A core element of computing access is end users and their devices. It is the device that will access a network or corporate application and it is often the device that represents the "last mile" of security for any organization. To understand device security, it's critical to have some measure of control and management over devices, which is a particular challenge in the modern Bring Your Own Device (BYOD) world.
What is BYOD?
There was a time when the only technology that an employee had was the technology provided by the company they worked for. Employees were given access to a computer, possibly a pager or cell phone, and it was all controlled, managed and secured by the company.
As consumer technology has grown and become increasingly accessible, the idea of having only corporate owned and provided devices has become rather quaint. Most individuals have their own phones and other personal electronic devices today and few (if any) will rely on their employers to be their sole source for computing devices.
So as opposed to the once-common approach of corporate-provisioned devices, the Bring Your Own Device (BYOD) phenomena begins with employees bringing their own phones into the workplace and using them to access corporate information in some way.
With the old model of corporate-provisioned devices, a mobile phone or a pager would also in many cases travel outside the confines of a corporate environment. With an employee-owned phone, there's a new wrinkle: The same device is often used for both personal and business use, both in the home and in the office.
BYOD is all about employees acquiring and using their own phones, tablets and other computing devices in the workplace, both in the office and on the go.
Benefits of BYOD
There are several key benefits to BYOD for both companies and individuals.
Enterprise cost savings: For companies, rather than being burdened with cumbersome device acquisition programs that require staff and financial resources, when employees bring their own phones, that means the company doesn't have to provide them. The cost of providing devices to employees has many different components. There is of course the initial acquisition cost, the costs associated with staff that make the acquisitions, and then there are also the ongoing support costs. With BYOD, costs can be reduced as employees bring in their own devices that they choose on their own (and might well support on their own as well).
Choice: For employees, BYOD offers the benefit of choice. No longer is the user tethered to the few models (or in many cases, just one), often legacy devices, that the company was providing. Employees might be more likely to buy better devices for their own use, with additional features and a more appealing aesthetic.
BYOD security risks
The downside, of course, is that there are a number of security risks with BYOD:
- Hardware: With corporate-provisioned devices, the company has direct control over the specific phone hardware choice, and it has often been vetted to meet corporate compliance needs. When companies provide phones and other devices to employees, those devices are typically provisioned with default configurations that meet corporate policies.
- Malware: When employees bring their own devices, much about the device is not known. Since the device is often used for personal business too, devices could well be at risk from malware and other cybersecurity risks that didn't originate within the company. The risk of BYOD users bringing their malware with them is no small concern for IT security managers.
- Data exfilitration: Beyond the risk of potentially introducing malware into a corporate environment, BYOD also exposes the company to the risk of data loss or leakage. With a corporate provisioned device, by default it should have security controls in place. With unmanaged BYOD devices, a user that gets unfettered access to a corporate network could take whatever they have access to and bring it with them outside the company. And that device could be stolen or lost too.
How to secure your BYOD program
Securing a BYOD program can take many different forms, involving different types of policies and technologies.
- Network Access Control (NAC): At the most basic foundational level is controlling access to corporate networks and resources. Simply allowing any device that walks in off the street to connect to a corporate network, without some form of validation or control, is a recipe for disaster in the modern threat landscape.
- Mobile Device Management (MDM): Enrolling hardware devices in an MDM platform enables organizations to track and have a degree of management over devices that are accessing a network.
- Enterprise Mobile Management (EMM): Going a step beyond MDM, the promise of an EMM solution is to manage devices, access, applications and data in a comprehensive approach.
For organizations that don't yet have an advanced MDM or EMM solution, best practice policies offer some protection.
- Hardware: A common BYOD policy is to use supported hardware; that is not to use older (or unsupported hardware) that might have security risks that cannot be remediated. Some organizations will also choose to provide users with a list of approved hardware platforms in an effort to help reduce risk and lower the burden on help desk support.
- Applications: Having a list of approved applications (for corporate use) is another common policy. With a full EMM platform, users are often provided access to a corporate app store that makes the application selection and installation process easier.
- Data access: Another common policy is to restrict access to sensitive data when a device is either not on the premises or connected to a secure, known and trusted network.
- VMware AirWatch
- Mobile Iron
- IBM MaaS 360
- Citrix Xen Mobile
- Landesk Mobility Suite
- Blackberry EMM / Good Secure EMM Suite
- Microsoft Enterprise Mobility Suite