BYOD: How to Minimize RiskSecurity for Personal Mobile Devices Used for Business
When it comes to mobile devices, accommodating BYOD, or bring your own device, is a fact of life for organizations in all industry sectors worldwide. So, what can information security professionals do to minimize the risks involved in enabling staff members to use personally-owned tablets, smart phones, USB drives and other mobile devices for business purposes?
It all boils down to this: Conduct an inventory of all the types of personally-owned devices employees want to use for work-related tasks. Take every possible step to apply as many of the same precautions to these personally-owned devices as you apply to corporate-owned devices. And be sure to enter a clearly spelled-out legal agreement with those who use personal devices for work-related purposes, and then provide them with extensive ongoing training.
Whether overall security risks increase or decrease by accommodating BYOD "is probably a moot point," says Christopher Buse, chief information security officer for the State of Minnesota. "BYOD is already happening, and the trend will surely continue because that is what people want."
Vishal Salvi, chief information security officer at HDFC Bank in India, agrees that the BYOD trend is here to stay. "But the success of BYOD programs will depend on how security leaders handle complex issues of trust and liability resulting from the shifting ownership of mobile devices," he stresses.
Balancing Risks, Benefits
Accommodating personally-owned tablets, smart phones, USB drives and other mobile devices brings risks. The devices are easily lost, which can make any data stored on them vulnerable. And unless organizations make a concerted effort to make sure security controls, such as encryption and remote-wipe capability, are in place on these devices, they could be much riskier to use than corporate-owned devices, which routinely have security controls installed.
But BYOD also can yield substantial benefits, not the least of which is hefty cost savings.
Faced with limited government funding, the U.S. Department of Veterans Affairs, for example, couldn't afford to provide a smart phone or tablet to everyone on staff who wants to use one, acknowledges Roger Baker, CIO. He expects mobile devices eventually will replace desktop computers, dramatically decreasing the VA's costs while increasing user convenience.
Some experts argue that those who own the mobile devices they use for business purposes are more motivated to protect them and the information they contain.
"If there are pictures of your kid's birthday party on your iPhone, you're going to keep tighter control of it compared to just another corporate device," argues Malcolm Harkins, chief information security officer at Intel Corp. "Allowing personal ownership and use will go a long way in getting users to protect the device."
Because of overwhelming demand, the VA, which provides healthcare to veterans, recently began accommodating the use of corporate-owned iPads and iPhones in addition to BlackBerries and laptops. The VA will gradually accommodate personally-owned Apple devices this year, at first allowing the devices to be used only for viewing, and not storing, patient information. Eventually, the VA expects to accommodate devices running the Android operating system as well.
The security issues involved when allowing personally-owned devices are legal, rather than technical, Baker contends. "We're establishing what it is we need to have the user sign, relative to their personally-owned device, that will ensure, for example, that I have the right to wipe any VA information off of it at my discretion ... and ensure that I have the right to access the device to review it as needed."
Baker says the key issue is "what level of control do we need to have, as the government, in order to ensure that all the right things are happening with the device when it connects to us or when it contains veterans' information."
An effective way to enforce mobile device security strategies is using a mobile device manager application to monitor all devices, no matter who owns them, some experts say (see: How to Enforce Your Mobile Policy). That's the approach the VA is taking.
Requiring the use of specific security controls on personally-owned mobile devices can lead some workers to forego BYOD.
For example, about half of the Delaware state employees who had been using their own mobile devices to access the state network opted not to use them once the state required added security measures about a year ago, notes Elayne Starkey, the state's chief security officer. "If I used to have unfettered access to the state network and now I have to jump through a couple hoops to continue that access, I'm just not going to go to the trouble," she says, voicing the thoughts of some state workers. "I'm just not going to continue to be maybe as diligent about keeping up with my e-mail in the evening hours. I'll wait until 8 the next morning."
Until late 2010, Delaware state employees could access remotely - with few restrictions - government IT systems using their own iPhones, Androids and BlackBerries. "That was the piece that was keeping me up at night," Starkey says. "It was kind of an oversight on our part, more or less. We had not locked that down as tightly as we should have. In the beginning, it was not such an issue, but as the smart phones became more and more popular, we found that the number of devices accessing the state network was continuing to grow."
Starkey didn't want to ban the use of personally-owned devices for conducting state business; she recognizes that many state employees want to use a single device for personal and business purposes. The solution was to place controls on the personal devices that would help ensure the safety of the state IT system. The seven controls Delaware requires are:
- Strong password;
- Password history;
- Password that expires;
- Inactivity time out;
- Lock out after seven failed attempts to log on;
- Remote wipe if the device is compromised; and
- Encryption, if devices are capable of employing it.
"We're not trying to be difficult; we're not trying to impose rules," Starkey says. "But we are working to ... prevent data leakage and data loss out of the state network."
To Store, or Not to Store?
One major issue when using either corporate-owned or personally-owned devices is whether to permit storage of sensitive information on the devices.
Over the long haul, it could prove impractical to limit data storage, says security consultant Rebecca Herold. Although allowing the use of personally-owned devices solely for viewing sensitive information, such as medical records, is a good security measure, "I believe there will be a lot of pushback" regarding such a policy, she says. "Once personnel are allowed to use their own mobile computers, they will want, and actually expect, that they can use them in all the same ways as the entity-owned devices," she says.
But if sensitive information is, indeed, stored on personally-owned devices, it must be protected with encryption, stresses Herold, who heads the consulting firm Rebecca Herold & Associates.
Some mobile devices, however, cannot accommodate full disk-level encryption. That's why certain organizations are requiring any stored data to reside within specific applications that can accommodate appropriate encryption. For example, that's the approach the VA is taking for iPhones and iPads.
Importance of Education
Education and ongoing awareness training play key roles in ensuring that a mobile device security policy is actually followed by the rank and file, whether they're using corporate-owned or personally-owned devices, Herold contends.
That training should address a wide range of issues, including when and how to use encryption, how to back up sensitive information and how to use anti-malware software.
Despite the risks involved, accommodating BYOD is part of doing business in the 21st century, Herold and other security experts acknowledge.
"You should allow employees to bring their own devices," says Bill Wansley, who oversees multidisciplinary teams at the consultancy Booz Allen Hamilton. "It's a trend that organizations need to embrace."
But in embracing the trend, Wansley says, executives must "think about their policies and procedures and what potential risks they may be bringing on to their enterprise, unwittingly, and what they can do to help mitigate that risk."
(Eric Chabrow, Upasana Gupta and Tracy Kitten contributed to this story).