Three Security Hurdles impacting the BYOD Initiative

Gartner throws light on how to overcome security challenges while shifting from enterprise-owned devices to BYOD

Seventy percent of respondents in a recent survey by Gartner, Inc. said that they have or are
planning to have "bring your own device" (BYOD) policies within the next 12 months to allow
employees to use personal mobile devices to connect to enterprise applications. Thirty-three
percent of all organizations surveyed currently have BYOD policies in place for mobile devices,
such as smartphones and tablets.
Shifting from an enterprise-owned mobile device fleet to having employees bringing their
own devices has a major impact on the way of thinking and acting about mobile security, said
Dionisio Zumerle, principal research analyst at Gartner. Policies and tools initially put in place
to deal with mobile devices offering consumer-grade security must be revised to deal with these
devices being under the ultimate control of a private user, rather than the organization.
Gartner believes that organizations must consider and take action on three major impacts when
moving to a BYOD policy:
Impact 1 - The right of users to leverage the capabilities of their personal devices conflicts
with enterprise mobile security policies and increases the risk of data leakage and the
exploiting of vulnerabilities.
Outside the enterprise's premises, employees may define their own usage policy for personal
devices. Users can, therefore, install apps and visit URLs of their choice, whereas enterprises
can limit applications and Web access on enterprise-owned devices. Users can also decide the
level of protection for their personally owned devices. When enterprise data is allowed on these
devices, the risk of leakage increases for the enterprise, not just because of the rise of mobile
malware, but also because legitimate but unsupported apps may inadvertently create security
risks for the organization and, most importantly, because of device loss.
Using mobile device management (MDM) software is one way to enforce policy on mobile
devices. Users should obtain access to enterprise information only after having accepted an
MDM agent on their personal devices, and possibly a URL filtering tool, such as a cloud-based
secure Web gateway (SWG) service, to safeguard and enforce enterprise policy on Internet
traffic. Enterprises should consider using application whitelisting, blacklisting and containerization,
as well as setting up an enterprise app store, or app catalog, for apps that are supported.
Impact 2 - User freedom of choice of device and the proliferation of devices with
inadequate security make it difficult to properly secure certain devices, as well as keep
track of vulnerabilities and updates.
Allowing users, rather than the IT department, to select operating systems (OS) and versions
of mobile devices opens the door to devices that are inadequate from a security standpoint.
An essential security baseline should require enhanced password controls, lock timeout period
enforcement, lock device after password retry limit, data encryption, remote lock and/or wipe.
The enterprise mobility baseline must also express minimum requirements on hardware and OS
versions; these alone will not be sufficient.
In alignment with the mobile security policy, network access control policies should be used,
for example, to deny access to enterprise resources such as email and apps from devices that
cannot support the security baseline. Preventive action should be taken to ban noncompliant
devices or create an alert for them by using tools such as MDM software.
Nevertheless, excessively limiting the types of allowed devices eliminates the benefits of BYOD
for users. There should be no compromise of security for the sake of device variety, but where it
is possible to manage and secure a new device model, it should be done. The policies that are
enforced will depend on the risk appetite of the organization and the sensitivity of data allowed to
reside on the device.
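The baseline-plus-gating approach described under Impacts 1 and 2 (MDM enrollment as a precondition, a minimum OS version per platform, passcode, auto-lock, retry-limit, encryption and remote-wipe requirements, and a deny/alert outcome for noncompliant devices) can be expressed as a small posture evaluator. The following is an added example, not Gartner's material or any MDM vendor's code; the posture field names, the sample devices and the version thresholds are constructed assumptions.

```python
"""BYOD posture gate: an added illustration, not code from Gartner or an MDM product.
Assumed (hypothetical): the MDM agent reports each device's posture as a dict with the
keys below, and the result feeds a NAC decision for email/app access."""
from dataclasses import dataclass

ALLOW, ALERT, DENY = "allow", "alert", "deny"

@dataclass(frozen=True)
class Baseline:
    min_os: dict                   # platform -> minimum supported OS version
    min_passcode_len: int = 6
    max_lock_timeout_s: int = 300  # auto-lock after at most 5 minutes idle
    max_retries: int = 10          # lock/wipe after this many failed unlocks
    require_encryption: bool = True
    require_remote_wipe: bool = True

def parse_version(v):
    """'10.3.1' -> (10, 3, 1); compare numerically so '10.10' > '10.9'."""
    return tuple(int(p) for p in v.split("."))

def evaluate(posture, baseline):
    """Return (decision, findings): DENY when a hard control is missing,
    ALERT for drift on soft controls, ALLOW when the device meets the baseline."""
    if not posture.get("mdm_enrolled"):
        return DENY, ["not enrolled in MDM"]
    hard, soft = [], []
    plat, ver = posture.get("platform"), posture.get("os_version", "0")
    if plat not in baseline.min_os:
        hard.append(f"unsupported platform {plat!r}")
    elif parse_version(ver) < parse_version(baseline.min_os[plat]):
        hard.append(f"OS {ver} below minimum {baseline.min_os[plat]}")
    if baseline.require_encryption and not posture.get("encrypted"):
        hard.append("storage not encrypted")
    if posture.get("passcode_len", 0) < baseline.min_passcode_len:
        hard.append("passcode below minimum length")
    if baseline.require_remote_wipe and not posture.get("remote_wipe"):
        hard.append("remote lock/wipe unavailable")
    if posture.get("lock_timeout_s", 0) > baseline.max_lock_timeout_s:
        soft.append("auto-lock timeout too long")
    if not 0 < posture.get("retry_limit", 0) <= baseline.max_retries:
        soft.append("no usable retry limit")
    if hard:
        return DENY, hard + soft
    return (ALERT if soft else ALLOW), soft

BASELINE = Baseline(min_os={"ios": "6.1", "android": "4.2"})  # constructed thresholds
# Constructed sample postures: one compliant device, one old unencrypted device.
COMPLIANT = dict(mdm_enrolled=True, platform="ios", os_version="6.1.3", encrypted=True,
                 passcode_len=6, remote_wipe=True, lock_timeout_s=120, retry_limit=10)
LEGACY = dict(mdm_enrolled=True, platform="android", os_version="4.0.4", encrypted=False,
              passcode_len=4, remote_wipe=True, lock_timeout_s=900, retry_limit=0)
```

Which controls are hard (deny) versus soft (alert) is the risk-appetite decision the text describes; the split above is one constructed choice, not a recommendation.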
Impact 3 - The user's ownership of device and data raises privacy concerns and stands in
the way of taking corrective action for compromised devices.
Most people consider data on their personal devices as their property, and would strongly object
to having it manipulated by the organization without their explicit consent. When shifting from
enterprise to user-owned devices, "remote wipe," which is a fundamental security feature in
a mobile security policy, becomes complicated from a legal and cultural point of view. Thus,
sufficient attention should be paid to this issue to avoid repercussions. In practice, "selective
wipe" is proving to be difficult in ensuring that all business data, and only business data, has been
deleted from the device.
In this situation, it is recommended to liaise with the legal department to obtain advice, because
there may be legal implications related to device wiping. Problems may arise if the user refuses
a remote wipe. Time is of the essence when performing this task, and asking the user for
permission after the compromise, when a remote wipe is considered necessary, will be impacted
by message exchange delays that can be critical. It is therefore advisable to obtain the explicit,
written consent of users to delete their data in case of compromises, or the loss or theft of
devices, at the time of the user's initiation to the BYOD program.
