Running head: BRING YOUR OWN DEVICES
Bring Your Own Devices
Security Challenges, Guidelines, and Recommendations
IST623 Fall 2012
Syracuse University
Ryan Backus
Taurean Boyd
Kenneth Brenner
Edison Bylyku
Table of Contents
Statement of the Problem (p. 2)
Acceptable Use Policy (pp. 3-9)
NIST Security Standards & Guidelines (pp. 9-16)
Implementing BYOD (pp. 16-19)
User Compliance (pp. 24-32)
Recommendations (pp. 19-26)
Works Cited (pp. 32-34)
Appendix A: BYOD Readiness Assessment (p. 35)
Abstract
To increase the efficiency of employees and reduce costs, companies have been merging
personal and business devices. Today mobile devices pack impressive computing capabilities.
This has allowed employees to conduct work remotely and take care of personal tasks on the
same device. This is a cultural shift made to accommodate the need for greater productivity and
collaboration, and a generation of early adopters of mobile technology. Typical user allocation is
no longer a simple 1 to 1 computer to LAN connection (Holtsnider, 2012). Value creation should
come from the acceptance of new business models in the workplace (Carruthers).
Acceptable Use Policy for BYOD
To increase the efficiency of employees and reduce costs, companies have been merging
personal and business devices. This has allowed employees to conduct work remotely and take
care of personal tasks on the same device. Coinciding with an increase in efficiency by
combining these devices is an increase in risk from unacceptable use. An important mechanism
for reducing the occurrence of inappropriate use of company assets is a formal acceptable use
policy. Having an acceptable use policy in place promotes desirable usage and effective security
behaviors (Doherty, Anastasakis, & Fulford, 2011). The benefits of implementing an acceptable
use policy for shared devices will be detailed along with recommendations for the policy.
One of the most positive impacts of BYOD is the increase in employee efficiency,
blending remote work and personal tasks on the same device. Although the rise of BYOD has
led to an increase in efficiency, it also opens the door to vulnerabilities (Canela, 2009). The
vulnerabilities include data theft, loss, and improper use. To reduce these risks, a shared-device
acceptable use policy needs to be implemented by organizations adopting BYOD.
The purpose of developing an acceptable use policy is to provide guidelines for
acceptable actions when using shared mobile devices. Ensuring employees are using shared
devices for their intended purpose will be beneficial for an organization. Under an acceptable
use policy, employees will be prohibited from misusing the devices, whether negligently or
intentionally. To make the acceptable use policy successful, it should adhere to four primary
goals (Doherty, Anastasakis, & Fulford, 2011):
1. Ensuring the integrity, reliability, and security of the organization's assets
2. Ensuring the use of devices is consistent with the principles of the organization
3. Ensuring the devices are used for their intended purposes
4. Establishing guidelines for addressing violations and outlining sanctions for violators
Ensuring the integrity, reliability, and security of the organization's assets
Acceptable use of shared mobile devices will maintain the integrity, reliability, and
security of the organization's assets. This primarily pertains to the organization's information
and network. The organization's information will be stored and transmitted on the employee's
devices. This creates many new data vulnerabilities that can often be outside the traditional
realm of IT control. This is especially important because most knowledge-intensive
organizations' competitive advantage is derived from a proprietary body of information (Kubal,
2005). The organization's network and system infrastructure can also face increased
vulnerability from unacceptable use. Malware and other threats can originate from the device
and make its way on to the network when connected. The acceptable use policy will reduce the
exposure to these risks. If the policy is lacking, it can decrease the integrity, reliability, and
security of organization's assets.
Loss and theft of proprietary information is a concern to the organization due to the value
of the data. The acceptable use policy should establish guidelines for handling and securing the
device. If the device were to be lost, the policy will ensure that it has proper encryption. Any
device lost without proper encryption greatly increases the risk for an organization.
To ensure proper encryption and adequate security measures, the Information Security department should
be involved. The InfoSec department will analyze each type of device and determine which
software and security policies need to be enforced before use is allowed. Additionally, as new
devices become available, the acceptable use policy will need to be updated to cover them.
If the software and security policies are not enforced, the device could be compromised
without drawing notice. This can be especially harmful as access to the device can be more
relaxed outside of the organization's work environment. Involving the InfoSec department will
ensure the device is secure and reliable. This will help protect the organization against data theft
and loss. While the type of data on the device will vary from department to department,
regardless of its origin, it will be governed by the policy. This is especially important to US
organizations because the cost of data theft and loss has skyrocketed in the US. Intellectual
property theft and loss cost US organizations over 250 billion dollars annually (Alan, 2009). To
reduce the exposure to this threat, it is necessary to implement a BYOD acceptable use policy.
Ensuring that any device containing proprietary information is safe is a high priority for
knowledge-intensive organizations (Doherty, Anastasakis, & Fulford, 2011).
Both internal and external threats exploit the vulnerabilities created by merging personal
and business devices. The employees themselves are the internal threat. The weakest link in the
security of proprietary data is the employee (Okenyi & Owens, 2007). Rogue employees can
perpetrate malicious actions and loyal employees can threaten the organization through
negligence. External threats range from hackers and competitors to foreign governments.
The goals of the attackers can vary from thrill seeking to financial gain. Although it may appear
that external threats should receive the highest priority, most security incidents and unacceptable
device usage are caused by employees (Stanton, Stam, Mastrangelo, & Jolton, 2005).
In addition to the threat of data theft is the impact of losing data. Having both personal
and business data stored on the phone creates vulnerability for the organization and the
employee. If the device were to be lost without regular backups made, it would negatively
impact the organization. Depending on the value and difficulty to replace the data, it could have
a large financial impact. The policy will guide the InfoSec department in establishing backup
procedures for BYOD. Aside from the business data, if personal data is lost, it can negatively
affect the employee. The problems arising from personal data loss and any time spent trying to
recover data can decrease employee work performance and satisfaction (Bell, 2010). Having a
proper acceptable use policy will reduce the risk of information theft and loss.
Along with the InfoSec department's security enforcement, the acceptable use policy
should ensure employees only house necessary information on the device. If information that
does not belong on the device is carelessly stored and transmitted, it can leave the organization in
a vulnerable position. Compounding this is the value of the employee's device itself. This can
present an even more lucrative target for theft. While the theft of proprietary data is the primary
concern, the acceptable use policy will also need to cover proper care for the device. It is
common for devices to be targeted by thieves because the organization did not have proper
security and use policies in place (Daniel, 2004). A thorough acceptable use policy will reduce
the organization's exposure to theft of information and devices.
Ensuring the use of devices is consistent with the principles of the organization
To further the benefits of an acceptable use policy, the use of BYOD should be consistent
with the principles of the organization. By adapting the policy to the principles of the
organization, it will explicitly prohibit unethical and illegal behavior conducted with the devices.
Any behavior that falls under those categories will be prohibited, whether it is a personal or
business action. As the lines of personal and business use are blurred, it is necessary that the
employee device use is aligned with the organization's principles.
Without this instruction, prohibited use of the device can be another source of
vulnerabilities. The acceptable use policy will outline what device actions are prohibited as they
do not share the principles of the organization. The committee that designs the policy will need
to explicitly classify activities such as downloading illegal material, hacking, and accessing
pornography as prohibited. These types of actions and any others that do not align with the
organization's principles can open the organization up to lawsuits (Herath & Wijayanayake,
2009).
Ensuring the devices are used for their intended purposes
Another goal of establishing the policy is to make sure devices are used for their intended
purposes. The misuse of the shared mobile devices will be prohibited whether it was negligent
or intentional. A high proportion of security incidents caused by employees are the results of
malpractice and negligence (Stanton, Stam, Mastrangelo, & Jolton, 2005). Employees could use
the devices for harassment of others, hacking/cracking, and disseminating illegal material.
Additionally, loss and corruption of data can be caused by employees misusing the device. Due
to these reasons, organizations often deal with major threats to proprietary information from their
own employees (Berrong, 2009).
When the devices are not used for their intended purpose, it can cause damage to the
organization. Lawsuits have been successful against organizations whose employees use assets
to harass, defame, or breach copyright laws (Herath & Wijayanayake, 2009). If there is no
acceptable use policy in place, the organization could become the target of lawsuits for actions
taken by employees. If employees are fired for improper actions that were not documented as
unacceptable, they could also sue the company for wrongful dismissal. By implementing a proper
acceptable use policy, the risk exposure for lawsuits decreases. An acceptable use policy can
shield the organization from employee claims originating from unacceptable use of information
assets (Corbitt, 2005).
Another impact of using the devices for their intended purposes is the cost benefits for
the IT and InfoSec departments. Using the devices for purposes other than intended can increase
the threat of security incidents and violations, which in turn increases costs. Any support from
the Information Technology department costs the company time and money. In addition to this,
analyzing and removing security threats from devices will incur costs for the Information
Security department. This will lead to schedule slips on strategic projects for the organization as
more attention is shifted to the shared devices (Batke, 2011). An acceptable use policy will
benefit all departments because the IT and InfoSec departments can focus on their primary goals
of keeping the information system running smoothly and safely.
Establishing guidelines for addressing violations and outlining sanctions for violators
Lastly, guidelines should be established to address violations and repercussions for
employees who violate the policy. The acceptable use policy not only outlines desirable device
usage, it also guides the organization in responding to unacceptable use. To enforce the policy,
deter employees from violations, and ensure equality, instructions will be listed on how to handle
violations. The level of repercussions for a violation should align with the organization's stance
on employee misconduct.
NIST Standards and Guidelines, Privacy, and Security
Today mobile devices pack impressive computing capabilities and have become ubiquitous in
consumers' hands. Organizations have recognized the potential of mobile devices not only as
technology tools that provide flexibility, increased productivity and reduced cost, but also as
communication channels for staying in touch with their customers' needs. Due to their popularity
and increased capabilities, mobile devices have become both the victims of security threats and
vulnerabilities and the tools used to carry out malicious attacks against other mobile devices.
Mobile devices are currently being used by organizations such as government agencies
and healthcare organizations that facilitate sensitive and private information up to national
security classified information. It is in everyone’s best interest that security, privacy and
integrity of information is top priority even when such information is obtained, stored, and
transmitted via mobile devices and wireless/cellular networks.
NIST (ITL) Standards and Guidelines
The surge and diversity of mobile devices have caught the digital world by surprise, and
therefore the security of such mobile devices has become a widely recognized challenge. This has
prompted governments and organizations to implement guidelines, standards, and policies
regarding mobile device security.
NIST (National Institute of Standards and Technology) is a government agency founded
in 1901 and is now part of the U.S. Department of Commerce. NIST's goal is to solve science and
technology challenges in support of U.S. industry. Part of NIST, the ITL (Information Technology
Laboratory) focuses on developing, testing, and analyzing technical, physical, administrative and
management standards and guidelines in support of cost-effective security and privacy of
classified Federal information and information technology tools. It is important to recognize the
advantage that today’s mobile devices provide for businesses and organizations, as well as the
challenge such mobile devices present in keeping them secure. Mobile devices should be
deployed in a way that upholds the information security principles of Confidentiality, Integrity
and Availability (CIA). With this awareness in mind, NIST has
developed guidelines for managing and securing mobile devices in the enterprise.
The nature and capabilities of mobile devices are always evolving and constantly changing.
At the same pace, security threats, controls and vulnerabilities are evolving and changing. It is
important to recognize the nature of mobile devices and define a baseline of features that make
up a mobile device before an organization can consider a secure and effective implementation of
mobile device solutions. The following are the main, though not the only, characteristics that
define a mobile device:
- Small form factor – What makes a mobile device mobile; its small size gives the end user
the flexibility to travel with it without requiring extra supporting components.
- Wireless connectivity – Able to send and receive data wirelessly via Wi-Fi, cellular
networks, Bluetooth, etc. This capability gives the mobile device the ability to connect to
network infrastructures and systems over the internet, wirelessly.
- Local storage – Built-in or removable storage gives the mobile device the ability to store
data.
- Operating system – A non-full-fledged, desktop-like operating system gives the mobile
device the ability to run applications and clients in an efficient, quick and easy-to-use way.
- Third-party applications – Able to install applications in different ways, via an online
store or through a web browser.
- Syncing/synchronizing – Able to sync data with local machines such as desktops, or with
cloud computing systems.
- NFC (Near-Field Communications) – Via Bluetooth or other NFC-type technologies.
- GPS (Global Positioning System) – Provides the mobile device with the ability to use
location services.
- Camera – Used to capture video and images, or to communicate via built-in or third-party
applications such as Skype.
- Microphone – Able to record audio.
The capabilities and features listed above will continue to evolve as technology evolves.
Because of this, mobile devices need additional protection given the wide range of capabilities
that make up a mobile device. It is important that the common security principles (CIA) are
strictly enforced in order to protect against high-level security vulnerabilities and threats.
NIST’s standards and guidelines focus on physical security controls, application layer
security, and access control of mobile devices in order to remain compliant and secure.
Because of the nature of mobile devices and the security threats and vulnerabilities associated
with them, NIST's recommendation is to utilize centralized mobile device management
technologies in order to:
- Manage the configuration and updating of mobile devices
- Secure the security settings and access control to the organization's network
- Control and segregate applications and capabilities for personal use and organizational use
within the same device
Centralized mobile device management technologies can be third party based or developed by a
mobile device brand. A third party based centralized mobile device management system
provides the capability to support multiple brands of mobile devices, giving the organization the
flexibility of having a diverse population of mobile devices yet be able to control and manage
them as they would if they had one brand.
Taking this approach, organizations are strongly recommended to consider and
implement the following key guidelines in order to improve security and manageability of
mobile devices:
Develop system threat models for mobile devices and the systems that are integrated and
accessed with mobile devices
Given their small size, mobile devices can be misplaced; in addition, they require access to
the outside world, normally through an outside-facing system/server placed in the DMZ. This
makes the mobile device system, as well as the resources it integrates with, very vulnerable to
threats and attacks. Conducting security scans and analysis in a controlled laboratory
environment and network domain is key to identifying security vulnerabilities of the system.
Classifying the vulnerabilities from low to high risk is important to risk management analysis for
the system and the information processed by the system. The security threat transparency
achieved will help ensure that the mobile device and the system considered for implementation
fit the organization's security and infrastructure requirements.
Implement information security measures and services on mobile devices and their integrated
systems at all levels of information security:
Policy – Define and enforce specific enterprise security policies for mobile devices, such as
access to hardware and software, and connectivity to vulnerable public wireless networks.
Encryption – Implement strong encryption for data in transit and data at rest (stored), and
remotely erase data on the device if it is stolen and information could otherwise be recovered by
an unauthorized party.
Access Control – Require user authentication and machine authentication before access to the
internal network and its resources is granted. Apply an idle lock-out policy, remote password
resetting, and remote locking of devices in case they are accessed by an unauthorized party.
Application Management and Control – Implement application filtering through whitelisting
and blacklisting of non-authorized installations, updates, and synchronization. Ensure that
updates at the operating system level and application level are controlled and blocked if not
tested and approved for general availability by the organization.
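The measures above (policy, encryption of data at rest, access control with idle lock-out, application whitelisting and blacklisting, and approved OS updates) are exactly what a central management server checks each time a device reports its state. As an added example, written for this page and not taken from NIST or from any MDM product, the Python below evaluates constructed device state reports against a constructed policy and derives the network access decision. The thresholds, OS version strings and app identifiers are all assumptions an organization would set for itself.

```python
"""Evaluate reported mobile-device state against an enterprise mobile policy.

Added illustration; policy thresholds, app identifiers and device records are
constructed for the example and come from no real organization or product.
"""
from dataclasses import dataclass

# Constructed policy: every value is an assumption, not a NIST-mandated number.
POLICY = {
    "passcode_min_length": 6,
    "max_idle_lock_seconds": 300,                 # idle lock-out within five minutes
    "require_storage_encryption": True,           # data at rest must be encrypted
    "approved_os_versions": {"iOS 6.0.1", "Android 4.1.2"},   # tested and approved builds
    "required_apps": {"com.example.mdm-agent"},   # whitelist: must be present
    "blacklisted_apps": {"com.example.freewifi"}, # blacklist: must be absent
}


@dataclass(frozen=True)
class DeviceState:
    """Snapshot an MDM client reports back to the server (constructed fields)."""
    device_id: str
    os_version: str
    passcode_length: int        # 0 means no passcode is set
    idle_lock_seconds: int      # 0 means the device never auto-locks? no: seconds until lock
    storage_encrypted: bool
    installed_apps: frozenset


def check_device(state, policy=POLICY):
    """Return the list of policy violations for one device; empty list means compliant."""
    violations = []
    if state.passcode_length < policy["passcode_min_length"]:
        violations.append(f"passcode length {state.passcode_length} below minimum "
                          f"{policy['passcode_min_length']}")
    if state.idle_lock_seconds > policy["max_idle_lock_seconds"]:
        violations.append(f"idle lock-out {state.idle_lock_seconds}s exceeds "
                          f"{policy['max_idle_lock_seconds']}s")
    if policy["require_storage_encryption"] and not state.storage_encrypted:
        violations.append("data at rest is not encrypted")
    if state.os_version not in policy["approved_os_versions"]:
        violations.append(f"OS version {state.os_version!r} not tested and approved")
    for app in sorted(policy["required_apps"] - state.installed_apps):
        violations.append(f"required app missing: {app}")
    for app in sorted(state.installed_apps & policy["blacklisted_apps"]):
        violations.append(f"blacklisted app installed: {app}")
    return violations


def access_decision(state, policy=POLICY):
    """Access control: only a compliant device is allowed onto the internal network."""
    return "allow" if not check_device(state, policy) else "quarantine"


def compliance_report(states, policy=POLICY):
    """Map each device id to its (decision, violations) pair for an admin report."""
    return {s.device_id: (access_decision(s, policy), check_device(s, policy))
            for s in states}


# Constructed sample inventory of three enrolled devices.
SAMPLE_DEVICES = [
    DeviceState("dev-01", "iOS 6.0.1", 6, 120, True,
                frozenset({"com.example.mdm-agent", "com.example.mail"})),
    DeviceState("dev-02", "Android 4.1.2", 4, 900, False,
                frozenset({"com.example.mdm-agent", "com.example.freewifi"})),
    DeviceState("dev-03", "Android 2.3.6", 8, 60, True, frozenset()),
]

if __name__ == "__main__":
    for device_id, (decision, problems) in compliance_report(SAMPLE_DEVICES).items():
        print(device_id, decision, "; ".join(problems) or "compliant")
```

The decision is deliberately binary (allow or quarantine): a device that fails any single control is kept off the internal network until its client reports a compliant state again, which is the enforcement step the policy section describes.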
Implementation of mobile device solutions should be done by organizations in a controlled
environment and network domain to prove the integrity of the solution prior to implementing it in
production
Following a three-pronged approach in implementing mobile device solutions is imperative
to ensuring that not only the CIA principles are fulfilled but also functionality and business
continuity requirements are met. In a three-pronged approach, a controlled domain such as a lab
is created to implement one or two potential mobile device solutions. In this environment,
security scans and vulnerability and threat testing are performed to ensure the integrity of the
system. Basic functionality testing should be performed at this level as part of the overall
acceptance of the product.
A quality assurance (QA) environment that resembles production is created to
ensure that the selected mobile device solution goes through stringent functionality and security
testing, so that the system performs, integrates, and meets all network, security, and
infrastructure requirements of the organization before rolling out to production. All
implementation steps taken to implement the mobile device solution in QA should be
documented and strictly followed during production roll-out to ensure expected results.
Pre-stage each mobile device and ensure that each mobile device is set up correctly and
fully complies with policy, standards, and requirements before end users access the
device.
Ensuring a level of trust in each device that is exposed to end users and production is an
important step to ensure that left-over information from previous uses no longer resides on the
device.
Constant maintenance of mobile device security ensures continuity of business and
continuity of information security on mobile devices. This includes checking for updates,
upgrades, and security patches and testing them to ensure that such updates and patches do not
introduce security and functionality vulnerabilities. Monitoring and testing the performance of
processes to ensure that all processes and procedures are being followed properly is important.
Privacy and Security
The very features and characteristics that make mobile devices the cutting-edge
productivity tools in the hands of mobile end users are what make mobile devices a
high-risk, high-vulnerability asset for an enterprise or organization. People rely on mobile devices
daily to accomplish tasks on the move such as web browsing, reading and sending email and
documents, phone calls, contact sharing, etc. Over time a vast amount of data is accumulated and
stored on mobile devices. Compared to desktops and laptops, mobile devices lack important
security features; combined with the characteristic of being always on the move physically,
mobile devices are even harder to administer and account for at any time. Simply put, mobile
devices could be a ticking security bomb on the move, making it even harder to identify and
account for if and when it goes off.
The portability of mobile devices brings a higher chance of physical loss of the device,
and a very high risk of data loss is associated with it. With unlimited physical access to the
device, unauthorized users can overcome many of the security barriers that can be implemented
on mobile devices. The security risks associated with the mobility of devices are many; however,
the key security risks according to NIST are as follows:
Loss, theft, or disposal – Their portable size makes mobile devices easier to misplace and
lose. Their high demand on the black market makes them prone to theft, resulting in loss of the
physical device and its information. Disposing of mobile devices is normally done via a reset of the
device; even though this means the information is erased from a virtual perspective, from a
physical perspective the information can still be recovered.
Unauthorized Access – Because end users access mobile devices so frequently, easy
passwords and PINs are often used, resulting in weak authentication mechanisms. Easily guessed
passwords or PINs, combined with credentials possibly stored on the mobile device, make this a
major weakness of mobile devices.
Malware and SPAM – Malware is mostly built for mobile devices that run a popular
operating system, as well as for those devices for which an SDK is available. Malware can
penetrate a mobile device during synchronization with a desktop, or through storage devices
such as micro storage cards. Other methods of infection include internet downloads and data
sharing via messaging or NFC. Malware can exploit the device's security weaknesses to gain
passwords, contact information, and credit card information and send them to an external
repository server, or open a backdoor for an attacker to allow full access to the device. Mobile
spam has also become popular, and it is used to trick end users into calling or texting chargeable
services as a form of social engineering.
Electronic Eavesdropping – Utilizing spy software, attackers can eavesdrop on the
activity on mobile devices. When spy software is installed silently on the device, it can be used
to turn on features such as the microphone or camera to eavesdrop/spy on sensitive meetings or
discussions, resulting in the leak of sensitive and classified information.
Implementing BYOD
With the adoption of BYOD and the introduction of mobile devices into corporate
networks, a new set of security issues arise. Not only do corporations need to worry about mobile
devices with sensitive data being lost, but also the possibility that an infected device can connect
to the corporate network and potentially have access to sensitive information. To combat these
issues, a market has been developed to create software which can mitigate these risks.
Specifically, two products of this market, mobile device management software and desktop
virtualization, have allowed corporations to have better management over mobile devices and
how they connect to their networks. From here the question arises: how does a corporation
introduce BYOD while using these two products?
Before we can adequately answer the aforementioned question, we should first define
Mobile Device Management (MDM) software and Desktop Virtualization (VDI) more precisely. As
defined by Gartner research firm, MDM is "a range of products and services that enables
organizations to deploy and support corporate applications to mobile devices, such as
smartphones and tablets, possibly for personal use - enforcing policies and maintaining the
desired level of IT control across multiple platforms." In other words, MDM software empowers
corporations to place corporate applications (with access to sensitive information) on employees'
personal devices without fear of risks. This is achieved by granting the ability to enforce
corporate policies on those mobile devices. Gartner also defines Desktop Virtualization as
follows, "A technology that decouples a PC desktop environment from a physical device so that
the virtual machine (VM) of the PC desktop stored in a centralized server can be accessed from a
remote client device through a network." With the use of Desktop Virtualization, corporations
can grant access to their networks via a whole host of different remote clients or devices and still
only need to provide one desktop PC to the user. These are just a couple of benefits that come
with using these technologies. Other benefits are as follows:
Benefits of MDM:
- Cloud-based, so updates are automatic and painless
- Remote configuration and monitoring
- Enforcement of passwords, blacklists and other security policies
- Backup/restore functionality for corporate data
- Logging/reporting for compliance purposes
- Remote disconnection or disabling of unauthorized devices and applications
- Scalable, so new users and increasingly sophisticated devices can be accommodated easily
Benefits of Desktop Virtualization:
- Simpler provisioning of new desktops
- Lower cost of deploying new applications
- Desktop image-management capabilities
- Increased data security
- Longer refresh cycle for client desktop infrastructure
- Secure remote access to an enterprise desktop environment
Now that we've uncovered some of the benefits of each technology, let's explore how each of
these technologies works. Mobile Device Management software is typically distributed as a
client-server architecture. A corporation or third-party provider will operate a server which will
contain the policies that will be enforced on each client or remote device. The server will also
contain information about each of the client devices, which will be used to send policies and
controls to those client devices over the air (OTA). On each remote device, a software client
or application will be installed. This software client will listen for policies provided by
the server and will modify phone configurations in order to enforce those policies.
To help illustrate this idea, let's explore an example. Suppose a smartphone which contains
an MDM client is lost by an employee on the subway. The company that this employee works
for has a policy to remotely wipe any phone that has been reported lost. So, an
administrator connects to the MDM server and sends a command to the lost smartphone telling it
to initiate a remote wipe. When the smartphone retrieves that command, it will execute the task.
Another feature of MDM client software is that it can collect phone state information and
report it back to the MDM server. With this, a company may be able to build reports which will
tell them information such as the types of phone their employees are using, the most popular
applications used among their employees, etc. This information can be useful when a public
report about a malicious application appears. If any of the client devices have this application,
a command can be created and distributed to the client devices, and a report of how many
devices have this application can be produced.
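The lost-phone and malicious-app situations just described, as an added example that is not part of the original paper and models no real vendor's protocol: a simulated MDM server keeps a per-device command queue standing in for the over-the-air channel, the MDM client on each phone reports its installed-app state at every check-in and then executes whatever is queued, and the server answers the inventory question of which devices carry a given app before pushing a removal to all of them. Device ids, owners and package names are constructed.

```python
"""Simulated client-server MDM exchange: OTA command queue, remote wipe of a
lost phone, and an inventory query for a newly reported malicious app.

Added illustration with constructed identifiers; not code from any MDM product.
"""
from collections import defaultdict, deque


class MdmServer:
    def __init__(self):
        self.devices = {}                  # device_id -> {"owner", "apps", "status"}
        self.pending = defaultdict(deque)  # device_id -> commands waiting for the next poll
        self.audit_log = []                # (event, subject, detail) for compliance reporting

    def enroll(self, device_id, owner):
        self.devices[device_id] = {"owner": owner, "apps": set(), "status": "active"}
        self.audit_log.append(("enroll", device_id, owner))

    def receive_state(self, device_id, apps):
        """Client check-in: store the reported installed-app inventory."""
        self.devices[device_id]["apps"] = set(apps)
        self.audit_log.append(("state", device_id, len(apps)))

    def report_lost(self, device_id, admin):
        """Company policy from the text: a phone reported lost is wiped remotely."""
        self.devices[device_id]["status"] = "lost"
        self.pending[device_id].append({"action": "wipe"})
        self.audit_log.append(("queue_wipe", device_id, admin))

    def devices_with_app(self, package):
        """Report: which enrolled devices last reported the package installed."""
        return sorted(d for d, rec in self.devices.items() if package in rec["apps"])

    def push_remove_app(self, package):
        """Queue an uninstall on every affected device; return how many were targeted."""
        affected = self.devices_with_app(package)
        for device_id in affected:
            self.pending[device_id].append({"action": "remove_app", "package": package})
        self.audit_log.append(("push_remove", package, len(affected)))
        return len(affected)

    def take_commands(self, device_id):
        """Deliver and clear the device's queue when its client polls (the OTA step)."""
        cmds = list(self.pending[device_id])
        self.pending[device_id].clear()
        return cmds

    def acknowledge(self, device_id, cmd):
        """Client confirms execution; mirror the result in the server-side inventory."""
        rec = self.devices[device_id]
        if cmd["action"] == "wipe":
            rec["status"], rec["apps"] = "wiped", set()
        elif cmd["action"] == "remove_app":
            rec["apps"].discard(cmd["package"])
        self.audit_log.append(("ack", device_id, cmd["action"]))


class MdmClient:
    """The agent on the phone: reports state, then executes queued commands."""
    def __init__(self, device_id, server, apps):
        self.device_id, self.server, self.apps = device_id, server, set(apps)
        self.wiped = False

    def check_in(self):
        self.server.receive_state(self.device_id, self.apps)
        for cmd in self.server.take_commands(self.device_id):
            if cmd["action"] == "wipe":
                self.apps.clear()
                self.wiped = True
            elif cmd["action"] == "remove_app":
                self.apps.discard(cmd["package"])
            self.server.acknowledge(self.device_id, cmd)


def run_scenario():
    """Walk through both situations from the text and return what an admin would see."""
    server = MdmServer()
    bad_app = "com.example.flashlight-stealer"          # constructed package name
    fleet = {
        "dev-01": MdmClient("dev-01", server, {"com.example.mail", bad_app}),
        "dev-02": MdmClient("dev-02", server, {"com.example.mail"}),
        "dev-03": MdmClient("dev-03", server, {bad_app}),
    }
    for device_id, client in fleet.items():
        server.enroll(device_id, owner=f"user-{device_id}")
        client.check_in()                                 # initial state reports

    server.report_lost("dev-01", admin="helpdesk")        # phone left on the subway
    affected_before = server.devices_with_app(bad_app)    # report after the public advisory
    targeted = server.push_remove_app(bad_app)
    for client in fleet.values():
        client.check_in()                                 # next poll picks up the commands

    return {
        "wiped": sorted(d for d, c in fleet.items() if c.wiped),
        "affected_before": affected_before,
        "targeted": targeted,
        "affected_after": server.devices_with_app(bad_app),
        "status": {d: rec["status"] for d, rec in server.devices.items()},
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two points the text only implies are visible here: a command does nothing until the phone next polls, so a lost device that never reconnects is never wiped, and the server's inventory is only as fresh as the last state report, which is why the acknowledgement updates it rather than waiting for another check-in.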
Desktop Virtualization grants the ability to provide a desktop PC experience on multiple
devices. To do this, first a centralized server (or set of servers) is created which will house sets of
the virtualized desktops. Each of these virtual machines will share the server's hardware resources,
such as RAM, CPU, and hard disk, via software called a hypervisor. This software regulates the
resources each VM can use in order to ensure that all VMs can run adequately. Then software
such as VMware Infrastructure is installed on each server and is used to build
virtual machines (or desktops). Administrators generally create a base virtual machine template.
This template houses the operating system that will be used and some default applications that
should be shared among all or a group of employees. Then, when the administrator needs to
create an individual desktop, they can take the base template and add virtualized applications
which are required by that specific user. They will also create a persistent disk which will hold
all of the employees’ personal documents and customizations for their desktop.
After the desktop is finished, the employee will need a way to connect to their new virtual
desktop PC. The employee will install software called a thin-client which will allow them to
connect to another set of software such as VMware Virtual Desktop Manager. This software will
first authenticate the user using an application such as Active Directory or Lightweight Directory
Access Protocol and once the user is authenticated, will forward that user to their individual
desktop.
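The connection step described above, as an added example that is not code from the paper or from VMware: the broker authenticates the thin client's user against a directory and then forwards only to the desktop the directory assigns to that user, so a client cannot name someone else's desktop. The in-memory directory, the PBKDF2 credential check, and the user, desktop and template names are constructed stand-ins for Active Directory/LDAP and a real desktop pool.

```python
"""Connection-broker step of the virtual-desktop flow: authenticate the
thin client's user against a directory, then forward that user only to
the desktop assigned to them.

Added example, not code from the paper or from VMware. The directory is
an in-memory stand-in for AD/LDAP; all names and credentials are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def derive(password, salt):
    """Password hash used by the stand-in directory (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Desktop:
    """One virtual desktop composed the way the text describes: a shared
    base template plus per-user virtualized apps and a persistent disk."""
    name: str
    base_template: str
    extra_apps: list = field(default_factory=list)
    persistent_disk: str = ""


# Constructed directory: credential hash and assigned desktop per user.
SALT = b"constructed-salt"
DIRECTORY = {
    "alice": {"hash": derive("correct horse", SALT), "desktop": "vd-alice"},
    "bob": {"hash": derive("battery staple", SALT), "desktop": "vd-bob"},
}

# Constructed desktop pool, each built from a group's base template.
DESKTOPS = {
    "vd-alice": Desktop("vd-alice", "win7-finance-base", ["ledger-app"], "pd-alice"),
    "vd-bob": Desktop("vd-bob", "win7-eng-base", ["ide"], "pd-bob"),
}


def authenticate(username, password):
    """Directory bind stand-in with a constant-time hash comparison.
    An unknown user still pays the derivation cost so enumeration by
    response time is not trivial."""
    entry = DIRECTORY.get(username)
    candidate = derive(password, SALT)
    if entry is None:
        return False
    return hmac.compare_digest(entry["hash"], candidate)


def broker_connect(username, password, requested_desktop=None):
    """Return the Desktop the caller may attach to, or None.
    The target is taken from the directory assignment, never from the
    client; a client-supplied name is honoured only if it matches."""
    if not authenticate(username, password):
        return None
    assigned = DIRECTORY[username]["desktop"]
    if requested_desktop is not None and requested_desktop != assigned:
        return None
    return DESKTOPS.get(assigned)


if __name__ == "__main__":
    for user, pw, req in [("alice", "correct horse", None),
                          ("alice", "correct horse", "vd-bob"),
                          ("mallory", "guess", None)]:
        print(user, req, "->", broker_connect(user, pw, req))
```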
User Compliance
Technology infrastructure is no longer isolated to the IT shop. Electronic data runs the
business's core sectors. The ease of sharing information has become challenging to manage and
potentially costly against earned revenue. Network access control for collaborative
environments is a risk management threshold between trusted and untrusted inventory.
Let us be practical and assume that most employees use mobile devices, with or without a
company computer use policy. In 2015 there will be an estimated 15 billion mobile devices with a
data plan (PC World). Facebook documented that in May 2012, 900 million users accessed
content from their mobile devices, representing more than half of total system users (Caldwell,
2012). President Obama, recognizing the importance of mobile phones and E-Government,
devised a digital law strategy for better services (NIST). NIST, through its Information
Technology Laboratory division, is mandated through the FISMA 2002 standards to identify NAC
vulnerabilities of BYOD and create compliance guidelines.
Of course, mobile devices are not the only way onto the ERP. Data port control is a
universal problem for any computing device. Maintaining security is likely more of a
management issue than a technological one. Technology, then, should be considered a tool that is
used or misused regardless of a strong security policy. My literature search located very little
information on the topic of security management and user adherence.
BYOD can be defined as a portable device running third-party applications and several
functions, including GPS, camera, media slots, WiFi, Bluetooth, microphone, etc. Firmware,
middleware and compilers are proprietary to the manufacturer. This can be costly for new software
license versions. Hardware and software trust issues can also be of concern.
The Confidentiality (C), Integrity (I), Accessibility (A) framework can be used to
illustrate how companies can protect against BYOD insider threats.
- C: Transmitted and stored data cannot be read by unauthorized parties.
- I: Detect any intentional or unintentional changes to transmitted data.
- A: Users can access resources using mobile devices whenever needed.
General Policy
- Restrict user & application access to built-in web browser (VPN &/or IBM Thin Client
  Solution, AKA: device just used as a "viewer").
- Restrict user & application access to built-in device peripherals (GPS, Bluetooth, etc.).
- Manage WiFi & Bluetooth wireless network interfaces.
- Automatically monitor, detect & report when policy violations occur.
Data Communication & Storage
- VPN encryption.
- Encrypt removable media, mitigating the risk of offline attacks.
- Software installed to remotely wipe device if lost or stolen.
- Sandboxing mobile applications.
User & Device Authentication
- Device requires strong password &/or domain authentication.
- SysAdmin remote access reset control.
- Automatic lock after a period of idle.
*Adapted from (Souppaya, 2012)
The vulnerability threat assessment will look different depending on the identified business core
functions and metric-derived thresholds. There are many BYOD product-driven readiness
assessment surveys available for free online. Typically the survey results offer a high-level view
of BYOD readiness based on set security policies.
BYOD Life Cycle Phases Diagram
- Initiation: Sensitivity restrictions; level of security confidence; cost; compliance with other
  regulations; technological limitations.
- Development: Technical characteristics; feasibility (network architecture, FIPS approved
  encryption; configuration regulations).
- Implementation: Configuration management; updates & authentication protection.
- Operations & Maintenance: Reconfigure; log reviews; attack detection.
- Disposal: Legal; erasing data.
Generally, effective BYOD implementation reduces operational cost. The state of
Delaware has reduced computer budget costs by 45% and has seen greater employee satisfaction
through implementing BYOD. However, the US LEOC BYOD project found it hard to monitor
3rd party software, like Dropbox, but saved the purchase of 800 thousand Blackberry devices.
AT&T's lessons learned section of their BYOD project noted difficulty in syncing time with the
network for accurate logs, legal and policy implications of loading software on personal
computers, and added cost for servers and storage applications with increased user remote access
(The White House, 2012).
What are the ethical implications of software on personally owned machines? Who
owns, manages and is responsible for servicing devices? How can needed security encryption
layers remain compliant with the manufacturer's standards? Do employee-owned assets used on the
company's network count as part of ISO 27001 incident reporting? Security breaches affecting
personal data are increasingly significant in global IT. Kaiser Permanente reported a stolen USB
flash drive containing 15,000 patient records (idexperts). Regulations, like HIPAA, must
be successfully integrated into the security policy. Employee consent is required for loading
company software and for device access during forensic investigations.
BYOD users likely use their devices for both personal and work purposes. There is a strong urge
by IT to restrict and disable device peripherals to mitigate risk. This is important from a pure
security standpoint for protecting against such things as a malware attack from a QR scan or
man-in-the-middle attacks from unauthorized third-party software. Enforcing through technology
alone is not enough: workers are smart, tech-savvy users and will find a workaround. Users may
not comply, especially if it means a delay in productivity or pressure from productivity standards.
In fact, more restrictions such as whitelisting can leave users with a false sense of security
(Caldwell, 2012). Greater focus should be on educating users on the risks. The RSA breach of
2011 escalated to higher-level user targets because users failed to report and to follow policy
protocol when resetting password credentials after experiencing a lockout (2012 SU G.E.T.
Speaker Series).
There are many learning theories to help deliver end user training. Training does not
transfer to learned knowledge unless aligned with daily habits (Nersen-Waly).
The Myers Briggs Indicator (MBI) can be useful to assess the impact of personality patterns
when collaborating with groups to minimize conflict (Le Vie, 1998). User empowerment
transference theory suggests the final product should be a user-driven decision, reached through
a feedback survey as the cognitive process for eliciting user comments and through targeted
motivational awards (Le Vie, 1998). Problem-based oriented education simulates interaction with
chatbots through a network management station that hosts the network management application,
a user-centered tutoring approach (Leonhardt, 2007).
Process-oriented training is more holistic and functional, focusing risks on business impact
(Mozaffar, 2009). Knowledge management facilitates peer learning and transfer of knowledge
through a mentor-mentee program (Yusof, 2012).
Training can be in-house, computer based or targeted. Training does not necessarily
translate to awareness. It is important for end users to understand the impact. This awareness
should extend from top executives through senior and middle management to create a known
cultural force. Guidelines should be well communicated, with roles and responsibilities. Successful
training should be measured by a reduction in operational costs and/or security breach incidents.
Recommendations
The creation of an acceptable use policy for BYOD ensures that the enhancements to an
organization's operations, productivity, and information security environment are not lost. To
accomplish this, an inclusive committee should be formed from representatives of each
department affected by BYOD. A lack of representation increases the risk of alienating
departments, which could lead to a decrease in the policy's effectiveness.
To increase effectiveness, the acceptable use policy should have a clear articulation of its
specific purpose (Kilman & Stamp, 2005). Using different departments will also increase the
diversity of knowledge used to create the policy. Most organizational policies that deal with
technology are too technically oriented (Dhillon & Torkzadeh, 2006). To this extent, the
acceptable use policy for BYOD must also focus on issues such as trust, ethics, and the integrity
of employees (Doherty, Anastasakis, & Fulford, 2011).
When creating the BYOD acceptable use policy, it is ideal to use an organization's
existing computer or information resource acceptable use policy as a reference. The committee
can then tailor the policy to shared device use. This creates a consistent policy set across the
organization. Organizations that lack existing policies would benefit from using a template and
adapting it to their organization's culture and structure.
When creating the policy, both external and internal threats to the devices must be
minimized. Reducing external threats will primarily be accomplished through security
mechanisms. The IT and InfoSec departments will leverage their knowledge to ensure the policy
minimizes external threats to the device and its data. This will result in best practices for
keeping the device and data secure, including scheduled security software updates and data
backup. In addition, the InfoSec department will lead the effort to create guidelines for
safe handling and storage of devices used for business purposes. Doing this will reduce external
threat levels to devices and their data.
After the IT and InfoSec departments have covered external threats, internal threats will
need to be examined. Employee asset misuse and data loss present a high level of risk for the
organization (Stanton, Stam, Mastrangelo, & Jolton, 2005). The Ethics and Human Resources
departments will leverage their knowledge to determine how employee misuse will be addressed.
Representatives from these departments will use their knowledge of employee conduct to
categorize what will be considered acceptable and unacceptable employee use of BYOD.
Additionally, the InfoSec department will establish guidelines on how to properly store, transmit,
and receive proprietary information. By harnessing the synergy from combined department
knowledge areas, an inclusive acceptable use policy will be created to mitigate risk from BYOD.
It is a high risk for an organization to implement BYOD without an acceptable use policy
to govern it. Implementation of the policy will protect against repercussions that can affect the
finances and reputation of an organization. The immediate effects of the repercussions are
significant by themselves, but they have the possibility to create a lasting effect. It is a prudent
move to implement an acceptable use policy for BYOD.
Developing common APIs and SDKs for all mobile devices provides the flexibility of
developing applications that can be implemented across different types of mobile devices;
however, this flexibility can also benefit attackers and malware developers, who can take
advantage of it to create malware for a wide range of mobile devices. In addition, patching and
updates at the OS level for mobile devices are far less frequent than for desktop operating
systems, which makes mobile devices more vulnerable and a favorite target for malware attacks.
According to NIST, the Mobile Work Group (MPWG) has been developing standards for
hardware components named the Mobile Trusted Module (MTM), which allows mobile devices
to trust other mobile devices similarly to what is currently done at the desktop level. However,
even though such technology will be available for the mobile devices of the future, certain
safeguards should always be taken into consideration to mitigate the risk that mobile devices
present. Such safeguards are simple but key to the continued security of the devices: raise
security awareness at the end user level, constantly account for possession of all mobile devices
in the organization and keep that information updated, enforce strong user authentication, install
prevention and detection clients/applications at the mobile device level, disable prolonged
storage of sensitive information, and promote positive security behavior around mobile devices
by enforcing the policies and procedures in place to minimize risk and impact.
Most organizations today are embracing the Bring Your Own Device (BYOD)
methodology mainly to reduce the cost associated with purchasing and maintaining physical
assets. Mobile devices are among the most preferred technology tools for piloting such a
methodology because of their characteristics. However, as described above, mobile devices
present an increased security risk for organizations that still have not figured out how to handle
such a security challenge. Adding to this, in a BYOD solution model, managing end users'
personal technology tools is a tricky and even more challenging business. While organizations
can apply stringent guidelines for using a BYOD device to access or perform work in integration
with the organization's networks and systems, as well as implement strong mobile device
management tools and even monitoring systems that can oversee the activity of a BYOD device,
the invasion of personal privacy rights has been questioned. Privacy requirements and policies in
this model add to the overall challenge of keeping organization-sensitive information secure at
all times. Keeping work information apart from personal information on a BYOD device such as
a mobile device is a technical challenge, and not doing so results in legal issues related to
personal privacy. Today this challenge is being worked around by jurisdictions making it
mandatory for organizations to obtain their employees' full consent before taking action to access
their personal devices and information. However, with the increased usage of cloud storage and
cloud computing, access to information through BYOD mobile devices presents new risks for an
organization, such as compliance failure when external devices frequently access sensitive
information in an uncontrolled way. It is clear that there is a mutual interest, from both the
personal and the organizational perspective, to resolve privacy and security related issues not
only through implementation of device management technologies but also through mutual
transparency and intelligent implementation of the BYOD solution model at the architectural
level from a strategic, business, and IT perspective.
MDM software provides companies the ability to enforce their security policies on mobile
devices in a fairly simple manner. This is done via a client-server architecture in which a client
application is installed on the mobile device and has the ability to change phone configurations.
An MDM server is provided and contains all of the security policies that a company wants
enforced. The server communicates with the mobile devices OTA. Desktop Virtualization gives
companies the ability to create a single desktop for an employee and allow that employee to
connect to that desktop via several different types of devices. This is done by creating a virtual
machine which contains all of the applications an employee may use and storing it on a
centralized server with other VMs. The employee's mobile device has software called a thin
client installed which grants the employee the ability to connect to the virtual desktop.
By using these two technologies, a company has the ability to ensure a few different things.
First, they allow the employee to use their personal device while still maintaining the controls
that are enforced on company-provided workstations. Second, these technologies are scalable,
and modifications to policies are fairly easy to deploy to all employees. Finally, these
technologies allow companies to collect information about their employees' hardware which can
be used to create future controls and further mitigate risks. By combining all of these benefits,
the company has the ability to remain compliant with regulators and other important stakeholders.
The personal conclusion from my lack of found literature on user compliance implies that
training is nice to have but not essential. Oddly, it is the user who is known as the weakest
network security leak, and this can have an average cost of 2 to 5% of revenue (Caldwell, 2012).
Human error accounts for 86% of all reported security incidents (Kearney, 2010). "...unless
robots replace the human workforce, human error is an issue that companies will continue to deal
with" (Deloitte, 2009). My recommendations for adopting BYOD, as aligned with the 2011 RSA
lessons learned (source? GET) seminar, are to have assets clearly defined, communicate roles and
responsibilities for adhering to the security policy, and have an in-place risk management plan
and user training. We should adopt a more sociological-technical approach to policy regulations
where human training is a primary organizational factor for minimizing security breaches.
References
The White House. (2012, August 23). Retrieved December 1, 2012, from A toolkit to support
Federal agencies implementing BYOD programs:
http://www.whitehouse.gov/digitalgov/bring-your-own-device
Alan, D. C. (2009). Who's watching your six in cyberspace? Signal, 63(11), 42.
Batke, K. (2011). Mitigating it security risks with layers of security. Business Credit, 113(6), 46.
Bell, R L. (2010). A three-step process to save troubled employees from themselves.
SuperVision, 71(11), 3-6.
Berrong, S. (2009). Creative approaches to security awareness training. Security Management,
53(7), 40.
Caldwell, T. (2012, September). Training - The Weakest Link. Computer Fraud & Security. Retrieved
December 1, 2012, from http://www.sciencedirect.com/science/journal/13613723
Canela, T. F. (2009). Mobile employees: Five questions to ask. Associations Now, 5(9), 22.
Corbitt, T. (2005). Managing employees' internet surfing. Management Services, 49(4), 38-39.
Daniel, W. (2004). In brief: Is wells data being held for ransom?. American Banker, 169(75), 7.
Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security
in organizations. Information Systems Journal, 16(3), 293-314.
Doherty, N. F., Anastasakis, L., & Fulford, H. (2011). Reinforcing the security of corporate
information resources: A critical review of the role of the acceptable use policy.
International journal of information management, 31(3), 201-209.
FCC, May 2012 – Comments Sought on Privacy and Security of Information Stored on
Mobile Communications Devices. Retrieved from
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-12-818A1.pdf
Herath, H. M. P. S., & Wijayanayake, W. M. J. I. (2009). Computer misuse in the workplace.
Journal of Business Continuity & Emergency Planning, 3(3), 259–270.
idexperts. (n.d.). Retrieved December 1, 2012, from Data Breach Press:
http://www2.idexpertscorp.com/press/healthcare-news/data-breaches-cost-the-healthcareindustry-an-estimated-65-billion/
Kearney, P. (2010). Security: The Human Factor. In P. Kearney, Security.
Kilman D., Stamp J. (2005). Framework for SCADA security policy. Technical report, Sandia
Corporation.
Kubal, L. (2005). Pov - The hidden value of proprietary information. Venture Capital Journal,
47.
Le Vie, D. (1998). Methods for Measuring Knowledge-Transfer Effectiveness in User and Training
Documentation.
Leonhardt, M. &. (2007). Using Chatbots for Network Management Training through Problem-based
Oriented Education. Seventh IEEE International Conference on Advanced Learning Technologies
(ICALT 2007), 2007. Niigata, Japan: IEEE.
Mozaffar, H. (2009). Process-Oriented User Training for Enterprise Resource Planning Systems. World
Congress on Software Engineering, 1, pp. 421-425.
Nersen-Waly. (n.d.). Improving organisational information security management. IEEE Computer Society.
Retrieved December 1, 2012, from http://www.computer.org/csdl/proceedings/hpccicess/2012/4749/00/4749b270-abs.html
NIST. (n.d.). Retrieved December 1, 2012, from Computer Security Division: Computer Security
Resource Center: http://csrc.nist.gov/
NIST Tech Beat, July 2012 – NIST Updates Guidelines for Mobile Device Security.
Retrieved from http://www.nist.gov/itl/csd/mobile-071112.cfm
NIST, October 2008 – Guidelines on Cell Phone and PDA Security.
Retrieved from http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
Okenyi, P. O., & Owens, T. J. (2007). On the anatomy of human hacking. Information Systems
Security, 16(6), 302-14.
SANS, March 2012 – SANS Mobility/BYOD Security Survey (A SANS Whitepaper).
Retrieved from http://www.sans.org/reading_room/analysts_program/mobility-secsurvey.pdf
Simply Security, August 2012 – BYOD Stoking Privacy Concerns Across the Organization.
Retrieved from http://www.simplysecurity.com/2012/08/28/byod-stokingprivacy-concerns-across-the-organization/
Souppaya, M. &. (2012). Guidelines for Managing and securing mobile devices in the enterprise.
DRAFT, NIST, Computer Security Division, Gaithersburg.
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end-user security
behaviours. Computers & Security, 24(2), 124–133.
Yusof, A. (2012, May 21-22). Quality and effectiveness of knowledge management transfer using of
Mentor-mentee Program and on Job Training in work place. Innovation Management and
Technology Research (ICIMTR), 2012 International Conference. Retrieved December 1, 2012,
from http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6236359&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F6226950%2F6236349%2F06236359.pdf%3Farnumber%3D6236359
http://web.ccsu.edu/neasc/selfstudy/virtual%20desktop%20infrastructure%20-%20vmware.htm
http://www.webroot.com/En_US/business/articles/mobile-device-management-do-you-need-it
http://www.vmware.com/products/view/overview.html
http://download3.vmware.com/demos/vdi
http://www.youtube.com/watch?v=qWf_WiaFedc
http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg
http://www.gartner.com/it-glossary/desktop-virtualization/
http://en.wikipedia.org/wiki/Desktop_virtualization#Advantages_and_disadvantages
Appendix A: BYOD Readiness Assessment
http://securityassessment.trendmicro.com/confirm.aspx?type=3
This is a high-level view to help begin the process of setting security policies. There are many
product driven assessments FREE on the Internet.