Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

10/10/2012
12:55 PM
50%
50%

BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

3. Set the rules

If you experiment with BYOD, you must consider where and how to enforce the rules, says Sophos's Svajcer. Do you want to allow every type of new device on your network but curtail access to resources, or provide more extensive access to select devices that meet security standards?

Mobile device management software is a fast-growing area of interest and investment. Gartner counts more than 100 companies in the enterprise MDM market worldwide. MDM vendors include large IT services and security companies such as IBM, SAP, Sophos, and Symantec, as well as specialized firms such as AirWatch, Good Technologies, and Zenprise.

Depending on the package you go with, MDM software and services let you set policies across a range of mobile device hardware and software platforms. They enforce strong passwords and application downloading and patching, as well as detect jailbroken devices, and provide auditing and remote wiping and locking for lost and stolen devices.

Some MDM vendors are introducing data monitoring capabilities that give businesses a window into what data is moving to and from managed mobile devices. Vendors such as Zenprise also offer "geofencing," which lets IT detect when devices leave a certain geographic area and take action to secure them (such as locking or remotely wiping data on the device).

Companies also are finding alternatives to an all-or-nothing approach to BYOD that encourage productive use of mobile devices but retain a measure of control.

One such approach is enterprise mobile application stores, in which businesses provide access to company-approved mobile apps for download by employees, while using mobile security policies to prevent unapproved applications from being installed on managed devices.

Startups such as AppCentral, which has Pepsi and Anheuser-Busch as customers, provide services that let companies control and manage their employees' access to custom mobile applications. Similarly, Cisco's AppHQ platform helps companies create their own internally hosted application stores.

Branded mobile application storefronts can go a long way to easing enterprise concerns about application integrity and corporate control. In the long term, however, Sourcefire's Huger believes that the BYOD trend may come back full circle to LYDAH (leave your device at home).

Whether employees like it or not, security and management require employers to run software on employees' devices. As noted previously, that can be a sensitive issue when the employer doesn't own the device. Companies can skirt the issue by supplying employees with attractive mobile devices loaded with the necessary security and management tools.

"I've started to see exactly that," Huger says. "I have a customer who just purchased 500 iPhones for employees. They spent a lot of money to do it, but it's cheaper and more effective to control the software on the devices," he says. "In the long term, you just can't have these powerful devices unrestricted and loose on your network."

Employees may be more amenable to that approach than all the BYOD talk suggests, according to Forrester data. A Forrester Forrsights Workforce Employee Survey of 322 enterprise users from the fourth quarter of 2011 found that, while 45% of respondents would like to have their choice of mobile phone or smartphone, only 23% would be willing to contribute to the cost of the device in exchange for choice. Fully 32% of those surveyed say they "don't care" about choosing their own work mobile phone or smartphone.

4. Confront the issues

Finally, while companies should take seriously the risks of BYOD, they shouldn't overcorrect for the perceived loss of control that employee-owned devices create.

"You want to have sensible, but not restrictive policies," Mahaffey says. "The most important thing is to empower people to be productive."

Don't take the "slumlord approach to network security," says Johannes Ullrich of the SANS Institute in an article he wrote for the Forbes website. Like landlords for low-rent apartments, Ullrich says, many network administrators remove or disable features that could potentially cause security problems, rather than incur risk by letting employees benefit from those features. By overreacting to perceived risk, those administrators create rules-bound IT environments that can crush workers' souls--especially younger, digital natives. Like stripped-down apartment houses, those restrictive, punitive IT environments drive away creative employees and encourage those that remain to circumvent security features, rather than live with them.

BYOD is a great example of embracing reality rather than fighting it. Employees are going to use their own devices anyway, so it's better to support them, Ullrich says. Rather than crack down on non-company-owned devices, he says, "it may be more secure to set up a dedicated network for these devices that's controlled and managed versus having employees work around these issues."

Education may, in the end, be the simplest, cheapest, and most effective tool that companies can use to reduce the risks employee-owned devices pose. Talking to employees about mobile threats and the importance of using passwords to secure physical access to devices, as well as encryption to protect the data that's stored on them, is critical, especially in the absence of corporate-wide policies and tools to enforce them.

Rather than banishing employee-owned devices, smart organizations will embrace them and learn how to address the security shortcomings. "Don't freak out and stop people from using their phone," says Mahaffey. "Confront the issues and deal with them." That approach puts you in control of the devices on your network, ensures that employees are well educated about potential problems, and makes it less likely they'll sneak devices on the network or otherwise violate policies.

Previous
3 of 4
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
parmerchristian
50%
50%
parmerchristian,
User Rank: Apprentice
11/5/2012 | 7:56:43 PM
re: BYOD: Filling The Holes In Your Security Policy
82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work - this is the reality, but also it is a large security risk. The article makes important points about BYOD policy, and it is criticle to have a good policy. Also important is education of that policy. We changed our BYOD to have all doctors use a HIPAA compliant text messaging app called TIgertext to send patient info, but the adoption rate was very low, until we brought every docotr in, explained the policy, what we have it, and how to use the app. Now was have about a 97% use rate.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...