BYOD security policy: Mitigate BYOD risk with device requirements

How can enterprises mitigate the BYOD risk? Expert Michael Cobb suggests some device requirements to include in a BYOD security policy.

My company is currently implementing a bring your own device (BYOD) security policy and is in the process of narrowing the list of security requirements that will be necessary for a user to access data on the network. What would you include on a list of security requirements for a mobile device carried in by an end user?

The security rules and requirements for a BYOD device are likely to vary depending on the user's role within the organization, the specific device and application requirements. The overriding consideration is that mobile devices don't put sensitive information at risk. If a device is allowed to access information that is deemed highly sensitive, that's going to elevate all the security requirements that need to be layered onto that particular device. Enterprises must compensate for the lack of traditional safeguards provided by an office location, such as managed enterprise network perimeters and physical protective measures.

For base requirements, every BYOD device should support remote wipe and strong encryption of the data stored on it. These two controls go a long way toward mitigating the risk of lost or stolen data. If mobile devices will be accessing highly sensitive data, then look for devices that support encryption compliant with FIPS 140-2, the government computer security standard used to accredit cryptographic modules, and that require two-factor authentication.


Users often struggle with switching to a VPN connection when accessing enterprise network resources from mobile devices, so choosing devices that can easily switch to a VPN helps ensure users reach the corporate network over a secure communications channel. Another particularly useful control in BYOD environments is sandboxing, which effectively divides a mobile device in two. Enterprise data is stored in one of the sandboxes, and system administrators control access to it.

I would certainly consider using mobile device management (MDM) to help manage the risks of BYOD. MDM products let administrators push policy, and any later changes to it, to devices remotely and automatically, so that VPN settings, passcode requirements and screen-lock duration rules are enforced. They can also block the installation of new apps and turn off Bluetooth support.
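The two preceding points, a base set of device requirements that is elevated when a device touches highly sensitive data, and an MDM that checks and enforces those settings, are the kind of thing an administrator ends up encoding as a posture check. The script below is an added illustration, not code from the original article or from any MDM product: it evaluates a small constructed device inventory against a tiered requirement set. The attribute names (`storage_encrypted`, `fips_validated_crypto`, `mfa_enforced` and so on), the tier names and the five-minute screen-lock threshold are assumptions chosen for this example and would be mapped to whatever a real MDM reports. Missing attributes are treated as failures, so an incomplete inventory record never passes by accident.

```python
"""Posture check of BYOD devices against a tiered requirement set.

Added example; attribute names, tiers and thresholds are assumed, not
taken from the article or from any MDM vendor's schema.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A device inherits the requirements of its own tier plus every lower tier:
# access to more sensitive data elevates all the controls layered onto it.
TIER_ORDER = ["standard", "highly_sensitive"]


def _screen_lock_within(device: Dict, max_minutes: int) -> bool:
    """True only if a screen-lock timeout is reported and is short enough."""
    minutes = device.get("screen_lock_minutes")
    return minutes is not None and minutes <= max_minutes


# Each control is (name, predicate). Predicates compare with `is True` /
# `is False` so that an absent attribute fails closed rather than passing.
Check = Tuple[str, Callable[[Dict], bool]]
REQUIREMENTS: Dict[str, List[Check]] = {
    "standard": [
        ("remote_wipe", lambda d: d.get("remote_wipe_supported") is True),
        ("storage_encryption", lambda d: d.get("storage_encrypted") is True),
        ("passcode", lambda d: d.get("passcode_set") is True),
        ("screen_lock_5min", lambda d: _screen_lock_within(d, 5)),
        ("vpn_profile", lambda d: d.get("vpn_profile_installed") is True),
    ],
    "highly_sensitive": [
        ("fips_140_2_crypto", lambda d: d.get("fips_validated_crypto") is True),
        ("two_factor_auth", lambda d: d.get("mfa_enforced") is True),
        ("sandboxed_workspace", lambda d: d.get("work_container") is True),
        ("bluetooth_disabled", lambda d: d.get("bluetooth_enabled") is False),
    ],
}

# Which tier a user's role maps to (assumed mapping for the example).
ROLE_TIER = {"executive": "highly_sensitive", "staff": "standard"}


@dataclass
class PostureResult:
    device_id: str
    tier: str
    missing: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.missing


def required_controls(tier: str) -> List[Check]:
    """Controls for `tier`, including those of every lower tier, in order."""
    if tier not in TIER_ORDER:
        raise ValueError(f"unknown tier: {tier}")
    controls: List[Check] = []
    for t in TIER_ORDER[: TIER_ORDER.index(tier) + 1]:
        controls.extend(REQUIREMENTS[t])
    return controls


def evaluate(device: Dict, tier: str) -> PostureResult:
    """Run every control for the tier and record the ones the device fails."""
    result = PostureResult(device_id=device["device_id"], tier=tier)
    for name, check in required_controls(tier):
        if not check(device):
            result.missing.append(name)
    return result


def evaluate_inventory(devices: List[Dict], role_tier: Dict[str, str]) -> Dict[str, PostureResult]:
    """Evaluate each device at the tier implied by its owner's role."""
    return {d["device_id"]: evaluate(d, role_tier[d["owner_role"]]) for d in devices}


# Constructed sample inventory; none of these are real devices.
SAMPLE_DEVICES = [
    {"device_id": "exec-001", "owner_role": "executive", "remote_wipe_supported": True,
     "storage_encrypted": True, "passcode_set": True, "screen_lock_minutes": 2,
     "vpn_profile_installed": True, "fips_validated_crypto": True, "mfa_enforced": True,
     "work_container": True, "bluetooth_enabled": False},
    {"device_id": "staff-002", "owner_role": "staff", "remote_wipe_supported": True,
     "storage_encrypted": False, "passcode_set": True, "screen_lock_minutes": 15,
     "vpn_profile_installed": True},
    # mfa_enforced is absent here: the record is incomplete, so the control fails.
    {"device_id": "exec-003", "owner_role": "executive", "remote_wipe_supported": True,
     "storage_encrypted": True, "passcode_set": True, "screen_lock_minutes": 5,
     "vpn_profile_installed": True, "fips_validated_crypto": False,
     "work_container": True, "bluetooth_enabled": False},
]

if __name__ == "__main__":
    for r in evaluate_inventory(SAMPLE_DEVICES, ROLE_TIER).values():
        status = "OK" if r.compliant else "BLOCK: missing " + ", ".join(r.missing)
        print(f"{r.device_id} [{r.tier}] {status}")
```

The report lists, per device, which required controls are absent, which is the information an administrator needs to decide whether the device gets network access or is pushed a corrected profile. The `is True` / `is False` comparisons are deliberate: an MDM record that simply omits a field should block rather than pass.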

A good BYOD policy can help control usage and mitigate BYOD security risk. Breaches are less frequent when policies are thoroughly communicated, so users should be instructed on the procedures and best practices covered in the enterprise's policy. They should also understand that they are individually responsible for the protection of their mobile device and the corporate information that it stores or accesses. Also, make sure any BYOD policy covers procedures for the secure deletion of information before a device is returned to the vendor or technical staff, or is no longer required or appropriate for use.

Finally, don't be afraid to ban certain employee groups from using certain devices. With senior executives, for example, an enterprise might want to insist on using a BlackBerry device because data can be secured more effectively on that platform than on an Android device, which may be more appropriate for staff with restricted access to sensitive information.

This was last published in September 2012
