As an increasing number of employees are bringing mobile devices into the workplace, many organisations are motivated to encourage their use for business purposes because they tend to:
- Increase employee productivity
- Potentially shift costs to the user
- Increase worker satisfaction
- Reduce support costs
The benefits of Bring Your Own Device (BYOD) are well documented and widely known. What is less well discussed is the thought and diligence needed to deliver a successful, secure and widely adopted programme.
By formally adopting BYOD, organisations may lose much of their control over the IT hardware and how it is used. In the following sections we look at each of these issues and their countermeasures, and assess the balance between user productivity and security.
Preserving the User Experience
The key to successful mobility deployments is preservation of user experience. These programmes are rarely sustainable if user experience is compromised when employees use mobile devices for corporate email and applications, particularly so in a BYOD environment.
User experience and therefore the success of a BYOD programme can be affected by many factors:
- Concerns of privacy
- 3rd party apps (non device standard)
- Complex authentication methods
- Lockdown of device features
Clarifying the Acceptable Use Policy
Company-issued IT typically comes with an acceptable use policy, and it is protected by company-issued security that is managed and updated by the IT department. It is a little trickier to tell an employee what is, or is not, an “acceptable use” of their own laptop, smartphone or other device.
It is essential to make sure you have a clearly defined policy that outlines the rules of engagement and states up front what the expectations are. You should also lay out minimum security requirements, or even mandate company sanctioned security tools, as a condition for allowing devices to connect to company data and network resources.
Your agreement should:
- Communicate compliance issues
- Identify the activities and data that may be monitored
- Clarify the actions IT will take and under which circumstances
Employees will demand freedom to use a broad range of personal apps on their BYOD device. In their minds, the fact that the device is also being used for corporate apps doesn’t justify restrictions on their personal apps. Therefore, any such restrictions that are necessary for corporate security purposes need to be clearly described to the employee through the Acceptable Use Policy.
Each organisation should seek its own legal advice on how to frame and assess liability variances between BYOD and traditional mobile programmes; however, some things to consider are:
- Defining the elements of baseline protection for enterprise data on BYOD devices
- Assessing liability for personal web and app usage
- Assessing liability for usage onsite vs. offsite, and inside work hours vs. outside
- Evaluating whether the nature of BYOD reimbursement affects liability
- Assessing the risk and resulting liability of accessing, damaging and losing personal data
- Support for employees’ devices, replacement of damaged or stolen devices whilst on work premises
The security of mobile devices has become a top concern for many of us. Hackers are discovering the benefits of compromising both business and personal data contained within mobile devices because many mobile platforms are not natively designed to provide comprehensive security.
It is a misconception that non-jailbroken devices such as iPhones are immune to malware because all the software comes from a trusted source (Apple’s App Store).
First, malware in the App Store is unlikely but not impossible, while Google Play or third party stores are potentially more likely to be compromised by malware. Second, and more importantly, there are vulnerabilities in devices that allow the escalation of privileges and running of unsigned code in the kernel. If there were no such exploits, then jailbreaking would be impossible. The mere fact that iOS devices have been jailbroken and Android devices rooted proves that such deep vulnerabilities do exist.
Although more established mobile platforms such as Symbian and Windows Mobile have been a proving ground for malware developers in the past few years, the Google Android platform is leading in new malware development, primarily due to its popularity and open software distribution model.
Today nearly all infections come from application markets / stores, with Android accounting for over 32% of the malware market.
Adopting Mobile Device Management
Regardless of whether devices are corporately or employee owned, it is broadly accepted that the data that resides on these devices needs to be adequately protected, and devices secured to an appropriate level, in order to safeguard the company. Part of this ‘protect and secure’ strategy is the adoption of Mobile Device Management or ‘MDM’. The MDM market is growing at a very rapid rate; however, the majority of these technologies offer very similar functionality, mainly due to the limitations of the controlled devices.
Ideally, your mobility strategy should consider an MDM solution as part of its security considerations in order to:
- Create and maintain an up to date inventory of devices
- Define and enforce a security baseline
- Enforce Passcode (simple or complex)
- Securely distribute email
- Disable device features
- Data Encryption
- Identify Jailbroken devices
- Provision & Remove Applications (OS Dependent)
- Remote Lock & Wipe Functionality
- Geo-Location (Note concerns on user Privacy)
The pace at which the MDM market is said to be growing has yet to be proven, as the truth is that evaluating MDM technologies is difficult. This is largely because there is little differentiation between one product and another. So, in order to evaluate technologies, we must first have some selection criteria.
To help with this you should always define a policy first. Without a defined policy, you don’t know what you need to enforce or how to ensure your selected MDM partner can fulfil your requirements.
Equally, we should consider future market consolidation when selecting an MDM provider, asking questions such as “Who has acquired?”, “Who is likely to be acquired?” and “Who is likely to remain independent?”.
This market is very reminiscent of the encryption market of late 2008, where there was a large number of independent providers and a handful of leading security companies. It is a market that is open to obvious consolidation and we need to be careful when selecting a provider on a long term basis that may not align with our long term security strategy, or even exist as an independent technology in a couple of years’ time.
Infiltration Risk and Capacity Implications
Another area to address is the fact that mobile computing presents infiltration risk and capacity implications for the network.
Firstly, we will look at the infiltration risk. Mobile devices are increasingly being used as an attack vector, with smartphones and tablets maintaining connectivity to their mobile carrier, as well as the wireless network, leaving the potential for one to act as a cleansing point for the other. As these devices are being connected to faster networks, their use as a data breach point becomes more viable, and therefore detection of jailbreaking or rooting should be considered a must, as should real-time quarantine of unapproved smartphones and tablets, plus all types of rogues and unauthorised mobile Wi-Fi hotspots, which allow uncontrolled access and put your mobility programme and network security at risk.
The second network implication we need to consider is one of capacity. BYOD is likely to consume greater capacity than a traditional computing methodology, so plan for density. Quality of service is essential for maintaining the productivity of workers, so ensure there is sufficient bandwidth at the core and edge for applications to run smoothly and protect access. With the rapid influx of mobile devices, wireless management will become a key focus and you need to know that your existing Wi-Fi environment can support a fully adopted BYOD / Mobility concept.
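The baseline described under Mobile Device Management and the quarantine of unapproved or jailbroken devices described above can be expressed as one admission check. The following is an added example, not code from the original article or from any MDM product; the field names, device identifiers, thresholds and inventory records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Baseline:
    """The policy, defined first. Hypothetical fields, not an MDM vendor schema."""
    min_passcode_length: int = 6
    require_encryption: bool = True
    allow_jailbroken: bool = False
    max_checkin_age: timedelta = timedelta(days=7)

def evaluate(device, baseline, now):
    """Return (decision, reasons). An attribute the MDM never reported fails closed."""
    reasons = []
    if not baseline.allow_jailbroken and device.get("jailbroken") is not False:
        reasons.append("jailbroken/rooted or integrity state unknown")
    if baseline.require_encryption and device.get("encrypted") is not True:
        reasons.append("storage encryption not confirmed")
    if (device.get("passcode_length") or 0) < baseline.min_passcode_length:
        reasons.append("passcode below baseline")
    last = device.get("last_checkin")
    if last is None or now - last > baseline.max_checkin_age:
        reasons.append("stale or missing MDM check-in")
    return ("quarantine" if reasons else "allow", reasons)

def admit(device_id, inventory, baseline, now):
    """Admission decision for a device seen on the network."""
    device = inventory.get(device_id)
    if device is None:  # never enrolled: the unapproved device case
        return ("quarantine", ["not in device inventory (unapproved)"])
    return evaluate(device, baseline, now)

# Constructed sample inventory; "now" is fixed so the result is reproducible.
NOW = datetime(2024, 1, 15, 9, 0)
INVENTORY = {
    "dev-001": {"jailbroken": False, "encrypted": True, "passcode_length": 6,
                "last_checkin": NOW - timedelta(days=1)},
    "dev-002": {"jailbroken": True, "encrypted": True, "passcode_length": 8,
                "last_checkin": NOW - timedelta(hours=2)},
    # dev-003 never reported its integrity state and has not checked in for a month.
    "dev-003": {"encrypted": True, "passcode_length": 4,
                "last_checkin": NOW - timedelta(days=30)},
}

if __name__ == "__main__":
    for dev in list(INVENTORY) + ["dev-999"]:
        print(dev, *admit(dev, INVENTORY, Baseline(), NOW))
```

Keeping the reasons alongside the decision gives the helpdesk something to tell the employee, which matters for the user-experience concerns raised earlier.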
Review, Record and Succeed
BYOD has clear benefits, and a well thought out and developed programme is most likely to succeed, but whether or not you choose to adopt a BYOD programme, a review of mobile devices is vital. Often organisations have a BYOD programme in existence already; they just don’t know about it and therefore don’t manage it. So, do you know how many of your employees already have corporate email and potentially sensitive information on their personal mobile phones with no security provision? If you can answer ‘yes’ to this question, then you’re well on your way to creating a successful BYOD programme.