Information Security

Defending the digital infrastructure

Nmedia - Fotolia

Manage Learn to apply best practices and optimize your operations.

Is BYOD policy the foundation for mastering enterprise mobility?

Today, many companies have adopted a mobile-first strategy. But when employees are left to their own devices, InfoSec pros face uncharted territory.

Joan Pepin, vice president of security and CISO at Sumo Logic in Redwood City, Calif., says her company is "different," having grown up entirely in the bring-your-own-device era. The cloud-based log management and analytics service provider, which has raised $160.5 million in venture capital funding, was founded in 2010. "There was never a time when we didn't depend on BYOD," she declares. "But that is not to say BYOD hasn't presented some challenges." 

Today, many companies have adopted a mobile-first strategy. And most security programs offer some level of support for personally owned devices and apps, a phenomenon that many IT departments found heretical five years ago.

"The trend toward mobilizing enterprise-critical systems and data adds to concerns over BYOD security," says Renee Guttmann, vice president, information risk in the Accuvant Office of the CISO in Denver, Colo. (Accuvant merged with FishNet Security in February and the combined entity is expected to be renamed Optiv Security.) Even though these systems are key to business operations, they are not always maintained or regularly tested from a vulnerability perspective, due to complexity and availability concerns.

Enterprise mobility is the ultimate double-edged sword: providing broad data access and communication capabilities for much of the workforce—sometimes at little or no direct cost—while opening up challenging security issues ranging from lost devices and vulnerable apps to employees who access sensitive corporate data on unsecured networks. Most CIOs and CISOs recognize that, while mobile device management (MDM) and security technologies play a role, coherent policies are the key to harnessing the benefits of the BYOD phenomenon. The goal of these policy initiatives is to increase user satisfaction and productivity while ensuring security and compliance.

Risks worth taking

The starting point for building a mobile security policy should be "what makes you uncomfortable," says Steve Martino, vice president and CISO at Cisco Systems Inc., the networking company  which relies on BYOD for the majority of employees' mobile phones and tablets. The devices must meet "trusted device standards" for compliance, and employees are required to use VPN clients to access the company's network. Employee-owned devices also need to support security policies, which require Microsoft's ActiveSync technology to sync corporate email, calendars and contacts.

The trend towards mobilizing enterprise-critical systems and data adds to concerns over BYOD security.
Renee GuttmannVP of information risk, Accuvant Office of the CISO

While some security policies are standard procedure, you should identify which applications, functions and data are most in need of protection and try to understand how enterprise mobility might expose them. Cisco uses MDM to enforce a remote wipe policy primarily for email, but employees are required to give permission to wipe the entire device. The company also uses software to police spam and phishing attempts.

"In most cases, BYOD brings benefits in terms of empowering people, allowing user self-service and providing greater flexibility that outweigh the risks," Martino says. However, every organization will have exceptions, and that's where BYOD policies and security technologies need to be focused.

"BYOD requires partnership with business leader involvement and an understanding that not all risks are bad or equal," says Guttmann, the CISO of The Coca Cola Company before she joined Accuvant. The first step is establishing a committee of IT and business leaders to identify the "crown jewels" or critical systems and data that need to be considered in formulating BYOD policy. This should be followed by a review of the technical and policy controls based on threats and potential risk to current operations or to achieving objectives in line with the business strategy.

Steve MartinoSteve Martino

Risk frameworks such as NIST Special Publications 800-37, 800-39 and the Mobile Computing Decision Framework, developed by the Federal CIO Council, offer guidelines to help with this process. The MCDF, introduced in December 2012, encourages users to weigh the security, capabilities and economics of a mobile program and advises tailored assessments of seven risk categories: financial, policy, legal, technology, operations, privacy and security.

Based upon this type of analysis, CIOs and security officers can determine how to enable or enhance their BYOD programs to mitigate significant business risk. The central feature of mobile computing programs that work is their care and feeding at all levels of the organization, combined with deft application of technologies.

