Mobile Security – Bring Your Own Device
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */
There is a massive upsurge of mobile devices in the consumer market, and corporations increasingly expect their employees to have instant connectivity to their working environment. These two factors are reshaping the IT landscape. IT consumerization has blurred the lines between work and personal life, especially when it comes to mobile devices. People use mobile devices both for their personal lives and for work, and they want to access corporate IT systems anytime and anywhere.
According to Forrester, more than 50% of the information workforce will use three or more devices. Gartner is also predicting that by 2017, half of employers will require employees to use their own mobile devices for work purposes.
Bring Your Own Device (BYOD) refers to the practice of allowing employees to use personal mobile devices for company work-related activities. This trend is becoming inevitable, and it is imperative that corporations form a strategy to deal with it.
To examine the prevalence of BYOD, Vanson Bourne, commissioned by Dell, interviewed 1,485 IT heads from across the globe about their opinion of BYOD. The results indicated that companies could realize corporate gains from BYOD [4].
69% or more of the surveyed organizations believe that BYOD can help their employees be more productive, respond faster to customers, improve work processes, work better in the future and improve operational efficiencies.
BYOD Security Concerns
BYOD poses new security threats to companies because companies have little control over employees' personal mobile devices. Sensitive corporate information can be stored on personal mobile devices with little protection. Malware can be introduced into the corporate environment by negligent employees connecting their personal mobile devices to the corporate
Mobile Device Management
Mobile Device Management (MDM) is management software that allows corporations to centrally control the policy and configuration of employees' mobile devices. It helps corporations manage their BYOD program by supporting security, network services, and software and hardware management across multiple mobile device platforms. This allows employees to use personal devices for work-related activities in a much more controlled and secure environment.
Key Functions and Features
General Policy
General policy refers to the enforcement of corporate security policies on mobile devices. Examples of policy restrictions include restricting user and application access to hardware and restricting access to native OS services (e.g. the built-in web browser, calendaring, contacts, etc.). Policy can also control the management of wireless network interfaces; automatically monitor, detect and report policy violations; and limit or prevent access based on the operating system version, vendor model, and whether the device has been rooted or jailbroken.
Data Communication and Storage
Data communication and storage refers to the capability of encrypting data communications between the mobile device and the corporation, and encrypting data on both built-in storage and removable media storage. Also, there should be the capability to support remote wiping of the mobile device data if the device is reported to be lost or stolen.
User and Device Authentication
It is important to authenticate a user before granting access to corporate resources. This includes basic parameters for password strength and a limit on the number of retries permitted before negative consequences apply. The control should also be able to automatically lock a mobile device after a period of inactivity.
Application Control
Some MDM solutions also provide the ability to control the installation and execution of mobile applications.
Application control can restrict the permissions (e.g. camera access, location access) assigned to each mobile application, verify digital signatures on applications to ensure that only applications from trusted entities are installed, and verify that code has not been modified.
There are also MDM solutions designed to perform finer-grained mobile application management. These are often referred to as Mobile Application Management (MAM). Besides controlling the installation and execution of mobile applications, MAM manages the entire life cycle of mobile applications.
Virtualization
The power of BYOD lies in allowing employees to use personal mobile devices to access corporate applications. But what if an application has no mobile version that can be managed under MDM?
Virtualization is a technological solution which allows IT departments to present corporate applications securely on user devices regardless of the device model. Virtualization can also provide control over data storage and location. For mobile devices such as tablets, virtualization allows existing applications to be delivered to tablet users without the need to wait for the availability of an iOS or Android mobile version of the application.
Considerations when Exploring Virtualization as part of BYOD
- The touch screen interface is not suitable for many Windows applications.
- Client-hosted desktop virtualization is not an option on tablets because they do not have sufficient computing power or memory to run a locally hosted virtual Windows desktop.
- Application compatibility can be a problem. Applications that are available for one mobile device platform might not be available on others.
Even if the above challenges can be addressed, virtualization to support the delivery of corporate applications to mobile devices should be implemented step by step.
It is important to understand that BYOD is not the same as MDM. MDM is only one component of a complete strategy and program for securing personal devices used for business. Corporations are unlikely to succeed in implementing BYOD and achieving all its benefits with MDM alone; they also need a strategy, supporting policies and operational processes.
The first and foremost step is to define the BYOD strategy and the scope of coverage. Part of this strategy can be a stipend program to encourage employees to use their own personal devices for work. Whatever the strategy is, it should be clearly defined, including how the stated objectives and benefits will be realized. The corporation should also be clear about whether BYOD will cover only personal smartphones, or tablets and even laptops as well.
Associated IT policies supporting BYOD should also be defined so that users understand what is acceptable and what is not. If the corporation holds sensitive data, it will have to determine whether certain employees are allowed to access and store such sensitive data on their personal devices.
MDM and virtualization should be regarded as the technological enablers for BYOD. A suitable MDM solution as well as the supporting virtualization technology should be sourced through careful testing and selection.
Corporations should prepare for the worst and know how to deal with incidents such as employees losing personal mobile devices that have been enrolled in the BYOD program. Moreover, employees may have questions and require technical assistance as part of operational support. All these operational processes should be developed as part of the BYOD implementation strategy. It is also important that security fixes are applied promptly so that the latest mobile security threats do not compromise a corporation's IT security.
Implications for Universities
The business nature and operating environment of universities differ from those of commercial corporations. Universities advocate openness and the free sharing of knowledge. Also, a vast number of students and staff require network and computing access in a university. Student turnover is very dynamic, with new freshmen arriving and students graduating every year. Universities also have to support many different working arrangements, including full-time staff, part-time staff, visiting scholars, research assistants, etc. Because of all these complicating factors, the way corporations use MDM to control the usage of personal mobile devices may not be entirely applicable to universities.
Nevertheless, BYOD has already been partially implemented in university environments. Staff and students are already connecting their personal devices to the campus network, and authentication is required before these personal computing devices are granted access to university IT applications and resources. Facing the current wave of BYOD and the constant stream of security threats affecting mobile devices, universities will have to look further into tightening the way BYOD is supported.
IT Security Strategies for Universities
Universities can explore using Network Access Control (NAC) to ensure that mobile devices meet a set of security requirements and IT standards before they are allowed to connect to the network. NAC can scan device operating systems, applications, and security software to ensure they are up to date and that the security software has run recently, so that the device is known to be clean. A self-provisioning portal can be set up to relieve the IT department of the burden of registering every single device; it also speeds up the process of registering and validating a device, with the additional benefit of maintaining an inventory of devices.
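A device posture check of the kind the MDM general-policy and authentication controls above (OS version, rooted or jailbroken state, storage encryption, passcode, retry and idle-lock settings) and the NAC pre-connection scan described here would enforce, as an added Python example that is not from the newsletter; the policy thresholds, field names and device records are constructed assumptions, not values from any real product.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class DevicePosture:
    """Posture attributes an MDM agent or NAC scan would report for one device (constructed)."""
    platform: str                   # "ios" or "android"
    os_version: str                 # dotted version string, e.g. "7.1.2"
    rooted: bool                    # rooted (Android) or jailbroken (iOS)
    storage_encrypted: bool         # built-in storage encryption enabled
    passcode_min_length: int        # minimum passcode length the device enforces
    max_failed_unlocks: int         # retries before the device locks; 0 = no limit
    idle_lock_seconds: int          # auto-lock timeout; 0 = never locks
    last_scan_age_days: Optional[int]  # days since security software last scanned

# Constructed policy thresholds: assumptions for this example, not values from the article.
POLICY = {
    "min_os": {"ios": (7, 0), "android": (4, 4)},
    "min_passcode_length": 6,
    "max_failed_unlocks": 10,
    "max_idle_lock_seconds": 300,
    "max_scan_age_days": 7,
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2); tuples compare component-wise, so '7.1.2' >= '7.0' holds."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def evaluate(dev: DevicePosture, policy: dict = POLICY) -> List[str]:
    """Return every policy violation found; an empty list means the device may connect."""
    violations = []
    min_os = policy["min_os"].get(dev.platform)
    if min_os is None:
        violations.append(f"platform not supported: {dev.platform}")
    elif parse_version(dev.os_version) < min_os:
        violations.append(f"OS {dev.os_version} is below the required minimum")
    if dev.rooted:
        violations.append("device is rooted or jailbroken")
    if not dev.storage_encrypted:
        violations.append("built-in storage is not encrypted")
    if dev.passcode_min_length < policy["min_passcode_length"]:
        violations.append("passcode policy is weaker than required")
    if dev.max_failed_unlocks == 0 or dev.max_failed_unlocks > policy["max_failed_unlocks"]:
        violations.append("no effective limit on failed unlock attempts")
    if dev.idle_lock_seconds == 0 or dev.idle_lock_seconds > policy["max_idle_lock_seconds"]:
        violations.append("idle auto-lock is missing or too long")
    if dev.last_scan_age_days is None or dev.last_scan_age_days > policy["max_scan_age_days"]:
        violations.append("security software has not completed a recent scan")
    return violations
```

Reporting every violation rather than stopping at the first lets a self-provisioning portal tell the user exactly what to fix before the device is admitted.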
Depending on the level of security control needed, MDM can still be implemented in phases according to the supported devices and user community. The first batch of supported devices can be university-issued devices, gradually extending to personal devices. As for the user community, the rollout can initially support full-time staff, then faculty members and non-full-time staff, and eventually the student community.
Mobile devices have become an indispensable part of our personal lives as well as our working lives. Many people already use personal mobile devices in their work environment to perform work-related activities. The wave of BYOD is becoming so inevitable that corporations have to look into how to support it with the proper implementation of security controls such as MDM and virtualization technology.
Although the nature of work at a university differs from that of a commercial corporation, similar controls can be adopted to better govern the usage of personal mobile devices in the university environment.
References
- "BYOD Stats: What Business Leaders Need To Know Right Now." Leapfrog Extraordinary IT Services, Mar. 2013. Web. 02 July 2014.
- "SAMSUNG Mobile Index Reveals BYOD Trend." Samsung Electronics America, Samsung U.S. News, 08 Jan. 2013. Web. 02 July 2014.
- Jones, Jeff. "BYOD: Is It Good, Bad or Ugly from the User Viewpoint?" Microsoft Security Blog. Microsoft, 26 July 2012. Web. 02 July 2014.
- Vanson Bourne. BYOD: Putting Users First Produces Biggest Gains, Fewest Setbacks. Survey commissioned by Dell. Web.
- "Bradford Networks' Network Sentry Helps University of Kent Control and Manage Its Student Residence Network." Bradford Networks. Web.
- Souppaya, Murugiah. Guidelines for Managing the Security of Mobile Devices in the Enterprise. NIST Special Publication 800-124. National Institute of Standards and Technology, June 2013. Web.
- "Mobile Application Management." Wikipedia. Wikimedia Foundation, 18 May 2014. Web.
- "Embracing Bring Your Own Device (BYOD) by Dell Software." Dell. Web. 02 July 2014.
- Bowker, Mark. "Desktop Virtualization." White Paper. Enterprise Strategy Group, Oct. 2009. Web.
- Farbush, James. "Mobile App Virtualization Eases Deployment Headaches for IT." Search Consumerization, 24 Oct. 2012. Web.
- Kaspersky Lab. Global Corporate IT Security Risks: 2013. Kaspersky Lab, May 2013. Web.
- "Good News: Good Technology's 2nd Annual S..." Good Community, Recent Posts. Good. Web.
- Geer, David. "Device Management Across the Network." University Business Magazine, Feb. 2013. Web. 02 July 2014.