The bring-your-own-device trend is expanding to applications and the cloud, thus opening holes in enterprise security, reports Alan Earls.
Mobility is empowering individuals and, arguably, boosting productivity. But this harmonious picture is balanced by another vision of mobility as an unchained malady – multiplying the threat environment and thus making securing the enterprise even harder to achieve.
More and more end-users expect and demand to use their own mobile devices for work-related tasks. For many IT security pros, this bring-your-own-device (BYOD) megatrend means the creation of gaping data security holes. It is a reality that won't go away, but also one that is spawning an array of creative responses as companies devise best practices and implement new, countervailing technologies.
“Organizations and IT can no longer deny corporate access to personal devices,” says Melissa Siems, director of marketing for Santa Clara, Calif.-based McAfee's software-as-a-service business. “So IT needs to determine how to not only secure these devices, but also the data and the applications on the device.” And, she adds, IT must be able to manage and report on those devices, and maintain compliance by understanding what data is on them.
Indeed, at MasterCard Worldwide, Edgar Aguilar, group executive of infrastructure and operations services, says information security has become the main driver for his organization's BYOD design considerations. “As such, we have in place very tight engineering parameters, system controls and internal processes to protect the corporate information and our users worldwide,” he says.
The advent of BYOD introduces additional threats to the corporate security landscape, says Tyler Shields, senior security researcher at Veracode, a Burlington, Mass.-based provider of cloud-based risk assessment. “Some of the security problems exacerbated by BYOD, he says, include application-level security – particularly flaws and malicious code within downloaded applications, the loss of a device, device compromise and the disclosure of sensitive data via a personally owned device.
“Depending on the risk tolerance of the organization, some firms have created policies that enforce a much higher level of security than other companies that might have a more open and risk-accepting culture,” says Shields. However, he says, the majority of organizations are responding to BYOD with a mix of mobile device management (MDM), enterprise application stores, anti-virus and application scanning services.
“How much of the corporate security budget is being applied to these solutions is dependent on the risk-to-reward equation of allowing BYOD in the first place,” he says.
The majority of enterprises in the United States have or are planning to implement some kind of BYOD strategy, says Puneesh Chaudhry, co-founder and CEO of Copiun, a Marlborough, Mass.-based provider of mobile collaboration solutions. In fact, by 2015, the “IDC Worldwide Business Use Smartphone 2011–2015 Forecast and Analysis” predicts that the majority of business-use smartphones worldwide will be employee liable (55 percent) versus corporate liable (45 percent).
“The reason this trend is something that many companies are willing to embrace is simple,” says Chaudhry. “Investing in mobility boosts worker productivity and, in turn, yields competitive advantage, shorter product and sales cycles, and real revenue gains.” And, the more mobile workers a company has, the more potential revenue can grow.
“What we are seeing with customers is that this consumerization of IT is now going beyond BYOD,” he says. “Not only are employees using their personal devices for business, many times they are using their personal apps (bring-your-own-apps, or BYOA) for business as well,” he says.
Employees are also storing and syncing corporate data to consumer-based public cloud services (bring-your-own-cloud, or BYOC) so they can share them with others. “If IT doesn't offer them a controlled way to do this, employees will continue to find insecure workarounds – not necessarily with malicious intent, but just to get their work done,” Chaudhry says. “The result is that the consumerization of IT is going beyond BYOD and now equates to BYOD+BYOA+BYOC or, simply put, bring-your-own-IT, or BYOIT.”
For enterprises attempting to capitalize on BYOD, Chaudhry says the future is in management solutions to protect the device, combined with secure collaboration solutions to protect the data. Companies are taking these steps, he says, with the overall goal of preventing data leakage and noncompliance risks that come with the free flow of corporate information to the public cloud through personal, consumer-based accounts. “Often these personal accounts remain with workers when they leave a company, causing additional data liability risks,” he says.
In fact, Chaudhry says Copiun is conducting its own research, and early indications show that around 40 percent of large enterprises are planning some sort of initiative to put in place a controlled solution to let employees securely access, sync and share documents via mobile devices, he says.
Chad Udell, managing director of Float Mobile Learning, a Morton, Ill.-based consulting firm, also sees companies moving toward broad solutions. “When considering a BYOD policy, organizations are increasingly looking toward mobile device management (MDM) and mobile application management (MAM) solutions,” he says. These technologies let one use an application and device configuration profiles to the user's advantage, requiring passwords in order to unlock devices when one employs this sort of policy, he says.
“One also can enforce data encryption on the device,” Udell says. “The bottom line is, if you are going to allow users to bring in their own devices, you'll at least need some say in how they are configured to access network resources and work data.”
However, the story may be somewhat different at smaller organizations. According to Vince Plaza, vice president of IT for TeamLogic IT, a national IT support company based in Mission Viejo, Calif., small and midsize businesses (SMBs) are really only starting to think about security when it comes to the BYOD phenomenon. “Some are taking the approach that these are personal devices over which they can't enforce too much security,” he says. But others are starting to think that even though these may be personal devices, if they are used to access company information, then companies should be able to dictate security requirements, he says.
