Seventy percent of respondents in a recent survey by Gartner, Inc. said that they have or are planning to have BYOD policies within the next 12 months to allow employees to use personal mobile devices to connect to enterprise applications.
Thirty-three percent of all organizations surveyed currently have BYOD policies in place for mobile devices, such as smartphones and tablets.
“Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security,” said Dionisio Zumerle, principal research analyst at Gartner. “Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization.”
Gartner believes that organizations must consider and take action on three major impacts when moving to a BYOD policy:
Impact 1 – The right of users to leverage the capabilities of their personal devices conflicts with enterprise mobile security policies and increases the risk of data leakage and the exploiting of vulnerabilities.
Outside the enterprise’s premises, employees may define their own usage policy for personal devices. Users can, therefore, install apps and visit URLs of their choice, whereas enterprises can limit applications and Web access on enterprise-owned devices. Users can also decide the level of protection for their personally owned devices. When enterprise data is allowed on these devices, the risk of leakage increases for the enterprise, not just because of the rise of mobile malware, but also because legitimate but unsupported apps may inadvertently create security risks for the organization and, most importantly, because of device loss.
Using mobile device management (MDM) software is one way to enforce policy on mobile devices. Users should obtain access to enterprise information only after having accepted an MDM agent on their personal devices, and possibly a URL filtering tool, such as a cloud-based secure Web gateway (SWG) service, to safeguard and enforce enterprise policy on Internet traffic. Enterprises should consider using application whitelisting, blacklisting and containerization, as well as setting up an enterprise app store, or app catalog, for apps that are supported.
Impact 2 – User freedom of choice of device and the proliferation of devices with inadequate security make it difficult to properly secure certain devices, as well as keep track of vulnerabilities and updates.
Allowing users, rather than the IT department, to select operating systems (OS) and versions of mobile devices opens the door to devices that are inadequate from a security standpoint. An essential security baseline should require enhanced password controls, lock timeout period enforcement, lock device after password retry limit, data encryption, remote lock and/or wipe. The enterprise mobility baseline must also express minimum requirements on hardware — OS versions will not be sufficient.
In alignment with the mobile security policy, network access control policies should be used — for example, to deny access to enterprise resources such as email and apps from devices that cannot support the security baseline. Preventive action should be taken to ban noncompliant devices or create an alert for them by using tools such as MDM software.
Nevertheless, excessively limiting the types of allowed devices eliminates the benefits of BYOD for users. There should be no compromise of security for the sake of device variety, but where it is possible to manage and secure a new device model, it should be done. The policies that are enforced will depend on the risk appetite of the organization and the sensitivity of data allowed to reside on the device.
Impact 3 – The user’s ownership of device and data raises privacy concerns and stands in the way of taking corrective action for compromised devices.
Most people consider data on their personal devices as their property, and would strongly object to having it manipulated by the organization without their explicit consent. When shifting from enterprise to user-owned devices, “remote wipe,” which is a fundamental security feature in a mobile security policy, becomes complicated from a legal and cultural point of view. Thus, sufficient attention should be paid to this issue to avoid repercussions. In practice, “selective wipe” is proving to be difficult in ensuring that all business data, and only business data, has been deleted from the device.
In this situation, it is recommended to liaise with the legal department to obtain advice, because there may be legal implications related to device wiping. Problems may arise if the user refuses a remote wipe. Time is of the essence when performing this task, and asking the user for permission after the compromise, when a remote wipe is considered necessary, will be impacted by message exchange delays that can be critical. It is therefore advisable to obtain the explicit, written consent of users to delete their data in case of compromises, or the loss or theft of devices, at the time of the user’s initiation to the BYOD program.