
BYOD security strategies: Balancing BYOD risks and rewards

Allowing employee-owned mobile devices doesn’t have to mean accepting all BYOD risks. Infosec pros share their BYOD security strategies.

Mobile devices come in all shapes and sizes, from smartphones, notebooks and tablets to the new-breed hybrid convertibles and detachables that made headlines at the Consumer Electronics Show 2013. While mobility boosts enterprise employee efficiency by delivering "anywhere access" to business data and systems, it obliterates what's left of the increasingly ineffective corporate network perimeter.

Many security managers have already discovered the disconcerting implications: less control than ever over enterprise data access from a myriad of consumer devices—including a groundswell of bring your own devices (BYODs)—and more difficulty determining which devices are accessing which systems and data.

So it's no surprise that as use of personal mobile devices grows and becomes pervasive inside and outside the office, employers are struggling to enable secure use of BYODs. Anthony Peters, director of information technology at Burr Pilger Mayer Inc., a 400-strong financial services firm headquartered in San Francisco, said his tidy, policy-driven corporate BlackBerry world was shattered several years ago by the Apple iPhone craze.


"Today, we're almost entirely BYOD," Peters said. "We allow iPhone 3GS and above, Windows Mobile and Android. We have just 7 BlackBerrys left that I'm hoping to retire soon."

Burr Pilger Mayer is not alone. Enterprise BYOD adoption rates vary by region and industry, but by analyst estimates they have reached 40% to 75%, driven largely by consumer smartphones and tablets. According to Black Diamond, Wash.-based market research firm Osterman Research, there are now nearly twice as many personally owned iPhones, iPads and Android devices as corporate-issued ones. Simply banning BYODs from the workplace rarely works.

"Ask anyone who says they don't have BYODs to review their logs—I guarantee they'll find Mobile Safari," said Dave Martin, vice president and CSO at Hopkinton, Mass.-based EMC Corp. "Disallowing BYODs just pushes them underground where you lose visibility. I'd rather see BYODs and deal forensically with risks than try to convince myself that I can block them outright. Experience has shown that's a failed strategy; users find a way in. But if you're too permissive, you're open to data loss. We are unable to lock down BYODs in the same way, so we need to be smarter about how we use them."

Getting a handle on BYOD risks

BYODs pose many business risks, some widely recognized and others less understood. The Security for Business Innovation Council, a team composed of Global 1000 information security leaders, cited lost or stolen BYODs as its top concern. The danger here is clear: Although BYODs that go missing may well contain sensitive data, according to Osterman Research, fewer than 1 in 4 can be remotely wiped.

What's more, employers often cannot assess data breach exposure on unmanaged BYODs. "It comes down to losing control of your data," Martin said. "When email is retrieved [over cellular] and opened on a BYOD, I lose visibility into data access. In a phishing attack, I'd have no idea it even happened, and I [would] lose any chance of [forensic investigation]."

When BYODs bypass the inbound filters normally applied to corporate devices, they're vulnerable to malware, a fast-growing risk, particularly for Android devices. BYODs that bypass outbound filters elevate the risk of non-compliance with data privacy laws and regulatory requirements. As BYOD use grows, so will the frequency of these risky behaviors.

It's tempting to tackle these risks by locking BYODs down just like corporate devices, but organizations that have tried run head-long into personal privacy barriers. "In the beginning, we had a lot of push-back," Peters said. "[Users worried there would be] too much Big Brother and we'd be too involved in their personal lives. We talked to senior management, HR and legal from the start, spending significant time with individuals, showing them how [BYOD security policies] would work. That was really helpful in policy design."

Balancing BYOD risk versus privacy

BYOD agreement checklist

A BYOD agreement checklist recommended by the Security for Business Innovation Council includes:

  • Ensure that end users are responsible for backing up personal data;
  • Clarify lines of responsibility for device maintenance, support and costs;
  • Require employees to remove apps at the request of the organization;
  • Disable access to the network if a blacklisted app is installed or if the device has been jail-broken; and
  • Specify the consequences for any violations to the policy.

Source: "Realizing The Mobile Enterprise," Security for Business Innovation Council, published by RSA Security.

This push-back is precisely why many mobile device management (MDM) vendors are adding more granular policies and tools. For example, some MDM products can now be configured to collect and display location and call histories from corporate devices, but not BYODs. Such options emerged because employers with international presence face additional risk when it comes to privacy regulations.

"Lack of clarity—especially for multi-nationals with EMEA presence—is giving employers pause," said John Marshall, CEO of AirWatch, an MDM vendor based in Atlanta. "They don't want to allow BYOD as a convenience and then find they're not in compliance with some country's regulations. We're seeing customers being more careful about personal privacy expectations—not inventorying personal apps installed on BYODs, [and] not wiping personal data on BYODs, and the like."

Although regulations vary from country to country, many require informed consent to access personal information. This has given rise to enrollment processes that notify users about all possible MDM capabilities, whether employed or not, followed by customized "terms of service" that describe how the employer intends to manage the BYOD: what information will be collected, what actions can be taken, and what workers must agree to in order to complete enrollment and gain access to business data and systems.

An organization can address many BYOD privacy and compliance concerns by focusing on business assets. "We'll always have to manage devices; we'll always have to manage users, but what we manage about them can be narrower," said Jonathan Dale, marketing manager with Blue Bell, Pa.-based mobile service provider Fiberlink Communications Corp. He said it is now possible and preferred for IT to secure mail, apps, content and users' browser experience by applying different policies to certain user groups.

The MDM market is flooded with vendors offering integrated and standalone tools to manage sandboxed enterprise applications, corporate data containers and secure Web browser environments. "If you're just managing apps or content, there's no way you can make a mistake and see or wipe personal data," Marshall said. "This approach generally allows a company to extend BYOD to a much larger audience."

Policies that work for BYODs

At Burr Pilger Mayer, which uses Fiberlink's MaaS360 Software as a Service (SaaS)-based MDM product, BYODs are redirected to an enrollment portal, where user and device eligibility is determined. "Next, users must agree to give IT some control—for example, if your device goes missing, call us first so that we can wipe your phone before you call your provider," Peters said. "Then we apply PIN length/change, encryption and wipe requirements."

These controls are widely embraced by the industry as table stakes for all devices. But BYOD success or failure lies in policy specifics. "Many people want to treat smartphones like desktop extensions. This is a disaster in practice," said Ahmed Datoo, chief marketing officer of Citrix Inc.'s Zenprise MDM unit. "Smartphone users don't have the patience to tap in eight-character passcodes, including caps and numbers—especially given frequent re-entry. All it takes is one device wipe accident and users will start removing [IT-managed controls]."


In fact, 26% of the 500,000 corporate devices and BYODs under Fiberlink MaaS360 control have policies that don't require passcodes. Of the rest, 53% require a 4-5 digit PIN, 16% require 6-7 digits, and a mere 2% require alphanumeric passcodes, Dale said. While a malicious hacker could more easily crack a short PIN once he or she has possession of a device, it appears that employers are willing to accept that risk in trade for basic device restrictions, visibility and as-needed control.

For restrictions, full-device encryption is standard-issue on iPhones, iPads, BlackBerrys and brand-new Windows 8 phones, but on only a subset of Androids. Dale reported that 44% of MaaS360 policies enforce encryption on Android devices. A growing number of employers may be adopting strategies similar to Burr Pilger Mayer's, namely allowing unencrypted Androids but compensating by storing corporate documents in a secure data container or using self-encrypting, self-authenticating sandboxed applications.

"We make sure that our documents are encrypted and prevented from getting into the wrong hands," Peters explained. "We also track which documents people download and when they are synchronized with the cloud or forwarded." By focusing [on] only these business assets, Peters said the company has been able to fully embrace BYOD without risking non-compliance or losing its ability to control and report on access.

Avoiding BYOD security management pitfalls

Limited BYOD management also enables more granular wipe. "Selective wipe has become the de facto standard," Dale said. "Our customers are no longer using full-device wipe on either corporate or BYO devices."

Wiping only corporate settings, data and apps can protect business assets while leaving personal data and settings intact. Here again, policy matters: A scorched-earth approach may mitigate business risk, but it also removes MDM control and visibility, inhibiting assisted remediation. Instead, a more measured approach begins with user/IT notification, followed by as-needed escalation.

For example, Burr Pilger Mayer uses blacklists to detect when data-sharing apps are installed. "We go talk to employees about what they're using apps for and not to share our data," Peters said. "If we see that same app on 100 devices, we can assess the trend and decide how to respond."

At Zenprise, customer use of blacklists and whitelists is growing for different reasons. "If you look at blacklisted apps, they're either games or sharing apps like Dropbox," Datoo said. "Step back and consider why users download these. They aren't looking to bypass security; they're just trying to be productive. IT should think about how to meet those needs more securely, such as letting devices link to SharePoint docs, surrounded by data leak prevention."
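The measured approach described above (notify first, escalate only when needed, prefer selective wipe over full-device wipe) and the council's checklist rules on blacklisted apps and jailbroken devices can be expressed as a small policy evaluator over an MDM inventory. This is an added example, not code from the article or from any MDM vendor; the device records, blacklist and app identifiers are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed blacklist of consumer data-sharing apps; the ids are illustrative.
BLACKLIST = {"com.example.dropbox", "com.example.sharebox"}


@dataclass
class Device:
    device_id: str
    jailbroken: bool = False
    reported_lost: bool = False
    apps: set = field(default_factory=set)
    notices: int = 0  # warnings already sent to the user about blacklisted apps


def evaluate(dev: Device, max_notices: int = 2) -> str:
    """Pick the least intrusive action that still protects corporate data."""
    if dev.reported_lost:
        # Selective wipe removes corporate mail, settings and apps only.
        return "selective-wipe"
    if dev.jailbroken:
        # Checklist rule: a jailbroken device loses network access.
        return "block-network"
    if not (dev.apps & BLACKLIST):
        return "compliant"
    # A blacklisted app is present: talk to the user first, escalate if ignored.
    if dev.notices < max_notices:
        return "notify-user"
    return "block-network"


def app_trend(devices, threshold: int = 100) -> dict:
    """Count blacklisted apps across the fleet so IT can review a trend."""
    counts = Counter(app for d in devices for app in d.apps & BLACKLIST)
    return {app: n for app, n in counts.items() if n >= threshold}


def fleet_actions(devices, max_notices: int = 2) -> dict:
    """Map every device id to its action; this drives the MDM workflow."""
    return {d.device_id: evaluate(d, max_notices) for d in devices}


# Constructed sample inventory, shaped like a parsed MDM export.
SAMPLE = [
    Device("ios-001", apps={"com.example.mail"}),
    Device("ios-002", apps={"com.example.dropbox"}),
    Device("and-003", apps={"com.example.dropbox"}, notices=2),
    Device("and-004", jailbroken=True, apps={"com.example.dropbox"}),
    Device("ios-005", reported_lost=True),
]
```

Running `fleet_actions(SAMPLE)` yields one action per device, and `app_trend(SAMPLE, threshold=3)` surfaces the data-sharing app that is spreading across the fleet.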

Focusing on enablement

Enablement is a common thread among many organizations with large, successful BYOD populations. Rather than thinking of BYOD as a replacement for corporate devices, Marshall said, it's better to conceptualize it as a strategy to enable mobility for those who never carried corporate devices; a formal BYOD program with automated, over-the-air onboarding and configuration can do wonders for productivity.

Integration between MDM and network infrastructure to automate on-boarding is growing, while precisely what those BYODs can access is shrinking. "We want to make our network easy to access and provide value, but if we gave BYODs access to legacy systems, that would be a miserable experience," EMC's Martin said. Instead of allowing BYODs to access core network resources, the company selectively publishes enterprise data to new mobile apps; users get the data they need, and the company ensures it can be accessed securely and wiped quickly and easily if necessary.

Dale sees growth in geo-fencing, which combines current location with policy, such as disabling cameras on mobile devices when they are inside high-security areas. "We see geo-fencing used in education and retail to enforce policies that prohibit taking pictures of students or require secure Web browsing on campus," he said. "Geo-fencing can be great for use cases where it's helpful to re-provision the device based on location."

To ensure safe, effective use of BYOD in the enterprise, Martin said IT and security teams should work in partnership to assess emerging tools such as data containers and sandboxed apps while getting started with basic controls. Those controls can allow for less arbitrary permit/deny decisions each time a user carries in a new type of device.

"If you're doing nothing about BYODs, don't sit on the fence and wait," Martin said. "There's significant risk that can be addressed at relatively little cost."

About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology.

This was last published in January 2013
