Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/3/2016
12:00 PM
Rob Greer
Rob Greer
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

BYOD Security: How To Shift Device Control & Grant Users More Choice

Gartner's 'managed diversity' model offers an ITIL-compliant information security solution to the problem of Shadow IT.

Information Technology departments too often have rigid policies circumvented by end users seeking convenience. At the same time, many employees have flexible work environments and more choice for how and where they work. This dichotomy leads to unchecked behaviors where users can bypass traditional security measures by using unsanctioned or unapproved applications, accessing insecure Wi-Fi networks, or choosing to store important data and files on their personal devices. It’s a growing security problem, seemingly, without a foreseeable resolution.

Or is there?

Information security teams looking for a way to resolve the problem of so-called “Shadow IT” should consider implementing Gartner’s Managed Diversity Model for BYOD and Choose Your Own Device (CYOD). Gartner’s model improves the relationship between IT and end users. The model has given businesses a new way to organize end users, specify device options and create a solid set of best practices—while still granting choice. By following its framework, IT and security pros can better respond to end-user preferences and re-address how security is deployed within their organizations. 

Finding the Right Balance

The key for a happy balance between employees’ wants and IT security management is two-way communication that addresses each party’s concerns. Instead of keeping rigid control from the top down, under Gartner’s model, IT can, and should, shift some decisions to end-users in a semi-managed device environment. There are still structured options, but with a broader scope: employees have more choice—with the caveat that users will be more responsible if they choose their own preference. This Information Technology Infrastructure Library (ITIL) compliant model presents three service choices to users, ranging from the traditional ‘IT controls and manages everything’ device to the ‘user free-for-all’ device.

While it may seem like this model can generate security risk, if applied correctly, offering more user choice need not come at the expense of security.

The fully managed device is the typical model most corporations employ, where IT and security decide what devices are used while also taking full responsibility for it, from purchase to everyday use. It allows organizations to implement any control(s) they deem fit for keeping the device, and the sensitive data it holds, safe, without interruption from the end user. Devices that usually fall under this category are those essential to an employee’s workflow, such as computers or mobile devices required for daily tasks. IT will usually select devices for which they know they can manage security and support, allowing them to control the entire device and deploy robust security measures at all levels.

In this model, security may seem straightforward on the surface—with management solutions like Enterprise Mobile Management (EMM), companies can keep an eye on their devices and curb any risk incurred by the end user. The downside to this model is the lack of choice and the likely response by end users to circumvent security to use devices and services they prefer.

Splitting the Security Responsibility

Gartner defines semi-managed devices as those for which information security and end users split the responsibility. This model has gained in popularity, as employees have increasingly demanded more choice. They have no qualms spending their own money to use their favored devices, often bypassing IT and security measures to do so. It’s the driving force behind organizations’ move toward the BYOD and CYOD norms generally adopted today.

Although providing a semi-managed device environment provides personal flexibility to end users, that same flexibility raises security issues. Enterprise IT leaders are forced to rethink their approaches, especially when it comes to safeguarding network and endpoints—in large part because the end user is 100 percent responsible for the device and its personally installed applications, while IT is only in control of enterprise content (e.g. corporate data, files, important login information and financial records).

Mitigation of potential security issues in this model must start with IT security teams working directly with human resources, legal and finance departments to ensure compliance is always met. Options should be limited to a set of devices IT knows are more secure and compatible with existent access control, management and security tools. More importantly, security management tools should be launched at the content and application level, not the device level. The ability to have safeguards at a granular level is paramount in a corporate environment where a personal application can be compromised and then negatively impact the larger device ecosystem, including critical content.

This level of security is even more important in the case of non-managed devices that interact with a corporate network. Clear delineation of responsibility along with education is important when end users are involved.

Ultimately, straying away from the traditional, fully managed device environment is inevitable. The result is a corporate ecosystem that makes it difficult to maintain secure systems and compliance. But with the right approach, training and tools, IT and security can better enable and satisfy the “choice-first” employee while still maintaining a secure network.

Related Content:

 

With more than 25 years of industry experience, Rob leads the global marketing and product management teams. Prior to joining ForeScout, he was vice president and general manager of network security products at HP Software. Before HP, Rob served in numerous leadership roles ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.