Bring your own device -- but secure it first!
You've probably sat in a meeting with your CIO or CFO and heard about the business benefits of the "Consumerization of IT." Advocates for this practice, also known as Bring Your Own Device (BYOD), say that workers are more productive when using devices with which they're more comfortable. Proponents also say that real cost savings can result from allowing users to connect their own devices to the corporate network, by eliminating the need to buy cell phones and tablets for each user and by reducing calls to IT Help desks as people use familiar devices. Managers might believe that employees who use their own personal devices to connect to corporate email systems, websites, and document management systems are more likely to be available outside of normal business hours and thus to work more than their colleagues. Even your HR department might be a proponent of BYOD because it helps attract and keep younger talent fresh out of college. It might cite studies and reports that younger employees expect to work where and when they want, with the tools and devices with which they feel most comfortable.
Similar to BYOD is shared ownership of devices, in which employees are given a budget to buy a cell phone or tablet of their own choosing for work purposes but can also use it as a personal device. Emerging evidence indicates that shared ownership results in fewer lost and broken devices because employees are more likely to take care of these items, especially when they do double duty as primary personal devices. However, for all the potential benefits, there are certainly pitfalls and issues that enterprises of all sizes must consider before openly accepting and promoting BYOD. In fact, there is a strong chance that some employees in your organization are practicing BYOD surreptitiously and potentially in violation of policy. Such folks might already have connected their personal cell phones and tablets to your enterprise systems, placing the enterprise at risk.
Risks of BYOD
Over the past few years, organizations have gone to extraordinary lengths to ring-fence and defend their most valuable data assets against loss or theft. This effort is due in part to an explosion of concerns about privacy, the passing of data-breach notification laws, and corporate espionage. Many organizations have invested heavily in Data Loss Prevention (DLP) technologies and regularly review who has access to data, when they access that data, and for what reason. Unfortunately, BYOD-related activity can quickly render DLP solutions and access reviews useless, and organizations can find out far too late that they have suffered a data breach.
Consider the Apple iPad, which increasingly turns up in conference rooms and meetings, regardless of whether BYOD is sanctioned or whether your organization has a policy to manage the use of personal devices. A user might open a document attached to an email message that was sent to a corporate email account or might download a document from a Microsoft SharePoint site, and then use Apple iWork Pages to open that document for use in a meeting. The iPad automatically syncs the document to Apple's iCloud, and the document is then available from every iOS device that the user owns, including iPhone and iPod touch devices (and soon, Macintosh computers). The document is available from the iCloud website when the user logs on from any PC or Mac. If the document contains any personally identifiable information or other sensitive data (e.g., unreleased financial data) and if the user loses an iCloud-connected device or if the user's iCloud credentials are compromised, your organization might need to notify authorities, partners, and customers. Just the fact that the document is no longer under your organization's control could be grounds for breach notification.
The problem isn't unique to Apple mobile devices. Employees with Windows Phones, Android tablets and phones, and other devices can pose similar risks by using these devices to access enterprise data, especially if their use isn't managed and monitored.
A common concern across all devices is whether user data that is stored on the device, including data downloaded from enterprise email and document management systems, is encrypted to help prevent access by unauthorized individuals. Other concerns are whether the device includes a removable media card, such as a Micro SD card (some of which can store as much as 64GB); whether data can be stored on the cards; and whether the card is encrypted and paired to the mobile device so that it can't be inserted into another device and its contents accessed.
Another issue that must be considered is how to disable and wipe devices that are lost or stolen or that belong to employees who quit or are terminated, especially if those devices contain sensitive data.
Other risks can come with BYOD-related activity, and more will likely emerge over time as these devices become more powerful or are updated to new software releases with new features. The only way to manage risk is to establish a BYOD policy, put it in place with appropriate controls, and monitor it.
Creating a BYOD Policy
I recommend that all organizations, even those that don't intend to allow employees to use their own devices to access enterprise systems and data, create a BYOD policy. I'll be candid: Despite your best efforts, you're highly unlikely to prevent employees from using their own devices. Accept that fact, allow employees to use their devices, and take appropriate steps to manage the risk.
What should your BYOD policy consist of? Consider the audience for the policy. Few end users of IT services -- your employees -- are likely aware of your organization's policy, even if they're required to acknowledge and adhere to it. What employees know about what they may do with corporate assets -- including computers, email systems, and data -- they usually get from awareness training, colleagues, and their own sense of propriety. A policy is typically used only by managers, lawyers, and HR staff when dealing with compliance obligations, data breaches, and gross violations of policy. For this reason, I recommend that your BYOD policy be high-level and provide general guidelines rather than specific details.
For example, the policy might state that only approved devices (as determined by the IT department) can be used to access corporate systems and networks that contain certain categories of data (as authorized by the legal department). The policy might also state that the organization reserves the right to manage the devices remotely, including wiping and inspecting them. This last part is extremely important, and you should have your legal department review the terms. Without a policy statement that says the organization can manage employees' personal devices when they are connected to the corporate network or used to access corporate information, your organization might find itself in court defending its actions after remotely wiping a terminated employee's cell phone, which contained holiday pictures along with confidential corporate information!
After putting the high-level policy in place and making your employees aware of it, the next steps are to determine which systems and data your employees are allowed to access from their personal devices and which device makes and models employees can use. Separating these details from the actual policy and placing them into standards and guidelines allows you to update them later, without the approvals that are usually necessary for a change in policy. Standards and guidelines are usually written without the legal language of policies, making them more understandable and more likely to be adhered to.
Determining Accessible Systems and Data
Rushing into a definition of which personal devices can be used is tempting. But first, consider the systems and data that can be accessed. When you perform a risk assessment, you focus on the asset value (usually the collected, held, and processed data) in determining security controls. In the same way, you need to start with the systems and data to determine which security features the accessing devices must support.
Try to avoid the rush to judgment that some systems and data (e.g., email systems) are safe to access from personal devices. Email might be the most commonly used means of distributing information between employees, and most of it might seem routine. But it can be used to convey highly sensitive information, such as personnel matters, financial information, and customer details. Any of these pieces of information might require your company to follow breach-notification rules if a device containing them is lost or stolen.
The simplest approach is to turn to your asset classification policy, assuming that you have one. Most organizations define levels of classification -- such as Low, Medium, or High Impact -- arising from the loss, disclosure, or destruction of the asset. Low Impact data is typically public information, such as online sales systems, published price lists, parts databases, and the like. Medium Impact data usually includes project planning schedules and reports, sales forecasts and reports, most non-routine email messages, and source code to in-house-developed line-of-business (LoB) applications. High Impact data is typically regulated data or data that, if lost, would result in significant loss to the organization. Examples of High Impact data include personally identifiable information about employees and customers, protected healthcare information, confidential product plans, and revenue projections and forecasts for publicly traded companies.
A decision to permit access from personal devices to Low Impact data and the systems that process it is probably acceptable. Access to Medium Impact data, which would include email, can be more problematic. Still, with the right access-control features on personal devices, access to some or all of this data might be acceptable. This is especially true if you use other technologies, such as Secure MIME (S/MIME) encryption or Active Directory Rights Management Services (AD RMS) and Information Rights Management (IRM), to protect sensitive email in the environment. You likely won't want to permit access from personal devices to High Impact data. For executives and other employees with a need to access this type of data from phones and tablets, consider issuing devices that are locked down to meet the most stringent requirements.
Defining BYOD Standards
When you have a list of data that you're willing to permit employees to access from personal devices as well as the systems that host or process that data, you next need to define device standards. Device standards are simply the software, features, and controls that must be present on personal devices to access enterprise data. In defining these standards, look at the standards that you have in place for the existing systems and networks that host and process the data. These standards should be met or exceeded on the devices that your employees will use. Focus on areas such as identity and access management (IAM), encryption of data at rest and in transit, encryption algorithms and key lengths, endpoint security, data loss prevention, and so on.
Of increasing concern is the ability to keep the software on mobile endpoints current. Recent research has shown that many devices, especially those shipped by mobile phone operators (often as part of a one- or two-year service contract), aren't updated to address known vulnerabilities. Even when updates are available, evidence strongly suggests that device owners and users are unaware of the availability of updates or of how to apply them. When considering device standards, you need to be aware of the software revisions that are available for the multitude of devices (e.g., the various versions of the Android OS, tailored for each handset and tablet manufacturer) and the vulnerabilities in each. This knowledge will help you define minimum acceptable software versions that must be in place.
Although your focus should be on features and controls that must be in place to allow a particular device to access enterprise resources, you can't ignore how owners and users of these devices will use them away from work. For example, which applications will the user install, and will those apps have access to your corporate data? A typical example is an application downloaded from an online app store supported by the device manufacturer. What if the app has access to contact lists on the device and a contact list is synchronized with your corporate email system -- which contains the names, addresses, and other personally identifiable information of your employees and even some customers? You must consider how to restrict access to that data to approved applications only, and what to do if a device doesn't support this feature. You might need to prevent employees from installing some or even all applications on their personal devices, or permit them to install applications on a pre-approved list. If employees are allowed to install applications on their personal devices, then consider a means to ensure that those apps are updated with releases that address discovered vulnerabilities.
When you have identified the features and controls (i.e., standards) that must be in place on devices, the next step is to identify the devices that support those standards. This step isn't as easy as you might hope, given the multitude of devices and software versions in existence. You typically need to visit each manufacturer website and spend time looking for details for each device. Some manufacturers, such as Apple, provide enterprise and business features and integration information (see Apple's business webpage); others don't.
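The two preceding steps, mapping classification tiers to required device controls and then checking candidate devices (including their software revision) against those controls, can be written down as a small evaluator. The following is an added example and not part of the original article or any vendor's tooling; the Low/Medium/High Impact tiers follow the article, but the particular controls required per tier, the minimum OS versions, the attribute names on the device record, and the sample devices are constructed assumptions for illustration.

```python
"""Evaluate a personal device against cumulative BYOD device standards.

Added example (not from the article). Tier names follow the article; the
controls required per tier, MIN_OS_VERSION and the sample devices are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.0.4' -> (4, 0, 4), so that 4.10 correctly sorts after 4.9."""
    return tuple(int(part) for part in text.split("."))


# Minimum acceptable OS release per platform (assumed values, keyed by a
# lower-case platform tag; revise as vulnerabilities are fixed upstream).
MIN_OS_VERSION = {"ios": "5.1", "android": "4.0.4", "windowsphone": "7.5"}


@dataclass(frozen=True)
class Device:
    platform: str            # "ios", "android", "windowsphone", ...
    os_version: str
    passcode_enabled: bool
    storage_encrypted: bool
    removable_card: bool     # device has a removable media card slot
    card_encrypted: bool     # card is encrypted and paired to the device
    remote_wipe: bool
    app_install_restricted: bool   # installs limited to an approved list


Check = Tuple[str, Callable[[Device], bool]]


def os_current(d: Device) -> bool:
    minimum = MIN_OS_VERSION.get(d.platform)
    return minimum is not None and parse_version(d.os_version) >= parse_version(minimum)


def card_safe(d: Device) -> bool:
    # A removable card is acceptable only if its contents can't be read
    # simply by moving it to another device.
    return (not d.removable_card) or d.card_encrypted


BASE_CHECKS: List[Check] = [
    ("supported OS version", os_current),
    ("passcode enabled", lambda d: d.passcode_enabled),
]
MEDIUM_CHECKS: List[Check] = BASE_CHECKS + [
    ("storage encrypted", lambda d: d.storage_encrypted),
    ("removable card absent or encrypted", card_safe),
    ("remote wipe supported", lambda d: d.remote_wipe),
]
HIGH_CHECKS: List[Check] = MEDIUM_CHECKS + [
    ("application installation restricted to approved list",
     lambda d: d.app_install_restricted),
]

# Ordered lowest to highest; each tier's checks include the tier below.
STANDARDS: List[Tuple[str, List[Check]]] = [
    ("Low Impact", BASE_CHECKS),
    ("Medium Impact", MEDIUM_CHECKS),
    ("High Impact", HIGH_CHECKS),
]


def evaluate(device: Device) -> Dict[str, List[str]]:
    """Map each tier to the list of failed checks (empty list = permitted)."""
    return {name: [desc for desc, ok in checks if not ok(device)]
            for name, checks in STANDARDS}


def highest_permitted_tier(device: Device) -> Optional[str]:
    """Highest tier whose checks all pass, or None if even Low Impact fails."""
    permitted = None
    for name, checks in STANDARDS:
        if all(ok(device) for _, ok in checks):
            permitted = name
        else:
            break   # tiers are cumulative, so nothing above can pass either
    return permitted


# Constructed sample devices.
TABLET = Device("ios", "5.1.1", True, True, False, False, True, False)
OLD_PHONE = Device("android", "2.3.6", True, False, True, False, False, False)

if __name__ == "__main__":
    for label, dev in (("tablet", TABLET), ("old phone", OLD_PHONE)):
        print(label, "->", highest_permitted_tier(dev), evaluate(dev))
```

Because the tiers are cumulative, a device is reported with the highest tier it satisfies and the exact controls it lacks for the next one, which is the list you hand back to the user (or to procurement) rather than a bare yes/no.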
After you have created your policy, identified the data and systems that can be accessed by personal devices, and identified which devices can connect to your enterprise network, you need to find a way to manage those devices to ensure that the policy is adhered to and standards met. You also need to ensure that you can track the use of personal devices to access enterprise resources and data. And you need the ability to remove data or decommission lost or stolen devices, as well as devices that belong to employees separated from the company. This is often the most challenging aspect of implementing a BYOD policy.
The good news is that if you have Microsoft Exchange 2010 and you choose to allow devices to connect to your email system, you have a rudimentary management toolset that can allow, deny, or quarantine devices, allow connections to corporate networks and systems based on basic characteristics such as strong password or device encryption capabilities, and apply policies to enable each. The bad news is that this toolset requires devices to be honest when reporting device characteristics and capabilities and to actually enforce the policies that are pushed down. In the past, some devices that were purported to have these characteristics and capabilities didn't. Hackers can also take the protocols that the Microsoft Exchange ActiveSync (EAS) service uses to manage devices, and mock up devices that don't honor policies and can be used to extract data from your organization.
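To make the allow/deny/quarantine decision and its weakness concrete, here is an added example that models it in Python. It is not Exchange's code and not from the article: it mirrors the shape of ActiveSync device access rules (a rule matches one reported characteristic such as DeviceType, DeviceModel or UserAgent and yields Allow, Block or Quarantine, with an organization-wide default for anything unmatched), but the evaluation order (most restrictive match wins), the rule set, the expected user-agent prefixes and the sample device reports are constructed assumptions. The second function shows the only check the server side can make on its own: whether the characteristics a device reports are at least consistent with each other.

```python
"""Allow / Block / Quarantine decisions driven by device-reported characteristics.

Added example (not Exchange's implementation, not from the article). Rule
shape resembles ActiveSync device access rules; precedence, rules, prefix
table and sample reports are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

ALLOW, BLOCK, QUARANTINE = "Allow", "Block", "Quarantine"


@dataclass(frozen=True)
class AccessRule:
    characteristic: str   # "DeviceType", "DeviceModel" or "UserAgent"
    query: str            # value the reported characteristic must equal
    access: str           # ALLOW, BLOCK or QUARANTINE


# Constructed rule set: approve one device family, block one specific model,
# and hold every other Android device for review.
RULES: List[AccessRule] = [
    AccessRule("DeviceType", "iPad", ALLOW),
    AccessRule("DeviceModel", "ExampleModel-1", BLOCK),
    AccessRule("DeviceType", "Android", QUARANTINE),
]
DEFAULT_ACCESS = QUARANTINE      # unknown devices wait for an administrator

_SEVERITY = {ALLOW: 0, QUARANTINE: 1, BLOCK: 2}


def decide(reported: Dict[str, str],
           rules: List[AccessRule] = RULES,
           default: str = DEFAULT_ACCESS) -> str:
    """Most restrictive matching rule wins (assumed precedence); else default."""
    matches = [r.access for r in rules
               if reported.get(r.characteristic) == r.query]
    if not matches:
        return default
    return max(matches, key=_SEVERITY.__getitem__)


# Every field above is self-reported, so a rule can only be as trustworthy as
# the client. The one thing the server can check is internal consistency:
# an assumed table of the user-agent prefix each device type normally sends.
EXPECTED_AGENT_PREFIX = {"iPad": "Apple-iPad", "iPhone": "Apple-iPhone"}


def inconsistent_claims(reported: Dict[str, str]) -> List[str]:
    """Return findings that warrant manual review before trusting the device."""
    findings = []
    dtype = reported.get("DeviceType", "")
    agent = reported.get("UserAgent", "")
    prefix = EXPECTED_AGENT_PREFIX.get(dtype)
    if prefix and not agent.startswith(prefix):
        findings.append(f"DeviceType {dtype!r} but UserAgent {agent!r}")
    if not reported.get("UserAgent"):
        findings.append("no UserAgent reported")
    return findings


def triage(reported: Dict[str, str]) -> str:
    """Downgrade an Allow to Quarantine when the device's claims don't add up."""
    decision = decide(reported)
    if decision == ALLOW and inconsistent_claims(reported):
        return QUARANTINE
    return decision


# Constructed device reports.
GENUINE_IPAD = {"DeviceType": "iPad", "DeviceModel": "iPad2C1",
                "UserAgent": "Apple-iPad2C1/901.334"}
UNKNOWN_PHONE = {"DeviceType": "WindowsPhone", "DeviceModel": "Example-WP",
                 "UserAgent": "Constructed-WP-Agent/1.0"}
BLOCKED_MODEL = {"DeviceType": "Android", "DeviceModel": "ExampleModel-1",
                 "UserAgent": "Constructed-Android-Agent/1.0"}
ODD_IPAD = {"DeviceType": "iPad", "DeviceModel": "iPad2C1",
            "UserAgent": "Constructed-Test-Agent/0.1"}

if __name__ == "__main__":
    for name, rep in (("genuine iPad", GENUINE_IPAD), ("unknown phone", UNKNOWN_PHONE),
                      ("blocked model", BLOCKED_MODEL), ("odd iPad", ODD_IPAD)):
        print(name, "->", triage(rep), inconsistent_claims(rep))
```

The `ODD_IPAD` report illustrates the article's caveat: it matches the Allow rule on DeviceType alone, so a rule-only decision lets it in; the consistency check is a heuristic that catches a careless mismatch, not a substitute for a management agent that enforces policy on the device rather than trusting its report.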
Companies such as Research In Motion (RIM) and Apple provide tools that enterprises can use to manage their products. These companies typically allow the enterprise to create policies that can be distributed to devices by email or some other means and to restrict users' ability to adjust or remove those policies. These tools are free, or can be used for free by small-to-midsized businesses (SMBs). The problem is that if you choose to support multiple device manufacturers and different versions of devices and software, managing each in silos quickly becomes infeasible, especially in a large enterprise environment or one in which end users have multiple devices that they exchange or upgrade frequently. In such environments, you need to invest in a mobile device management solution. The major solution providers support multiple devices from all major manufacturers. A note of caution, however: These solutions can be complex and overwhelming, although they typically come with enterprise-class features such as VPN solutions and sophisticated monitoring and reporting tools.
Bringing It All Together
BYOD is fast becoming an employee expectation. However, it brings high risk to the enterprise if it isn't managed carefully. To minimize the risk, organizations need to create policy surrounding the use of personal devices to access enterprise systems and data. Make employees aware of this policy and provide appropriate training that covers what is and isn't acceptable. Organizations need to determine which data and systems personal devices can access, and how. The classification of these systems can be used to identify device capabilities and characteristics, which will determine which devices employees are permitted to use. Lastly, the organization needs to use a toolset to create and enforce technical policies on employee devices and to remotely manage and wipe lost or stolen devices or those that belong to employees separated from the organization.