One of the biggest shifts in IT trends is the concept of bringing your own device to the work environment. With the popularity of the iPhone and iPad, these devices are showing up on employer networks in increasing numbers, and company data often ends up stored on them. Companies are growing concerned that their information may be spread across devices over which they have little or no control, and these security concerns can cause problems with regulatory compliance as well.
In IT geek speak, this concept is called BYOD or BYOPC, for Bring Your Own Device (or Personal Computer). Why would a company even consider allowing this? First, it's happening regardless of what companies want. Even if personal devices aren't allowed on the network, in most businesses there are still ways to get company data, including email, onto them. Unless you want to set up your company like Fort Knox, you already have a case where mobile devices are being used with your company data, except without your control.
Some of the questions that arise with this idea are:
How can you keep this risk under control and still let your employees use their devices? By creating a separate network for untrusted devices, you can control what internal access is allowed and monitor the traffic that crosses from that segment into the corporate network. In other words, give employees an easy, sanctioned, monitored path to the data they need, and they will likely avoid the more difficult (and unmonitored) methods of transferring data. Note that this method only keeps the honest employee honest: if someone wants to steal your data without detection, it's likely possible, because the employee already has legitimate access to your resources. You'll have to take other measures, such as limiting each person's access to what their role actually requires, to ensure the right people have the appropriate access.
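The monitoring side of that untrusted segment is where the "keeps the honest employee honest" value comes from. The following is an added example, not code from the original article: it assumes a firewall that logs every new connection from the BYOD segment in iptables LOG format, and that personal devices are only meant to reach the Exchange front end and the internal resolver. The network ranges, host addresses and log lines are constructed for illustration; swap in your own.

```python
"""Spot personal devices on the untrusted segment that reach for internal hosts
they have no business talking to.

Added example (not from the original article). Assumes iptables-style LOG
lines for new connections from the BYOD segment; every address below is a
placeholder."""
import ipaddress
import re
from collections import defaultdict

BYOD_NET = ipaddress.ip_network("10.99.0.0/16")  # assumed untrusted segment

# Services personal devices are meant to reach (assumed hosts/ports):
# Exchange ActiveSync/OWA over HTTPS and the internal DNS resolver.
ALLOWED = {
    (ipaddress.ip_address("10.0.1.10"), 443),
    (ipaddress.ip_address("10.0.1.53"), 53),
}

INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# iptables LOG fields we care about; DPT is absent for ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?")

# Constructed sample log: two sanctioned flows, one device sweeping file
# servers, one device poking the mail host on the wrong port, one internet
# flow, one non-BYOD source and one malformed line.
SAMPLE_LOG = """\
Nov 10 09:12:01 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=10.99.4.21 DST=10.0.1.10 LEN=60 PROTO=TCP SPT=50211 DPT=443
Nov 10 09:12:05 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=10.99.4.21 DST=10.0.1.53 LEN=71 PROTO=UDP SPT=51001 DPT=53
Nov 10 09:13:40 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=10.99.4.87 DST=10.0.2.15 LEN=60 PROTO=TCP SPT=40001 DPT=445
Nov 10 09:13:41 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=10.99.4.87 DST=10.0.2.16 LEN=60 PROTO=TCP SPT=40002 DPT=445
Nov 10 09:13:41 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=10.99.4.87 DST=10.0.2.17 LEN=60 PROTO=TCP SPT=40003 DPT=22
Nov 10 09:13:42 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=10.99.4.87 DST=10.0.2.18 LEN=60 PROTO=TCP SPT=40004 DPT=3389
Nov 10 09:14:10 fw kernel: BYOD-NEW IN=eth2 OUT=eth1 SRC=10.99.4.21 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=50300 DPT=443
Nov 10 09:14:30 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=10.99.4.50 DST=10.0.1.10 LEN=60 PROTO=TCP SPT=42000 DPT=25
Nov 10 09:14:55 fw kernel: BYOD-NEW IN=eth3 OUT=eth0 SRC=10.0.5.5 DST=10.0.2.15 LEN=60 PROTO=TCP SPT=43000 DPT=445
Nov 10 09:15:00 fw kernel: BYOD-NEW IN=eth2 OUT=eth0 SRC=garbage DST=10.0.2.15 LEN=60 PROTO=TCP DPT=80
"""


def parse_line(line):
    """Return (src, dst, dport) from one LOG line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None
    dport = int(m.group("dpt")) if m.group("dpt") else 0
    return src, dst, dport


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def analyze(log_text, scan_threshold=3):
    """Count sanctioned flows and collect per-device policy violations.

    A device that touches scan_threshold or more distinct internal hosts it
    is not allowed to reach is reported as a scanner."""
    allowed = 0
    violations = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if src not in BYOD_NET or not is_internal(dst):
            continue  # not our segment, or bound for the internet
        if (dst, dport) in ALLOWED:
            allowed += 1
        else:
            violations[str(src)].add((str(dst), dport))
    scanners = sorted(src for src, targets in violations.items()
                      if len({dst for dst, _ in targets}) >= scan_threshold)
    return {"allowed": allowed,
            "violations": {src: sorted(t) for src, t in violations.items()},
            "scanners": scanners}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"sanctioned flows: {report['allowed']}")
    for src, targets in report["violations"].items():
        print(f"{src}: {targets}")
    print("possible scanners:", report["scanners"])
```

Run against the sample, it reports two sanctioned flows, two offending devices (one sweeping four internal hosts on SMB, SSH and RDP, one hitting the mail host on port 25) and flags the sweeping device as a scanner. The point is not the specific thresholds but that the segment gives you a single choke point where this kind of review is possible at all.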
Most mobile devices support Mobile Device Management (MDM) in some form. Under a managed policy, iOS, Android, Windows Mobile 6, Symbian, and BlackBerry all support device encryption. Keep in mind, though, that the encryption is only as strong as the passcode that unlocks it: many of these devices accept a short numeric passcode, which can be brute-forced. It is still better to have encryption than not, so consider requiring a longer, more complex passcode to reduce the risk of a brute-force attack if the device is stolen. Note also that Windows Phone 7 and HP webOS do NOT support device encryption at the time of this article.
At a minimum, set up the ability to remotely lock and remotely wipe the devices. All of the platforms above support at least remote wipe. In the event the device falls into the wrong hands, there's at least a reactive countermeasure you can take. Make sure you have the proper legal agreements in place with your employees as well, since the device will likely not be company owned: in most cases the employee's personal data will be deleted along with yours when the remote wipe occurs.
On Apple iOS devices, make sure you're using the latest version of iOS, and enforce it with your policies. Starting with iOS 4, you get enforced application of Exchange ActiveSync (EAS) policies as well as iOS native policies, all over the air. You also have selective wiping of business data and applications, complex passcodes, on-device encryption, and full remote wipe. The nice part is that you can manage iOS devices with Microsoft Exchange, and configuration profiles can be delivered via email, a web link, or over the air if you have Mac OS X Lion Server or a Mobile Device Management tool such as MobileIron. iOS 5 takes it one step further, adding restrictions on message forwarding and deletion, additional voice controls, Wi-Fi policies, and certificate management.
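The passcode requirement discussed above is exactly the kind of thing an iOS configuration profile carries. The following is an added example, not code from the original article or from Apple: it generates a minimal .mobileconfig profile containing a passcode policy payload using the payload keys Apple documents for the com.apple.mobiledevice.passwordpolicy payload, and it re-reads a profile to audit it for weak settings. The organization name and payload identifiers are placeholders.

```python
"""Generate and audit an iOS configuration profile that enforces a passcode
policy: no simple passcodes, alphanumeric, minimum length, auto-lock and
wipe after repeated failed attempts.

Added example (not from the original article). Payload keys follow Apple's
documented passcode policy payload; identifiers and org name are placeholders."""
import plistlib
import uuid

ORG_NAME = "Example Corp"                  # placeholder
PROFILE_ID = "com.example.byod.passcode"   # placeholder identifier


def passcode_payload(min_length=8, max_failed=10, max_inactivity=5,
                     max_age_days=90, history=5):
    """Build the passcode policy payload.

    Refuses obviously weak combinations so a typo in a policy file cannot
    silently ship a profile that still allows a four-digit PIN."""
    if min_length < 6:
        raise ValueError("minLength below 6 leaves a brute-forceable passcode")
    if max_failed < 2:
        raise ValueError("maxFailedAttempts must be at least 2")
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID + ".passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,                  # a passcode is mandatory
        "allowSimple": False,              # forbid 1111, 1234, repeats, runs
        "requireAlphanumeric": True,       # at least one letter and one digit
        "minLength": min_length,
        "minComplexChars": 1,              # at least one symbol
        "maxInactivity": max_inactivity,   # minutes before auto-lock
        "maxGracePeriod": 0,               # passcode required immediately on wake
        "maxFailedAttempts": max_failed,   # device wipes after this many failures
        "maxPINAgeInDays": max_age_days,
        "pinHistory": history,             # previous passcodes that cannot be reused
    }


def build_profile(payloads):
    """Wrap one or more payloads in the top-level Configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "BYOD Passcode Policy",
        "PayloadOrganization": ORG_NAME,
        "PayloadDescription": "Enforces the corporate passcode policy on personal devices.",
        "PayloadRemovalDisallowed": False,  # user-owned device: leave it removable
        "PayloadContent": payloads,
    }


def profile_xml(profile):
    """Serialise the profile as the XML plist that iOS expects."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(xml_bytes):
    """Re-read a profile (hand-edited or from another tool) and list weaknesses."""
    findings = []
    profile = plistlib.loads(xml_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mobiledevice.passwordpolicy":
            continue
        if not payload.get("forcePIN"):
            findings.append("passcode not mandatory")
        if payload.get("allowSimple", True):
            findings.append("simple passcodes allowed")
        if payload.get("minLength", 0) < 6:
            findings.append("minLength below 6")
        if "maxFailedAttempts" not in payload:
            findings.append("no wipe after failed attempts")
        if payload.get("maxInactivity", 999) > 15:
            findings.append("auto-lock longer than 15 minutes")
    return findings


if __name__ == "__main__":
    xml = profile_xml(build_profile([passcode_payload()]))
    with open("byod-passcode.mobileconfig", "wb") as fh:
        fh.write(xml)
    print("findings:", audit_profile(xml) or "none")
```

The generated file can be mailed to the user, served from a web link, or pushed by an MDM server as the text describes. For a production deployment you would sign the profile, and you would pair this payload with a restrictions payload; the audit function is the useful part to keep around, since profiles tend to be hand-edited over time.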
Windows Phone 7 dropped the ball on security in my opinion, particularly for an entirely new mobile operating system. There's no on-device encryption, and no forced requirement for complex passwords. Basic functions such as remote wipe and remote lockout do exist. Microsoft will likely add more advanced security support, and I suspect they launched before they had their new operating system fully baked. I suggest you avoid supporting this device until better security is available.
BlackBerry has had its own device management for quite some time, and a lot of companies are still standardized on BlackBerry because of its security features. With the newest BES (BlackBerry Enterprise Server) software, you can selectively wipe data and apps from your employees' devices, and lock down just about any feature you want. Device encryption, strong passwords, and remote wipe are all included.
Android is one of the least secure platforms out of the box, but third-party software offers options for controlling access to corporate data. With the very recent release of Android 4, phones finally pick up on-device encryption, plus address space layout randomization (ASLR), which randomizes the memory locations used by applications so that memory-corruption bugs are harder to exploit. Consider requiring Android 4, but be aware that it is a very new OS and not all Android devices support it. Otherwise, use a third-party container application, which keeps corporate mail and documents encrypted and separately wipeable, to ensure that your data stays under your control.