Best practices evolve
What should enterprises enlist to deal with BYOD? Plaza says the first best practice to implement is a clear and direct security policy with definitions for proper use and access to company data. “Without this, [companies] are unable to effectively deploy other security best practices,” he says. This policy must be agreed to by the employees and it must be enforced, he adds.
Then, interestingly enough, Plaza says the next area of focus should be much the same as with a company laptop or desktop – namely requiring a security passcode to unlock a device, security software (anti-virus/anti-malware) on the device, use of VPNs to connect to company servers if remote control is desired, and the ability to lock and/or remote wipe a device in case it is stolen.
Depending on their position on privacy, companies could consider a number of things not usually associated with laptops – for example, the ability to track or locate a device.
A good piece to implement is an acceptable use policy when engaging company network resources for personal devices, says Float Mobile Learning's Udell. Terms of agreement that must be signed by the users are also crucial. “Depending on where your business resides, these agreements may need verbiage in them that protects you from liability in other areas,” he says. Thus, it is best to check with a legal adviser before moving ahead, he says.
“This is still a learning process for the SMB...”
– Vince Plaza, vice president of IT for TeamLogic IT
Another easy way to begin implementation is the creation or adoption of a mandatory custom application, deployed for all devices, that checks for configurations prior to allowing access to network resources or applications, says Udell.
Not so fast
However, Veracode's Shields says there is no easy, one-size-fits-all approach. The recommended level of security to put in place is a measurement of risk versus perceived benefit in user efficiency and convenience. “Depending on the culture and required security of the organization, there is a differing level of need,” he says.
No one product can deliver all of those capabilities, he says. “A successful BYOD strategy generally uses some combination of MDM, enterprise application stores, mobile anti-virus and mobile application security services,” he says.
Speaking about his own experience at MasterCard, Aguilar references several of the specific terms and conditions each user signs off on before being allowed to participate in the BYOD program. For example, in the event a device is lost or stolen, or an employee is terminated, corporate data will be removed from the handheld. Each user of the BYOD program is responsible for the costs and expenses related to use. Then, in the event that the software has not been used in 90 days, corporate data will be removed from the device. Finally, in connection with their participation, users must take “reasonable steps” to protect the data on their personal device.
John Dasher, vice president of products and marketing at AppCentral, a San Francisco-based mobile applications management company, applauds the idea of having a written policy that employees acknowledge and sign. “There should be total clarity around the organization's expectations of how a device, the apps and data shall be used and protected,” he says.
But, what happens in the event that a device is lost or stolen? “This should be clear to all involved,” he says. “Focus on what's important – the data, how it's used, why and when it's of value, how it might need to be protected,” he says.
McAfee's Siems adds one more note of caution. She says protection shouldn't focus just on managing devices should they be lost or stolen. While that's important, she says the sudden rise over the past two quarters of malware on Android devices makes it imperative to scan for bad code and to understand what data is being exposed through apps on the device, she says.
Turning to technology
What types of technologies can support BYOD risk management and security planning? For device protection, enterprises can opt for a MDM solution, says Copiun's Chaudhry. However, for collaboration, he says most industry analysts recommend providing a secure, controlled, enterprise-grade to avoid the risks of data leakage, non-compliance and version conflicts.
Chaudhry says that to be productive, employees must be able to securely and natively access, sync and share their documents from any mobile device – across any platform – from laptops to SharePoint or other file servers. Likewise, mobile workers need the most up-to-date information at their fingertips across their multiple devices. “The collaboration solution also needs to be easy for them to use,” Chaudhry says. “They shouldn't have to remember if they stored a document in an extra mobile-specific workspace.”
That's a starting point. But Chaudhry says there are more things to consider. For example, he argues that employees should also be able to work on their documents with productivity apps with which they are familiar – the apps that are native and appropriate to the device they are using. For example, on their tablets, they might use Quickoffice, whereas for their laptops they might prefer Microsoft Office. So, supporting those options is crucial.
BYOD: Before implementing
Tyler Shields, senior security researcher at Veracode, says some of the areas that must be addressed by an organization considering the deployment of BYOD strategy are:
Logically, then, end-to-end data governance is a must, along with robust document lifecycle policies and reporting that include a full auditing capability. “This is a must-have and will help put control back in IT's hands and avoid liabilities,” Chaudhry says.
Further, he says IT administrators should look for a solution that allows documents to be shared by trusted applications that are authorized by an IT administrator, and avoid solutions with VPN access, which can result in too many security challenges (such as exposing corporate data to hackers, malware and more). “For enterprise-wide mobility that may span the globe, enterprises should consider solutions that can scale to tens of thousands of mobile workers, hundreds of remote sites and millions of documents,” Chaudhry says.
