BYOD - The Horse Is Out of the Barn

05/20/2011 | Katherine Teitler

In the early 2000s businesses were debating whether or not to allow laptops onto their corporate networks. Moving from a desktop to a laptop environment was a major change of operations for IT and (likely nascent) security groups. But once in motion, the trend continued, and today, in mid-2011, it’s practically unheard of for a company of any repute not to allow laptops network access.

So now, as personal mobile devices become as ubiquitous as cordless phones were back in 2000, companies are again struggling with how to keep the corporate information flowing to and from these devices safe. With well over 60% of all Ask an Expert queries on the topic coming into IANS, we can say with 100% certainty that BYOD is a headache for many of our clients. One large manufacturing client recently said that they “have not been allocated any money for the project” and were told by senior leadership that they “can’t buy any new solutions,” yet the major push to allow iPhones, Android devices, tablets, iPads, etc. onto the network is coming from these same senior leaders, many of whom travel overseas and carry multiple devices with them at all times.

So what’s a security team to do?

Here’s the bad news: Whether or not your company “allows” personally owned devices to touch the network, it’s happening. “Using an iPhone is just like having your own mini laptop,” says one IANS client, “and laptops can connect through OWA so there’s really not much we can do about it.” Partially true, says Aaron Turner, IANS’ lead mobile device security Faculty. Turner advises companies to keep a tight connection between laptop and mobile policies. Because laptop policies have been in place for years – and the challenges were similar when laptops were first introduced – many of the lessons learned can be applied to mobile. “Make sure policies are consistent when moving into tablets and mobile phones,” he says. He also warns, however, that it will take time for vendors to create technologies capable of protecting mobile devices the way laptops are protected now, so the first, extremely important step is to create a strong policy. “It’s not good enough,” advises Turner, “to write an acceptable use policy, have your employees sign off, and forget it.” Over and over, Turner tells IANS clients to update their AUPs every quarter and require any employee bringing a mobile device onto the network to sign off on the current version. He has also suggested on a few occasions that it might not be a bad idea to have users subsidize, and therefore have a personal stake in, the purchase of mobile device management tools; “it frees the company up from a lot of liability issues,” he counsels.

Which leads us to Aaron’s step #2: implement endpoint integrity and/or auditing tools like Fixmo, BoxTone, or Zenprise. All MDM technologies, Turner warns, are obfuscation tools, not yet a complete security solution. Until the market matures, companies should take additional steps, such as encrypting data stored on devices and enabling remote wipe, to ensure that data is secure and accounted for in the event the device is lost or stolen. Keep in mind, however, that a remote wipe isn’t a complete or foolproof solution. The action keeps wiped data from the average user, but it will not stop a sophisticated hacker using a forensic tool from recovering the data – there is no such thing as a true forensic wipe against an accomplished hacker who has time and patience on his side, two luxuries not always enjoyed by corporate security teams. It also relies on a data connection to the server, which is easily severed by an ill-intentioned device user who interrupts that signal using software (turning the radio off) or hardware (anything from a simple battery pull to a Faraday cage that isolates the device).

Another good piece to extend to your mobile device policy: data classification. Yes, data classification is difficult and subjective and rarely 100% complete, but there are certain pieces of information that should be classified as too sensitive to reach a mobile device, says Turner. Only your organization can define these particular classes of data, but information that could be construed as insider trading material, social security numbers, personal healthcare record numbers, etc. are some examples of information that’s almost always too sensitive to put at risk.

Is BYOD just too grim a reality? Are the challenges too overwhelming? Surely not. Mobile device management solutions are improving constantly and, by taking some of the precautions outlined above, your company can protect itself from major risks. Security professionals are often trained to say “no!” too quickly and, at least among IANS clients, it’s the first thing that pops into their heads when BYOD is mentioned. Most of our clients, though, are mature enough not to let that thought turn into words. They are actively seeking advice and tools – from IANS Faculty but also from one another – that can help users connect to corporate networks in the most secure ways possible (at least as secure as today’s technology allows). After all, we know all too well the advantages of having work (literally) at your fingertips at any time in any place: potential increases in productivity and attracting better talent. IANS’ advice on the subject: Any time you, security practitioner, want to nix mobile devices because of the security risk, put down your phone, unplug your laptop, power down your tablet and enjoy your entire weekend without them. You may be more security aware than the average user at your company, but, boy, it sure is nice to be able to answer the boss’s email once the kids are asleep…