Dealing with BYOD Security Risks
IT is now challenged with implementing personal device security procedures that keep networks safe from infection and protect data from being lost or stolen.
It wasn't long ago that few would dream of asking IT to connect their personal laptop to an enterprise network beyond typical Web-based access to systems, knowing full well that doing so would violate security policies. Those who sneaked such devices in often tripped alarms. That changed rapidly following the release three years ago of the first iPad device, which opened the floodgates, primarily because of the millions of devices sold.
Now an astounding 78 percent of white-collar employees in the United States use their own PC, smartphone or tablet for work purposes, according to a report last year released by Cisco Systems Inc. outlining the Bring Your Own Device (BYOD) trend. According to a December report released by IT market researcher Gartner, 70 percent of organizations allow users' personal devices to access network systems and applications.
Economic, business and competitive imperatives have rapidly forced IT not only to allow employees to use their own devices, but to embrace the trend. This about-face has many in IT scrambling to actively monitor and manage devices that have already entered the network.
Only 33 percent of organizations have BYOD policies in place to ensure employee-owned devices aren't a security threat, according to the Gartner report -- a result echoed by an F5 Networks Inc. survey finding in March that 75 percent don't have such policies.
"Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization," wrote Gartner analyst Dionisio Zumerle in the report. "An analysis of the impact on mobile security when shifting from an enterprise-owned device scenario to a BYOD one is necessary to provide recommendations for maintaining security levels."
IT is now in the awkward position of needing to secure personal devices connected to the network, while not having physical governance of those devices. Yet with so many lacking a plan or policy, these devices are creating huge security holes in organizations, says Ken Baylor, research vice president of NSS Labs Inc., an information security research and advisory company.
Asked what the top policy concern is when crafting an enterprise BYOD security procedure, Baylor suggests that "the benefits and risks of BYOD must be evaluated by a cross-disciplinary committee of senior management personnel who together set the policy. The policy and its enforcement mechanism must be in place prior to allowing BYOD devices on the network."
So what can be done by the majority of IT shops that already have strike one on them for not having a policy in place on day one? According to an NSS Labs report, the technology is already there, Baylor says. While IT may not feel ready to handle the problems of securing user devices, the majority of available mobile device management (MDM) software is.
Take, for example, an enterprise running a Microsoft Exchange Server. The tools for securing corporate e-mail on mobile devices are already in Exchange ActiveSync (EAS). According to the NSS Labs report, EAS already provides the ability to disable specific device features such as Wi-Fi and Bluetooth, the ability to wipe lost or stolen devices remotely and support for digital rights management (DRM) technology.
As for the actual device management, the cloud-based Microsoft Windows Intune is one viable option, especially with the recent update that brought full device management support for Windows 8, Windows Phone 8, Android and iOS devices. Intune provides options for setting firewall connectivity and pushing through security updates and custom applications, along with remotely monitoring which personal device applications can have access to the network.
For more-sophisticated requirements, Microsoft System Center 2012 supports MDM, as do a bevy of third-party wares from the likes of AppSense, N-able Technologies Inc., Kaseya International Ltd., IBM Corp., the Sybase division of SAP AG, MobileIron, Citrix Systems Inc. (which last year acquired Zenprise), Symantec Corp. and others.
A major problem is the longtime issue of lost or stolen devices, exacerbated by the sheer number of devices that have grown out of BYOD. "The No. 1 security concern with employee-owned devices connecting to enterprise networks is loss of the devices," says Dave Amsler, president of Foreground Security, a consulting, services and training firm. He explains that "47 percent of non-IT workers have no passcode for their mobile phones. If a lost phone is found by a malicious individual, they'll likely have access to any enterprise data stored on the phone and possibly to data stored on enterprise servers."
These lost devices could cause a huge headache for IT because, even if the device is never accessed after being lost or stolen, it could trigger a mandatory data-breach notification in the corporate MDM system, according to Amsler.
So how can IT safeguard against the loss of data, short of handcuffing the physical devices to employees? The top priority, Amsler says, is to have a strong password policy in place for every device.
Once you have the devices secured and under your watch, NSS Labs' Baylor says the next hurdle for IT is making sure malware isn't making its way into your network via employee hardware.
The first step should be to limit the potential damage that can be done by isolating the devices so they have access to only what they need. IT can manage access through policy-management tools and authentication services enabled by Active Directory such as BeyondTrust PowerBroker Privilege Manager (and its recently acquired Blackbird Auditor), Full Armor GPAnywhere, NetIQ Group Policy Administrator, NetWrix Change Reporter and Quest (now a unit of Dell) ChangeAuditor, among others.
Once IT restricts access to systems, applications and data based on the device and network-access type used, administrators should keep a close eye on the device activity. "Insert application-level filtering of traffic to inspect BYOD traffic to the corporate network to ensure no malware or exploits pass from the BYOD segment to corporate servers," Baylor advises.
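As an added example (not code from the article, NSS Labs or Microsoft), the Exchange Management Shell commands below implement the EAS controls described earlier (passcode enforcement, Wi-Fi/Bluetooth lockdown and remote wipe) as a strong per-device passcode policy. Cmdlet and parameter names are the Exchange 2010-era forms and should be checked against the deployed version; the policy name, mailbox and e-mail addresses are placeholders.

```powershell
# Added example, not the article's or Microsoft's own code. Placeholder names throughout.

# 1. Inspect the weak baseline: the shipped Default policy does not require a passcode,
#    so a lost phone with no lock exposes any cached corporate mail.
Get-ActiveSyncMailboxPolicy -Identity Default |
    Format-List DevicePasswordEnabled, AllowNonProvisionableDevices, AllowWiFi, AllowBluetooth

# 2. Hardened BYOD policy (splatted so each setting can carry its own comment).
$policy = @{
    Name                               = "BYOD-Baseline"
    DevicePasswordEnabled              = $true          # require a device passcode
    AlphanumericDevicePasswordRequired = $true          # letters and digits, not a numeric PIN
    AllowSimpleDevicePassword          = $false         # reject 1234, 1111 and similar
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = "00:05:00"     # auto-lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts    = 10             # device wipes itself after 10 bad tries
    DevicePasswordExpiration           = "90.00:00:00"  # rotate every 90 days
    DevicePasswordHistory              = 5
    RequireDeviceEncryption            = $true          # protect data at rest if the device is lost
    AllowWiFi                          = $false         # feature lockdowns mentioned in the article
    AllowBluetooth                     = "Disable"
    AllowNonProvisionableDevices       = $false         # block devices that cannot enforce policy
}
New-ActiveSyncMailboxPolicy @policy

# 3. Assign the policy to a mailbox (placeholder identity).
Set-CASMailbox -Identity "jdoe@example.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 4. When a device is reported lost: list its partnerships and issue a remote wipe.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Format-Table DeviceId, DeviceType, LastSuccessSync, IsRemoteWipeSupported
$lostDeviceId = "<Identity value of the lost device from the listing above>"
Clear-ActiveSyncDevice -Identity $lostDeviceId -NotificationEmailAddresses "security@example.com"
```

The wipe request is queued server-side and executes the next time the device synchronizes, so the partnership should be left in place until the wipe is acknowledged.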
Once comprehensive monitoring is in place, Baylor says the following steps should be taken to properly protect your network:
- Implement a custom device-enrollment program, which will limit the number of devices per employee and will give an accurate view of who's accessing the network at any given time.
- Make it mandatory that IT has admin access to all devices. This will provide a clearer picture of any malware-related events that occurred when not connected to the network.
- Require all employees to have anti-malware software installed on the device and automatically deny access to any that do not.
- Protect all highly sensitive servers with multifactor authentication.
The Gartner report advises addressing three key issues: the risk of data leakage; ensuring employee privacy isn't jeopardized when mandating the installation of security or tracking software; and the challenges of coming up with adequate policies for securing devices, tracking vulnerabilities and providing updates.
To address those issues, Gartner recommends enforcing a mobile policy on personal devices or requiring users to separate business from personal environments. But, if opting for the latter, be cautious not to compromise the UX. IT also should determine supported devices and configurations and create support levels using a "managed-diversity matrix" -- while keeping in mind that as more devices are supported, a greater amount of time and IT resources will be needed to support all of them. The final option, though more costly, is to offer an employer-owned device to a user's liking and requirements that doesn't store private data.