The advent of smartphones, tablets, laptops and other portable devices has opened new horizons in the way enterprise IT infrastructures are developed, engineered and deployed in order to support employees and customers. We are living in the era of “mobile first” strategies, where providing IT services to mobile users is a top priority and sometimes more important than supporting conventional stationary users. This is largely due to the proliferation of mobile devices and the rise of a mobile workforce in almost every organization. In this context, organizations must ensure that applications, data, services and other IT resources are securely accessible through the mobile devices of their employees, even where these devices are owned by the employees themselves rather than by the organization. This matters because many employees already use their own devices for work, whether or not their employer has planned for it.
The BYOD (Bring Your Own Device) movement has emerged to address these considerations, based on systems and policies that provide anywhere, anytime access to corporate data and information, even when users work from their personal devices rather than devices provided by the enterprise. BYOD is considered a boost to employee productivity, and it is also credited with higher accuracy of the exchanged data and lower IT costs. Nevertheless, BYOD deployments come with a host of challenges that have to be confronted at the technical, management and organizational levels.
Understanding BYOD Challenges
BYOD means that enterprise IT assets such as data and services become accessible to a selected set of devices outside the organization. In particular, a proper BYOD strategy should enable access to enterprise applications and data from anywhere in the world and from any device, without compromising the security of the enterprise. This implies changes to the organization's security policy, which must now authenticate and authorize a broader set of devices. It also calls for organizational changes that enable the engagement of users regardless of the type of device they possess and the location from which they connect to the enterprise IT infrastructure.
The greatest BYOD threat is cybersecurity related and concerns potential data loss. In particular, BYOD opens new holes in the security of an organization, which provide a host of opportunities for committing cybercrime and attacking the enterprise IT infrastructure. Previously, any party operating a device outside the organization was classified as suspicious and could simply be barred from accessing the enterprise infrastructure, regardless of whether the device's owner held valid credentials. This gave fine-grained control over the devices that could access enterprise resources, including control of their security features (e.g., their security patches and malware protection programs). With BYOD, this strict but safe blanket ban no longer applies. Hence, malicious parties gain opportunities to exploit the vulnerabilities of BYOD devices in order to reach servers, data and applications. They are also given more opportunities to eavesdrop on or steal a user's access credentials, since many BYOD devices reside outside the security perimeter of the organization.
Tips for a Secure BYOD Environment
BYOD deployers in most cases follow some basic principles as part of their security policies, which can safeguard them against BYOD-based adversaries. These include:
- Responsible and Consistent Password Management: BYOD security requires disciplined and consistent password management across all devices that participate in the BYOD program. In practice, strong, unique passcodes must be used and passwords must be changed promptly whenever compromise is suspected, as part of a strict password management policy (current guidance such as NIST SP 800-63B favors long, unique passwords and changes on evidence of compromise over mandatory periodic rotation, which tends to produce weak, predictable variants).
- Device-Level Protection: BYOD devices are no longer standalone, but part of the enterprise infrastructure. As such they must run up-to-date anti-malware protection at all times, as a means of mitigating common threats such as malware and ransomware.
- Data Encryption for Sensitive Information: Sensitive information transmitted between BYOD devices and the enterprise infrastructure should be encrypted in transit, and any copies that end up stored on the device should be encrypted at rest as well, so that a lost device does not expose them.
- Erase Sensitive Data when Devices are Lost: BYOD security needs to deal with cases where devices are lost or stolen. When loss or theft is suspected, BYOD programs must provide the means to erase any sensitive data from the device and to revoke its access to the enterprise infrastructure. Several mobile device management (MDM) solutions offer such functionality.
- User-Based and Role-Based Access Control: Beyond authenticating the device, BYOD programs must also enforce user- and role-based access control and authorization. In that case, even when a device is stolen, malicious parties still need to obtain the user's credentials before they can cause serious damage to the enterprise (such as data theft). This reduces the overall risk of device theft.
- Set Up Policies for Employees Leaving the Organization: When employees leave the organization, BYOD policies must provide for erasing enterprise data and credentials from their devices and uninstalling the applications that supported their BYOD operations. This prevents them (or other parties using their devices) from launching or facilitating cyberattacks against the infrastructure of their previous employer. The policy should apply both to employees leaving for another company and to retiring employees.
- Employ Unified Endpoint Management: BYOD requires more thorough security management processes, as it increases the number and diversity of the devices that access the enterprise infrastructure. Hence, a proper security monitoring infrastructure should be put in place. This can be supported by emerging Unified Endpoint Management (UEM) solutions, which provide the means for monitoring, auditing, provisioning and enforcing endpoint policies from a single console with a unified, user-friendly interface. Beyond stronger security guarantees, Unified Endpoint Management ultimately reduces security management and configuration costs.
- Differentiate Personal from Enterprise Traffic: In a BYOD environment it is essential to separate the employee's personal traffic from corporate traffic, because the two have to be treated differently from a security viewpoint. Enterprise mobility management solutions provide such separation by tagging the traffic streams that belong to enterprise applications (for example, routing only those through the corporate VPN while personal apps use the user's own connection).
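The device-posture, lost-device, role-based access and leaver items above are easiest to see as one access decision. The following Python sketch is an added example, not code from the original article or from any MDM product: it models a BYOD gateway that rejects a device which is unenrolled, reported lost, unpatched, unprotected or unencrypted before it looks at credentials at all, then requires a valid login and a role that grants the requested permission, and finally shows an offboarding step that deactivates the account and unenrolls the device. The role table, the 30-day patch threshold, the MDM command names and the sample device and user are all assumptions made for the example.

```python
"""Device-aware, role-based access decision for a BYOD gateway (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import NamedTuple

# Assumed policy values for the example organization (not from the article).
MAX_PATCH_AGE_DAYS = 30
TODAY = date(2024, 6, 1)

# Hypothetical role-to-permission table.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "engineer": {"repo:read", "repo:write"},
    "finance": {"ledger:read"},
    "helpdesk": {"mdm:wipe"},
}


@dataclass
class Device:
    device_id: str
    enrolled: bool                 # registered with the MDM/UEM platform
    last_patched: date             # date of the last OS security update
    malware_protection: bool
    storage_encrypted: bool
    reported_lost: bool = False


@dataclass
class User:
    username: str
    roles: frozenset[str]
    active: bool = True            # False once the employee has left


class Decision(NamedTuple):
    allowed: bool
    reason: str


def posture_failures(device: Device, today: date) -> list[str]:
    """Return every device-level check that fails; an empty list means compliant."""
    failures = []
    if not device.enrolled:
        failures.append("device not enrolled")
    if device.reported_lost:
        failures.append("device reported lost or stolen")
    if (today - device.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if not device.malware_protection:
        failures.append("no malware protection")
    if not device.storage_encrypted:
        failures.append("storage not encrypted")
    return failures


def authorize(user: User, device: Device, credentials_valid: bool,
              permission: str, today: date) -> Decision:
    """Allow only if the device is compliant, the user authenticated, and a role
    grants the permission. Posture is checked first, so a lost or non-compliant
    device is rejected before credentials are considered; a compliant device is
    still not enough on its own, which is what limits the damage from theft."""
    failures = posture_failures(device, today)
    if failures:
        return Decision(False, "; ".join(failures))
    if not user.active:
        return Decision(False, "user account deactivated")
    if not credentials_valid:
        return Decision(False, "authentication failed")
    granted = set().union(*(ROLE_PERMISSIONS.get(role, set()) for role in user.roles))
    if permission not in granted:
        return Decision(False, f"no role grants {permission}")
    return Decision(True, "ok")


def offboard(user: User, device: Device) -> list[str]:
    """Leaver policy: deactivate the account, unenroll the device and queue a wipe
    of the managed data (the returned command names are hypothetical MDM actions)."""
    user.active = False
    device.enrolled = False
    return [f"revoke-credentials {user.username}",
            f"mdm-wipe-corporate-data {device.device_id}"]


def sample_device(patch_age_days: int = 0, **overrides) -> Device:
    """Constructed sample: a fully compliant personal phone, with optional overrides."""
    fields = dict(device_id="phone-0001", enrolled=True,
                  last_patched=TODAY - timedelta(days=patch_age_days),
                  malware_protection=True, storage_encrypted=True, reported_lost=False)
    fields.update(overrides)
    return Device(**fields)


def sample_user() -> User:
    """Constructed sample: an engineer with a single role."""
    return User("alice", frozenset({"engineer"}))


if __name__ == "__main__":
    for label, dev, creds, perm in [
        ("compliant device, valid login", sample_device(), True, "repo:read"),
        ("stolen device, valid login", sample_device(reported_lost=True), True, "repo:read"),
        ("compliant device, wrong password", sample_device(), False, "repo:read"),
        ("compliant device, role lacks permission", sample_device(), True, "ledger:read"),
        ("patches 45 days old", sample_device(patch_age_days=45), True, "repo:read"),
    ]:
        print(f"{label}: {authorize(sample_user(), dev, creds, perm, TODAY)}")
```

The point of the ordering is that each control covers a different failure: a stolen but compliant phone fails at the posture step as soon as it is reported lost, a phishing victim's password alone fails because the attacker's device is not enrolled, and a leaver's still-enrolled device fails because the account is deactivated. In a real deployment the posture facts would come from the MDM/UEM agent's last check-in rather than from a dataclass, and the decision would be re-evaluated on every request, not just at login.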
BYOD as a Risk Management and Investment Management Exercise
Despite the availability of enterprise mobility management solutions that account for BYOD needs, many security managers and CIOs (Chief Information Officers) remain reluctant to deploy BYOD infrastructures. Their concerns lie mainly in the security risks and the potential damage to the enterprise, as well as the costs of the BYOD deployment, which comprise personnel costs, solution licensing costs, security management costs and more. While these concerns are valid, they are outweighed by the potential benefits of the solution, which reflect directly on enterprise productivity and employee satisfaction. At the end of the day, managers should undertake an investment management exercise that calculates the Return On Investment (ROI) of the BYOD solution, taking into account its costs and making reasonable estimates of its benefits. In recent years there has been good evidence that BYOD solutions yield a very compelling ROI. As part of the ROI analysis, enterprise managers should assess the security risks of the BYOD solution in order to identify those with the highest probability and impact on the enterprise. Mitigating these risks should be prioritized during the development and deployment of the solution, and should drive the selection of the most appropriate enterprise mobility management technology.
BYOD is certainly here to stay, as it is already delivering business value to thousands of enterprises worldwide. In this context, a purely defensive stance against BYOD does not help enterprise productivity. Rather, a different approach is required, one that thoroughly considers BYOD risks and how they can be remedied. Fortunately, a host of mobility management solutions is already available, including solutions that treat BYOD as an integral element of the enterprise IT infrastructure.