We’ve all heard of, and many of us have experienced, the Bring Your Own Device (BYOD) wave. As users become aware that their personal devices are capable of interacting with corporate resources, we are getting more and more requests to allow such interaction.
The potential increase in productivity as users employ devices that they are very familiar with, however, must be balanced with caution and careful planning if we are to maintain data security and prevent IT costs from rising uncontrollably.
Here is a list of five critical issues that must be kept in mind when considering BYOD.
It happens every day… A sales rep forgets his or her tablet or smartphone in an airport bar. What happens next? Ideally, it would be turned in to airport security and remain there until the original owner called to claim it. This outcome is not guaranteed, however, or even expected for that matter.
Sadly, it is much more likely that the unattended device will catch the eye of some disreputable individual, never to be seen by the original owner again.
Does this device contain cached passwords to company web portals or email? Are corporate documents stored locally on the device? If so, the easily-bypassed device lock password is the only defense against unwanted disclosure or access to corporate resources.
The solution? There are several things that can be done to mitigate this threat.
- Any device that has access to corporate resources must support remote lock and wipe. (Let’s coin an acronym… ‘RLAW’, Remote Lock And Wipe, to be pronounced ‘ARE-LAW’)
- All employees using such devices must be made aware that loss of a device must be reported IMMEDIATELY, even if they believe they will find the device in the near future.
- To the extent possible, corporate information must be kept OFF the device. Web mail is a good example of this. Locally running mail clients store mail on the device and it is accessible to the enterprising information thief even after the mail account has been terminated. Web mail functions inside a web browser and leaves no mail locally on the device. Microsoft’s OWA (Outlook Web Access) is a particularly good example of such a method.
Many of the new breed of mobile devices have, integrated with the operating system, some sort of app store or other utility for downloading and installing applications to give the user new functionality. It has been seen in the past, however, that some programmers, when designing their apps, integrate some sort of information gathering function within. If this ‘back channel’ functionality is not detected by the application store’s security folks and the app is made available for download, we again find ourselves at risk for unwanted disclosure.
Another avenue for information leakage is found in public Wi-Fi hotspots. Any information passing over such a network can be, and often is, captured by a third party.
Oh, and here are three words that should scare the heck out of you… “Personal Cloud Storage”.
What can be done?
Only devices that allow for centralized restriction of software installations to only approved apps should be allowed to connect to the company network or resources. A list of approved apps will need to be created by your security staff.
The public Wi-Fi issue is also easily mitigated. All access to company resources must be conducted via an encrypted session. For web-enabled applications, this is easy. Just make sure to only allow SSL (HTTPS) access.
What happens to the information on an old smartphone when a user wishes to avail themselves of their ‘New Every Two’ privilege? In many cases it stays on the phone and is either turned in to the service provider or dropped into one of those cell phone reclamation boxes. Hardly a secure location. Additionally, some providers will transfer your contacts and other files for you from your old device to your new one. Sometimes this is done via a computer that copies all the information to its local hard drive and then copies it back up to the new device. This means that for some period of time, your information exists in a place that is beyond corporate security measures.
How do we handle this one? Simple. A secure wipe of the device must be done prior to the upgrade. Deleted files are not really deleted in most cases, so a secure wipe is the only way to permanently clear the information. Most devices have integrated functionality to perform such a wipe. Hopefully the user’s device came with software that will allow them to export contacts and other files so that they can be moved to the new device. If so, company IT staff should perform this migration for the user. If the user does it at home, on their personal computer, we have the same problem… Eventually the computer will be disposed of, and almost no home users securely destroy data on their local hard disks before getting rid of the machine.
An employee who leaves the company for whatever reason will certainly be taking all their devices with them. These devices must be ‘decommissioned’ as corporate authorized devices. Decommissioning involves removing data, documents and client software from the device. This should be performed by internal IT staff with sufficient knowledge of company security policy. If solutions mentioned earlier are already implemented and enforced, this may not be necessary. (I’m still waiting to see such an environment.)
Here’s the bad part. This can be kind of hard to enforce. Remember earlier in this article when I said ‘deleted files are not really deleted’? Same goes here. Deleted documents can usually be recovered… The only sure way is, once again, the secure wipe of the device.
Unless BYOD users are educated about the need for this, and sign a document giving permission for this to occur, you will be hard pressed to enforce this. So make sure your company security policy contains a section on decommissioning and that employees are required to sign as an indication that they have read and understand this.
If there are no restrictions as to what kind of device can be used to connect to company resources, expect support costs to rise. Most IT professionals will be able to get through just about any issue a user may have, but the time needed to do so increases greatly when the tech is assisting with a completely unfamiliar OS or device.
To the extent possible, devices should be allowed only after your technical staff, whether internal or outsourced, has a degree of familiarity with the device type and its associated quirks.
BYOD can be seamlessly integrated into your company if these basic guidelines are properly addressed. I would advise that anyone going down this road consider each, as well as following industry standard IT and security practices. Keep your security policy updated! If you don’t presently have one, get one, and keep it updated!