Bring Your Own Risk with BYOD

In the age of the anywhere, anytime workplace, establishing boundaries for BYOD programs gets complicated.

As workforces become increasingly mobile and available through the use of smartphones, tablets and laptops, the enterprise becomes increasingly at risk of data loss, whether by employees losing devices or compromising cybersecurity.

The more successful BYOD implementations are often those driven by business goals (increasing workforce size or productivity) instead of mere convenience, and as such, BYOD policies should be built through multiple departments, such as IT, HR, security and legal, to ensure that the policy remains aligned on the enterprise’s success.

The program also needs to meet the needs of employees, not just IT personnel’s preferences. Otherwise, they may evade the cumbersome safeguards put in place to protect the company’s data in order to be more productive and streamline their own user experience.

“BYOD: an emerging market trend in more ways than one,” a study from Ovum, sponsored by Logicalis, shows that 79 percent of employees in high-growth markets believe the constant connectivity associated with BYOD enables them to do their jobs better. However, these benefits to the enterprise may come with higher risk, as 17.7 percent of survey respondents who bring their own devices to work claim that their employer’s IT department has no idea about this behavior, and 28.4 percent of IT departments actively ignore BYOD behavior.

There are a variety of enterprise mobility management (EMM) solutions to help enable safer BYOD programs, including virtual environments, data classification, virtual container approaches, device integrity scanning solutions, stronger encryption or authentication programs, but enterprises need to bring multiple stakeholders to the table to confront the risks associated with user-owned device use.

Putting policies in place to manage BYOD risks is a global problem also, as shown in the Ovum study. Only 20.1 percent of companies surveyed had signed a policy governing BYOD behavior. U.S. companies are doing better than many in this field, but companies without BYOD strategies still outnumber those with signed policies.

According to the NIST report “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” there are three common security objectives for mobile devices: confidentiality (ensuring that transmitted and stored data cannot be read by unauthorized parties), integrity (detecting intentional or unintentional changes to transmitted and stored data) and availability (ensuring that users can access resources using mobile devices whenever needed). BYOD programs support the latter, but the former two create hurdles to a successful BYOD program.

Securityconnected with Murigiah Souppaya, a computer scientist with NIST, and Karen Scarfone of Scarfone Cybersecurity – the joint writers of NIST Special Publication 800-124 on managing mobile device security for the enterprise, to discuss what to look for in a successful BYOD program, and what risks face organizations that do not do their due diligence in mobile device management.

Security: How could centralized mobile device management be applied to a bring your own device (BYOD) program in an enterprise?

Souppaya and Scarfone:The enterprise can use enterprise mobility management (EMM) solutions to manage the risk of allowing employees to use their personal devices to access enterprise services and data. These solutions, such as mobile device management (MDM) and mobile application management (MAM), provide an environment that isolates the enterprise applications and data from the rest of the device. Strong authentication can be required to access the enterprise environment, which is also encrypted to protect the organization’s sensitive data and applications, and to minimize data leakage from those applications to other applications and services running on the device. In the event the device is lost or the employee leaves the organization, the protected environment can be remotely wiped to remove the enterprise data.

What are pitfalls that enterprise information security personnel should be mindful of?

Although EMM solutions can be very helpful in safeguarding BYOD devices and the data they contain, no security control can provide complete protection. Some of the potential issues with allowing BYOD usage include:

• Loss of control and visibility of the enterprise data which is being transmitted, stored, and processed on a personal device;
• Potential data leakage or disclosure of enterprise data on a device;
• Physical loss or theft of the device; and
• Devices with compromised integrity, such as smartphones that have been rooted or jailbroken by their owners.

How has the risk landscape changed for mobile devices in the past five years? How does this impact enterprises?

As mobile devices have gained functional capabilities that allow enterprise users to do their work without resorting to their traditional desktops and laptops, which are often tethered to a dedicated network, the attack surface of the mobile devices has increased greatly. The additional features give attackers many more paths for attack, such as introducing untrusted mobile applications that may be vulnerable or malicious. Also, attackers are targeting more mobile devices because they are “personal” and often contain personally identifiable information about the user.

