to innovate; the bring your own device (BYOD) trend is one such opportunity, but the challenges that come with BYOD could be a bottleneck. However, a good BYOD policy coupled with the technology to enforce it could go a long way in addressing these challenges, and they must be addressed, because the BYOD culture is here to stay.

References:

  1. Wikipedia, What is Bring Your Own Device (BYOD)?, 2012. Available from: http://en.wikipedia.org/wiki/Bring_your_own_device
  2. Gartner, Gartner's Top Predictions for IT Organizations and Users, 2011 and Beyond, 2011.
  3. Forrester Research, The Rise of Wannabe and Maverick Mobile Workers, 2011.
  4. Cloud Security Alliance, Top Mobile Threats, 2012.
  5. Mugabe, David, UCC warns over fake phones, The New Vision, 2012.

By Thomas Bbosa, CISSP