6/30/2014 12:00 PM
Bret Arsenault
Commentary

How Microsoft Cracks The BYOD Code: 3 Tips

Microsoft's CISO shares best-practices for balancing employee autonomy and security in today's bring-your-own world.

Securing a company’s IT environment can be a daunting task, and the growing adoption of bring-your-own-device (BYOD) only adds to the complexity. To support BYOD effectively, security managers need new strategies for the risks it introduces.

It likely won’t surprise you that recent research we conducted in a Trust in Computing survey shows that 78 percent of organizations allow employees to bring their own computers to the office for work purposes. BYOD can improve employee satisfaction and productivity, and the trend is becoming more commonplace today.

The good news is that BYOD can be implemented without eroding security. But it’s no small task for enterprises. At Microsoft, our IT group coordinates data security management across 340,000 devices connecting to the network and 2 million remote connections each month.

The internal BYOD policies we have developed, which I oversee as chief information security officer, provide a framework for enabling employees to use their personal devices while helping to maintain protections for corporate information. I believe that companies of all sizes can apply at least some of what we’ve instituted in their own organizations. Here is a sampling of our best practices:

Best-Practice 1: Develop a BYOD strategy
Effective security starts with a detailed strategy. At Microsoft we set out to define:

  • The company’s goals for the BYOD framework
  • The capabilities we need to reach those goals
  • A plan for supporting and securing access from personal devices
  • A strategy for accountability and implementation

To help put that into perspective, here’s a breakdown of how this works at Microsoft. Our goals for BYOD are to give employees access to messaging, collaboration, and line-of-business applications, to boost productivity, and to help employees balance their work and personal lives. This approach includes employee training and engages various departments like Human Resources and Legal.

Our standards for the use and integration of personally managed devices require employees to:

  • Accept security controls on personal phones in order to access email
  • Set personal phones to lock automatically after a period of inactivity
  • Allow company data to be remotely wiped from a device that is lost or stolen

The final piece in the strategy is assigning accountability for implementing and overseeing BYOD. At Microsoft, our IT department oversees a coordinated effort to help secure data on more than 340,000 end-user devices being used at the company, and 90,000 of those, roughly a quarter of the devices in our environment, are personally owned.

Best-Practice 2: Manage the boundary between personal and corporate data
Companies need to take steps to segregate and protect corporate data effectively. For example, at Microsoft, any device accessing company email must adhere to security standards that:

  • Encrypt the data on the device
  • Require a PIN
  • Allow remote maintenance and updates to protect company applications and data

We continuously evolve this standard using technologies such as Microsoft Intune and similar products that manage personally owned devices from the cloud. Such tools can remove company data from a device without touching personal files, apps, or pictures, for example when an employee leaves the company or lends the phone to someone else.

Best-Practice 3: Define conditions for access
At Microsoft, we’ve moved to a Variable User Access model, which looks at the strength and trustworthiness of the device, and the identity presented by the employee, to determine the level of access to company resources. For example, we ask:

  • Is the employee using a non-corporate identity, such as a personal email account, or are they using a trusted ID from the corporate managed directory?
  • Is the device authenticated and fully managed by the company, using a mobile device management solution, or is the device personally owned by the employee?
  • Is the device being used from a known location or from a new, unknown external location?

The strength of those and other factors determines the level of employee access, ranging from full network access with local data, to full network access but no local data, to some access to web applications, to no access (guest Internet only).
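As an added worked example (not code from the article or from Microsoft), the following Python models the decision described above: it first checks a device against the email-access standard from Best-Practices 1 and 2 (encryption, PIN, auto-lock, remote wipe) and then combines that result with the identity and location signals to pick one of the four access levels. The PIN and auto-lock thresholds, the evaluation order, the step-down rule for unknown locations and the sample sessions are all assumptions chosen for the illustration; the article names the factors and the tiers but not how they are weighted.

```python
# Added illustration of a "variable user access" evaluator. Not Microsoft's code:
# thresholds, signal names, the signal-to-tier mapping and the sample sessions
# below are assumptions made for this example.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Tier(IntEnum):
    """Access levels named in the article, least to most privileged."""
    GUEST_INTERNET = 0         # no access to company resources
    WEB_APPS = 1               # some access to web applications
    NETWORK_NO_LOCAL_DATA = 2  # full network access, nothing stored on the device
    FULL = 3                   # full network access and local data


@dataclass(frozen=True)
class DevicePosture:
    """Posture report for one device, as an MDM agent would attest it."""
    encrypted: bool
    pin_set: bool
    pin_min_length: int
    auto_lock_seconds: int
    remote_wipe_enrolled: bool


@dataclass(frozen=True)
class Session:
    corporate_identity: bool          # ID from the corporate directory, not a personal account
    company_managed: bool             # enrolled in and fully managed by the company's MDM
    posture: Optional[DevicePosture]  # None = no posture available (e.g. an airport kiosk)
    known_location: bool              # seen-before location vs a new, unknown external one


# Assumed thresholds; the article only says "require a PIN" and "lock after inactivity".
MIN_PIN_LENGTH = 4
MAX_AUTO_LOCK_SECONDS = 300


def posture_findings(posture: Optional[DevicePosture]) -> List[str]:
    """Return every way the device misses the email-access standard (empty = compliant)."""
    if posture is None:
        return ["no device posture available"]  # fail closed: unknown is not compliant
    findings = []
    if not posture.encrypted:
        findings.append("data on device is not encrypted")
    if not posture.pin_set or posture.pin_min_length < MIN_PIN_LENGTH:
        findings.append(f"no PIN of at least {MIN_PIN_LENGTH} digits")
    if posture.auto_lock_seconds > MAX_AUTO_LOCK_SECONDS:
        findings.append(f"auto-lock exceeds {MAX_AUTO_LOCK_SECONDS}s")
    if not posture.remote_wipe_enrolled:
        findings.append("company data cannot be remotely wiped")
    return findings


def access_tier(session: Session) -> Tuple[Tier, List[str]]:
    """Map identity, device and location signals to a tier (assumed order):
    1. a non-corporate identity never gets past guest Internet;
    2. a device failing the standard is limited to web applications;
    3. a compliant device gets FULL if company-managed, otherwise no local data;
    4. an unknown location steps the result down one tier, never below web apps.
    """
    reasons: List[str] = []
    if not session.corporate_identity:
        return Tier.GUEST_INTERNET, ["non-corporate identity presented"]
    findings = posture_findings(session.posture)
    if findings:
        tier = Tier.WEB_APPS
        reasons.extend(findings)
    elif session.company_managed:
        tier = Tier.FULL
    else:
        tier = Tier.NETWORK_NO_LOCAL_DATA
        reasons.append("personally owned device: no local data")
    if not session.known_location and tier > Tier.WEB_APPS:
        tier = Tier(tier - 1)
        reasons.append("new, unknown location: stepped down one tier")
    return tier, reasons


# Constructed sample data for the demonstration, not real devices or users.
COMPLIANT = DevicePosture(True, True, 6, 120, True)
NO_ENCRYPTION = DevicePosture(False, True, 6, 120, True)
SAMPLE_SESSIONS: Dict[str, Session] = {
    "managed laptop, office": Session(True, True, COMPLIANT, True),
    "personal phone, compliant, office": Session(True, False, COMPLIANT, True),
    "personal phone, compliant, hotel wifi": Session(True, False, COMPLIANT, False),
    "personal phone, unencrypted, office": Session(True, False, NO_ENCRYPTION, True),
    "airport kiosk, corporate ID": Session(True, False, None, False),
    "personal Gmail identity, managed laptop": Session(False, True, COMPLIANT, True),
}


def evaluate_all() -> Dict[str, Tier]:
    """Evaluate every sample session; returns name -> tier."""
    return {name: access_tier(s)[0] for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, session in SAMPLE_SESSIONS.items():
        tier, reasons = access_tier(session)
        print(f"{name:42s} -> {tier.name:22s} {'; '.join(reasons)}")
```

Running it prints each constructed session with its tier and the reasons behind it. The reasons list is the part worth keeping in a real implementation: a decision that cannot explain itself is hard to audit and hard to debug when a user is unexpectedly locked out. The evaluator also fails closed, treating an unknown posture (the airport kiosk) as non-compliant rather than as a pass.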

As BYOD continues to become more mainstream in the workplace, security can’t be an afterthought. Each company should determine which BYOD-friendly devices, services, and practices will best balance the benefits of BYOD with the increased security risks that come with it.

As Microsoft's Chief Information Security Officer, Bret Arsenault is responsible for enterprise-wide information security, compliance, and business continuity efforts. He leads a global team of security professionals with a strategic focus on information protection, ...
Comments
RyanSepe
User Rank: Ninja
7/3/2014 | 9:52:35 PM
Re: Variable Access Model
Ok thanks! Based on your last statement:

"if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different."

I know you can't quantify your user data publicly. However, can you divulge confirmation that this is a container-based approach on distinct levels of trust? Or is there some other methodology that's being used? Thanks.

BretArsenault
User Rank: Author
7/3/2014 | 12:16:25 PM
Re: Variable Access Model
Marilyn and Ryan, thank you for commenting. I'm glad you found my post valuable. Unfortunately, we can't share data on the number of employees at each access level. One reason for this is that those numbers can vary greatly from day to day, as one of the factors that we take into account is the device's location. The numbers can also change regularly as employees change the device they are using. For example, if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different.
Marilyn Cohodas
User Rank: Strategist
7/1/2014 | 2:50:01 PM
Re: Variable Access Model
Me too, though most companies dealing with BYOD don't have the scale (or resources) of a Microsoft. It's still illuminating to see how an organization of that size handles the problem.
RyanSepe
User Rank: Ninja
6/30/2014 | 9:17:39 PM
Re: Variable Access Model
Good question Marilyn! I would think that whatever the quantity would be, they would have to implement some container methodology based on set trust levels for their MDM/EMM solution. I would be interested to hear the technical aspect of their plan.
Marilyn Cohodas
User Rank: Strategist
6/30/2014 | 1:56:04 PM
Variable Access Model
Thanks for sharing some of the inner workings of Microsoft's BYOD policy. 340,000 devices is a lot of BYO to manage! Curious to know how many of those have full access to corporate assets, and does that number encompass employees or strategic partners as well?