BYOD Security Challenges and Solutions
1. Copyright 2013 The Word & Brown Companies
BYOD
(and other acronyms of interest)
Orange County CIO Roundtable
September 12, 2013
Jeff Hecht, Chief Compliance & Security Officer
The Word & Brown Companies
2. Two competing desires are increasingly at odds with each other:
expanding mobility to leverage productivity gains—and controlling
mobility to combat significant risks….
Agenda
BYOD basic issues
How widespread is it?
What are the risks?
How are enterprises dealing with it?
What categories of tools are or soon will be available to manage
BYOD?
How can we develop an acceptable approach for BYOD that balances
access and security?
3. BYOD Challenges and Opportunities
There is a growing demand from employees to use their own
electronic devices at work to access corporate assets.
Employees argue they are more productive on devices they’ve
chosen and mastered.
High level business executives often are part of this demand.
Younger employees in particular find the idea of a small list of corporate devices
unacceptable.
Some studies suggest employees are more likely to work more
hours and in more places when they can do it on their device of
choice.
Many of these devices may be unsupported by IT departments. The
versions change quickly as employees bring in the latest and
greatest devices and upgrade on their own schedule, not their
employer’s.
4. BYOD Challenges and Opportunities
The expense of always providing the latest and greatest devices is
too much for most enterprises, so having the employee provide their
own device appears attractive financially.
The devices offer instant connectivity to the Internet and cloud
services that can easily evade traditional control measures an IT
department uses with corporate assets.
Concerns about data security, device control, data ownership,
patching, backups and other issues generally handled for corporate
devices are not fully resolved for most IT Departments on personally
owned devices. Keeping corporate data secure is largely at odds
with the idea of “my device” and ubiquitous access.
Employees don’t always trust their employer with their own
information, particularly geo-location data, and may be reluctant to
follow some policies.
5. Major Security Concerns and Controls
6. Moving Ahead Regardless (figure credited to SC Magazine)
7. Moving Ahead Regardless (figure credited to SC Magazine)
8. There’s plenty of hype
Many vendors have products positioned to “solve” the “BYOD
problem”.
It’s unclear how big the issues are and equally unclear how
effectively the current product sets address the issues.
Each organization needs to assess what their exposure is and how
best to control it. Factors such as regulations, the specific type of
data held and exactly what is exposed to mobile connections are
key.
Many of these issues raise similar concerns regardless of whether
the device is owned by the organization or the employee, but they
are magnified with BYOD.
15. The Goals
Enable employee choice and flexibility
Prohibit unauthorized access, control where corporate data goes
Manage threats and vulnerabilities
Ensure network availability and performance. Deliver predictable
user experience
Understand and control the true costs (and benefits)
16. Alphabet Soup
BYOD – Bring Your Own Device, also sometimes called BYOT (Technology)
This is the blanket term for the trend and the industry that’s springing up around controlling the
access. Generally BYOD means an employee owns the device and the service contract for its
connectivity. Sometimes the employer may provide a stipend to offset some of the costs, but
often the employee bears the whole cost.
MBYOD – Managed Bring Your Own Device
More of a marketing term than an actual category, there are various levels and ways the device
can be controlled in a corporate environment. (More on this in the balance of the presentation).
CYOD – Choose Your Own Device
The employee can choose a device from a list of either specific models or levels of operating
system. Depending on the program the employer may purchase and own the device
(sometimes referred to as COPE, Company Owned Personally Enabled) or the employee buys
the device and service but must choose a device from the approved list to get connectivity to
corporate resources.
17. Alphabet Soup
BYOA – Bring Your Own Application
BYOA intersects two of the most visible trends in technology today – mobility and cloud
computing – where employees use a public application for work. The app itself could be a
mobile app, a Web-based cloud app, or a combination of both access methods. The app might
be free or paid-for and can be “brought” into the workplace on a mobile device or through a
company PC’s Web browser. Enterprises will invariably be faced with managing data in public
apps. A similar idea is BYOS, or Bring Your Own Service.
MDM – Mobile Device Management
The general category of tools to control access from mobile devices regardless of their
ownership. They have some method of device registration, monitoring and remote wipe in case
of loss or theft. Usually they can enforce password rules and require device encryption. More
advanced versions of these management suites include the ability to create separate,
encrypted data partitions to store and access corporate data. Some include basic data leakage
prevention (DLP) systems. These tools are primarily device centric; that is, you are registering
a physical device and the specific controls are applied to that device.
18. Alphabet Soup
MAM – Mobile Application Management / MIM – Mobile Information Management
Where MDM is device centric, MAM/MIM are application and data centric. There are several
approaches to controlling what corporate applications and data can be accessed. These can
be whitelisted or blacklisted applications and rules for what can or cannot be connected to remotely.
Containerization may be used to segregate and control data, although this sometimes impacts
the user experience. Perhaps the most promising is the use of virtualization to provide access
to data without actually allowing it to be transferred to mobile devices.
MDSM – Mobile Device Security Management
Similar to a security suite for PCs (but not yet so comprehensive), including malware scanning
and protection, enforcement of IPsec VPNs for connection to company resources, IPS, content
filtering and firewalls. These tools are in their infancy, and many MDM vendors claim their
products provide device security, but most are very limited in what they can really do.
MDDCA – Mobile Device Detection/contextual awareness
MDDCA is an attempt to enforce context based policy management. This might be geographic
(you can’t access Facebook from within the company facility but can from home), method of
access related (your iPad will connect to full company resources on the company WiFi but only
to the email server from another connection point) or day of the week or time related. Some
tools can segregate down to the individual access point (ok on the IT floor, not ok in a public
area).
20. Things To Consider With A BYOD Program
Recognize these devices are going to be in your environment (no
doubt already are) so figure out your position.
Are you trying to prohibit them? Embrace them? Control them? Do you have money to spend on
tools to do this, or do you have to rely on what you already have and on policy enforcement? Engage
business management to understand and shape their positions. Identify the company data you
want to provide access to – email access may be quite a different risk than the corporate
accounting system.
Specify What Devices Are Permitted.
Decide exactly what you mean when you say "bring your own device." Should you really be
saying, bring your own iPhone but not your own Android phone or only your Android with an OS
4.0 or later?
Decide What Apps Will Be Allowed or Banned.
Can users download, install and use an application that presents security or legal risk on devices
that have access to sensitive corporate resources? Can you control it? The technology for
preventing downloads of questionable apps or copyright-infringing music and media on personal
phones is immature at best, but that doesn’t mean you shouldn’t have a policy against it.
21. Things To Consider With A BYOD Program
Identify which employees will be allowed to use their own devices.
Is this everyone? Managers? Sales people? Only those you would have otherwise given corporate
equipment? Figure out who and why; you’ll be expected to defend the decisions.
Establish clear security requirements for all devices.
For example, if your users want to use their devices with your systems, then they'll have to accept
a complex password attached to their devices at all times, just as they do on the company-owned
equipment. They also may have to agree to a device wipe policy, timeout limit and device
encryption. You almost surely want to restrict jailbroken or rooted devices.
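The device requirements listed here (complex passcode, timeout limit, encryption, no jailbroken or rooted devices, a ban on risky apps) and the MDM/MAM/MDDCA categories from the Alphabet Soup slides come together in the kind of policy evaluator an MDM backend runs before granting access. The Python below is an added example, not code from this presentation or from any MDM product; every threshold, app identifier, resource name, the iOS version floor and the business-hours rule are constructed assumptions chosen to mirror the slides' wording (Android 4.0 or later; full resources on the company WiFi but only the mail server from elsewhere).

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Set, Tuple

# --- Policy values (hypothetical; chosen for illustration, not from the deck) ---
# Minimum OS versions per platform, mirroring the "Android only with OS 4.0 or
# later" decision. The iOS floor is an assumed value.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {"ios": (6, 0), "android": (4, 0)}
MIN_PASSCODE_LENGTH = 6          # "complex password attached to the device"
MAX_AUTO_LOCK_SECONDS = 300      # "timeout limit"
BANNED_APPS = {"com.example.p2pshare"}   # constructed blacklist entry (MAM)

# Context rule from the MDDCA slide: full resources on corporate Wi-Fi,
# only the mail server from any other connection point.
RESOURCES_BY_NETWORK: Dict[str, Set[str]] = {
    "corp_wifi": {"email", "file_share", "accounting"},
    "other": {"email"},
}
# Time-of-day rule (assumed): the accounting system is reachable only in business hours.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class DevicePosture:
    """What an MDM agent would report about a registered device."""
    os_name: str
    os_version: Tuple[int, ...]
    passcode_length: int          # 0 when no passcode is set
    encrypted: bool
    jailbroken_or_rooted: bool
    auto_lock_seconds: int
    installed_apps: frozenset


@dataclass(frozen=True)
class AccessContext:
    """Where and when the access attempt is being made."""
    network: str                  # "corp_wifi" or "other"
    local_time: time


def _fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def compliance_findings(device: DevicePosture) -> List[str]:
    """Return every security requirement the device fails; [] means compliant."""
    findings: List[str] = []
    floor = MIN_OS_VERSION.get(device.os_name.lower())
    if floor is None:
        findings.append(f"unsupported platform: {device.os_name}")
    elif device.os_version < floor:
        findings.append(
            f"{device.os_name} {_fmt(device.os_version)} is below minimum {_fmt(floor)}")
    if device.jailbroken_or_rooted:
        findings.append("device is jailbroken or rooted")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if not device.encrypted:
        findings.append("device storage is not encrypted")
    if device.auto_lock_seconds > MAX_AUTO_LOCK_SECONDS:
        findings.append(f"auto-lock timeout exceeds {MAX_AUTO_LOCK_SECONDS} seconds")
    banned = sorted(device.installed_apps & BANNED_APPS)
    if banned:
        findings.append("banned apps installed: " + ", ".join(banned))
    return findings


def allowed_resources(device: DevicePosture, ctx: AccessContext) -> Set[str]:
    """Resources the device may reach right now; empty set if non-compliant."""
    if compliance_findings(device):
        return set()                      # device requirements come first
    allowed = set(RESOURCES_BY_NETWORK.get(ctx.network, set()))
    start, end = BUSINESS_HOURS
    if not (start <= ctx.local_time <= end):
        allowed.discard("accounting")
    return allowed


if __name__ == "__main__":
    # Constructed sample devices, not real inventory data.
    ok = DevicePosture("android", (4, 4), 8, True, False, 120, frozenset({"com.example.mail"}))
    rooted = DevicePosture("android", (4, 4), 8, True, True, 120, frozenset())
    for label, dev in (("compliant", ok), ("rooted", rooted)):
        print(label, compliance_findings(dev),
              allowed_resources(dev, AccessContext("other", time(10, 0))))
```

The evaluator deliberately separates device posture (what the slide calls the security requirements) from access context (the MDDCA rules): a device that fails any posture check gets nothing, and only a compliant device is then narrowed by network and time of day. Returning the full list of findings, rather than a single yes/no, is what lets the help desk tell an employee exactly why their phone was refused.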
Make It Clear Who Owns What Apps and Data
At some point devices will be lost or stolen and data will have to be wiped. While some devices
support selective data wipes, it is always possible that all content on the phone may be erased,
including personal pictures, music and applications that the individual, not the company, may
have paid for. It may be impossible to replace these items. Be sure you make it clear that you
assert the right to wipe these devices. Provide guidance on how employees can secure their own
content and back it up so they can restore personal information if the device has to be wiped
or replaced. Can you control where they might back up the company data on the device?
22. Things To Consider With A BYOD Program
Figure out what level of support you can provide.
Will you provide support for broken devices?
Is your support basically a "wipe and reconfigure" operation?
How quickly and efficiently can you respond to lost device situations?
Are users on their own after initial set up?
Define ahead of time an Employee Exit Strategy.
What will happen when employees with devices on your BYOD platform leave the company? How
do you enforce the removal of access tokens, e-mail access, data and other proprietary
applications and information?
It's not as simple as having the employee return the corporate-issued phone. You may need to
perform a wipe of the BYOD-enabled device as a mandatory exit strategy and make it clear that
you reserve the right to issue a wipe command if the employee hasn't made alternate
arrangements with your IT department prior to exit time.
23. Things To Consider With A BYOD Program
Write it all down and communicate it.
There was never a more important time to have a clear, detailed written policy and to be prepared to
revise and update it regularly as unforeseen situations change the landscape.
Have your users sign an acknowledgement that they’ve read and agreed to the conditions you
decide to impose.
Invest in training BYOD users on the policy and the specific security threats associated with
mobile access.
Integrate Your BYOD Plan With Your Acceptable Use Policy.
Allowing personal devices to connect to your VPN introduces some doubt about what activities
may and may not be permitted.
If you set up a VPN tunnel on a personally owned device and then post to Facebook, is this a
violation?
What if your employees browse objectionable websites while on their device's VPN?
What if they transmit inappropriate material over your network, even though they're using a
device they own personally? Are there sanctions for such activity?
What monitoring strategies and tools are available to enforce such policies?
What rights do you have to set up rules in this arena?