Tech Insight: Getting A Handle On BYOD -- And Jailbroken Phones

Rolling out a mobile device management (MDM) solution is one option, but just how much control should you impose?
At the recent SANS Mobile Device Security Summit in Nashville, there was a common theme: The mobile BYOD (bring your own device) movement is upon us, and security professionals need to meet the challenge head-on. Security pros need to quickly ramp up their knowledge of the unique security issues posed by the influx of Apple iOS devices and the large number of different Android phones and tablets.

While some companies may choose to go the traditional route of purchasing a specific mobile phone and integrated management platform for end-to-end management, the simple truths of economics and employee demand are causing companies to rethink their strategies and allow personal devices into the corporate environment. But with the introduction of personal devices, the sticky decision must be made over what level of corporate control to impose on an employee's personal device.

What's the best approach for dealing with the BYOD movement? Ignoring it or trying to ban it completely isn't working; employees are still going to connect their devices to the network or plug them into their computers. Implementing a mobile device management (MDM) solution to control the mobile devices is certainly a strategy, but can be difficult when there is a large diversity in the types of devices being used. And there's that difficult question of how much control to exert.

A more conservative approach of monitoring and reporting can help alleviate the control issues while still providing visibility into the BYOD population. Anything that becomes too risky can be quickly dealt with either by a remote command to the device or a discussion with the device owner.

Companies looking to take a more risk-averse approach have started focusing on methods for segregating mobile devices from the rest of the corporate resources and "crown jewels." That was the topic of Josh Feinblum's "Protecting the Jewels: Mobile Device Segregation" presentation at SANS.

Feinblum reviewed the technical risks facing mobile devices and different ways that enterprises could leverage existing network firewalls and wireless deployments to corral mobile devices into a disparate and segregated environment. From there, the devices could interact with a highly controlled set of servers and only for specific purposes, such as Exchange, ActiveSync, and Citrix.

Or better yet, a hybrid approach using MDM for monitoring with minimal control combined with network controls for segregation would address several areas of concern.
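The segregation Feinblum describes (mobile devices corralled into their own segment that can reach only a short list of servers, such as Exchange/ActiveSync and Citrix) can be expressed as an allow-list plus a default deny, and the same allow-list can be run over firewall flow logs in monitor mode to see what the policy would block before it is enforced. The following Python is an added example written for this article, not code from the summit presentation or any vendor; the mobile VLAN, server addresses, ports and log lines are constructed placeholders.

```python
"""Audit firewall flow logs against a mobile-segment segregation policy.

Constructed example: the mobile VLAN, server addresses and log lines are
invented for illustration and are not from the article.
"""
import ipaddress
from dataclasses import dataclass

# The segregated wireless/VPN segment that BYOD devices land on (constructed).
MOBILE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# Allow-list: the only corporate servers a mobile device may reach, per port.
# (destination IP, destination port, protocol) -> label used in rules/reports
ALLOWED = {
    ("10.10.1.10", 443, "tcp"): "exchange-activesync",
    ("10.10.1.20", 443, "tcp"): "citrix-gateway",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' firewall log line into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def decide(flow: Flow) -> str:
    """Classify a flow: 'not-mobile' (policy does not apply), 'allow' or 'deny'."""
    if ipaddress.ip_address(flow.src) not in MOBILE_SEGMENT:
        return "not-mobile"
    if (flow.dst, flow.dport, flow.proto) in ALLOWED:
        return "allow"
    return "deny"


def denied_flows(lines):
    """Return the mobile-origin flows that the segregation policy would block.

    Run over logs from a firewall still in monitor mode, this shows what the
    policy would have stopped before the DROP rule is turned on.
    """
    return [f for f in map(parse_flow, lines) if decide(f) == "deny"]


def render_iptables_rules(chain="FORWARD"):
    """Emit the equivalent iptables rules: explicit accepts, then a default drop."""
    rules = []
    for (dst, port, proto), label in ALLOWED.items():
        rules.append(
            f"iptables -A {chain} -s {MOBILE_SEGMENT} -d {dst} -p {proto} "
            f"--dport {port} -m comment --comment {label} -j ACCEPT"
        )
    rules.append(f"iptables -A {chain} -s {MOBILE_SEGMENT} -j DROP")
    return rules


# Constructed log lines: two legitimate sessions, one SMB attempt at a file
# server, one SMTP attempt straight at Exchange, and one flow from a desktop VLAN.
SAMPLE_LOG = [
    "src=10.50.3.21 dst=10.10.1.10 dport=443 proto=tcp",
    "src=10.50.3.21 dst=10.10.5.5 dport=445 proto=tcp",
    "src=10.50.7.9 dst=10.10.1.20 dport=443 proto=tcp",
    "src=10.50.7.9 dst=10.10.1.10 dport=25 proto=tcp",
    "src=10.20.1.4 dst=10.10.5.5 dport=445 proto=tcp",
]

if __name__ == "__main__":
    for rule in render_iptables_rules():
        print(rule)
    for flow in denied_flows(SAMPLE_LOG):
        print(f"would block: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

The rule set is intentionally short: a handful of ACCEPT lines keyed on destination and port, then a DROP for everything else leaving the mobile segment. Anything the mobile population needs beyond Exchange/ActiveSync and Citrix has to be added to the allow-list deliberately, which is the point of the segregation.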

What about jailbroken iPhones and rooted Android devices? The general consensus of the summit speakers and attendees is that these altered devices have no place in the corporate environment. Summit co-chair and Secure Ideas security consultant Kevin Johnson said that he is against jailbroken devices in the enterprise. He said there are certainly benefits to having a jailbroken/rooted device, but they also pose numerous risks to company networks and data.

What are those benefits and risks? The primary benefit is full access to the device's underlying operating system. Smartphone manufacturers put in controls to limit users' access to the underlying system. Jailbreaking and rooting bypass those restrictions so the user has full rights over the system, similar to an administrator account on Windows or root on Linux. This gives the ability to access files and data that were previously inaccessible and, for Apple devices, the ability to install applications from sources other than the Apple App Store.

According to SANS Mobile Summit speaker and VyStar Credit Union security analyst Brent Morris, there are some excellent applications available for iOS devices that actually provide a greater level of security for jailbroken iPhones and iPads. In particular, firewall applications like Firewall IP act like a personal firewall on a PC, allowing users to selectively allow and deny mobile app network traffic. Or you can whitelist and blacklist calls and SMS with iBlacklist to deal with obnoxious salespeople and spam calls.

Of course, there's a dark side to jailbreaking and rooted mobile devices to keep in mind. The additional access to the file system and components of the operating system also means that third-party applications could have the same level of access. This access could leave sensitive data exposed, and can lead to passcode bypass in some cases.

Tom Eston, penetration testing manager at SecureState and SANS Summit speaker, cautions enterprises not to allow jailbreaks because of the security concerns surrounding data leakage and third-party apps not vetted by Apple. He specifically brought attention to the fact that some built-in security controls within iOS are disabled when a device is jailbroken. Eston recommends that organizations prevent jailbreaking by using an MDM solution to help prevent unforeseen issues posed by those devices.
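Eston's recommendation, combined with the monitor-and-report approach described earlier (risky devices handled by a remote command or a conversation with the owner), comes down to a triage rule over whatever the MDM reports. The Python below is an added example written for this article, not code from any MDM product or from the presenters; the inventory export, its field names (in particular the `compromised` flag that stands in for the MDM agent's jailbreak/root detection) and the dates are constructed assumptions, not a real vendor schema.

```python
"""Triage a constructed MDM inventory export into per-device responses.

Constructed example: the export format and all device records are invented
for illustration; field names are an assumption, not any vendor's schema.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed export. "compromised" stands in for the MDM agent's
# jailbroken/rooted verdict; "last_checkin" is the agent's last report time.
MDM_EXPORT = """
[
 {"device_id": "ios-0001", "platform": "ios", "owner": "user1",
  "compromised": false, "passcode_set": true, "last_checkin": "2012-03-20T09:00:00Z"},
 {"device_id": "ios-0002", "platform": "ios", "owner": "user2",
  "compromised": true, "passcode_set": true, "last_checkin": "2012-03-20T08:30:00Z"},
 {"device_id": "and-0003", "platform": "android", "owner": "user3",
  "compromised": false, "passcode_set": false, "last_checkin": "2012-03-19T22:10:00Z"},
 {"device_id": "and-0004", "platform": "android", "owner": "user4",
  "compromised": false, "passcode_set": true, "last_checkin": "2012-03-01T10:00:00Z"}
]
"""

# Fixed clock so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2012, 3, 20, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=7)  # an agent silent this long can no longer vouch for the device


def triage(device, now=NOW):
    """Return (severity, action, reason) for one device record.

    A jailbroken/rooted device is quarantined outright: per the article, built-in
    iOS controls are disabled and any third-party app inherits full access, so no
    other attribute can offset it. Lesser findings go to the device owner.
    """
    if device["compromised"]:
        return ("high", "quarantine",
                "jailbroken/rooted: platform controls cannot be relied on")

    findings = []
    if not device["passcode_set"]:
        findings.append("no passcode")
    last = datetime.fromisoformat(device["last_checkin"].replace("Z", "+00:00"))
    if now - last > STALE_AFTER:
        findings.append("no check-in for %d days" % (now - last).days)

    if findings:
        return ("medium", "contact-owner", "; ".join(findings))
    return ("low", "none", "compliant")


def triage_export(export_json, now=NOW):
    """Map device_id -> (severity, action, reason) for a whole export."""
    return {d["device_id"]: triage(d, now) for d in json.loads(export_json)}


def quarantine_list(export_json, now=NOW):
    """Device ids whose network access should be revoked and corporate data removed."""
    return sorted(dev for dev, (_, action, _) in triage_export(export_json, now).items()
                  if action == "quarantine")


if __name__ == "__main__":
    for dev, (sev, action, reason) in triage_export(MDM_EXPORT).items():
        print(f"{dev:10} {sev:6} {action:14} {reason}")
```

The "quarantine" action is where the hybrid approach closes the loop: the MDM supplies the verdict, and the network side (the mobile segment's allow-list, a RADIUS/NAC attribute, or simply removing the device's certificate) enforces it, so the altered device loses access to the corporate servers rather than being trusted on the strength of a now-unreliable OS.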

Is there an easy answer for enterprises as they look to secure their network from the influx of mobile devices?

Not really. But there are enough options available that they can be bundled with traditional network security controls to meet an organization's needs.
