

6/30/2014
12:00 PM
Bret Arsenault
Commentary

How Microsoft Cracks The BYOD Code: 3 Tips

Microsoft's CISO shares best-practices for balancing employee autonomy and security in today's bring-your-own world.

Securing a company’s IT environment is a daunting task, and the growing adoption of bring-your-own-device (BYOD) adds to the complexity. To support BYOD without losing control, security managers need new strategies that address the risks it introduces.

It likely won’t surprise you that recent research we conducted in a Trust in Computing survey shows that 78 percent of organizations allow employees to bring their own computers to the office for work purposes. BYOD can improve employee satisfaction and productivity, and the trend is becoming more commonplace today.

The good news is that BYOD can be implemented without eroding security. But it’s no small task for enterprises. At Microsoft, our IT group coordinates data security management across 340,000 devices connecting to the network and 2 million remote connections each month.

The internal BYOD policies we have developed, which I oversee as chief information security officer, provide a framework for enabling employees to use their personal devices while maintaining protections for corporate information. I believe that companies of many sizes can apply at least some of what we’ve instituted in their own organizations. Here is a sampling of our best practices:

Best-Practice 1:  Develop a BYOD strategy
Effective security starts with a detailed strategy. At Microsoft we set out to define:

  • The company’s goals for the BYOD framework
  • The capabilities we need to reach those goals
  • A plan for supporting and securing access from personal devices
  • A strategy for accountability and implementation

To help put that into perspective, here’s a breakdown of how this works at Microsoft. Our goals for BYOD are to give employees access to messaging, collaboration, and line-of-business applications, to boost productivity, and to help employees balance their work and personal lives. This approach includes employee training and engages various departments like Human Resources and Legal.

Our standards for the use and integration of personally managed devices require employees to:

  • Accept security controls on personal phones in order to access email
  • Set personal phones to lock automatically after a period of inactivity
  • Allow company data to be remotely wiped from a device that is lost or stolen

The final piece in the strategy is assigning accountability for implementing and overseeing BYOD. At Microsoft, our IT department oversees a coordinated effort to help secure data on more than 340,000 end-user devices used at the company; 90,000 of those, roughly a quarter, are personally owned.

Best-Practice 2: Separate personal and corporate data
Companies need to take steps to segregate and protect corporate data effectively. For example, at Microsoft, any device accessing company email must adhere to security standards that:

  • Encrypt the data on the device
  • Require a PIN
  • Allow remote maintenance and updates to protect company applications and data

We continuously evolve this standard using technologies such as Microsoft Intune and similar products that manage personally owned devices from the cloud. When an employee leaves the company or lends a phone to someone else, these tools remove company data from the device without touching personal files, apps, or pictures.

Best-Practice 3: Define conditions for access
At Microsoft, we’ve moved to a Variable User Access model, which looks at the strength and trustworthiness of the device, and the identity presented by the employee, to determine the level of access to company resources. For example, we ask:

  • Is the employee using a non-corporate identity, such as a personal email account, or are they using a trusted ID from the corporate managed directory?
  • Is the device authenticated and fully managed by the company, using a mobile device management solution, or is the device personally owned by the employee?
  • Is the device being used from a known location or from a new, unknown external location?

The strength of those and other factors determines the level of employee access, ranging from full network access with data stored locally, to full network access with no local data, to access to a subset of web applications, to no access beyond guest Internet.
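The decision described above can be expressed as a small policy evaluator. The following is an added example, not code from the article or from Microsoft's own implementation: the signal names, the tier each signal value can justify, and the rule that the weakest signal caps the grant are all assumptions chosen to illustrate the model. Unrecognised signal values fall to the lowest tier rather than raising, so a malformed request never ends up more privileged than a well-formed one.

```python
"""Variable-user-access decision: the weakest signal caps the access tier."""
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    """Access tiers from the article, ordered least to most privileged."""
    GUEST_INTERNET = 0         # no access to company resources
    WEB_APPS = 1               # some web applications only
    NETWORK_NO_LOCAL_DATA = 2  # full network access, nothing stored locally
    FULL = 3                   # full network access and local data


@dataclass(frozen=True)
class Signals:
    """Observed facts about one access attempt (constructed for this example)."""
    identity: str   # "corporate" (managed-directory ID) or "personal"
    device: str     # "managed" (corporate MDM), "enrolled" (personal, MDM-enrolled), "unmanaged"
    location: str   # "known" or "unknown"


# Highest tier each signal value can justify on its own. These mappings are
# hypothetical: the article lists the questions asked, not the exact policy.
IDENTITY_CAP = {"corporate": Access.FULL, "personal": Access.GUEST_INTERNET}
DEVICE_CAP = {
    "managed": Access.FULL,
    "enrolled": Access.NETWORK_NO_LOCAL_DATA,
    "unmanaged": Access.WEB_APPS,
}
LOCATION_CAP = {"known": Access.FULL, "unknown": Access.NETWORK_NO_LOCAL_DATA}

FAIL_CLOSED = Access.GUEST_INTERNET  # applied to any unrecognised or missing signal


@dataclass(frozen=True)
class Decision:
    level: Access
    limited_by: tuple  # names of the signals whose cap set the ceiling


def decide(s: Signals) -> Decision:
    """Grant the most privileged tier that every signal permits.

    Each factor independently caps the tier and the grant is the minimum of
    the caps, so a strong identity never compensates for an untrusted device
    (or the reverse). The limiting factor is reported so the user, or the
    help desk, can see which signal to improve to obtain more access.
    """
    caps = {
        "identity": IDENTITY_CAP.get(s.identity, FAIL_CLOSED),
        "device": DEVICE_CAP.get(s.device, FAIL_CLOSED),
        "location": LOCATION_CAP.get(s.location, FAIL_CLOSED),
    }
    level = min(caps.values())
    limited_by = tuple(name for name, cap in caps.items() if cap == level)
    return Decision(level, limited_by)


if __name__ == "__main__":
    # Constructed sample requests covering each tier named in the article.
    samples = [
        Signals("corporate", "managed", "known"),      # trusted laptop on campus
        Signals("corporate", "enrolled", "known"),     # personal phone, MDM-enrolled
        Signals("corporate", "managed", "unknown"),    # trusted laptop, new location
        Signals("corporate", "unmanaged", "unknown"),  # airport kiosk
        Signals("personal", "managed", "known"),       # personal email account
        Signals("corporate", "jailbroken?", "known"),  # unrecognised device state
    ]
    for s in samples:
        d = decide(s)
        print(f"{s.identity:9} {s.device:11} {s.location:8} -> "
              f"{d.level.name} (limited by {', '.join(d.limited_by)})")
```

Taking the minimum across independent caps is what keeps the model honest: adding a new signal (a device health attestation, say) can only lower a grant, never raise one, so the policy degrades safely as signals are added or go missing.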

As BYOD continues to become more mainstream in the workplace, security can’t be an afterthought. Each company should determine which BYOD-friendly devices, services, and practices will best balance the benefits of BYOD with the increased security risks that come with it.

As Microsoft's Chief Information Security Officer, Bret Arsenault is responsible for enterprise-wide information security, compliance, and business continuity efforts. He leads a global team of security professionals with a strategic focus on information protection, ...
Comments
RyanSepe, User Rank: Ninja
7/3/2014 | 9:52:35 PM
Re: Variable Access Model
Ok thanks! Based on your last statement:

"if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different."

I know you can't quantify your user data publicly. However, can you divulge confirmation that this is a container-based approach on distinct levels of trust? Or is there some other methodology that's being used? Thanks.
BretArsenault, User Rank: Author
7/3/2014 | 12:16:25 PM
Re: Variable Access Model
Marilyn and Ryan, thank you for commenting. I'm glad you found my post valuable. Unfortunately, we can't share data on the number of employees at each access level. One reason for this is that those numbers can vary greatly from day to day, as one of the factors that we take into account is the device's location. The numbers can also change regularly as employees change the device they are using. For example, if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different.
Marilyn Cohodas, User Rank: Strategist
7/1/2014 | 2:50:01 PM
Re: Variable Access Model
Me too, though most companies dealing with BYOD don't have the scale (or resources) of a Microsoft. It's still illuminating to see how an organization of that size handles the problem.
RyanSepe, User Rank: Ninja
6/30/2014 | 9:17:39 PM
Re: Variable Access Model
Good question, Marilyn! I would think that whatever the quantity would be, they would have to implement some container methodology based on set trust levels for their MDM/EMM solution. I would be interested to hear the technical aspect of their plan.
Marilyn Cohodas, User Rank: Strategist
6/30/2014 | 1:56:04 PM
Variable Access Model
Thanks for sharing some of the inner workings of Microsoft's byod policy.  340,000 devices is a lot of BYO to manage! Curious to know how many of those have full access to corporate assets and does that number encompass employees or strategic partners as well?
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, lea...