Fortunately, says TeamLogic IT's Plaza, at least some of those capabilities may be available directly from the mobile carriers. For example, MDM can be a service that is added on to a device when it is purchased from the major carriers in some cases. “However, these services are not necessarily easy for the IT provider to manage across a wide range of customers,” he says. Also, he says, customers may not be comfortable allowing their IT provider direct access to their mobile accounts with their carriers. In that case, many of the remote monitoring and management (RMM) tool providers have deployed MDM capabilities in their products to extend managed services to mobile devices, he says.
Furthermore, says Aguilar, citing his experience at MasterCard, iOS and Android devices were devices approved by his team and supported by the BYOD software vendor.
“The BYOD application on each device has a security policy that does not allow jail-broken devices and prohibits the transfer of data between the secure corporate container and personal data,” he says. Additionally, the software requires a password to access the data and automatically logs out after 30 minutes of non-use. “These security features minimize risk and keep corporate data secure,” he says.
Exactly what is the best combination of the numerous mobile technologies available to help in this regard will vary depending on the security posture of the organization, which industry they are in, which pertinent regulatory requirements exist, whether the firm intends to work with business partners, and so on, says AppCentral's Dasher.
The challenge of working with business partners is especially important and often overlooked, he says. “Some technologies simply won't work for devices owned by people that don't work for you directly,” he says. “Your business partner isn't about to let you invade his/her device and put MDM on it, so you need to think about how you intend to provide access, distribute, update and control the apps and data you share.”
Last of all, Udell recommends thinking about mobile device forensics – an emerging field in which security experts are tasked with cracking into devices and attempting to access what is thought to be secure information. Additionally, he says, companies significantly reduce their risk profiles by monitoring their mobile platforms' recommended best practices policies and continuing to require that their internal developers and vendors adhere to them in their development efforts.
To address compliance requirements, Chaudhry says enterprises must continuously monitor the state of each device accessing the network, whether it is approved or not. “They are checking whether devices are in compliance with corporate policies, if there are new apps, and they are refining their policies based on what they see,” he says.
Whether the concern is Sarbanes-Oxley, the Patriot Act, the EU Data Protection Directive, or industry-specific mandates, such as the Payment Card Industry (PCI standard) or the Health Insurance Portability and Accountability Act (HIPAA), Chaudhry says organizations need enterprise-grade solutions that give IT the controls to ensure compliance.
BYOD: A legal eye
Andrew Serwin, chairman of the privacy, security & information management practice at law firm Foley & Lardner LLP, says companies are focusing on the issue of BYOD more because it is seen as a way to reduce costs and give workers some flexibility. However, he warns, it does require more consistency and coverage in IT security policies and procedures, and some flexibility with planning, particularly around data retention. Organizations “must have clear monitoring and records retention policies,” he says. “They must also make sure that there are adequate security policies and settings on the devices.”
BYOD presents challenges, too, when it comes to compliance. Serwin says many organizations are trying to be flexible in the application of records retention and monitoring, while also balancing the legal requirements under which they operate. For certain, it is a fine line to walk.
Key elements for an architecture that meets IT compliance include secure access that does not require IT to open ports in the firewall or duplicate repository data to a mobile-specific workspace in the DMZ or cloud, says Chaudhry. This framework also makes it necessary to eliminate the risk of rogue apps and hacker infiltration or malware exposure. This architecture should also provide a secure “container” that isolates and protects company documents on the device and trusted app sharing with corporate or authorized third-party applications. In Chaudhry's view, robust policy management should include existing file-server-environment permissions and Active Directory policies, as well as comprehensive mobile-specific policies that provide for end-to-end governance; reporting on mobile worker actions, including auditing capabilities; multifactored authentication verifying the user and device; 256-bit encryption for data travelling over the air and at rest; and passcode protection, corporate data wipe and access-revoking for lost or stolen devices.
“Being able to understand what corporate data is on the personal device and what the device profile is – to allow or prevent corporate access – helps IT maintain and enforce compliance,” says McAfee's Siems. “It also enables IT to take the appropriate next steps when a device is lost or stolen to prevent security breaches and data loss.”
Here again, though, Plaza says SMBs may be behind the curve. “This is still a learning process for the SMB since the BYOD phenomenon has grown exponentially compared to other technologies,” he says. “It has been a disruptive technology in that the IT leader/provider for the SMB has to play catch up to try and ensure that security is not compromised by the desire for ease of access.”
In the final analysis, though, BYOD may be simply too challenging for some kinds of organizations. “There are some industries that might have to say ‘no' to BYOD,” says Dasher. For instance, defense organizations may not be able to achieve their security requirements with BYOD. Likewise, he says, finance has long relied on BlackBerry and the venerable BlackBerry Enterprise Server. “The strict governance that guides the financial community may force them to only support certain platforms or devices,” he says. “It's really case by case. The employees who work in these heavily regulated industries generally understand that there is inherently less latitude for unchecked BYOD.
But, rest assured that organizations will test the BYOD waters and figure out what works and what doesn't. As such, industry observers are confidant that BYOD is not going away.
This article originally ran in a Spotlight edition of SC Magazine.