Bring Your Own Device (BYOD) is the latest trend in organizations globally. Business requirements such as the work-from-home model, 24x7 e-mail access, instant customer support, etc. are increasing, and the forecast is that this trend will continue to grow.
In early 2010, most companies were using BlackBerry, where the company provided the mobile phone devices. Soon, the smartphone took over almost the entire BlackBerry market. The advent of the smartphone made life easy, user friendly and cost effective. Companies realized that the running cost of the BlackBerry server, user licenses, device cost and service cost was high. While from a security perspective BlackBerry was reasonably secure, thanks to the varied security policy options available on the BlackBerry server, it proved to be too costly compared to the smartphone.
Further, it also became cumbersome for the IT team to manage an inventory of such mobile devices. Other issues arose as well, e.g. finance having to maintain book value, depreciation if a device is lost or stolen, the IT team having to maintain an Asset Allocation Form, repairs if a device is faulty, coordination with the vendor, following the purchase procedure, etc. After all of these tasks, and spending huge amounts of money, business users were still not satisfied due to the quality of the company phone and the restrictions and controls over a company-provided phone.
In order to avoid these multiple hurdles and save cost, many companies have begun allowing users to use their smartphone devices. However, I personally have seen many companies implement a BYOD policy without even thinking of “Information Security Risk”.
Risk Assessment (Without implementing any BYOD Security Solution)
| Risk | Control gap | Impact |
|---|---|---|
| Information leakage through BYOD | No segregation between "Corporate Information" and "Personal Information" | There is a risk of information sharing (intentional or unintentional) with an unauthorized person or competitor due to the absence of security controls over the BYOD mobile; this may lead to loss of business / reputation. |
| | Users can download any attachment onto the BYOD phone's memory card. | |
| | On user separation, the IT team cannot delete files stored on a personal memory card. | |
| | A single user can configure the company's e-mail account on multiple mobile phone devices without the IT/Security team's knowledge. | |
I hope the above table is enough to alert business stakeholders to the need for information security assurance. No firewall can prevent information leakage if this is not taken care of.
Many security companies have developed BYOD security solutions. It is important for the company's security officer to choose the right solution to protect information. When allowing user-owned devices for official purposes, the following MUST be taken care of:
- Ensure the company's information is protected on the user-owned device
- Ensure the user's privacy. Ultimately it is the user's device, and the company has no right to monitor what is stored on it
Most recognized BYOD security solutions provide the MOST IMPORTANT SECURITY FEATURE, called the SECURE CONTAINER.
Such a tool creates a "Corporate Space" within the phone memory to segregate the company's information from personal information. Users access the "Corporate Space" through a BYOD client installed on their device. The magic of this control is that users cannot copy and paste any information from the "Corporate Space" to the "Personal Space".
Following are the top 10 security controls which MUST be considered as part of a BYOD security solution:
| # | Control | Description |
|---|---|---|
| 1 | Secure Container | As mentioned above. Please don't even do a POC if the solution does not provide a secure container feature. All business e-mail attachments are to be stored in the corporate space only, not in the personal space. Copy and paste must not be allowed from the corporate space to the personal space. |
| 2 | Restrict screenshots | No screenshots in the corporate space. |
| 3 | Integrate with the company's central authentication control | The BYOD security solution should integrate with the company's AD for e-mail access. This feature spares the IT team the headache of maintaining a separate user management system. |
| 4 | Remote wipe-out | If the device is lost or stolen, the company's IT team should be able to wipe the device remotely without anybody's intervention. |
| 5 | Selective wipe-out | There should be an option of "Selective Wipe-out" to wipe only the "Corporate Space". No personal data should be wiped out. |
| 6 | Password policy | Some BYOD security solutions ask for a "Password" when accessing corporate e-mails. This is separate from the phone lock password. |
| 7 | Device restriction | A user should be restricted to configuring the company's e-mail account on ONE device only. If a user attempts to configure another device, the BYOD security solution should prevent it and throw an alert to the security administrator. |
| 8 | Audit logs | Various logs: |
| 9 | Compatibility | Does your solution support iOS, Android, Windows Phone, etc.? |
| 10 | User's private data | BYOD solutions should not access a user's private space. Instead, a solution should respect the user's privacy. |
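To make controls 5, 7 and 8 concrete, here is an added illustrative model (not any vendor's product, and not code from the original post) of a registry that allows one device per user, raises an alert on a second enrollment attempt, wipes only the corporate space on separation, and records every action in an audit log. Class, method and event names are assumptions chosen for the example.

```python
"""Model of three BYOD checklist controls: one device per user (7),
selective wipe of the corporate space only (5) and an audit trail (8).
Added example with assumed names; not a real MDM/BYOD product."""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    corporate_space: dict = field(default_factory=dict)  # secure container
    personal_space: dict = field(default_factory=dict)   # never touched by IT


class ByodRegistry:
    def __init__(self):
        self.enrolled = {}    # user -> device_id (control 7: one device only)
        self.devices = {}     # device_id -> Device
        self.audit_log = []   # (event, user, device_id) tuples (control 8)

    def _log(self, event, user, device_id):
        self.audit_log.append((event, user, device_id))

    def enroll(self, user, device):
        """Allow the user's first device; deny and alert on any other one."""
        current = self.enrolled.get(user)
        if current is not None and current != device.device_id:
            self._log("ENROLL_DENIED", user, device.device_id)
            self._log("ALERT_MULTI_DEVICE", user, device.device_id)
            return False
        self.enrolled[user] = device.device_id
        self.devices[device.device_id] = device
        self._log("ENROLL_OK", user, device.device_id)
        return True

    def selective_wipe(self, user):
        """On separation: clear only the corporate space (control 5)."""
        device = self.devices[self.enrolled.pop(user)]
        device.corporate_space.clear()   # personal_space is left untouched
        self._log("SELECTIVE_WIPE", user, device.device_id)
        return device


def pending_alerts(registry):
    """Events the security administrator should be notified about."""
    return [(u, d) for e, u, d in registry.audit_log
            if e == "ALERT_MULTI_DEVICE"]
```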
The security checklist can be further enhanced by the BYOD security solution vendor together with the security officer, based on need. Once a solution is implemented, the organization's HR team rolls out a BYOD policy complete with eligibility criteria, do's and don'ts, etc.
There are lots of BYOD security solutions in the market and, generally speaking, the CISO function should lead the BYOD security solution assessment.
Visit http://highersecurity.blogspot.in for more information security-related blogs.