Running head: BRING YOUR OWN DEVICES

Bring Your Own Devices: Security Challenges, Guidelines, and Recommendations
IST623, Fall 2012, Syracuse University
Ryan Backus, Taurean Boyd, Kenneth Brenner, Edison Bylyku

Table of Contents
Statement of the Problem
Acceptable Use Policy
NIST Security Standards & Guidelines
Implementing BYOD
User Compliance
Recommendations
Works Cited
Appendix A: BYOD Readiness Assessment

Abstract

To increase the efficiency of employees and reduce costs, companies have been merging personal and business devices. Today's mobile devices pack impressive computing capabilities. This has allowed employees to conduct work remotely and take care of personal tasks on the same device. This is a cultural shift to accommodate the need for greater productivity, collaboration, and a generation of early adopters of mobile technology. Typical user allocation is no longer a simple 1-to-1 computer-to-LAN connection (Holtsnider, 2012). Value creation should come from the acceptance of new business models in the workplace (Carruthers).

Acceptable Use Policy for BYOD

To increase the efficiency of employees and reduce costs, companies have been merging personal and business devices. This has allowed employees to conduct work remotely and take care of personal tasks on the same device. Coinciding with the increase in efficiency gained by combining these devices is an increase in risk from unacceptable use. An important mechanism for reducing the occurrence of inappropriate use of company assets is a formal acceptable use policy. Having an acceptable use policy in place promotes desirable usage and effective security behaviors (Doherty, Anastasakis, & Fulford, 2011).
The benefits of implementing an acceptable use policy for shared devices are detailed below, along with recommendations for the policy. One of the most positive impacts of BYOD is the increase in employee efficiency, blending remote work and personal tasks on the same device. Although the rise of BYOD has led to an increase in efficiency, it also opens the door to vulnerabilities (Canela, 2009). These vulnerabilities include data theft, loss, and improper use. To reduce these risks, a shared-device acceptable use policy needs to be implemented by organizations adopting BYOD.

The purpose of developing an acceptable use policy is to provide guidelines for acceptable actions when using shared mobile devices. Ensuring employees are using shared devices for their intended purpose will be beneficial for an organization. Under an acceptable use policy, employees will be prohibited from misusing the devices, whether negligently or intentionally. To make the acceptable use policy successful, it should adhere to four primary goals (Doherty, Anastasakis, & Fulford, 2011):

1. Ensuring the integrity, reliability, and security of the organization's assets
2. Ensuring the use of devices is consistent with the principles of the organization
3. Ensuring the devices are used for their intended purposes
4. Establishing guidelines for addressing violations and outlining sanctions for violators

Ensuring the integrity, reliability, and security of the organization's assets

Acceptable use of shared mobile devices will maintain the integrity, reliability, and security of the organization's assets. This primarily pertains to the organization's information and network. The organization's information will be stored and transmitted on the employees' devices. This creates many new data vulnerabilities that can often be outside the traditional realm of IT control.
This is especially important because most knowledge-intensive organizations' competitive advantage is derived from a proprietary body of information (Kubal, 2005). The organization's network and system infrastructure can also face increased vulnerability from unacceptable use. Malware and other threats can originate from the device and make their way onto the network when it connects. The acceptable use policy will reduce the exposure to these risks. If the policy is lacking, it can decrease the integrity, reliability, and security of the organization's assets.

Loss and theft of proprietary information is a concern to the organization due to the value of the data. The acceptable use policy should establish guidelines for handling and securing the device. If the device were to be lost, the policy will ensure that it has proper encryption. Any device lost without proper encryption greatly increases the risk for an organization. To ensure proper encryption and adequate security measures, the Information Security department should be involved. The InfoSec department will analyze each type of device and determine which software and security policies need to be enforced before use is allowed. Additionally, as new devices become available, the acceptable use policy will need to be updated to cover them. If the software and security policies are not enforced, the device could be compromised without drawing notice. This can be especially harmful because access to the device can be more relaxed outside of the organization's work environment. Involving the InfoSec department will ensure the device is secure and reliable. This will help protect the organization against data theft and loss. While the type of data on the device will vary from department to department, regardless of its origin it will be governed by the policy. This is especially important to US organizations because the cost of data theft and loss has skyrocketed in the US.
Intellectual property theft and loss cost US organizations over 250 billion dollars annually (Alan, 2009). To reduce the exposure to this threat, it is necessary to implement a BYOD acceptable use policy. Ensuring that any device containing proprietary information is safe is a high priority for knowledge-intensive organizations (Doherty, Anastasakis, & Fulford, 2011).

Both internal and external threats exploit the vulnerabilities created by merging personal and business devices. The employees themselves are the internal threat. The weakest link in the security of proprietary data is the employee (Okenyi & Owens, 2007). Rogue employees can perpetrate malicious actions, and loyal employees can threaten the organization through negligence. External threats range from hackers to competitors and foreign governments. The goals of the attackers can vary from thrill seeking to financial gain. Although it may appear that external threats should receive the highest priority, most security incidents and unacceptable device usage are caused by employees (Stanton, Stam, Mastrangelo, & Jolton, 2005).

In addition to the threat of data theft is the impact of losing data. Having both personal and business data stored on the phone creates vulnerability for the organization and the employee. If the device were to be lost without regular backups made, it would negatively impact the organization. Depending on the value of the data and the difficulty of replacing it, the loss could have a large financial impact. The policy will guide the InfoSec department in establishing backup procedures for BYOD. Aside from the business data, if personal data is lost, it can negatively affect the employee. The problems arising from personal data loss and any time spent trying to recover data can decrease employee work performance and satisfaction (Bell, 2010). Having a proper acceptable use policy will reduce the risk of information theft and loss.
Along with the InfoSec department's security enforcement, the acceptable use policy should ensure employees only house necessary information on the device. If information that does not belong on the device is carelessly stored and transmitted, it can leave the organization in a vulnerable position. Compounding this is the value of the employee's device itself, which can present an even more lucrative target for theft. While the theft of proprietary data is the primary concern, the acceptable use policy will also need to cover proper care for the device. It is common for devices to be targeted by thieves because the organization did not have proper security and use policies in place (Daniel, 2004). A thorough acceptable use policy will reduce the organization's exposure to theft of information and devices.

Ensuring the use of devices is consistent with the principles of the organization

To further the benefits of an acceptable use policy, the use of BYOD should be consistent with the principles of the organization. By adapting the policy to the principles of the organization, it will explicitly prohibit unethical and illegal behavior conducted with the devices. Any behavior that falls under those categories will be prohibited, whether it is a personal or business action. As the lines between personal and business use are blurred, it is necessary that employee device use is aligned with the organization's principles. Without this instruction, prohibited use of the device can be another source of vulnerabilities. The acceptable use policy will outline which device actions are prohibited because they do not share the principles of the organization. The committee that designs the policy will need to explicitly classify activities such as downloading illegal material, hacking, and accessing pornography as prohibited.
These types of actions, and any others that do not align with the organization's principles, can open the organization up to lawsuits (Herath & Wijayanayake, 2009).

Ensuring the devices are used for their intended purposes

Another goal of establishing the policy is to make sure devices are used for their intended purposes. Misuse of the shared mobile devices will be prohibited whether it is negligent or intentional. A high proportion of security incidents caused by employees are the result of malpractice and negligence (Stanton, Stam, Mastrangelo, & Jolton, 2005). Employees could use the devices for harassment of others, hacking/cracking, and disseminating illegal material. Additionally, loss and corruption of data can be caused by employees misusing the device. For these reasons, organizations often deal with major threats to proprietary information from their own employees (Berrong, 2009).

When the devices are not used for their intended purpose, it can cause damage to the organization. Lawsuits have been successful against organizations whose employees use assets to harass, defame, or breach copyright laws (Herath & Wijayanayake, 2009). If there is no acceptable use policy in place, the organization could become the target of lawsuits for actions taken by employees. If employees are fired for improper actions that were not documented as unacceptable, they could also sue the company for wrongful dismissal. By implementing a proper acceptable use policy, the risk exposure for lawsuits decreases. An acceptable use policy can shield the organization from employee claims originating from unacceptable use of information assets (Corbitt, 2005).

Another impact of using the devices for their intended purposes is the cost benefit for the IT and InfoSec departments. Using the devices for purposes other than intended can increase the threat of security incidents and violations, which in turn increases costs.
Any support from the Information Technology department costs the company time and money. In addition, analyzing and removing security threats from devices will incur costs for the Information Security department. This will lead to schedule slips on strategic projects for the organization as more attention is shifted to the shared devices (Batke, 2011). An acceptable use policy will benefit all departments because the IT and InfoSec departments can focus on their primary goals of keeping the information system running smoothly and safely.

Establishing guidelines for addressing violations and outlining sanctions for violators

Lastly, guidelines should be established to address violations and repercussions for employees who violate the policy. The acceptable use policy not only outlines desirable device usage, it also guides the organization in responding to unacceptable use. To enforce the policy, deter employees from violations, and ensure equal treatment, instructions will be listed on how to handle violations. The level of repercussions for a violation should align with the organization's stance on employee misconduct.

NIST Standards and Guidelines, Privacy, and Security

Today's mobile devices pack impressive computing capabilities, and their presence in consumers' hands has become ubiquitous. Organizations have recognized the potential of mobile devices not only as technology tools that provide flexibility, increased productivity, and reduced cost, but also as communication channels to remain in contact with their customers' needs. Due to their popularity and increased capabilities, mobile devices have become both the victims of security threats and vulnerabilities and the tools used to carry out malicious attacks against other mobile devices. Mobile devices are currently being used by organizations such as government agencies and healthcare organizations that handle sensitive and private information, up to and including classified national security information.
It is in everyone's best interest that the security, privacy, and integrity of information remain a top priority even when such information is obtained, stored, and transmitted via mobile devices and wireless/cellular networks.

NIST (ITL) Standards and Guidelines

The surge and diversity of mobile devices have caught the digital world by surprise, and therefore the security of such mobile devices has become a widely recognized challenge. This has prompted governments and organizations to implement guidelines, standards, and policies regarding mobile device security.

NIST (National Institute of Standards and Technology) is a government agency founded in 1901 and is now part of the U.S. Department of Commerce. NIST's goal is to solve science and technology challenges in support of U.S. industry. Part of NIST, the ITL (Information Technology Laboratory) focuses on developing, testing, and analyzing technical, physical, administrative, and management standards and guidelines in support of cost-effective security and privacy of classified Federal information and information technology tools.

It is important to recognize the advantage that today's mobile devices provide for businesses and organizations, as well as the challenge such mobile devices present in keeping them secure. Mobile devices should be deployed in a way that upholds the information security principles of Confidentiality, Integrity, and Availability (CIA). With this awareness in mind, NIST has developed guidelines for managing and securing mobile devices in the enterprise. The nature and capabilities of mobile devices are always evolving and constantly changing. At the same pace, security threats, controls, and vulnerabilities are evolving and changing. It is important to recognize the nature of mobile devices and define a baseline of features that make up a mobile device before an organization can consider a secure and effective implementation of mobile device solutions.
The following are the main characteristics (though not the only ones) that define a mobile device:

Small form factor – This is what makes a mobile device mobile; the small size gives the end user the flexibility to travel with it without requiring extra supporting components.
Wireless connectivity – Able to receive and send data (communicate) wirelessly via WiFi, cellular networks, Bluetooth, etc. This capability gives the mobile device the ability to connect to network infrastructures and systems wirelessly via internet connectivity.
Local storage – Built-in or removable storage gives the mobile device the ability to store data.
Operating system – An operating system that is not a full-fledged desktop OS provides the mobile device the ability to run applications and clients in an efficient, quick, and easy-to-use way.
Third-party applications – Able to install applications in different ways, via an online store or through a web browser.
Syncing/synchronizing – Able to sync data with local machines such as desktops or with cloud computing systems.
NFC (Near-Field Communication) – Via Bluetooth or other NFC-type technologies.
GPS (Global Positioning System) – Providing the mobile device with the ability to utilize location services.
Camera – Used to capture video and images, or to communicate via built-in or third-party applications such as Skype.
Microphone – Able to record audio.

The capabilities and features listed above will continue to evolve as technology evolves. Because of this, mobile devices need additional protection given the wide range of capabilities that make up a mobile device. It is important that the common security principles (CIA) are strictly enforced in order to protect against high-level security vulnerabilities and threats. NIST's standards and guidelines focus on physical security controls, application-layer security, and access control of mobile devices in order to remain compliant and secure.
Because of the nature of mobile devices and the security threats and vulnerabilities associated with them, NIST's recommendation is to utilize centralized mobile device management technologies in order to:

- Manage the configuration and updating of mobile devices
- Secure the security settings and access control to the organization's network
- Control and segregate applications and capabilities for personal use and organization use within the same device

Centralized mobile device management technologies can be third-party based or developed by a mobile device brand. A third-party centralized mobile device management system provides the capability to support multiple brands of mobile devices, giving the organization the flexibility of having a diverse population of mobile devices yet being able to control and manage them as they would if they had one brand. Taking this approach, organizations are strongly recommended to consider and implement the following key guidelines in order to improve the security and manageability of mobile devices:

Develop system threat models for mobile devices and the systems that are integrated with and accessed by mobile devices

Given the small size of mobile devices, they can be misplaced; in addition, they require access to the outside world, normally through an outside-facing system/server placed in the DMZ. This makes the mobile device system, as well as the resources it integrates with, very vulnerable to threats and attacks. Conducting security scans and analysis in a controlled laboratory environment and network domain is key to identifying security vulnerabilities of the system. Classifying the vulnerabilities from low to high risk is important to risk management analysis for the system and the information processed by the system. The security threat transparency achieved will help ensure that the mobile device and the system considered for implementation fit the organization's security and infrastructure requirements.
Implement information security measures and services on mobile devices and their integrated systems at all levels of information security

Policy – Define and enforce specific enterprise security policies for mobile devices, such as access to hardware and software and connectivity to vulnerable public wireless networks.
Encryption – Implement strong encryption for data in transit and data at rest (stored), and support remotely erasing data on the device in case a mobile device is stolen and information could be recovered by an unauthorized party.
Access Control – Require user authentication and machine authentication before access to the internal network is granted to reach resources. Use an idle lock-out policy, remote password resetting, and remote locking of devices in case they are accessed by an unauthorized party.
Application Management and Control – Implement application filtering through whitelisting and blacklisting of non-authorized installations, updates, and synchronization. Ensure that updates at the operating system level and application level are controlled and blocked if not tested and approved for general availability by the organization.

Implement mobile device solutions in a controlled environment and network domain to prove the integrity of the solution prior to implementing in production

Following a three-pronged approach in implementing mobile device solutions is imperative to ensuring that not only the CIA principles are fulfilled but also that functionality and business continuity requirements are met. In a three-pronged approach, a controlled domain such as a lab is created to implement one or two potential mobile device solutions. In this environment, security scans and vulnerability and threat testing are performed to ensure the integrity of the system. Basic functionality testing should be performed at this level as part of the overall acceptance of the product.
A quality assurance (QA) environment that resembles production is created to ensure that the selected mobile device solution goes through stringent functionality and security testing, so that the system performs, integrates, and meets all network, security, and infrastructure requirements of the organization before rolling out to production. All implementation steps that are taken to implement the mobile device solution in QA should be documented and strictly followed during the production roll-out to ensure the expected results.

Pre-stage each mobile device and ensure that each mobile device is set up correctly and fully complies with policy, standards, and requirements before end users access the device. Establishing a level of trust with each device that is exposed to end users and production is an important step to ensure that leftover information from previous uses is no longer residing on the device.

Constant maintenance of mobile device security ensures continuity of business and continuity of information security on mobile devices. This includes checking for updates, upgrades, and security patches and testing them to ensure that such updates and patches do not introduce security and functionality vulnerabilities. Monitoring and testing the performance of processes to ensure that all processes and procedures are being followed properly is important.

Privacy and Security

The very features and characteristics that make mobile devices cutting-edge productivity tools in the hands of mobile end users are what make mobile devices a high-risk, high-vulnerability asset for an enterprise or organization. People rely on mobile devices daily to accomplish tasks on the move such as web browsing, reading and sending email and documents, phone calls, contact sharing, etc. Over time a vast amount of data is accumulated and stored on mobile devices.
Compared to desktops and laptops, mobile devices lack important security features; combined with the characteristic of always being physically on the move, mobile devices are even harder to administer and account for at any given time. Simply put, mobile devices could be a ticking security bomb on the move, making it even harder to identify and account for if and when it goes off.

The portability of mobile devices raises the chance of physical loss of the device, and a very high risk of data loss is associated with it. With unlimited physical access to the device, unauthorized users can overcome many of the security barriers that can be implemented on mobile devices. The security risks associated with the mobility of devices are plenty; however, the key security risks according to NIST are as follows:

Loss, theft, or disposal – Their portable size makes mobile devices easier to misplace and lose. Their high demand on the black market makes them prone to theft, resulting in loss of the physical device and its information. Disposing of mobile devices is normally done via a reset of the device; even though this means that information is erased from a logical perspective, from a physical perspective the information can be recovered.
Unauthorized access – Because of how frequently end users access a mobile device, easy authentication passwords and PINs are often used, resulting in a weak authentication mechanism. Easily guessed passwords or PINs, combined with credentials possibly stored on the mobile device, make this a major weakness of mobile devices.
Malware and spam – Malware is mostly built for mobile devices that run a popular operating system, as well as for those devices for which an SDK is available. Penetration of malware onto a mobile device can happen during synchronization with a desktop or through storage devices such as micro storage cards. Other methods of infection could be internet downloads or data sharing via messaging or NFC.
Malware can exploit the device's security weaknesses to obtain passwords, contact information, and credit card information and send them to an external repository server, or open a backdoor for an attacker to allow full access to the device. Mobile spam has also become popular, and it is used to trick end users into calling or texting chargeable services as a form of social engineering.
Electronic eavesdropping – Using spy software, attackers can eavesdrop on the activity on mobile devices. When spy software is installed silently on the device, it can be used to turn on features such as the microphone or camera to eavesdrop on sensitive meetings or discussions, resulting in leaks of sensitive and classified information.

Implementing BYOD

With the adoption of BYOD and the introduction of mobile devices into corporate networks, a new set of security issues arises. Not only do corporations need to worry about mobile devices with sensitive data being lost, but also about the possibility that an infected device can connect to the corporate network and potentially have access to sensitive information. To combat these issues, a market has developed around software that can mitigate these risks. Specifically, two products of this market, mobile device management software and desktop virtualization, have allowed corporations to have better management over mobile devices and how they connect to their networks. From here the question arises: how does a corporation introduce BYOD while using these two products? Before we can adequately answer the aforementioned question, we should first further define Mobile Device Management (MDM) software and Desktop Virtualization (VDI).
As defined by the Gartner research firm, MDM is "a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, possibly for personal use - enforcing policies and maintaining the desired level of IT control across multiple platforms." In other words, MDM software empowers corporations to place corporate applications (with access to sensitive information) on employees' personal devices without fear of risks. This is achieved by granting the ability to enforce corporate policies on those mobile devices.

Gartner also defines Desktop Virtualization as follows: "A technology that decouples a PC desktop environment from a physical device so that the virtual machine (VM) of the PC desktop stored in a centralized server can be accessed from a remote client device through a network." With the use of Desktop Virtualization, corporations can grant access to their networks via a whole host of different remote clients or devices and still only need to provide one desktop PC to the user. These are just a couple of the benefits that come with using these technologies.
Other benefits are as follows:

Benefits of MDM:
- Cloud-based, so updates are automatic and painless
- Remote configuration and monitoring
- Enforcement of passwords, blacklists, and other security policies
- Backup/restore functionality for corporate data
- Logging/reporting for compliance purposes
- Remote disconnection or disabling of unauthorized devices and applications
- Scalable, so new users and increasingly sophisticated devices can be accommodated easily

Benefits of Desktop Virtualization:
- Simpler provisioning of new desktops
- Lower cost of deploying new applications
- Desktop image-management capabilities
- Increased data security
- Longer refresh cycle for client desktop infrastructure
- Secure remote access to an enterprise desktop environment

Now that we've uncovered some of the benefits of each technology, let's explore how each of these technologies works. Mobile Device Management software is typically distributed as a client-server architecture. A corporation or third-party provider will produce a server which will contain the policies that will be enforced on each client or remote device. The server will also contain information about each of the client devices, which will be used to send policies and controls to those client devices over-the-air (OTA). On each remote device, a software client or application will be installed. This software client will listen for policies that are provided by the server and will modify phone configurations in order to enforce those policies.

To help illustrate this idea, let's explore an example. Suppose a smartphone which contains an MDM client is lost by an employee on the subway. The company that this employee works for has a policy in which they remotely wipe any phone that has been reported lost. So, an administrator connects to the MDM server and sends a command to the lost smartphone telling it to initiate a remote wipe. When the smartphone retrieves that command, it will execute the task.
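The client-server flow just described, as an added simulation that is not part of the paper or of any MDM vendor's product: the server holds the policy and device inventory and queues commands per device; each client check-in pulls queued commands (apply policy, uninstall a flagged application, wipe a device reported lost) and then reports its state back so the server can produce a compliance report. All class names, the policy values and the application names are constructed for the example.

```python
"""Toy MDM server/client simulation (added example, not the paper's code)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    min_passcode_len: int = 6      # assumption: organization requires 6+ digits
    idle_lock_seconds: int = 300   # automatic lock after this idle period
    blocked_apps: set = field(default_factory=set)  # application blacklist


@dataclass
class DeviceState:
    device_id: str
    owner: str
    passcode_len: int
    idle_lock_seconds: int
    apps: set
    corporate_data: dict


class MdmServer:
    def __init__(self, policy):
        self.policy = policy
        self.inventory = {}   # device_id -> last reported DeviceState
        self.queue = {}       # device_id -> pending (command, argument) pairs
        self.lost = set()

    def enroll(self, state):
        self.inventory[state.device_id] = state
        self.queue.setdefault(state.device_id, []).append(("apply_policy", self.policy))

    def report(self, state):
        # Client check-in refreshes the inventory used for compliance reports.
        self.inventory[state.device_id] = state

    def report_lost(self, device_id):
        # Organization policy in the text: any phone reported lost is wiped.
        self.lost.add(device_id)
        self.queue.setdefault(device_id, []).append(("wipe", None))

    def flag_malicious_app(self, app):
        # Blacklist the app, queue an uninstall on every device that reported it,
        # and return the affected device ids (the "how many devices" report).
        self.policy.blocked_apps.add(app)
        affected = [d for d, s in self.inventory.items() if app in s.apps]
        for d in affected:
            self.queue.setdefault(d, []).append(("uninstall", app))
        return affected

    def compliance_report(self):
        # Map each device to the policy violations visible in its last report.
        out = {}
        for d, s in self.inventory.items():
            issues = []
            if s.passcode_len < self.policy.min_passcode_len:
                issues.append("weak passcode")
            if s.idle_lock_seconds > self.policy.idle_lock_seconds:
                issues.append("idle lock too long")
            if s.apps & self.policy.blocked_apps:
                issues.append("blocked app present")
            out[d] = issues
        return out

    def fetch_commands(self, device_id):
        cmds = self.queue.get(device_id, [])
        self.queue[device_id] = []
        return cmds


class MdmClient:
    def __init__(self, state, server):
        self.state = state
        self.server = server
        server.enroll(state)

    def check_in(self):
        # One OTA poll: execute queued commands, then report current state.
        for cmd, arg in self.server.fetch_commands(self.state.device_id):
            if cmd == "apply_policy":
                # The client can tighten the idle lock itself; a too-short
                # passcode needs the user, so it only shows up in the report.
                self.state.idle_lock_seconds = min(
                    self.state.idle_lock_seconds, arg.idle_lock_seconds)
            elif cmd == "uninstall":
                self.state.apps.discard(arg)
            elif cmd == "wipe":
                self.state.corporate_data.clear()
                self.state.apps.clear()
        self.server.report(self.state)
        return self.state


if __name__ == "__main__":
    srv = MdmServer(Policy())
    # Constructed sample devices: one with a 4-digit PIN and a flagged app.
    a = MdmClient(DeviceState("dev-A", "alice", 4, 900, {"mail", "flashlight_pro"}, {"q3.xlsx": "..."}), srv)
    a.check_in()
    print(srv.flag_malicious_app("flashlight_pro"), srv.compliance_report())
```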
Another feature of MDM client software is that it can collect phone state information and report it back to the MDM server. With this, a company may be able to build reports that tell them information such as the types of phones their employees are using, the most popular applications used among their employees, etc. This information can be useful when a public report about a malicious application is found. If any of the client devices have this application, a command can be created and distributed to the client devices, and a report of how many devices have this application can be developed.

Desktop Virtualization grants the ability to provide a desktop PC experience on multiple devices. To do this, first a centralized server (or set of servers) is created which will house the sets of virtualized desktops. Each of these virtual machines will share the local hardware resources such as RAM, CPU, and hard disk via software called a hypervisor. This software regulates the resources each VM can use in order to ensure that all VMs can adequately run. Then software such as VMware's VMware Infrastructure is installed on each server and is used to create virtual machines (or desktops). Administrators generally create a base virtual machine template. This template houses the operating system that will be used and some default applications that should be shared among all employees or a group of employees. Then, when the administrator needs to create an individual desktop, they can take the base template and add virtualized applications which are required by that specific user. They will also create a persistent disk which will hold all of the employee's personal documents and customizations for their desktop. After the desktop is finished, the employee will need a way to connect to their new virtual desktop PC.
The employee will install software called a thin client which will allow them to connect to another set of software such as VMware Virtual Desktop Manager. This software will first authenticate the user using a directory service such as Active Directory or Lightweight Directory Access Protocol and, once the user is authenticated, will forward that user to their individual desktop.

User Compliance

Technology infrastructure is no longer isolated to the IT shop. Electronic data runs the business's core sectors. The ease of sharing information has become challenging to manage and potentially costly against earned revenue. Network access control for collaborative environments is a risk management threshold of trusted and untrusted inventory control.

Practically speaking, most employees use mobile devices whether or not a company computer use policy exists. In 2015 there will be an estimated 15 billion mobile devices with a data plan (PC World). Facebook documented in May 2012 that 900 million users used their mobile devices to access content, representing more than half of total system users (Caldwell, 2012). President Obama, recognizing the importance of mobile phones and E-Government, devised a digital strategy for better services (NIST). NIST, through its Information Technology Laboratory division, is mandated through FISMA 2002 standards to identify NAC vulnerabilities of BYOD and create compliance guidelines. Of course, mobile devices are not the only way for an on the ERP. Data port control is a universal problem of any technological computing device. Maintaining security is likely more of a management issue than a technological one. Technology, then, should be considered a tool that is used or misused regardless of a strong security policy. My literature search located very little information on the topic of security management and user adherence.
BYOD can be defined as a portable device running third-party applications and offering several functions, including GPS, camera, media slots, WiFi, Bluetooth, microphone, etc. Firmware, middleware and compiler are proprietary to the manufacturer. This can be costly for new software license versions. Hardware and software trust issues can also be of concern. The Confidentiality (C), Integrity (I), Accessibility (A) framework can be used to illustrate how companies can protect against BYOD insider threats:

C: Transmitted and stored data cannot be read by unauthorized parties.
I: Detect any intentional or unintentional changes to transmitted data.
A: Users can access resources using mobile devices whenever needed.

Policy controls by area (*adapted from Souppaya, 2012):

General Policy
- Restrict user & application access to the built-in web browser (VPN &/or IBM Thin Client Solution, AKA the device is just used as a "viewer").
- Restrict user & application access to built-in device peripherals (GPS, Bluetooth, etc.).
- Manage WiFi & Bluetooth wireless network interfaces.
- Automatically monitor, detect & report when policy violations occur.

Data Communication & Storage
- VPN encryption.
- Encrypt removable media storage, mitigating the risk of offline attacks.
- Software installed to remotely wipe the device if lost or stolen.
- Sandboxing mobile applications.

User & Device Authentication
- Device requires a strong password &/or domain authentication.
- SysAdmin remote access reset control.
- Automatic lock after a period of idle time.

The vulnerability threat assessment will look different depending on the identified business core functions and metric-derived thresholds. There are many BYOD product-driven readiness assessment surveys available for free online. Typically the survey results offer a high-level view of BYOD readiness based on set security policies.
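The MDM state reporting described earlier (the server collecting each device's state and checking which devices carry an application that has been publicly reported as malicious) and the "monitor, detect & report" and authentication controls in the table above can be combined into one server-side compliance check. The following is an added example written for this page; it is not code from the paper or from any MDM product. The report fields, the policy thresholds and the package names are constructed assumptions, and the blocked-app set stands in for whatever vetted threat feed a real deployment would use.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Set

# Policy thresholds: assumed values modelled on the policy table above
# (strong passcode, automatic idle lock, encrypted storage, remote wipe).
POLICY = {
    "min_passcode_length": 6,
    "max_idle_lock_seconds": 300,
    "require_storage_encryption": True,
    "require_remote_wipe": True,
    # Constructed package name standing in for an app reported as malicious.
    "blocked_apps": {"com.example.badflashlight"},
}


@dataclass
class DeviceReport:
    """One state report uploaded by the MDM client; field names are assumptions."""
    device_id: str
    platform: str
    passcode_length: int
    idle_lock_seconds: int      # 0 means the device never locks automatically
    storage_encrypted: bool
    remote_wipe_enabled: bool
    installed_apps: Set[str]


def check_device(report: DeviceReport, policy=POLICY) -> List[str]:
    """Return the policy violations for one device (empty list if compliant)."""
    violations = []
    if report.passcode_length < policy["min_passcode_length"]:
        violations.append("weak_passcode")
    if report.idle_lock_seconds == 0 or report.idle_lock_seconds > policy["max_idle_lock_seconds"]:
        violations.append("idle_lock")
    if policy["require_storage_encryption"] and not report.storage_encrypted:
        violations.append("storage_unencrypted")
    if policy["require_remote_wipe"] and not report.remote_wipe_enabled:
        violations.append("remote_wipe_disabled")
    # Any installed app on the blocked list is reported by name.
    for app in sorted(report.installed_apps & policy["blocked_apps"]):
        violations.append(f"blocked_app:{app}")
    return violations


def fleet_report(reports, policy=POLICY) -> dict:
    """Aggregate per-device checks into the kind of summary an MDM server would build."""
    summary = {
        "devices": len(reports),
        "noncompliant": 0,
        "by_platform": Counter(r.platform for r in reports),
        "violations": Counter(),   # counts per violation category
        "per_device": {},
    }
    for r in reports:
        v = check_device(r, policy)
        summary["per_device"][r.device_id] = v
        if v:
            summary["noncompliant"] += 1
        # "blocked_app:<name>" is counted under the "blocked_app" category.
        summary["violations"].update(x.split(":", 1)[0] for x in v)
    return summary


def devices_with_app(reports, app: str) -> List[str]:
    """Device ids that would receive a server command targeting this app."""
    return sorted(r.device_id for r in reports if app in r.installed_apps)


# Constructed sample reports; these are not real devices or real apps.
SAMPLE_REPORTS = [
    DeviceReport("dev-001", "android", 6, 300, True, True,
                 {"com.example.mail", "com.example.badflashlight"}),
    DeviceReport("dev-002", "ios", 4, 0, True, True, {"com.example.mail"}),
    DeviceReport("dev-003", "ios", 8, 120, True, True,
                 {"com.example.mail", "com.example.calendar"}),
    DeviceReport("dev-004", "android", 6, 600, False, False,
                 {"com.example.badflashlight"}),
]

if __name__ == "__main__":
    summary = fleet_report(SAMPLE_REPORTS)
    print(f"{summary['noncompliant']} of {summary['devices']} devices are non-compliant")
    for device_id, v in summary["per_device"].items():
        print(device_id, ", ".join(v) if v else "compliant")
    print("remove-app command targets:",
          devices_with_app(SAMPLE_REPORTS, "com.example.badflashlight"))
```

Run as a script it prints each device's violations and the list of devices that would be targeted by a command to remove the blocked app. The check is deliberately split into a per-device function and a fleet summary: the first is what the server evaluates when a single state report arrives, the second is the report the paper describes building after a malicious-app advisory, and both read from the same policy object so a policy change propagates to every device on the next evaluation.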
BYOD Life Cycle Phases Diagram (phases with the considerations listed for each):

Initiation: Sensitivity restrictions; level of security confidence; cost; compliance with other regulations; technological limitations.
Development: Technical characteristics; feasibility (network architecture, FIPS-approved encryption; configuration regulations).
Implementation: Configuration management; updates & authentication protection.
Operations & Maintenance: Reconfigure; log reviews; attack detection.
Disposal: Legal; erasing data.

Generally, effective BYOD implementation reduces operational cost. The state of Delaware has reduced computer budget costs by 45% and has seen greater employee satisfaction through implementing BYOD. However, the US LEOC BYOD project found it hard to monitor 3rd party software, like Dropbox, but saved the purchase of 800 thousand Blackberry devices. AT&T's lessons-learned section of their BYOD project noted difficulty in syncing time with the network for accurate logs, legal and policy implications of loading software on personal computers, and added cost for servers and storage applications with increased user remote access (The White House, 2012). What are the ethical implications of software on personally owned machines? Who owns, manages and is responsible for servicing devices? How can needed security encryption layers remain compliant with the manufacturer's standards? Do employee-owned assets using the company's network count as part of ISO 27001 incident reporting? Security breaches affecting personal data are increasingly significant in global IT. Kaiser Permanente reported a USB flash drive was stolen containing 15,000 patient records (idexperts). Regulations, like HIPAA, must be successfully integrated into the security policy. Employee consent is required for loading company software and for device access during forensic investigations. Employees likely use BYOD devices for both personal and work purposes.
There is a strong urge by IT to restrict and disable device peripherals to mitigate risk. This is important from a pure security standpoint for protecting against such things as a malware attack from a QR scan or man-in-the-middle attacks from unauthorized third-party software. Enforcing with technology alone is not enough: workers are smart, tech-savvy users and will find a workaround. Users may not comply, especially if it means a delay in productivity or pressure from productivity standards. In fact, more restrictions such as whitelisting can leave users with a false sense of security (Caldwell, 2012). Greater focus should be on educating users on the risks. The RSA breach of 2011 spread to higher-level user targets because of users' lack of reporting and failure to follow policy protocol when resetting password credentials after experiencing a lockout (2012 SU G.E.T. Speaker Series). There are many learning theories to help deliver end-user training. Training does not transfer to learned knowledge unless aligned with daily habits (Nersen-Waly). The Myers Briggs Indicator (MBI) can be useful to assess the impact of personality patterns when collaborating with groups to minimize conflict (Le Vie, 1998). User empowerment transference theory suggests the final product should be a user-driven decision, using a feedback survey as a cognitive process for eliciting user comments, together with targeted motivational awards (Le Vie, 1998). Problem-based oriented education simulates interaction with bots through a network management station that hosts the network; the management application is a user-centered tutoring approach (Leonhardt, 2007). Process-oriented training is more holistic and functional, focusing risks on business impact (Mozaffar, 2009). Knowledge management facilitates peer learning and the transfer of knowledge through a mentor-mentee program (Yusof, 2012). Training can be in-house, computer-based or targeted. Training does not necessarily translate to awareness.
It is important for end users to understand the impact. This awareness should extend from top executives through senior and middle management to create a known cultural force. Guidelines should be well communicated, with roles and responsibilities. Successful training should be measured by a reduction in operational costs and/or security breach incidents.

Recommendations

The creation of an acceptable use policy for BYOD will ensure that the enhancement of an organization's operations, productivity, and information security environment is not lost. To accomplish this, an inclusive committee should be formed from representatives of each department affected by BYOD. A lack of representation increases the risk of alienating departments, which could lead to a decrease in the policy's effectiveness. To increase effectiveness, the acceptable use policy should have a clear articulation of its specific purpose (Kilman & Stamp, 2005). Using different departments will also increase the diversity of knowledge used to create the policy. Most organizational policies that deal with technology are too technically oriented (Dhillon & Torkzadeh, 2006). To this extent, the acceptable use policy for BYOD must also focus on issues such as trust, ethics, and the integrity of employees (Doherty, Anastasakis, & Fulford, 2011). When creating the BYOD acceptable use policy, it is ideal to use an organization's existing computer or information resource acceptable use policy as a reference. The committee can then tailor the policy to shared device use. This creates a consistent policy set across the organization. Organizations that lack existing policies would benefit from using a template and adapting it to their organization's culture and structure. When creating the policy, both external and internal threats to the devices must be minimized. Reducing external threats will primarily be accomplished through security mechanisms.
The IT and InfoSec departments will leverage their knowledge to ensure the policy minimizes external threats to the device and its data. This will result in best practices for keeping the device and data secure, including scheduled security software updates and data backup. In addition, the InfoSec department will lead the effort to create guidelines for safe handling and storage of devices used for business purposes. Doing this will reduce external threat levels to devices and their data. After the IT and InfoSec departments have covered external threats, internal threats will need to be examined. Employee asset misuse and data loss present a high level of risk for the organization (Stanton, Stam, Mastrangelo, & Jolton, 2005). The Ethics and Human Resources departments will leverage their knowledge to determine how employee misuse will be addressed. Representatives from these departments will use their knowledge of employee conduct to categorize what will be considered acceptable and unacceptable employee use of BYOD. Additionally, the InfoSec department will establish guidelines on how to properly store, transmit, and receive proprietary information. By harnessing the synergy of the combined departmental knowledge areas, an inclusive acceptable use policy will be created to mitigate risk from BYOD. It is a high risk for an organization to implement BYOD without an acceptable use policy to govern it. Implementation of the policy will protect against repercussions that can affect the finances and reputation of an organization. The immediate effects of the repercussions are significant by themselves, but they also have the potential to create a lasting effect. It is a prudent move to implement an acceptable use policy for BYOD.
Developing common APIs and SDKs for all mobile devices provides the flexibility of developing applications that can be implemented across different types of mobile devices; however, this flexibility can also benefit attackers and malware developers, who can take advantage of it to create and deploy malware for a wide range of mobile devices. In addition, patching and updating at the OS level is far less frequent for mobile devices than for desktop operating systems, which makes mobile devices more vulnerable and a favorite target for malware attacks. According to NIST, the Mobile Work Group (MPWG) has been developing standards for a hardware component named the Mobile Trusted Module (MTM), which allows mobile devices to trust other mobile devices similarly to what is currently done at the desktop level. However, even though such technology will be available for the mobile devices of the future, certain safeguards should always be taken into consideration to mitigate the risk that mobile devices present. Such safeguards are simple but key to the continued security of the devices: raise security awareness at the end-user level; constantly account for possession of all mobile devices in the organization and keep that information updated; enforce strong user authentication; install prevention and detection clients/applications at the mobile device level; disable prolonged storage of sensitive information; and promote positive security behavior around mobile devices by enforcing the policies and procedures in place to minimize risk and impact. Most organizations today are embracing the Bring Your Own Device (BYOD) methodology mainly to reduce the costs associated with purchasing and maintaining physical assets. Mobile devices are among the most preferred technology tools for piloting such a methodology because of their characteristics.
However, as described above, mobile devices present an increased security risk for organizations that still have not figured out how to handle such a security challenge. Adding to this, in a BYOD solution model managing end users' personal technology tools is a tricky and even more challenging business. While organizations can apply stringent guidelines for using a BYOD device to access or perform work in integration with the organization's networks and systems, implement strong mobile device management tools, and even deploy monitoring systems that oversee the activity of a BYOD device, the invasion of personal privacy rights has been questioned. Privacy requirements and policies in this model add to the overall challenge of keeping organization-sensitive information secure at all times. Keeping work information apart from personal information on a BYOD device such as a mobile device is a technical challenge, and not doing so results in legal issues related to personal privacy. Today this challenge is being worked around by jurisdictions making it mandatory for organizations to obtain their employees' full consent before taking action to access their personal devices and information. However, with the increased usage of cloud storage and cloud computing, access to information through BYOD mobile devices presents new risks for an organization, such as compliance failures from external devices accessing sensitive information frequently in an uncontrolled way. It is clear that there is a mutual interest from the personal and organizational perspectives to resolve privacy and security related issues not only through implementation of device management technologies but also through mutual transparency and intelligent implementation of the BYOD solution model at the architectural level from a strategic, business, and IT perspective. MDM software provides companies the ability to enforce their security policies on mobile devices in a fairly simple manner.
This is done via a client-server architecture in which a client application is installed on the mobile device and has the ability to change phone configurations. An MDM server is provided and contains all of the security policies that a company wants enforced. The server communicates with the mobile devices over the air (OTA). Desktop Virtualization allows companies to create a single desktop for an employee and let that employee connect to that desktop via several different types of devices. This is done by creating a virtual machine which contains all of the applications an employee may use and storing it on a centralized server with other VMs. The employee's mobile device has software called a thin client installed which grants the employee the ability to connect to the virtual desktop. By using these two technologies, a company can ensure a few different things. First, they allow the employee to use their personal device while still maintaining the controls that are enforced on company-provided workstations. Second, these technologies are scalable, and modifications to policies are fairly easy to deploy to all employees. Finally, these technologies allow companies to collect information about their employees' hardware, which can be used to create future controls and further mitigate risks. By combining all of these benefits, the company has the ability to remain compliant with regulators and other important stakeholders.

The personal conclusion from my lack of found literature on user compliance implies training is nice to have but not essential. Oddly, it is the user who is known as the weakest network security leak, and this can have an average cost of 2 to 5% of revenue (Caldwell, 2012). Human error accounts for 86% of all reported security incidents (Kearney, 2010). "...unless robots replace the human workforce, human error is an issue that companies will continue to deal with" (Deloitte, 2009).
My recommendations for adopting BYOD, as aligned with the 2011 RSA lessons learned (source? GET) seminar, are to have assets clearly defined, communicate roles and responsibilities for adhering to the security policy, have an in-place risk management plan, and provide user training. We should adopt a more socio-technical approach to policy regulations where human training is a primary organizational factor for minimizing security breaches.

References

The White House. (2012, August 23). A toolkit to support Federal agencies implementing BYOD programs. Retrieved December 1, 2012, from http://www.whitehouse.gov/digitalgov/bring-your-own-device
Alan, D. C. (2009). Who's watching your six in cyberspace? Signal, 63(11), 42.
Batke, K. (2011). Mitigating IT security risks with layers of security. Business Credit, 113(6), 46.
Bell, R. L. (2010). A three-step process to save troubled employees from themselves. SuperVision, 71(11), 3-6.
Berrong, S. (2009). Creative approaches to security awareness training. Security Management, 53(7), 40.
Caldwell, T. (2012, September). Training - The weakest link. Computer Fraud & Security. Retrieved December 1, 2012, from http://www.sciencedirect.com/science/journal/13613723
Canela, T. F. (2009). Mobile employees: Five questions to ask. Associations Now, 5(9), 22.
Corbitt, T. (2005). Managing employees' internet surfing. Management Services, 49(4), 38-39.
Daniel, W. (2004). In brief: Is Wells data being held for ransom? American Banker, 169(75), 7.
Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16(3), 293-314.
Doherty, N. F., Anastasakis, L., & Fulford, H. (2011). Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy. International Journal of Information Management, 31(3), 201-209.
FCC. (2012, May). Comments sought on privacy and security of information stored on mobile communications devices. Retrieved from http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-12-818A1.pdf
Herath, H. M. P. S., & Wijayanayake, W. M. J. I. (2009). Computer misuse in the workplace. Journal of Business Continuity & Emergency Planning, 3(3), 259-270.
idexperts. (n.d.). Data breach press. Retrieved December 1, 2012, from http://www2.idexpertscorp.com/press/healthcare-news/data-breaches-cost-the-healthcareindustry-an-estimated-65-billion/
Kearney, P. (2010). Security: The human factor. In P. Kearney, Security.
Kilman, D., & Stamp, J. (2005). Framework for SCADA security policy. Technical report, Sandia Corporation.
Kubal, L. (2005). POV - The hidden value of proprietary information. Venture Capital Journal, 47.
Le Vie, D. (1998). Methods for measuring knowledge-transfer effectiveness in user and training documentation.
Leonhardt, M. &. (2007). Using chatbots for network management training through problem-based oriented education. Seventh IEEE International Conference on Advanced Learning Technologies (ICALT 2007), Niigata, Japan: IEEE.
Mozaffar, H. (2009). Process-oriented user training for enterprise resource planning systems. World Congress on Software Engineering, 1, pp. 421-425.
Nersen-Waly. (n.d.). Improving organisational information security management. IEEE Computer Society. Retrieved December 1, 2012, from http://www.computer.org/csdl/proceedings/hpccicess/2012/4749/00/4749b270-abs.html
NIST. (n.d.). Computer Security Division: Computer Security Resource Center. Retrieved December 1, 2012, from http://csrc.nist.gov/
NIST Tech Beat. (2012, July). NIST updates guidelines for mobile device security. Retrieved from http://www.nist.gov/itl/csd/mobile-071112.cfm
NIST. (2008, October). Guidelines on cell phone and PDA security. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
Okenyi, P. O., & Owens, T. J. (2007). On the anatomy of human hacking. Information Systems Security, 16(6), 302-14.
SANS. (2012, March). SANS mobility/BYOD security survey (A SANS whitepaper). Retrieved from http://www.sans.org/reading_room/analysts_program/mobility-secsurvey.pdf
Simply Security. (2012, August). BYOD stoking privacy concerns across the organization. Retrieved from http://www.simplysecurity.com/2012/08/28/byod-stokingprivacy-concerns-across-the-organization/
Souppaya, M. &. (2012). Guidelines for managing and securing mobile devices in the enterprise. DRAFT, NIST, Computer Security Division, Gaithersburg.
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end-user security behaviours. Computers & Security, 24(2), 124-133.
Yusof, A. (2012, May 21-22). Quality and effectiveness of knowledge management transfer using of mentor-mentee program and on job training in work place. Innovation Management and Technology Research (ICIMTR), 2012 International Conference. Retrieved December 1, 2012, from http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6236359&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F6226950%2F6236349%2F06236359.pdf%3Farnumber%3D6236359
http://web.ccsu.edu/neasc/selfstudy/virtual%20desktop%20infrastructure%20-%20vmware.htm
http://www.webroot.com/En_US/business/articles/mobile-device-management-do-you-need-it
http://www.vmware.com/products/view/overview.html
http://download3.vmware.com/demos/vdi
http://www.youtube.com/watch?v=qWf_WiaFedc
http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg
http://www.gartner.com/it-glossary/desktop-virtualization/
http://en.wikipedia.org/wiki/Desktop_virtualization#Advantages_and_disadvantages

Appendix A: BYOD Readiness Assessment

http://securityassessment.trendmicro.com/confirm.aspx?type=3
This is a high-level view to help begin the process of setting security policies. There are many product-driven assessments available for free on the Internet.