Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/30/2014
12:00 PM
Bret Arsenault
Bret Arsenault
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How Microsoft Cracks The BYOD Code: 3 Tips

Microsoft's CISO shares best-practices for balancing employee autonomy and security in today's bring-your-own world.

Securing a company’s IT environment can be a daunting task, and the growing adoption of bring-your-own-device can only add to the complexity. To effectively manage BYOD, security managers need to define new strategies to manage the resulting risks.

It likely won’t surprise you that recent research we conducted in a Trust in Computing survey shows that 78 percent of organizations allow employees to bring their own computers to the office for work purposes. BYOD can improve employee satisfaction and productivity, and the trend is becoming more commonplace today.

The good news is that BYOD can be implemented without eroding security. But it’s no small task for enterprises. At Microsoft’s, our IT group coordinates data security management across 340,000 devices connecting to the network and 2 million remote connections each month.

The internal BYOD policies we have developed, which I oversee as chief information security officer, provide a framework for enabling employees to use their personal devices while helping to maintain protections for corporate information. I believe that companies of many sizes can leverage at least some of what we’ve instituted in their own organizations. Here’s a sampling of some of our best-practices:

Best-Practice 1:  Develop a BYOD strategy
Effective security starts with a detailed strategy. At Microsoft we set out to define:

  • The company’s goals for the BYOD framework
  • The capabilities we need to reach those goals
  • A plan for supporting and securing access from personal devices
  • A strategy for accountability and implementation

To help put that into perspective, here’s a breakdown of how this works at Microsoft. Our goals for BYOD are to give employees access to messaging, collaboration, and line-of-business applications, to boost productivity, and to help employees balance their work and personal lives. This approach includes employee training and engages various departments like Human Resources and Legal.

Our standards for the use and integration of personally managed devices require employees to:

  • Accept security controls on personal phones in order to access email
  • Set personal phones to lock automatically after a period of inactivity
  • Provide ability to remotely wipe company data from a device that is lost or stolen

The final piece in the strategy is assigning accountability for implementing and overseeing BYOD. At Microsoft, our IT department oversees a coordinated effort to help secure data on more than 340,000 end-user devices being used at the company; and 90,000, or a quarter of the devices used in our environment, are personally owned.

Best-Practice 2: Manage between personal and corporate data
Companies need to take steps to segregate and protect corporate data effectively. For example, at Microsoft, any device accessing company email must adhere to security standards that:

  • Encrypt the data on the device
  • Require a PIN
  • Allow remote maintenance and updates to protect company applications and data

We continuously evolve this standard using technologies such as Microsoft Intune and other similar products that manage personally owned devices from the cloud by removing company data from a device without impacting personal files, apps, or pictures when employees leave the company or lend their phones to someone else.

Best-Practice 3: Define conditions for access
At Microsoft, we’ve moved to a Variable User Access model, which looks at the strength and trustworthiness of the device, and the identity presented by the employee, to determine the level of access to company resources. For example, we ask:

  • Is the employee using a non-corporate identity, such as a personal email account, or are they using a trusted ID from the corporate managed directory?
  • Is the device authenticated and fully managed by the company, using a mobile device management solution, or is the device personally owned by the employee?
  • Is the device being used from a known location or from a new, unknown external location?

The strength of those and other factors will determine the level of employee access, ranging from full network access and data, to full network access but no local data, to some access to web applications, to no access (guest Internet).

As BYOD continues to become more mainstream in the workplace, security can’t be an afterthought. Each company should determine which BYOD-friendly devices, services, and practices will best balance the benefits of BYOD with the increased security risks that come with it.

As Microsoft's Chief Information Security Officer, Bret Arsenault is responsible for enterprise-wide information security, compliance, and business continuity efforts. He leads a global team of security professionals with a strategic focus on information protection, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/30/2014 | 1:56:04 PM
Variable Access Model
Thanks for sharing some of the inner workings of Microsoft's byod policy.  340,000 devices is a lot of BYO to manage! Curious to know how many of those have full access to corporate assets and does that number encompass employees or strategic partners as well?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2014 | 9:17:39 PM
Re: Variable Access Model
Good question Marilyn! I would think that whatever the quantity would be that they would have to implement some container methodology based on set trust levels for there MDM/EMM solution. I would be interested to here the technical aspect of there plan.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/1/2014 | 2:50:01 PM
Re: Variable Access Model
Me too, though, most companies dealing with BYOD don't have the scale (or resources) of a Microsft. It's still illuminating to see how an organzation of that size handles the problem.
BretArsenault
50%
50%
BretArsenault,
User Rank: Author
7/3/2014 | 12:16:25 PM
Re: Variable Access Model
Marilyn and Ryan, thank you for commenting. I'm glad you found my post valuable. Unfortunately, we can't share data on the number of employees at each access level. One reason for this is that those numbers can vary greatly from day to day, as one of the factors that we take into account is the device's location. The numbers can also change regularly as employees change the device they are using. For example, if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 9:52:35 PM
Re: Variable Access Model
Ok thanks! Based on your last statement:

"if we see an employee attempting to access the network through a known and highly assured device, compared to an employee using a computer kiosk at the airport, the experience is going to be different."

I know you can't quantify your user data publicly. However, can you divulge confirmation that this is a container based approach on distinct levels of trust? Or is there some other methodology thats being used? Thanks.

 
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5347
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
CVE-2020-5348
PUBLISHED: 2020-04-04
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode.
CVE-2020-8142
PUBLISHED: 2020-04-03
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was how...
CVE-2020-8143
PUBLISHED: 2020-04-03
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users to open a specifically crafted link and have them redirected to any destination.The CSRF protection of the “/...
CVE-2020-8147
PUBLISHED: 2020-04-03
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.