Security Challenges BYOD Presents
Securing Smartphones in the Bring-Your-Own-Device Era
Most organizations remain uncomfortable letting their employees use their own mobile devices to access their IT systems. Yet, in many instances, those charged with securing their enterprises' IT understand that it's just a matter of time before they must grant workers permission to use those devices.
"We are not doing it because we are not ready yet," says Sharon Hagi, an IT architect at IBM, noting that Big Blue recognizes the demand for such a policy and is evaluating options to see if and when such a practice could be implemented. "BYOD is the future and eventually this is the way most of us will start working."
BYOD stands for bring your own device, and it's one of the hottest challenges IT security organizations face as a growing number of employees use their own BlackBerrys, iPhones, iPads and Droids to access their employers' IT systems. In instances where such practices are banned, employees are demanding that the prohibition be lifted.
That's causing much reflection among IT security professionals. Executives and managers charged with IT security have identified five challenges that must be surmounted before their organizations can allow secure access to their systems by smartphones and tablet computers owned by their employees. These challenges include policy enforcement, physical theft, malware prevention, IT support and employee education.
Many IT security leaders aren't sure if their teams are ready to take on additional responsibilities of continuously monitoring these devices and people's behavior.
The state of Delaware and the Indian bank HDFC automate the enforcement of their BYOD policies. In Delaware, if employees try to disable their passwords or attempt to transfer corporate data to another network, security controls in place prevent these activities and send an automated alert to data monitoring systems. "Once we pass the controls phase, we're almost done with very little maintenance needed going forward," Delaware Chief Security Officer Elayne Starkey says.
Both organizations automate remote wipe, which erases data from mobile devices when specific policies aren't followed. In Delaware, that happens when a user fails to log on to a system seven straight times. At HDFC, the remote wipe feature erases only business data, and only if the device is lost or stolen. "Ownership and trust have become a key dimension along which to set and enforce policy," HDFC CISO Vishal Salvi says. "It is no longer about which users do I trust but which data under what circumstances (can be trusted)."
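The controls described above (blocking password-disable and external data-transfer attempts with an alert, wiping after seven consecutive failed logons, and limiting the wipe to business data on an employee-owned device) amount to a small state machine over device events. The following is an added illustration, not Delaware's or HDFC's actual enforcement software; the event types, the device records and the sample event stream are constructed for the example, and the rule that ownership decides the wipe scope is an assumption modelled on HDFC's description.

```python
"""Toy BYOD policy-enforcement engine (added example; not any organization's
real software). It consumes a constructed stream of device events and applies
the controls the article describes. Event types and field names are invented
for the example."""

from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILED_LOGONS = 7  # threshold taken from the article's Delaware policy


@dataclass
class Device:
    device_id: str
    personally_owned: bool
    failed_logons: int = 0            # consecutive failures; reset on success
    wiped: Optional[str] = None       # None, "business_data" or "full"
    alerts: List[str] = field(default_factory=list)


def wipe_scope(device: Device) -> str:
    """Ownership decides how much a wipe removes (assumption: personal device
    loses only business data, a corporate device is wiped fully)."""
    return "business_data" if device.personally_owned else "full"


def handle_event(device: Device, event: dict) -> str:
    """Apply one event to a device's state and return the action taken."""
    if device.wiped:
        return "ignored_already_wiped"

    kind = event["type"]
    if kind == "logon_failed":
        device.failed_logons += 1
        if device.failed_logons >= MAX_FAILED_LOGONS:
            device.wiped = wipe_scope(device)
            device.alerts.append(
                f"{device.device_id}: wipe ({device.wiped}) after "
                f"{device.failed_logons} consecutive failed logons")
            return "wipe"
        return "allow"
    if kind == "logon_ok":
        device.failed_logons = 0      # only *consecutive* failures count
        return "allow"
    if kind == "password_disabled":
        device.alerts.append(f"{device.device_id}: attempt to disable password blocked")
        return "block_and_alert"
    if kind == "data_transfer":
        if event.get("destination") == "corporate":
            return "allow"
        device.alerts.append(
            f"{device.device_id}: transfer of corporate data to "
            f"{event.get('destination')} blocked")
        return "block_and_alert"
    if kind == "reported_lost":
        device.wiped = wipe_scope(device)
        device.alerts.append(f"{device.device_id}: wipe ({device.wiped}) after loss report")
        return "wipe"
    return "allow"                    # unknown event kinds are not policy violations


def run(device: Device, events: List[dict]) -> List[str]:
    return [handle_event(device, e) for e in events]


# Constructed sample stream: six failures, a success (resets the counter),
# two blocked actions, an allowed transfer, then seven failures in a row.
SAMPLE_EVENTS = (
    [{"type": "logon_failed"}] * 6
    + [{"type": "logon_ok"},
       {"type": "password_disabled"},
       {"type": "data_transfer", "destination": "personal_cloud"},
       {"type": "data_transfer", "destination": "corporate"}]
    + [{"type": "logon_failed"}] * 7
    + [{"type": "logon_ok"}]
)

if __name__ == "__main__":
    phone = Device("emp-phone-01", personally_owned=True)
    for action in run(phone, SAMPLE_EVENTS):
        print(action)
    print(phone.alerts)
```

The success at position seven resets the counter, so the first six failures never trigger a wipe; only the later uninterrupted run of seven does, and because the device is personally owned the wipe is scoped to business data.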
For some, enforcement of BYOD policies could seem draconian. Starkey says violation of these policies could have grave consequences for the employee and, if repeated, could result in their firing.
Think about it: the chances of losing a mobile device owned by an individual - or having it stolen - are a lot greater than for one owned by the employer. A personally owned device goes everywhere with its owner; that's not necessarily true of a company-owned device. That provides little comfort for IT security managers responsible for safeguarding sensitive corporate data.
Except for BlackBerrys, most other mobile devices don't readily support encryption. If someone steals an iPhone or an Android smartphone, the unencrypted data on the device could be exposed to the thief.
But by placing proper controls on user-owned devices, unauthorized individuals can be prevented from gaining access to sensitive data. If state employees in Delaware want to use their own smartphones or tablet PCs for work, they must agree to seven security controls (see 7 Steps to Secure Mobile Devices), including strong passwords and remote wipe. Such an approach places part of the security burden on the employee. And half of the employees who had been using their own devices to access the state network decided not to do so when Delaware implemented its BYOD policy a year ago. "We want employees to think twice before they jump into this," Starkey says.
Devices used for personal activities are more prone to malware; after all, they access a number of consumer sites that don't necessarily provide the same level of security as many sites designed for business-to-business transactions.
Ajoy Kumar heads application security at a large American investment bank and worries not only about insecure applications downloaded onto these devices, but also about so-called jailbroken smartphones and tablets that are opened and altered to permit software the manufacturer didn't design the device to run. Kumar, also an (ISC)2 application security board member, says that could allow the downloading of apps the device wasn't configured to run, which in turn could contain malware. Instead of just safeguarding the device, Kumar and his team are working on ways to secure the individual applications on the device so that if one program gets infected, the malware can't spread to the other apps. "We are enabling a foolproof control measure so that managing BYOD does not become a nightmare," he says.
HDFC scrutinizes all employee-owned devices before it allows them to access its networks, to ensure they're safe and not jailbroken. The bank also makes sure all personally owned devices contain anti-malware software that includes features to alert bank security personnel should a virus surface. Over the past two years, Salvi says, this approach has helped minimize and control malware outbreaks.
Letting employees use their own devices presents a nightmarish scenario for many organizations: supporting a wide range of gadgets, operating systems and software. Organizations must define which devices to support based on how they'll be used. It may be OK to limit certain devices to specific applications, such as e-mail, and restrict their access to other programs behind the firewall.
When HDFC began allowing employees to use their own devices two years ago, the bank permitted only BlackBerrys because that brand of smartphone supports encryption. The bank also limited employees to using their BlackBerrys to access their corporate e-mail accounts. Recognizing the popularity of the iPhone and iPad, HDFC is looking into integrating Apple devices into its BYOD policy.
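The screening HDFC and Kumar describe in the preceding paragraphs (reject jailbroken devices, require anti-malware that can alert security staff, require encryption, and admit only the platforms the program supports, each limited to the applications it is approved for) can be expressed as a fail-closed admission check. The code below is an added example, not HDFC's or any MDM vendor's implementation; the posture-report fields, the platform table and the staleness rule (a report older than a set number of hours must be refreshed, since jailbreak status can change after onboarding) are assumptions made for the illustration.

```python
"""Toy BYOD device-admission check (added example; not any organization's or
vendor's real code). A posture report is evaluated against the screening
rules the article describes; every failing rule is recorded so the user can
be told exactly what to fix. Field and platform names are constructed."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Platforms the program admits and the applications each may reach.
# Mirrors the article's staged rollout: BlackBerry first, e-mail only.
# The iOS entry is a hypothetical later stage, not something the page states.
SUPPORTED_PLATFORMS: Dict[str, FrozenSet[str]] = {
    "blackberry": frozenset({"email"}),
    "ios": frozenset({"email"}),          # hypothetical next stage
}

MAX_REPORT_AGE_HOURS = 24  # assumption: posture must be re-verified daily


@dataclass(frozen=True)
class Posture:
    device_id: str
    platform: str
    jailbroken: bool
    encryption_enabled: bool
    passcode_set: bool
    anti_malware_installed: bool
    anti_malware_alerting: bool      # can it notify security staff?
    report_age_hours: float


@dataclass(frozen=True)
class Decision:
    admitted: bool
    allowed_apps: FrozenSet[str]
    reasons: Tuple[str, ...]          # empty when admitted


def evaluate(p: Posture) -> Decision:
    """Fail closed: any unmet requirement denies access, and all unmet
    requirements are reported rather than just the first one found."""
    reasons = []
    if p.report_age_hours > MAX_REPORT_AGE_HOURS:
        reasons.append("posture report is stale; re-verify device")
    if p.platform not in SUPPORTED_PLATFORMS:
        reasons.append(f"platform '{p.platform}' not supported by the program")
    if p.jailbroken:
        reasons.append("device is jailbroken")
    if not p.encryption_enabled:
        reasons.append("device encryption not enabled")
    if not p.passcode_set:
        reasons.append("no passcode configured")
    if not (p.anti_malware_installed and p.anti_malware_alerting):
        reasons.append("anti-malware with alerting to security staff not present")

    if reasons:
        return Decision(False, frozenset(), tuple(reasons))
    return Decision(True, SUPPORTED_PLATFORMS[p.platform], ())


# Constructed sample reports.
COMPLIANT_BLACKBERRY = Posture("bb-001", "blackberry", False, True, True, True, True, 2.0)
JAILBROKEN_IPHONE = Posture("ios-002", "ios", True, True, True, False, False, 1.0)
STALE_BLACKBERRY = Posture("bb-003", "blackberry", False, True, True, True, True, 40.0)
UNSUPPORTED_ANDROID = Posture("and-004", "android", False, False, True, True, True, 0.5)

if __name__ == "__main__":
    for report in (COMPLIANT_BLACKBERRY, JAILBROKEN_IPHONE, STALE_BLACKBERRY, UNSUPPORTED_ANDROID):
        d = evaluate(report)
        print(report.device_id, "admitted" if d.admitted else "denied",
              sorted(d.allowed_apps), d.reasons)
```

Recording every failing rule, rather than stopping at the first, matters for a program that relies on employees to remediate their own devices: a user told only "not supported" would fix one thing and be denied again for the next.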
Getting employees to understand the policy and why it's important for them to implement security controls requires education. In Delaware, Starkey spent a lot of time personally reaching out to employees, emphasizing their role in protecting state data and why that's important. "We let them know the reason behind the new policy, which is kind of an important part of the whole communication plan," she says. "It's not that we're just trying to be difficult by imposing rules, but we're working to prevent data leakage and data loss out of the state network."
Indeed, security awareness and training are a crucial element in allowing employees to use their own mobile devices, and it's important that IT security leaders prepare their staffs - and themselves - for the widespread adoption of BYOD. "The BYOD trend is here to stay," Salvi says. "But success of BYOD programs will depend on how security leaders handle complex issues of trust and liability resulting from the shifting ownership of mobile devices."