Mobile devices come in all shapes and sizes, from smartphones, notebooks and tablets, to the new-breed hybrid convertibles and detachables that made headlines at the Consumer Electronics Show 2015. While mobility boosts enterprise employee efficiency by delivering “anywhere access” to business data and systems, it obliterates what’s left of the increasingly ineffective corporate network perimeter. This has driven the clamour for BYOD policies.
Many security managers have already discovered the disconcerting implications: less control than ever over enterprise data access from a myriad of consumer devices—including a groundswell of BYOD—and more difficulty determining which devices are accessing which systems and data.
So it’s no surprise that as the use of personal devices grows and becomes pervasive inside and outside the office, employers are struggling to enable the secure use of BYODs. Anthony Peters, director of information technology at Burr Pilger Mayer Inc., a 400-strong financial services firm headquartered in San Francisco, said his tidy, policy-driven corporate BlackBerry world was shattered several years ago by the Apple iPhone craze.
“Today, we’re almost entirely BYOD,” Peters said. “We allow iPhone 4GS and above, Windows Mobile and Android. We have just 7 BlackBerrys left that I’m hoping to retire soon.”
Getting a handle on BYOD risks
BYODs pose many business risks, some widely recognised and others less understood. The Security for Business Innovation Council—a team composed of Global 1000 information security leaders—cited lost or stolen BYODs as its top concern. The danger here is clear: Although BYODs that go missing may well contain sensitive data, according to Osterman Research, less than 1 in 4 can be remotely wiped.
What’s more, employers often cannot assess data breach exposure on unmanaged BYODs. “It comes down to losing control of your data,” Martin said. “When email is retrieved [over cellular] and opened on a BYOD, I lose visibility into data access. In a phishing attack, I’d have no idea it even happened, and I [would] lose any chance of [forensic investigation].”
When BYODs bypass inbound filters normally applied to corporate devices, they’re vulnerable to malware—a fast-growing risk, particularly in regard to Android devices. BYODs that bypass outbound filters elevate risk of non-compliance with data privacy laws and regulatory requirements. As BYOD use grows, so will the frequency of these risky behaviors.
It’s tempting to tackle these risks by locking BYODs down just like corporate devices, but organizations that have tried run head-long into personal privacy barriers. “In the beginning, we had a lot of push-back,” Peters said. “[Users worried there would be] too much Big Brother and we’d be too involved in their personal lives. We talked to senior management, HR and legal from the start, spending significant time with individuals, showing them how BYOD security policies would work.”
Avoiding BYOD security management pitfalls
Limited BYOD management also enables more granular wipe. “Selective wipe has become the de facto standard,” Dale said. “Our customers are no longer using full-device wipe on either corporate or BYO devices.”
Wiping only corporate settings, data and apps can protect business assets while leaving personal data and settings intact. Here again, policy matters: A scorched earth approach may mitigate business risk, but it removes MDM control and visibility, inhibiting assisted remediation. Instead, a more measured approach begins with user/IT notification, followed by as-needed escalation.
For example, Burr Pilger Mayer uses blacklists to detect when data-sharing apps are installed. “We go talk to employees about what they’re using apps for and not to share our data,” Peters said. “If we see that same app on 100 devices, we can assess the trend and decide how to respond.”
At Zenprise, customer use of blacklists and whitelists is growing for different reasons. “If you look at blacklisted apps, they’re either games or sharing apps like Dropbox,” Datoo said. “Step back and consider why users download these. They aren’t looking to bypass security; they’re just trying to be productive. IT should think about how to meet those needs more securely, such as letting devices link to SharePoint docs, surrounded by data leak prevention.”
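The measured approach described above (detect a blocklisted data-sharing app, notify the user and IT, escalate only if it stays installed, wipe corporate data only, and watch for fleet-wide trends) can be expressed as a small policy evaluator. The following is an added example written for this page, not code from Burr Pilger Mayer, Zenprise or any MDM product; the app identifiers, device reports, grace period and trend threshold are all constructed sample values.

```python
"""Added example: MDM-style blocklist evaluation with measured escalation.

Models the article's sequence: notify first, escalate to a selective wipe
of corporate-managed items only, and count blocklisted installs across the
fleet so IT can spot a trend. All identifiers and reports are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed blocklist: reverse-DNS app identifiers, the form MDM inventories report.
BLOCKLIST = {"com.example.filesharer", "com.example.casualgame"}

# Assumption: two user/IT notifications are sent before any wipe is triggered.
GRACE_NOTIFICATIONS = 2


@dataclass
class DeviceReport:
    device_id: str
    installed_apps: set
    strikes: int = 0  # notifications already sent for blocklisted apps


@dataclass
class DeviceState:
    # item name -> {"managed": bool}; managed items were pushed by MDM
    items: dict


def find_blocked_apps(report):
    """Apps on the device that appear on the blocklist, in stable order."""
    return sorted(report.installed_apps & BLOCKLIST)


def evaluate_device(report):
    """Decide the next escalation step for one device: compliant, notify or wipe."""
    hits = find_blocked_apps(report)
    if not hits:
        return {"action": "compliant", "apps": []}
    if report.strikes < GRACE_NOTIFICATIONS:
        return {"action": "notify", "apps": hits}
    return {"action": "selective_wipe", "apps": hits}


def selective_wipe(state):
    """Remove only MDM-managed items; personal data and settings stay in place."""
    kept = {name: meta for name, meta in state.items.items() if not meta["managed"]}
    return DeviceState(kept)


def fleet_trend(reports, threshold):
    """Blocklisted apps installed on at least `threshold` devices in the fleet."""
    counts = Counter(app for r in reports for app in find_blocked_apps(r))
    return {app: n for app, n in counts.items() if n >= threshold}


def sample_reports():
    """Constructed inventory reports for four devices."""
    return [
        DeviceReport("dev-001", {"com.example.mail"}),
        DeviceReport("dev-002", {"com.example.mail", "com.example.filesharer"}, strikes=0),
        DeviceReport("dev-003", {"com.example.filesharer"}, strikes=2),
        DeviceReport("dev-004", {"com.example.casualgame"}, strikes=1),
    ]


def evaluate_fleet(reports):
    """Map device id to its escalation decision."""
    return {r.device_id: evaluate_device(r) for r in reports}


if __name__ == "__main__":
    reports = sample_reports()
    for device_id, decision in evaluate_fleet(reports).items():
        print(device_id, decision)
    print("trend:", fleet_trend(reports, threshold=2))
```

The wipe step deliberately takes a device state rather than a device id: it keeps the decision (evaluate) separate from the destructive action (wipe), which is where an audit hook or a human approval step would sit in a real deployment.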
Focusing on enablement to increase productivity
Enablement is a common thread among many organizations with large, successful BYOD populations. Rather than thinking of BYOD as the replacement of corporate devices, Marshall said it’s better to conceptualise it as a strategy to reach colleagues who have never carried corporate devices—a formal BYOD Programme with automated, over-the-air onboarding and configuration can do wonders for productivity.
Integration between MDM and network infrastructure to automate on-boarding is growing, while precisely what those BYODs can access is shrinking. “We want to make our network easy to access and provide value, but if we gave BYODs access to legacy systems, that would be a miserable experience,” EMC’s Martin said. Instead of allowing BYODs to access core network resources, the company selectively publishes enterprise data to new mobile apps; users get the data they need, and the company ensures it can be accessed securely and wiped quickly and easily if necessary.
Dale sees growth in geo-fencing—combining current location with policy, such as disabling cameras on mobile devices when they are inside high-security areas. “We see geo-fencing used in education and retail to enforce policies that prohibit taking pictures of students or require secure Web browsing on campus,” he said. “Geo-fencing can be great for use cases where it’s helpful to re-provision the device based on location.”
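To show what “re-provision the device based on location” means mechanically, here is an added example (not code from any MDM vendor quoted on this page): a point-in-polygon fence check and a profile builder that layers the restrictions of every fence the device is inside over a baseline profile. The fence coordinates, fence names and restriction names are constructed assumptions.

```python
"""Added example: geo-fenced policy re-provisioning.

A device location is tested against polygon fences; each fence contributes
restrictions (camera disabled, secure browsing) to the profile pushed to the
device. Fences and coordinates are constructed, not real sites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fence:
    name: str
    polygon: tuple          # vertices as (x, y); here x = longitude, y = latitude
    restrictions: frozenset


def point_in_polygon(point, polygon):
    """Ray-casting test: a point is inside if a ray to +x crosses the boundary an odd number of times."""
    x, y = point
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        xi, yi = polygon[i]
        xj, yj = polygon[j]
        # Edge (i, j) straddles the horizontal line through the point?
        if (yi > y) != (yj > y):
            # x-coordinate where that edge crosses the line
            x_cross = (xj - xi) * (y - yi) / (yj - yi) + xi
            if x < x_cross:
                inside = not inside
        j = i
    return inside


# Constructed fences: a campus square with a smaller high-security lab inside it.
FENCES = (
    Fence("campus", ((0, 0), (10, 0), (10, 10), (0, 10)), frozenset({"secure_browsing"})),
    Fence("high-security-lab", ((2, 2), (4, 2), (4, 4), (2, 4)), frozenset({"camera_disabled"})),
)

BASELINE_PROFILE = {"camera": "allowed", "browsing": "standard"}


def matching_fences(location, fences=FENCES):
    """Names of all fences containing the location (nested fences all match)."""
    return [f.name for f in fences if point_in_polygon(location, f.polygon)]


def provision_profile(location, fences=FENCES):
    """Build the profile to push for this location: baseline plus every matching fence's restrictions."""
    profile = dict(BASELINE_PROFILE)
    active = set()
    for fence in fences:
        if point_in_polygon(location, fence.polygon):
            active |= fence.restrictions
    if "camera_disabled" in active:
        profile["camera"] = "disabled"
    if "secure_browsing" in active:
        profile["browsing"] = "secure"
    profile["fences"] = matching_fences(location, fences)
    return profile


if __name__ == "__main__":
    for loc in ((3, 3), (7, 7), (20, 20)):
        print(loc, provision_profile(loc))
```

Restrictions only ever add to the baseline, so a device in overlapping fences gets the union of their controls; when the device leaves all fences the next evaluation returns the baseline, which is the re-provisioning Dale describes.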
To ensure safe, effective use of BYODs in the enterprise, Martin said IT and security teams should work in partnership to assess emerging tools such as data containers and sandboxed apps while getting started with basic controls. Those controls can allow for less arbitrary permit/deny decisions each time a user carries in a new type of device.
“If you’re doing nothing about BYODs, don’t sit on the fence and wait,” Martin said. “There’s significant risk that can be addressed at relatively little cost.”
Some elements of this blog were first published on the website techtarget.com