For an increasing number of organizations, business is not only happening when employees are in defined workspaces but also when employees are on the move. Today’s organizations are going mobile, and mobile computing is revolutionizing the workplace. Many organizations have already embraced the Bring Your Own Device (BYOD) trend, and many are contemplating implementing BYOD programs, which can significantly improve productivity, increase revenue, and reduce operational costs. An essential component of any BYOD strategy is security: securing the invaluable data on mobile devices, and shielding the devices and data from threats.
Securing personal devices requires an in-depth knowledge of not only the unique aspects of mobile devices but also the unique approaches to securing mobile devices that aren’t owned by company. Multiple platforms and multiple mobile device management (MDM) solutions only complicate the BYOD puzzle. In this article, we’ll explore the threat landscape, the unique challenges that must be addressed when securing personal devices, and best practices for creating an effective mobile security strategy for a successful BYOD program.
The BYOD Challenge
Countless organizations have embraced the BYOD trend, but many are still struggling to provide secure mobile access to employees and keep company data secure, all while balancing competing interests: organizations want to increase productivity, revenue, and reduce costs, while employees want access to corporate data from anywhere and the freedom to choose any type of mobile device.
Enterprises want to give their employees access to company resources, but they want to do so in a secure manner. To achieve this, organizations need to be able to manage employee devices. In the event a device is compromised (e.g., stolen), they need to be able to lock/locate it and wipe the device to protect corporate data; likewise, to reduce the chances of employees installing malicious apps, they need to be able to control the types of apps employees can install.
Employees, meanwhile, want to enjoy the freedom mobile devices provide. Employees also don’t want organizations to have the ability to track their locations or know which apps they’ve installed on their mobile devices.
Satisfying both sides’ needs while keeping both sides happy is a big challenge. One of the reasons organizations have been slow to respond to this challenge is because of the unique characteristics of mobile devices.
Most of the mobile devices today are consumer-oriented, with consumer-grade security. Different platforms offer different security features and capabilities; even within a single platform there are many variations of the same operating system (OS), such as Android, and organizations have no control over OS updates and patches (unlike traditional mobile devices, where enterprises had complete control).
On the application side, organizations now have to support multiple platforms and decide whether to develop native apps or web apps. Organizations also need to make sure only authenticated users are accessing their line-of-business apps and that they have the right level of access within those apps. On the legal side, organizations must comply with various privacy laws and regulations; in some countries, for example, there are legal consequences for remote wiping personal devices.
These are just a few of the unique characteristics of mobile devices that must be considered when securing personal devices. Too much security can significantly impact employee satisfaction, but too little security can leave enterprises vulnerable to irreparable damage. It’s essential to strike a balance between security and the user experience. To increase BYOD adoption and security, organizations must evaluate the threat landscape for mobile devices and then find a solution that meets the needs of both employees and security teams.
The Threat Landscape
Mobile devices aren’t always in the secure enterprise fence, and that makes them vulnerable to additional threats, aside from the usual threats of social engineering, phishing, etc. These devices also have multiple attack vectors, including Bluetooth, SD-cards, Internet downloads, and app downloads. Any communication between the device and the enterprise can be intercepted if it’s not encrypted; likewise, locally stored data in applications can be extracted if it’s not encrypted.
Mobile devices can also be used to launch attacks on the enterprise. For instance, malware on a mobile device can remain in stealth mode until it’s connected to another computer, such as a desktop. Some tech-savvy users can jailbreak or root their devices and break the built-in OS security. Lost or stolen devices also pose a big threat to the enterprise, and confidential data must be securely backed up and wiped off the devices.
These are some of the high-level threats that must be considered when creating a BYOD security strategy. The first step in securing corporate data is classifying the type of data on mobile devices. The table below provides a good overview of the basics of data classification.
|Data at rest
|Data that is persistently stored on the mobile device. This includes internal flash memory as well as removable storage.
||Typically native applications that store data on the mobile device, such as email, calendar, sales tracking, ERP, CRM, etc. |
|Data at rest
|Data that is persistently stored in the cloud.
||Typically email, directory, and database servers. |
|Data in transit
||Data that is being transmitted between the mobile device and other network entities, including enterprise servers in the cloud as well as other devices in a P2P/Adhoc communication mode.
||Email messages, VPN traffic, financial transactions, healthcare records, ERP data, P2P/Adhoc communications. |
|Data in use(mobile device)
||Data that is being used by a running application. This data may or may not be visible to the end user and is typically discarded after the application is shut down.
||Any enterprise data displayed on screen such as email, calendar, ERP, CRM, sales tracking, etc. |
Once corporate data has been appropriately classified, the next step is finding the right solution to secure the company’s data and employees’ mobile devices.
Traditional MDM solutions focus primarily on the physical security of the device (versus software-level security). For this reason alone, MDMs are typically a better fit for company-owned devices than personal devices. However, MDMs are evolving past basic device-level security and should be carefully evaluated for additional features, such as content management, data containerization, mobile VPN, etc.
Container-based solutions typically sandbox corporate data and keep that data separate from personal data on mobile devices. This can be a great solution from a security standpoint. However, there can be significant development costs as companies start developing enterprise apps using container SDK for mobile apps. There’s typically no built-in enterprise app store for distributing apps that are built in-house. Also, container solutions aren’t always user-friendly, which can have a negative impact on the user experience.
VDI solutions are excellent at keeping corporate data off personal devices. These solutions are ideal for tablets, but they don’t usually work well with smartphones, mainly because of the small screen size. Most applications aren’t purpose-built for the tablet or smartphone form factor. Data connection speed and latency can cause a noticeable lag, which, again, can have a negative impact on the user experience.
VM solutions, which separate the personal and company workspaces on mobile devices, are very promising. This solution allows employees to perform personal activities on the personal side and company activities on the company side. However, the current hardware in mobile devices was not built to support virtualization, so these solutions can have a significant impact on performance and battery life. VM solutions should be ready for prime time when performance and battery life are no longer issues and manufacturers and wireless carriers are all on board.
To ensure the success of your BYOD program, it’s always best to have an executive sponsor for your strategy. Typically, you’ll want to create an approved-device list so you can test the allowed operating systems for security, management, and enterprise app compatibility, and you’ll need to draft policies and governance around protecting corporate data. You’ll also want to consult with your organization’s legal team to make sure you understand the rules and regulations in different countries. Finally, you’ll want to rank mobile applications based on security risk and make that list accessible to employees.
The key is balancing security with usability. Too much security can impact the BYOD adoption rate; too little security can put enterprise data at risk. It’s critical that the organization understands the needs of the business and its employees, is familiar with the unique aspects of mobile devices, and understands the threat landscape. Each of these factors play a key role in finding the right solution and implementing the right policies to secure the personal devices in a successful BYOD program.
TJ Singh is currently a senior consultant in the Mobility and Machine-to-Machine (M2M) practice of Verizon Professional Services within Verizon Business. TJ has more than nine years of experience as a mobility and technology professional. He has successfully designed and implemented comprehensive mobility solutions, and he’s a subject matter expert in mobile security. TJ holds a number of certifications, including Security+, Network+, and ITIL Foundation, and he contributed to the development of the Mobility+ certificate. He’s also presented at several industry conferences, including Microsoft TechEd, CTIA, Verizon DBIR, and Enterprise Mobility Exchange. TJ received his MS in information technology from the University of Dallas.