David Abbou

Freedom in the enterprise: It’s the way of the future, and it is here to stay. But freedom without structure equals chaos. For most organizations, adapting to the BYOD world and finding this balance has proven to be a work in progress, and for some the road has been a rocky one.

A recent study by research firm Ovum found that 62 percent of BYOD employees are doing so with no policy in place. Despite that, employees are going ahead with BYOD – with or without their company’s approval. It’s time to accept and embrace BYOD for what it is – the future. But in order to make BYOD work for your organization, you need a well-researched and defined policy that is tailored to who needs access to corporate data, what apps and programs they need to be productive, which devices and operating systems (OSs) will need support, and how to best secure this data in a scalable and sustainable way, not just for the short term but well into the future. Asking the right questions will help you define the requirements for successful enterprise mobility and how to keep it secure.

It’s important not to forget that implementing BYOD in your organization is meant to enhance your business in ways that greatly exceed the security adjustments needed to realize this vision. Effective BYOD is not a one-size-fits-all solution for every organization or industry, so it’s vital at the very beginning to obtain valuable and actionable feedback from your security team as well as management and staff at different levels who are the BYOD end-users. That way you can create policies that are driven by their needs and your organization’s strategic objectives, while aligning with regulatory and compliance requirements.

Here’s an overview of the steps you should take to create a BYOD policy. Covering these bases will help your company strike the balance between BYOD freedom and security.

BYOD POLICY CHECKLIST
Step 1: Define your BYOD Policy Team
Which personnel (e.g. IT, HR, Finance) can form your policy team and act as channels to obtain accurate feedback on the BYOD needs of your employees?
Example: Have Communications prepare a survey and distribute it via your BYOD policy team to gather feedback.
Step 2: Define your BYOD Objectives
What tasks do your employees need to perform by using BYOD?
For example:

  • Email (compose, respond, open & send attachments)
  • Create & share documents
  • Use corporate apps (e.g. CRM, ERP, databases)
  • Use consumer & business apps from the Apple & Google stores with corporate data?
What are the main strategic benefits you expect to see from your BYOD program? For example:

  • Efficiency:
    • Save costs on hardware or software?
    • Save time & IT resources on addressing device security issues & threats?
  • Productivity:
    • Better collaboration & workflow?
    • Quicker response times?
  • Flexibility: anytime, anywhere access
Step 3: Define BYOD apps & data
What data must employees access to achieve the BYOD objectives? Engage departments & business units to define the functions & roles that need to access corporate information on mobile devices.
What data in your company is highly proprietary/sensitive? Separate data into categories of sensitivity. Example:

  • High: CRM
  • Medium: Emails
  • Low: Contact list, Calendar
Which apps are most in demand by employees in your organization, and why? List apps by department & function. Example: Sales – CRM to generate quote documents; Admin. – time tracking, expense reporting apps, etc.
What are the UX requirements that work best for your employees?
Example:

  • Native touch interface
  • Works with HTML
Step 4: Define the BYOD Users
Who in your organization needs to access work email & business apps away from the office? List the departments & functions that apply.
Which employees require special permission for mobile access to information that is highly sensitive (Proprietary/Confidential)?
Example:
CFO – financial data
Which employees require mobile access to lower levels of data sensitivity?
Example: Customer Service reps – access to emails & calendar.
Step 5: Identify Security Threats & Vulnerabilities
Which mobile devices & OSs are being used by your defined BYOD users?
Example:

  • 60% use iPhone 4s – iPhone 6
  • 95% of iPhone users use iOS 8
  • 20% use Samsung Galaxy 4 up
  • 20% use other Android phones (e.g. Nexus, LG)
  • 10% use iPads (all versions)
Which types of OSs & devices cannot be supported for BYOD by IT, and why?
Example:

  • Android devices version 2.2 or lower (unsecured & incompatible with the majority of apps)
  • Devices with a screen size of 3 inches or lower (Apps unable to run smoothly on screens this small)
Which device vulnerabilities must be excluded from your BYOD program?
Example: Jailbroken & rooted devices
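As an added illustration (not code from the original article), the example rules from Steps 3 to 5 can be encoded as a single access check: the sensitivity tiers, the CFO and customer-service examples, and the Step 5 device exclusions come from the checklist, while the other role names and their clearances are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Sensitivity tiers from the checklist's Step 3 example: High = 3, Medium = 2, Low = 1.
SENSITIVITY = {"crm": 3, "email": 2, "contacts": 1, "calendar": 1}

# Assumed clearances: the article only names the CFO (highly sensitive data)
# and customer-service reps (emails & calendar); "sales" and "admin" are made up here.
ROLE_CLEARANCE = {"cfo": 3, "sales": 3, "customer_service": 2, "admin": 2}

MIN_ANDROID = (2, 3)      # Step 5 excludes Android 2.2 or lower
MIN_SCREEN_INCHES = 3.0   # Step 5 excludes screens of 3 inches or lower


@dataclass
class Device:
    os: str               # "ios" or "android"
    version: str          # dotted numeric version, e.g. "4.4.2"
    screen_inches: float
    jailbroken: bool      # jailbroken (iOS) or rooted (Android)


def parse_version(v: str) -> tuple:
    """Turn '4.4.2' into (4, 4, 2) so '10.0' sorts above '9.0' (a string compare would not)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def device_rejection(d: Device) -> Optional[str]:
    """Return why a device fails the Step 5 exclusions, or None if it is acceptable."""
    if d.jailbroken:
        return "jailbroken or rooted device"
    if d.os == "android" and parse_version(d.version) < MIN_ANDROID:
        return f"Android {d.version} is unsupported (2.2 or lower)"
    if d.screen_inches <= MIN_SCREEN_INCHES:
        return f"screen of {d.screen_inches} inches is too small"
    return None


def access_decision(role: str, data: str, device: Device) -> Tuple[bool, str]:
    """Check the device first, then compare the role's clearance with the data tier.
    Data that has not been classified is denied rather than silently treated as Low."""
    reason = device_rejection(device)
    if reason:
        return False, reason
    if data not in SENSITIVITY:
        return False, f"unclassified data '{data}' is denied by default"
    if ROLE_CLEARANCE.get(role, 0) < SENSITIVITY[data]:
        return False, f"role '{role}' is not cleared for {data}"
    return True, "allowed"
```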

Once you’ve gathered all of the information and determined your BYOD policy, congratulate your team! This is the first major step towards a successful BYOD program. The next step is implementation of your BYOD policy. In Part II of this series, we’ll break down the different considerations you should make in determining the security approach that will best fit your organization. Stay tuned!

David Abbou

Regardless of whether you work in the IT field, technology has likely changed the way you work in recent years, bombarding you with a seemingly endless alphabet soup of tech jargon that might overwhelm and cloud (pun intended) what you really need to know about handling the freedom and responsibilities that come with the Bring Your Own Device phenomenon. With that in mind, this cheat sheet will help you or your less tech-savvy colleagues understand the phenomenon and the industry behind it.

Free @ Last: The BYOD Industry

Enterprise Mobility: The trend towards employees working out of the office and using mobile devices and cloud services to access corporate resources and perform business tasks.

Bring Your Own Device (BYOD): The policy that makes enterprise mobility happen; it can differ greatly from one company to the next. At the heart of this trend is letting employees use their personally owned mobile devices, such as smartphones, tablets and laptops, to connect to corporate network resources and access corporate information.

BYOD Policy: A set of rules designed to effectively govern IT management’s implementation of BYOD. These policies vary depending on the organization’s specific size, budget and security considerations.

Choose Your Own Device (CYOD): Like BYOD, CYOD lets employees use smartphones and tablets to get work done. But the employees must choose a device from a pre-approved list. Some companies have chosen this route to give IT more control and cut down on the security risks posed by different device types. Devices have security software and settings pre-installed.

Mobile Security Threats

Malware: Malicious software, in the form of executable code, scripts or other software, that disrupts computer operation, gathers sensitive information, or gains access to private computer systems. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.

Phishing: Scams that use social engineering and computer programming to lure email recipients and web users into visiting fake sites in order to steal private and sensitive information such as credit card numbers, personal identification and account usernames and passwords. No longer bound to email, phishing scams are now using cloned mobile applications to dupe users and acquire their personal and financial data.

Man-in-the-Middle (MITM) attack: Attackers use an MITM attack to create false connections between two parties, relaying fake messages between them. They intercept and record all messages that follow between the two parties and impersonate each party convincingly enough to gain confidential information from one or both of the victims.

Common Vulnerabilities

Vulnerability: A mistake in software that can be directly used by hackers to gain access to a system or network and violate a system security policy. These flaws allow attackers to execute commands as another user, access restricted data, impersonate another entity or cause a denial of service. There are both known and unknown vulnerabilities.

Known vulnerabilities: Once found, vulnerabilities are published and given a unique ID number, or CVE identifier. Even after being discovered, devices need to be patched in order to nullify the threat.

Unknown vulnerabilities: Vulnerabilities that simply haven’t been found yet. These gaps are often exposed so early that developers have had no time to patch the flaw before attackers can exploit it, which leaves applications and OSs prone to zero-day attacks. Once the vulnerability has been found, developers need to work on a patch and distribute it across devices.

Zero-day attack: When unknown vulnerabilities are discovered and systems are attacked because programmers have not had sufficient time to produce and apply a patch. Zero-day attackers often sell information to government agencies for use in cyber warfare.

BYOD Security Solutions

Enterprise Mobility Management (EMM): The deployment of technology, processes and policies to manage mobile devices, wireless networks and related services relevant to an organization.

Mobile Application Management (MAM): Security management designed to secure software products, specifically mobile apps, on smartphones, tablets and other mobile devices.

Mobile Device Management (MDM): Security software used by an IT department to monitor, manage and secure employees’ mobile devices that are deployed across multiple mobile service providers and mobile operating systems being used in the organization. Often combined with additional security services as part of a complete Enterprise Mobility Management solution.

Mobile Information Management (MIM): MIM describes cloud-based services like Dropbox and Google Drive that sync files and documents across different devices. There are also on-premise enterprise versions of these products available to store corporate data.

Virtual Desktop Infrastructure (VDI): A virtualization architecture that typically runs a Microsoft Windows operating system and reflects corporate apps and data onto desktop computers and laptops using a remote display protocol.

Virtual Mobile Infrastructure (VMI): Sometimes referred to as “mobile-based VDI”, VMI is a security technology that runs an Android operating system on a cloud-based remote server or company datacenter and uses a remote display protocol to transfer all corporate data and apps to mobile devices. By using a thin client to display a flat image on devices, no actual corporate data is stored on the devices themselves. VMI was created specifically for enterprise mobility and BYOD organizations.

Dual-Persona: A technology that creates two separate environments on one device; one for IT to manage enterprise data and the other for the user to manage personal files and apps. This requires storing corporate data in a container on the device.

Multi-Persona: A device management platform that separates more than two environments on one device mainly to secure corporate data on the device.

Containerization: A technology used by EMM and MDM solutions to separate data and apps on a device. Corporate apps on the device are stored in a separate area that is password protected and encrypted.

App wrapping: MAM solutions initially used this approach to secure apps for corporate use by applying a management layer to mobile apps. This process allows administrators to add extra security features and modify apps to require connection to the VPN or further authentication using a local passkey.

Virtual Private Network (VPN) Tunnel: EMM products wrap data between the mobile apps and the corporate server inside a VPN connection to improve security and avoid data being captured by external intruders.