Management tools multiply

IT security teams have adopted MDM systems to enforce device registration and security policies such as remote wipe of lost or stolen devices. They have continued to build on those tools with container approaches or mobile application management for better control of enterprise software and data. All of these technologies, processes and resources are rolled up into a strategy known as enterprise mobility management (See: Hosted Off the Endpoint.)

Hosted off the endpoint

Even if you've installed a mobile device management system, that doesn't mean you're done with BYOD security. The types of threats and the ways in which employees use their mobile devices continues to evolve rapidly.

"Focus on protecting data and ensuring that mission-critical systems and processes are being appropriately protected; stay abreast of new strategies including people, process and technology—and make sure employees are engaged in the solution," advises Renee Guttmann, vice president of information risk for the Accuvant Office of the CISO, who says new tools on the horizon promise to revolutionize BYOD.

One technology that holds particular promise is virtual mobile infrastructure (VMI), also known as mobile desktop virtual infrastructure. Like DVI, it uses a hypervisor to host operating systems and applications on a back-end server—not on the local device. Companies such as Hypori, Nubo, Raytheon, Remotium and Trend Micro offer VMI platforms.

Using VMI, important documents and tools aren't stored on an employee's phone, mitigating the risk of data loss through a compromised device. And from an employee perspective, the risk of IT wiping out their personal information is reduced, according to Guttmann.

With VMI, two-factor authentication can also be supported in a way that won't compromise the user experience. "When two-factor authentication requires additional steps, it is not acceptable to employees especially when their perception is that they can access their own sensitive data without it," she says. —A.E.

Figuring out your risk policies and sifting through all of the deployment options can prove challenging for security professionals. How are you going to give authorized users secure access to enterprise applications and, in some cases, restricted data? What information, if any, can be stored on employee-owned devices? And how will that policy be enforced? Which devices should your mobile policy support? What if some users (read: executives) want to displace their PCs with Apple iPad or Android tablets? How will user-support models for hardware and software change?

Renee GuttmannRenee Guttmann

Most companies are still only considering smartphones for opt-in BYOD programs, according to Gartner Inc. Moreover, the tools that organizations choose to manage and secure mobile-computing programs may influence the devices supported. Enterprises need to consider vendor lock-in and the potential cost of switching management or device platforms as technologies and use cases—cloud storage, for example—advance.

"I think that most companies also are struggling with the applications that are either already installed on the phone or that will be accessed from the phone, including those based in the cloud," says Guttmann.

Know your limits

How can companies support the wide range of mobile computing platforms, yet still secure sensitive data? While Sumo Logic has embraced BYOD for phones and tablets, Pepin says the company no longer allows employees to supply their own laptops because it is too difficult to enforce patching or hard-drive encryption.

"That is the sort of line we have to walk; people say 'this is my personal device and I want to be able to use it.' My response is if it is that personal then you can keep it as just a personal device," she says. "I also tell employees it is ultimately about taking care of our customers; if our customers can't trust us with data, then we don't have a business."

According to Gartner research, less than 10% of companies support bring-your-own PCs. Applications play a part in those decisions. Today about 45% of corporate applications are platform-agnostic, but the rest require Windows. (Microsoft, which has adopted a cloud-first, mobile-first strategy, released Microsoft Office for Android in June.)

Joan PepinJoan Pepin

User education is a key part of Pepin's security program. If employees want to use a device to access Sumo Logic resources, including email, it must support remote wipe and be compatible with the company's Google application domain, she says. Sumo Logic also enforces a one-minute lockout—something that's never been popular with employees.

"If you don't like the policy, then don't read your email," asserts Pepin, who says that standing firm is a "policy" she has implemented, in conjunction with a long-term effort to get everyone on board. "I don't believe in spreading FUD [fear, uncertainty, doubt]; I deal in the real risks, and I explain them to people over and over so they know I am right," she adds. That pattern of repetition and consistency on key security risks and a more relaxed attitude toward other things has won converts.