Mobile devices improve quality of life by allowing users to be more productive and efficient since they can work anytime and anywhere. To support these usage scenarios, the enterprise enables the users to have access to the enterprise services and data from devices that are outside the boundary of the trusted enterprise network. In addition, some of these services are being migrated to public clouds to provide greater availability and facilitate integration with other shared services. As a result, the use of mobile devices is challenging the traditional enterprise computing model.

Which enterprise stakeholders should be involved in crafting a mobile device security policy?

Business owners, the enterprise IT team, and enterprise security professionals should all work together to develop a mobile device security policy that will enable the organization to meet its business requirements. Ideally the policy will balance the need to be innovative, competitive, and efficient with the need to manage risks and implement security countermeasures in order to enable the business units to meet their goals and objectives.

How should a mobile device security policy be changed or expanded when a BYOD program is in place?

With the introduction of BYOD, the policy should take into account that the enterprise does not own the mobile devices that are being used to access the enterprise services and data. Traditional processes and procedures applied to enterprise-owned devices have to be customized or even replaced altogether to help the organization minimize its risk in allowing use of “personal” devices. Organizations usually have to implement additional security countermeasures to support the BYOD usage scenario.

Ideally, what security measures can and should the enterprise require for employee-owned devices used for business purposes?

Devices should have a hardware root of trust to protect the organization’s sensitive device, application and user private keys. Enterprises should have:

• A sound registration and provisioning process for employee-owned devices before access to enterprise resources is allowed;
• A mechanism for assessing the integrity of a device, especially detecting if the device has been compromised at the platform level, (e.g., rooted, jailbroken) which would defeat the built-in security protections that are provided by the platform manufacturers;
• A capability to isolate and protect the enterprise applications and data from the rest of the device environment;
• Enforcement of strong authentication mechanisms leveraging the hardware root of trust before the user can access enterprise applications and data from a personal device;
• Protection of the confidentiality and integrity of communications between the mobile device and enterprise services;
• The ability to know who, when, what, where and how the enterprise data and services are accessed; and
• The ability to remotely wipe the protected environment for a lost device or potentially locate the lost device.

How can enterprises maintain oversight into what devices employees are using for data, and whether or not these devices are up to date on patches and operating systems?

As part of the registration/provisioning process for the BYOD devices, an organization may be able to track the mobile devices as part of its device inventory. This gives the organization visibility into the devices and can allow the organization to determine the current state of the devices in terms of patch and firmware levels when the user connects to the enterprise data and services. Since the enterprise does not own these devices, it may not be able to force them to be updated, but it can prevent devices that do not meet its security requirements from accessing the enterprise’s resources until the user takes some corrective action, such as updating the firmware to a version that is not
vulnerable.

If an enterprise neglects to put proper mobile security policies in place, what sort of risks do they run? Can you give me an example of a likely scenario?

• Sensitive enterprise data, such as personally identifiable information and proprietary intellectual property, could be stored or transmitted without adequate protection, allowing the data to be leaked to third parties.
• Compromised devices and user credentials could be used as an entry point into an enterprise network or a pivot point within an enterprise as part of a larger attack seeking access to high-value enterprise assets.
• A device that is compromised and taken over by the attacker could be used to impersonate the user, get the user’s personal information, take over the user’s accounts via password reset mechanisms, monitor user activities on the device including location/voice/video, change critical data such as a bank account number during a financial transaction, attack other devices, destroy the personal data on the device such as photos/videos/address books, exhaust resources such as battery, or render the device and associated data unusable.

Which types of enterprise or industries would require stronger device security and added security services?

Industries that allow their sensitive and critical data either to be stored or processed on the devices, or to be accessed on the enterprise network from the device to perform high-impact transactions, require additional security protections and services. These security capabilities are driven by the threat landscape and compliance requirements (e.g., HIPAA, FISMA, PCI, NERC/CIP) if the industries are regulated. For example, the business process disruptions, fines and loss of reputation impact the way the enterprise achieves its business objectives. Understanding the criticality of the data and associated impact and applying a business risk management process help the organization determine the type of security capabilities that are adequate to protect the enterprise’s applications and data on BYOD devices.