Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/30/2014
12:00 PM
Bret Arsenault
Bret Arsenault
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How Microsoft Cracks The BYOD Code: 3 Tips

Microsoft's CISO shares best-practices for balancing employee autonomy and security in today's bring-your-own world.

Securing a company’s IT environment can be a daunting task, and the growing adoption of bring-your-own-device can only add to the complexity. To effectively manage BYOD, security managers need to define new strategies to manage the resulting risks.

It likely won’t surprise you that recent research we conducted in a Trust in Computing survey shows that 78 percent of organizations allow employees to bring their own computers to the office for work purposes. BYOD can improve employee satisfaction and productivity, and the trend is becoming more commonplace today.

The good news is that BYOD can be implemented without eroding security. But it’s no small task for enterprises. At Microsoft’s, our IT group coordinates data security management across 340,000 devices connecting to the network and 2 million remote connections each month.

The internal BYOD policies we have developed, which I oversee as chief information security officer, provide a framework for enabling employees to use their personal devices while helping to maintain protections for corporate information. I believe that companies of many sizes can leverage at least some of what we’ve instituted in their own organizations. Here’s a sampling of some of our best-practices:

Best-Practice 1:  Develop a BYOD strategy
Effective security starts with a detailed strategy. At Microsoft we set out to define:

  • The company’s goals for the BYOD framework
  • The capabilities we need to reach those goals
  • A plan for supporting and securing access from personal devices
  • A strategy for accountability and implementation

To help put that into perspective, here’s a breakdown of how this works at Microsoft. Our goals for BYOD are to give employees access to messaging, collaboration, and line-of-business applications, to boost productivity, and to help employees balance their work and personal lives. This approach includes employee training and engages various departments like Human Resources and Legal.

Our standards for the use and integration of personally managed devices require employees to:

  • Accept security controls on personal phones in order to access email
  • Set personal phones to lock automatically after a period of inactivity
  • Provide ability to remotely wipe company data from a device that is lost or stolen

The final piece in the strategy is assigning accountability for implementing and overseeing BYOD. At Microsoft, our IT department oversees a coordinated effort to help secure data on more than 340,000 end-user devices being used at the company; and 90,000, or a quarter of the devices used in our environment, are personally owned.

Best-Practice 2: Manage between personal and corporate data
Companies need to take steps to segregate and protect corporate data effectively. For example, at Microsoft, any device accessing company email must adhere to security standards that:

  • Encrypt the data on the device
  • Require a PIN
  • Allow remote maintenance and updates to protect company applications and data

We continuously evolve this standard using technologies such as Microsoft Intune and other similar products that manage personally owned devices from the cloud by removing company data from a device without impacting personal files, apps, or pictures when employees leave the company or lend their phones to someone else.

Best-Practice 3: Define conditions for access
At Microsoft, we’ve moved to a Variable User Access model, which looks at the strength and trustworthiness of the device, and the identity presented by the employee, to determine the level of access to company resources. For example, we ask:

  • Is the employee using a non-corporate identity, such as a personal email account, or are they using a trusted ID from the corporate managed directory?
  • Is the device authenticated and fully managed by the company, using a mobile device management solution, or is the device personally owned by the employee?
  • Is the device being used from a known location or from a new, unknown external location?

The strength of those and other factors will determine the level of employee access, ranging from full network access and data, to full network access but no local data, to some access to web applications, to no access (guest Internet).

As BYOD continues to become more mainstream in the workplace, security can’t be an afterthought. Each company should determine which BYOD-friendly devices, services, and practices will best balance the benefits of BYOD with the increased security risks that come with it.

As Microsoft's Chief Information Security Officer, Bret Arsenault is responsible for enterprise-wide information security, compliance, and business continuity efforts. He leads a global team of security professionals with a strategic focus on information protection, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 9:52:35 PM
Re: Variable Access Model
Ok thanks! Based on your last statement:

"if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different."

I know you can't quantify your user data publicly. However, can you divulge confirmation that this is a container based approach on distinct levels of trust? Or is there some other methodology thats being used? Thanks.

 
BretArsenault
50%
50%
BretArsenault,
User Rank: Author
7/3/2014 | 12:16:25 PM
Re: Variable Access Model
Marilyn and Ryan, thank you for commenting. I'm glad you found my post valuable. Unfortunately, we can't share data on the number of employees at each access level. One reason for this is that those numbers can vary greatly from day to day, as one of the factors that we take into account is the device's location. The numbers can also change regularly as employees change the device they are using. For example, if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/1/2014 | 2:50:01 PM
Re: Variable Access Model
Me too, though, most companies dealing with BYOD don't have the scale (or resources) of a Microsft. It's still illuminating to see how an organzation of that size handles the problem.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2014 | 9:17:39 PM
Re: Variable Access Model
Good question Marilyn! I would think that whatever the quantity would be that they would have to implement some container methodology based on set trust levels for there MDM/EMM solution. I would be interested to here the technical aspect of there plan.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/30/2014 | 1:56:04 PM
Variable Access Model
Thanks for sharing some of the inner workings of Microsoft's byod policy.  340,000 devices is a lot of BYO to manage! Curious to know how many of those have full access to corporate assets and does that number encompass employees or strategic partners as well?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10694
PUBLISHED: 2019-12-12
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1....
CVE-2019-10695
PUBLISHED: 2019-12-12
When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user�s username and password were exposed in the job�s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the ...
CVE-2019-5085
PUBLISHED: 2019-12-12
An exploitable code execution vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption. An attacker can send a packet to trigger this vulnerability.
CVE-2019-5090
PUBLISHED: 2019-12-12
An exploitable information disclosure vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an out-of-bounds read, resulting in information disclosure. An attacker can send a packet to trigger this vulner...
CVE-2019-5091
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the Dicom-packet parsing functionality of LEADTOOLS libltdic.so version 20.0.2019.3.15. A specially crafted packet can cause an infinite loop, resulting in a denial of service. An attacker can send a packet to trigger this vulnerability.