
10/10/2012
12:55 PM

BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

3. Set the rules

If you experiment with BYOD, you must consider where and how to enforce the rules, says Sophos's Svajcer. Do you want to allow every type of new device on your network but curtail access to resources, or provide more extensive access to select devices that meet security standards?

Mobile device management software is a fast-growing area of interest and investment. Gartner counts more than 100 companies in the enterprise MDM market worldwide. MDM vendors include large IT services and security companies such as IBM, SAP, Sophos, and Symantec, as well as specialized firms such as AirWatch, Good Technologies, and Zenprise.

Depending on the package you go with, MDM software and services let you set policies across a range of mobile device hardware and software platforms. They enforce strong passwords and policies for application downloading and patching, detect jailbroken devices, and provide auditing as well as remote wiping and locking for lost and stolen devices.

Some MDM vendors are introducing data monitoring capabilities that give businesses a window into what data is moving to and from managed mobile devices. Vendors such as Zenprise also offer "geofencing," which lets IT detect when devices leave a certain geographic area and take action to secure them (such as locking or remotely wiping data on the device).

Companies also are finding alternatives to an all-or-nothing approach to BYOD that encourage productive use of mobile devices but retain a measure of control.

One such approach is enterprise mobile application stores, in which businesses provide access to company-approved mobile apps for download by employees, while using mobile security policies to prevent unapproved applications from being installed on managed devices.

Startups such as AppCentral, which has Pepsi and Anheuser-Busch as customers, provide services that let companies control and manage their employees' access to custom mobile applications. Similarly, Cisco's AppHQ platform helps companies create their own internally hosted application stores.

Branded mobile application storefronts can go a long way to easing enterprise concerns about application integrity and corporate control. In the long term, however, Sourcefire's Huger believes that the BYOD trend may come back full circle to LYDAH (leave your device at home).

Whether employees like it or not, security and management require employers to run software on employees' devices. As noted previously, that can be a sensitive issue when the employer doesn't own the device. Companies can skirt the issue by supplying employees with attractive mobile devices loaded with the necessary security and management tools.

"I've started to see exactly that," Huger says. "I have a customer who just purchased 500 iPhones for employees. They spent a lot of money to do it, but it's cheaper and more effective to control the software on the devices," he says. "In the long term, you just can't have these powerful devices unrestricted and loose on your network."

Employees may be more amenable to that approach than all the BYOD talk suggests, according to Forrester data. A Forrester Forrsights Workforce Employee Survey of 322 enterprise users from the fourth quarter of 2011 found that, while 45% of respondents would like to have their choice of mobile phone or smartphone, only 23% would be willing to contribute to the cost of the device in exchange for choice. Fully 32% of those surveyed say they "don't care" about choosing their own work mobile phone or smartphone.

4. Confront the issues

Finally, while companies should take seriously the risks of BYOD, they shouldn't overcorrect for the perceived loss of control that employee-owned devices create.

"You want to have sensible, but not restrictive policies," Mahaffey says. "The most important thing is to empower people to be productive."

Don't take the "slumlord approach to network security," says Johannes Ullrich of the SANS Institute in an article he wrote for the Forbes website. Like landlords for low-rent apartments, Ullrich says, many network administrators remove or disable features that could potentially cause security problems, rather than incur risk by letting employees benefit from those features. By overreacting to perceived risk, those administrators create rules-bound IT environments that can crush workers' souls--especially those of younger digital natives. Like stripped-down apartment houses, those restrictive, punitive IT environments drive away creative employees and encourage those who remain to circumvent security features, rather than live with them.

BYOD is a great example of embracing reality rather than fighting it. Employees are going to use their own devices anyway, so it's better to support them, Ullrich says. Rather than crack down on non-company-owned devices, he says, "it may be more secure to set up a dedicated network for these devices that's controlled and managed versus having employees work around these issues."

Education may, in the end, be the simplest, cheapest, and most effective tool that companies can use to reduce the risks employee-owned devices pose. Talking to employees about mobile threats and the importance of using passwords to secure physical access to devices, as well as encryption to protect the data that's stored on them, is critical, especially in the absence of corporate-wide policies and tools to enforce them.

Rather than banishing employee-owned devices, smart organizations will embrace them and learn how to address the security shortcomings. "Don't freak out and stop people from using their phone," says Mahaffey. "Confront the issues and deal with them." That approach puts you in control of the devices on your network, ensures that employees are well educated about potential problems, and makes it less likely they'll sneak devices on the network or otherwise violate policies.

Comments
parmerchristian,
User Rank: Apprentice
11/5/2012 | 7:56:43 PM
re: BYOD: Filling The Holes In Your Security Policy
82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work - this is the reality, but also it is a large security risk. The article makes important points about BYOD policy, and it is critical to have a good policy. Also important is education of that policy. We changed our BYOD to have all doctors use a HIPAA compliant text messaging app called TigerText to send patient info, but the adoption rate was very low, until we brought every doctor in, explained the policy, why we have it, and how to use the app. Now we have about a 97% use rate.