With the growing capability and affordability of smartphones and tablets, and high-speed internet available at lower cost, employees can work from anywhere at any time. This has driven enterprises across the globe to introduce a Bring Your Own Device (BYOD) culture. This article describes the risk elements of BYOD, the governance and policies an enterprise should put in place, and the controls to deploy before implementing BYOD.
Over time, enterprises have become more capable of handling their business and technology risks through experience, lessons learned in daily operations, and the adoption of new technologies. The introduction of BYOD extends the enterprise's boundary: bringing work onto personal devices creates new uncertainty and anxiety about where corporate data now lives and who can reach it.
Many enterprises have allowed BYOD only for operational applications and only for a select group of senior management; others are watching how their peers perform and waiting to introduce BYOD with their own customized security policies.
BYOD raises Confidentiality, Integrity and Availability concerns when a device is lost or stolen. Corporate data may be disclosed to unauthorized people; once the device password is compromised, data can be altered by unauthorized people, causing integrity issues; and a device that is no longer in the employee's possession causes an availability issue, because the employee cannot perform critical functions when they are required.
Although BYOD increases employee productivity, a lost or stolen device creates an availability issue: the employee cannot perform the work originally planned on time. This makes business continuity planning, or an alternative working arrangement, necessary to reduce the lead time before work resumes.
BYOD – Governance and Policies
An enterprise should prepare governance and security policies covering the objectives and controls listed below.
- Device enrollment with the enterprise as an asset, and periodic re-enrollment of the device
- Productivity improvement from BYOD
- The opportunity for employees to work from anywhere at any time
- BYOD as business as usual, with reduced business risk
- Decrease in operational cost
- A manageable level of security incidents
- Employee awareness training
- Strong protection against data leakage
- Organization-approved devices only
- Installation of the enterprise's certified applications onto the device
- Continuous monitoring and audit
- Data wipe from the device when it is lost or stolen
- Stringent access controls on enterprise applications
- Physical protection of the device during use and travel
- Automatic device scans
- Periodic device health check-ups to certify the device in use, or to recommend a new device if the current one has security concerns
BYOD – Risks and Controls
Although BYOD is widely said to bring productivity gains, improve employee morale and reduce attrition, it has its own setbacks; the primary concerns are leakage of enterprise data and unauthorized access to the corporate network.
This section lists the risks to consider and the steps to mitigate them. As a first phase, define strong BYOD security policies. The enterprise should allow employees to bring only tested, proven and organization-approved devices with approved applications installed. If this process fails, sub-standard and vulnerable devices enter the environment and bring far more security issues and risk to the enterprise.
Employees must enroll their device with the enterprise and have an asset ID allocated. Devices must be periodically re-registered, tested and re-certified by the enterprise.
Enrollment ties each device to a named employee and so prevents misuse of a device by a stranger. When a device is lost or stolen, or its credentials are compromised, the enrollment must be revoked; this largely removes the opportunity for enterprise data theft.
Periodic re-certification helps detect malware present on the device. Every device also has a Mean Time Between Failures (MTBF); maintaining device reliability and replacing devices as the vendor recommends avoids availability issues, keeps the device working and maintains the expected productivity.
Existing enterprise application access on workstations should not simply be replicated to BYOD devices. The employee's access from the device must be reviewed again to ensure he or she receives the least privilege needed to perform the job function. Because the employee will work remotely or while travelling, restricting access to PII and the enterprise's critical data is very important.
All activity on the device must be monitored, logged and reviewed periodically. Because employees often prefer to work remotely, context-based and content-based access controls should be deployed to reduce data leakage.
For the case of a lost or stolen device or a compromised password, the employee must take accountability for informing the enterprise's call center so that the device's access can be deactivated. In addition, a failed-login clipping level (a maximum number of consecutive failed attempts before the device locks) reduces unauthorized access to the enterprise network. Furthermore, deploy a data wipe function that erases enterprise data from the device once the clipping level is exceeded or the employee reports the device lost or stolen. This reduces data leakage and prevents unauthorized access to the corporate network.
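The following Python sketch, added here as an illustration and not part of the original article or of any particular device-management product, shows how the clipping level and wipe controls above can be expressed as a decision rule: consecutive failed logins first lock the device and, if they continue, wipe enterprise data, while a lost/stolen report from the employee wipes and de-enrolls the device immediately. The thresholds (5 failures to lock, 10 to wipe), the 15-minute lock window, the asset IDs and the event timelines are assumptions chosen for the example.

```python
"""Illustrative lock-and-wipe decision logic for a BYOD device (added example,
not from the article). It models two of the controls described above: a
failed-login clipping level that first locks the device and, if failures
continue, wipes enterprise data, and a lost/stolen report from the employee
that wipes and de-enrolls the device immediately. Thresholds, lock duration,
asset IDs and the timelines are assumptions chosen for the illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

LOCK_THRESHOLD = 5                     # assumed: lock after 5 consecutive failures
WIPE_THRESHOLD = 10                    # assumed: wipe after 10 consecutive failures
LOCK_DURATION = timedelta(minutes=15)  # assumed: no attempts accepted during the lock


@dataclass
class DeviceState:
    asset_id: str
    enrolled: bool = True
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    wiped: bool = False
    audit_log: List[str] = field(default_factory=list)

    def log(self, when: datetime, message: str) -> None:
        self.audit_log.append(f"{when.isoformat()} {self.asset_id} {message}")


def wipe(state: DeviceState, when: datetime, reason: str) -> str:
    """Wipe enterprise data and revoke the enrollment so the asset ID is retired."""
    state.wiped, state.enrolled = True, False
    state.log(when, f"WIPE ({reason})")
    return "wipe"


def handle_login(state: DeviceState, success: bool, when: datetime) -> str:
    """Apply one login attempt; return 'allow', 'deny', 'lock' or 'wipe'."""
    if state.wiped or not state.enrolled:
        state.log(when, "denied: device wiped or not enrolled")
        return "deny"
    if state.locked_until is not None and when < state.locked_until:
        # Every attempt inside the lock window is refused, even a correct one,
        # so the lock cannot simply be guessed through.
        state.log(when, "denied: lock window in effect")
        return "deny"
    if success:
        # The counter resets only on success, so failures separated by lock
        # windows keep accumulating toward the wipe threshold.
        state.failed_attempts, state.locked_until = 0, None
        state.log(when, "login allowed")
        return "allow"
    state.failed_attempts += 1
    state.log(when, f"login failed ({state.failed_attempts})")
    if state.failed_attempts >= WIPE_THRESHOLD:
        return wipe(state, when, "failed-login clipping level exceeded")
    if state.failed_attempts >= LOCK_THRESHOLD:
        state.locked_until = when + LOCK_DURATION
        state.log(when, f"locked until {state.locked_until.isoformat()}")
        return "lock"
    return "deny"


def report_lost(state: DeviceState, when: datetime) -> str:
    """Employee reports the device lost or stolen to the enterprise call center."""
    state.log(when, "reported lost/stolen by employee")
    return "deny" if state.wiped else wipe(state, when, "lost/stolen report")


def brute_force_scenario() -> List[str]:
    """Passcode guessing on a found device: 5 failures lock it, a correct guess
    inside the lock window is refused, failures after each window end in a wipe."""
    state, t = DeviceState("BYOD-0001"), datetime(2024, 1, 1, 9, 0)  # constructed
    actions = [handle_login(state, False, t + timedelta(seconds=i)) for i in range(5)]
    actions.append(handle_login(state, True, t + timedelta(minutes=1)))
    t += timedelta(minutes=16)
    while not state.wiped:
        actions.append(handle_login(state, False, t))
        t += timedelta(minutes=16)               # wait out each lock window
    actions.append(handle_login(state, True, t))  # wiped device stays denied
    return actions


def recovery_scenario() -> int:
    """A legitimate user mistypes three times, then succeeds: the counter resets."""
    state, t = DeviceState("BYOD-0002"), datetime(2024, 1, 1, 9, 0)
    for i in range(3):
        handle_login(state, False, t + timedelta(seconds=i))
    handle_login(state, True, t + timedelta(seconds=3))
    return state.failed_attempts


def lost_device_scenario() -> List[str]:
    """Employee reports the device lost: immediate wipe, later logins denied."""
    state, t = DeviceState("BYOD-0003"), datetime(2024, 1, 1, 9, 0)
    return [report_lost(state, t), handle_login(state, True, t + timedelta(minutes=1))]
```

Two details matter in practice and are deliberately modelled: a correct password entered inside the lock window is still refused, and the failure counter is reset only by a successful login, so an attacker who patiently waits out each lock window still reaches the wipe threshold. The audit log kept on the device state is what the periodic review described above would be fed.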
Shoulder surfing is another real concern when the employee uses the device while travelling or in public places such as restaurants or conferences. Strong security awareness training mitigates this risk. In addition, the employee should keep the device locked whenever it is not in use, to limit the damage from device theft. Security awareness training changes employee behavior in handling the device, through clear do's and don'ts, and enhances his or her skills.
When working away from the office, the employee should not print remotely, since this may lead to a confidentiality issue; security awareness training reduces this risk. In addition, disable the print function when the employee is working remotely over a public internet connection.
For an organization, the cost of a device includes the device itself, the data it holds, how important the device is for performing critical tasks, and other hidden costs.
Strong encryption must be deployed for business-sensitive data at rest on the device and in transit. Device access to live data should be restricted and granted only on a strong business justification that is carefully reviewed by the business manager or data owner.
Geo-location and IP address tracking help trace the device if it is lost or stolen.
Camera functions and data transfer applications, including email and SMS, must be disabled automatically while the device is connected to the enterprise's network; this reduces potential data leakage and confidentiality issues.
The device must run automatic virus scans, and proper patch management must be followed to avoid data corruption. All devices must be protected by a strong password, and the OS must be patched with the latest updates to address known vulnerabilities.
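As an added example (not from the article, and not tied to any specific device-management product), the Python below shows what the periodic device health check and re-certification described earlier, together with the patching, password and approved-application requirements, can look like when automated. A posture record reported by the device is evaluated against the enterprise policy for enrollment and asset ID, recency of the last certification, minimum OS version, storage encryption, screen-lock passcode length, an approved-application list and a recent malware scan; any finding blocks certification. Field names, thresholds, application identifiers and the sample device records are all assumptions constructed for the example.

```python
"""Illustrative BYOD device certification (posture) check, added as an example
and not taken from the article. A posture record reported by the device is
compared with the enterprise policy; any finding refuses certification.
Field names, thresholds and sample devices are assumptions."""
from datetime import date
from typing import Dict, List, Tuple

# Assumed enterprise policy. 'approved_apps' stands in for the enterprise's
# certified application catalogue; identifiers are made up for the example.
POLICY = {
    "max_days_since_certification": 90,
    "min_os_version": {"ios": "17.0", "android": "14"},
    "min_passcode_length": 6,
    "max_days_since_malware_scan": 7,
    "approved_apps": {"com.example.mail", "com.example.vpn", "com.example.docs"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1)."""
    return tuple(int(part) for part in text.split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions numerically; missing trailing parts count as zero."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate_posture(device: Dict, policy: Dict, today: date) -> Tuple[bool, List[str]]:
    """Return (certified, findings). Certification requires an empty findings list."""
    findings: List[str] = []

    if not device.get("enrolled") or not device.get("asset_id"):
        findings.append("device is not enrolled or has no asset ID")
    if device.get("reported_lost"):
        findings.append("device was reported lost or stolen")

    last_cert = device.get("last_certified")
    if last_cert is None or (today - last_cert).days > policy["max_days_since_certification"]:
        findings.append("periodic re-certification overdue")

    platform = device.get("platform", "")
    minimum = policy["min_os_version"].get(platform)
    if minimum is None:
        findings.append(f"platform '{platform}' is not an approved device type")
    elif not version_at_least(device.get("os_version", "0"), minimum):
        findings.append(f"OS version {device.get('os_version')} below minimum {minimum}")

    if not device.get("storage_encrypted"):
        findings.append("storage encryption is disabled")
    if device.get("passcode_length", 0) < policy["min_passcode_length"]:
        findings.append("screen lock passcode shorter than policy minimum")

    # Anything outside the allow list is a finding; the list is sorted so the
    # report is stable and reviewable.
    for app in sorted(set(device.get("installed_apps", [])) - policy["approved_apps"]):
        findings.append(f"unapproved application installed: {app}")

    last_scan = device.get("last_malware_scan")
    if last_scan is None or (today - last_scan).days > policy["max_days_since_malware_scan"]:
        findings.append("malware scan overdue")

    return (not findings, findings)


# Constructed sample posture records for the example (not real devices).
TODAY = date(2024, 6, 1)
COMPLIANT_DEVICE = {
    "asset_id": "BYOD-0042", "enrolled": True, "reported_lost": False,
    "platform": "ios", "os_version": "17.4.1",
    "last_certified": date(2024, 4, 15), "storage_encrypted": True,
    "passcode_length": 6, "installed_apps": ["com.example.mail", "com.example.vpn"],
    "last_malware_scan": date(2024, 5, 30),
}
NONCOMPLIANT_DEVICE = {
    "asset_id": "BYOD-0043", "enrolled": True, "reported_lost": False,
    "platform": "android", "os_version": "13",
    "last_certified": date(2024, 1, 10), "storage_encrypted": True,
    "passcode_length": 4, "installed_apps": ["com.example.mail", "com.unknown.filesync"],
    "last_malware_scan": date(2024, 5, 31),
}

if __name__ == "__main__":
    for dev in (COMPLIANT_DEVICE, NONCOMPLIANT_DEVICE):
        certified, findings = evaluate_posture(dev, POLICY, TODAY)
        print(dev["asset_id"], "certified" if certified else "refused", findings)
```

The second sample device is refused for four independent reasons (overdue re-certification, an OS below the minimum version, a short passcode and an unapproved application), which is the information the health check needs in order to either remediate the device or recommend a replacement, as the policy list earlier in the article requires.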
Segregation of data by application (compartmentalization) must be considered so that a compromise exposes only one application's data rather than everything on the device.
Most of the risks above, in particular those arising from data stored on the device, are mitigated if the device connects to a virtual desktop where all data is stored on the server and nothing is stored locally.
BYOD – Compliance
Business data is the lifeblood of an enterprise; failing to protect it with strong controls and policies damages the organization's reputation and reduces its customer base. The enterprise must follow local regulatory and data privacy laws when live data, especially PII, is used on the device.
It is highly recommended to discourage employees from carrying their device on overseas trips or across borders. Data protection regimes such as HIPAA, the EU-US Safe Harbor framework and the OECD (Organisation for Economic Co-operation and Development) privacy guidelines must be carefully considered.
When the device is transported to the vendor by courier, or within the enterprise, for a defect fix, make sure all data on it is protected and the device is secured, and insure the device. Use an organization-approved courier service.
An enterprise must increase employee accountability: a strict penalty for unexplained absence from the job for a considerable number of days must be considered, and a strong security policy must be prepared and signed by the employee.
If a device is lost or stolen and its credentials are compromised, an attacker could misuse it; a log-on banner warning of the legal consequences of unauthorized use must be displayed. This is a deterrent control intended to discourage the attacker from using the device.
A business continuity plan must cover a lost or stolen device so that productivity continues. The long-term absence of an employee without notice is another issue, and automatic wipe of enterprise data after a defined period of inactivity must be considered.
Only approved employees, and only on business justification, should be allowed to use their own devices; contractors should be excluded from BYOD because of security issues such as data leakage, intellectual property rights and data alteration.
As in the previous section, these scenarios are mitigated if the device connects to a virtual desktop where all data is stored on the server and not locally.
Office work and personal work must be separated, and the two should not be done at the same time on the device; in practice this means a virtualized desktop approach in which data and logs are stored on a centralized server instead of locally. The following questions must be seriously considered before implementing BYOD.
- How safe is corporate data while it is used on the device?
- Is the productivity gain more important than the enterprise's business risk?
- Does using the device affect the business, given that it may be used for daily operational activities?
- Can an employee store corporate data on his or her device?
- Have the enterprise's reputation, regulatory and local laws, the risk of a decreasing customer base, and potential penalties been given serious thought?
- Has a strong business case been justified, case by case, before allowing BYOD and granting access to the employee?
- Have the cost-saving benefits been analyzed?
Authored by Ananda Narayanan G