Some considerations for BYOD
Edward Tucker
Positive disruptor, transformer, value creator, capability builder, speaker, advisor, rethinker
Bring Your Own Device, and its derivatives Choose Your Own Device or Deliver Your Own Device, has been doing the rounds for some time now, with mixed results and a number of organisations still waiting for things to mature before taking the leap into the seemingly unknown.
What is certain is that the increase in effective mobile devices and flexible working patterns has brought this higher up on the horizon of a lot of organisations, if not necessarily top of their upcoming priorities.
As we move into 2015 and see more coupling of internet devices and the blurring of work and personal boundaries, we thought it pertinent to draw out some considerations when approaching the BYOD question.
Firstly, it is worth saying that BYOD is NOT just a security issue. It is as much an HR / policy decision, alongside IT enablement, end-user-device and mobility strategies.
Considerations
The foundation stone for me is in developing these end-user-device and mobility strategies and, foremost, if BYOD is the preferred option, developing an effective policy detailing what these devices can be used for, how they can be used, and most importantly what business-related data can be accessed through them. This policy must be clear, concise and easily understood. This is especially pertinent where you hold Personally Identifiable Information or really any customer data. You will, or certainly should, have legislated policies on the handling and distribution of such data. There are many legal issues to iron out here. Do not underestimate the role of HR and Legal teams in helping to build your BYOD strategy. That said, let's introduce a heavy dose of realism into the picture.
In all likelihood your business data is already being shared and worked on devices outside of your control. Employees regularly send data home to work on, often for ease and comfort, or for the ability to use applications and tools that are not available in the work environment. You may be aware of and fully accepting of this, or blissfully unaware, but make no bones about it, it does happen! You should really already be aware of this risk and ideally have it measured, understood and managed, whilst also being aware of and prepared for potential security incidents of data loss through this channel. If so, preparing for the potential security implications of data loss through BYOD should not be a surprise or an overly onerous task. That said, planning for security incidents should be a high priority in your BYOD implementation strategy, especially as the devices themselves may be more attractive targets for device theft than corporate-supplied devices.
In terms of device theft, you should consider how you can ensure that corporate data is still protected or cleared (wiped) off the device, and whether you can differentiate between business and personal applications and data.
One additional aspect that BYOD does bring is the potential for cloud integration, even in as simple a form as device backups. If you control what data can be accessed via these devices you have a certain amount of assurance that cloud-based backups will not result in sensitive data leakage. You may already be a cloud-integrated organisation, but this is potentially a cloud-based data store that you have little, or no, control over.
In terms of accessing data through personal devices, you should ensure that users authenticate, as they would from a corporate device, before accessing any business data. However, although this reduces risk, it also increases the likelihood of corporate authentication credentials being compromised. The simple fact here is that you have far less control over the protection of the device itself and are more reliant on the user providing adequate security for their own device, both physical and technical. A potential option here is to have separate authentication credentials for specific BYOD access, though this also brings the overhead of more accounts to manage and, of course, monitor.
The access itself is equally less controlled than general remote access into the corporate estate. Usually remote access is governed by VPNs and possibly two-factor authentication; however, BYOD will bring with it more widespread access routes over untrusted networks. Depending on the data you allow to be accessed, consideration needs to be made as to how data is transmitted between the corporate environment and the device. Encryption is the most common control in this aspect of access, most commonly VPNs using TLS or IPsec, and HTTPS sessions. Each of these has an overhead and should be balanced, from a risk perspective, with usability and ease of access. If access is too restricted, flaky, or brings with it a poor user experience, then users will find alternative methods for accessing data.
Of course, once the data is on the device you need to consider the value of the data and the controls required to protect it. Data stored on such a device is at greater risk because an adversary who gets hold of the device has more time to undertake offline attacks to get at the data. A common approach is to separate the personal and corporate data on the device. There are then effectively two personas or partitions on the device, one of which you care about and one less so. This segregation of data can again affect user performance, and can also be tricky to implement, especially as each device will work in a different manner and applications on the device may access data stores differently. These applications may also share data with cloud services / storage automatically, and may well share data internally, such as contacts or calendar details. Consideration here should also be given to how the device itself is accessed and the potential ramifications for any business data. For example, is a four-digit passcode sufficient, bearing in mind that it is the user's device and not the organisation's? Can you be explicit in saying how access to a personal device is managed, and even if you can, is this something you can control?
Regarding applications, you should consider only allowing known and approved applications to access business data or systems. This is most commonly referred to as Application Whitelisting and, from a BYOD perspective, essentially means allowing only known applications, from known devices and known users, to access business data. You should remember that non-approved applications may still try to access business data stored on the device or on the corporate estate itself. As it is a personal device, you have little to no control over what the user can install, or of course uninstall, on the device. Whitelisting comes in two main varieties: either through the manufacturer's approved 'store' or via an MDM solution if this is to be organisation-specific.
Alongside the user's control of what apps run on the device also comes the spectre of jailbreaking. Not only is any organisational store potentially bypassed, but so is the manufacturer's store. Consideration should be given to solutions being jailbreak-aware. This then fits nicely into the theme of monitoring.
In terms of monitoring, there will be nowhere near as much audit data available from a personally owned device as from a corporate device. You should consider what event and audit data you can collect, any privacy concerns therein, and what it can tell you about potential misuse or threats to the organisation or its data. The most readily available aspects in terms of monitoring are generally use of business e-mail and web browsing, as well as, hopefully, the aforementioned jailbreaking.
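To make the whitelisting, jailbreak-awareness and monitoring points above concrete, here is an added example (not from the original article or any particular MDM product) that applies the "known user, known device, known app, not jailbroken" rule to constructed MDM-style access records and summarises the denials the way a monitoring view would. The log format, app identifiers, device ids and user names are all constructed for the example.

```python
from collections import Counter

# Constructed sample policy (not from the article): approved app identifiers and
# enrolled devices mapped to the user each device is registered to.
APPROVED_APPS = {"com.example.mail", "com.example.docs"}
ENROLLED_DEVICES = {"dev-1001": "alice", "dev-1002": "bob"}

def evaluate(event, approved_apps=APPROVED_APPS, enrolled=ENROLLED_DEVICES):
    """Known user, on a known device, via a known app, and not jailbroken.
    Every failed condition is kept so a denial is explainable in the audit trail."""
    reasons = []
    owner = enrolled.get(event["device"])
    if owner is None:
        reasons.append("unknown_device")
    elif owner != event["user"]:
        reasons.append("device_user_mismatch")
    if event["app"] not in approved_apps:
        reasons.append("unapproved_app")
    if event["jailbroken"]:
        reasons.append("jailbroken_device")
    return not reasons, reasons

def parse_event(line):
    """Parse one constructed MDM-style log line of space-separated key=value pairs."""
    event = dict(kv.split("=", 1) for kv in line.split())
    event["jailbroken"] = event.get("jailbroken", "false") == "true"
    return event

def review_log(lines):
    """Evaluate each line; return (user, device, resource, allowed, reasons) tuples."""
    rows = []
    for ev in map(parse_event, lines):
        allowed, reasons = evaluate(ev)
        rows.append((ev["user"], ev["device"], ev["resource"], allowed, reasons))
    return rows

def denial_summary(rows):
    """Count denial reasons across a log: the figure a monitoring view would track."""
    return Counter(r for row in rows for r in row[4])

# Constructed sample log: one clean access followed by four distinct policy failures.
SAMPLE_LOG = [
    "user=alice device=dev-1001 app=com.example.mail jailbroken=false resource=mail",
    "user=alice device=dev-1001 app=com.other.sync jailbroken=false resource=docs",
    "user=bob device=dev-1002 app=com.example.docs jailbroken=true resource=docs",
    "user=carol device=dev-9999 app=com.example.mail jailbroken=false resource=mail",
    "user=bob device=dev-1001 app=com.example.mail jailbroken=false resource=mail",
]
```

Running `review_log(SAMPLE_LOG)` allows only the first record; the other four are each denied for a single distinct reason, which `denial_summary` turns into the per-reason counts worth trending.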
That's a fair bit to get your head round, though none of it is insurmountable if BYOD is your chosen route, and of course it all comes down to your corporate risk appetite, centred on the value of the data and of access into the corporate estate. Your decisions here should be pragmatic and appropriate for the level of risk you deem needs to be managed.
Oh, one final thing for your consideration. Where you are allowing personal devices to access and store personal data, what happens when the user leaves the organisation or decides to upgrade or change their device? A final consideration is to ensure you have processes in place so that corporate data and access rights are not exposed by device transfer, redundancy or disposal.