Martino took a similar approach at Cisco. "Our employees, many of whom are also technical people, wanted flexibility, and their first reaction to our BYOD policy was concern that we were going to tell them exactly what had to be on their device," he says. "We had to build trust and make sure we took a fair and balanced approach; we also implemented lots of training and tried to engage 'spokespeople' around the company to try it first." Martino says he still gets an occasional gripe from people who don't want to have to use a PIN on their phone, but on the whole adoption and compliance has been very good. He has learned it is vital to communicate and to convince people of the concept of joint responsibility.

Don't overreach

Peter Chronis is the CSO at EarthLink Holdings Corp., an Internet and managed service provider in Atlanta that operates a nationwide fiber network. He says he has felt justified in taking a somewhat benign attitude toward formulating BYOD policies, and cites the "Verizon 2015 Data Breach Investigations Report," which found "mobile devices are not a preferred vector in data breaches."

Look over your shoulder

While Sumo Logic's Joan Pepin, Cisco's Steve Martino and other CSOs have served as trailblazers in developing effective policies for dealing with bring-your-own-device programs, the legal environment continues to evolve, raising new questions about liability and data security.

First, there's the general issue of compliance: How can an organization monitor what information is stored on an employee's device? How does an employer control an employee's use of free Wi-Fi, at an airport or Starbucks, for sharing confidential information? How can a company know who is really on its network, and what they're doing?

"These types of risks were raised in a Resolution Agreement between the federal Health and Human Services Office of Civil Rights—the primary federal regulator of HIPAA [Health Insurance Portability and Accountability Act]—and Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc.," says Tatiana Melnik, an attorney in Tampa, Fla., who specializes in healthcare regulation, IT and intellectual property law for both U.S. and foreign companies. MEEI reported a breach of unsecured electronic health information in April 2010, resulting from the theft of an unencrypted laptop. The hospital agreed to settle the HIPAA case for $1.5 million in 2012, with installments paid through October 2014.

The use of BYOD raises a number of legal concerns, which must be monitored going forward, according to Melnik. In the event of litigation, a company has an affirmative duty to preserve relevant electronically stored information. A growing concern is how the "litigation hold" gets enforced on a device that is not owned by the company. "There have been a number of cases where companies were sanctioned for the spoliation of evidence when employees very 'helpfully' deleted information," Melnik says. More industries may require e-discovery and data retention capabilities.

BYOD is also tied to compliance issues with wage and hour labor laws. The time workers who are paid on an hourly basis spend checking and responding to work e-mail, for example, outside of their normal work hours, may need to be counted toward their hours and compensation, according to Melnik. "Companies need to be careful navigating this issue because wage and hour enforcement is up, both through class actions and through state and federal enforcement." —A.E.

"BYOD is cheaper for us, and we want to give employees choice," says Chronis. "So all we have asked is that they use a password to access their device, and we also require that they agree to our remote-wipe policy."

However, even those two steps are controversial in many organizations. Companies need to define use agreements to inform employees of remote-wipe policies (including what data will be wiped) and decide on consequences (legal or otherwise) for violators of mobile security policies (See: Look Over Your Shoulder).

Try not to overreach with BYOD security and policy controls, Federica Troni, research director in Gartner's IT systems, security and risk group, advised during a presentation in February on "The Real Economic Keys to BYOD." Some employees may try to circumvent mobile-security policies if the thresholds are set too high or if the policies are too liberal and then modified later with more restrictions. It's important to remember that a key goal of BYOD programs is user satisfaction, she noted.

About the author
Alan R. Earls is a freelance journalist based near Boston. He focuses on business and technology, particularly storage, security and the Internet of Things.

Article 2 of 7
This was last published in August 2015

Dig Deeper on BYOD and mobile device security best practices

Get More Information Security

Access to all of our back issues View All