Bring your own device (BYOD) is an accepted convention, most commonly for mobile devices, in corporate environments. Even company-owned devices are treated by employees as personal devices and are often incorporated into the environment in the same way that employee-owned devices are. Our job in information security is to ensure that the business initiatives like BYOD can continue while ensuring a low-risk scenario. The strategies around how a foreign device is implemented have to be carefully planned and thought out in order to reduce the risk for the organization and be an incubator for innovation and creativity.
It is important to establish what all of these terms mean. Mobile Device Management (MDM), sometimes referred to as Enterprise Mobility Management (EMM), typically gives the ability to manage a mobile device and ensure certain policies can be managed and maintained. For security professionals, this is often a desirable approach because the entire device can be managed, and a level of protection can be established. Mobile Application Management (MAM) protects specific mobile applications rather than the entire device. In a MAM model, stringent security controls are placed only on the applications themselves. BYOD refers to the ability to bring in any device you want, regardless of technology, and utilize it in a manner that allows you to perform business functions on a personal or non-standard device.
Each of these strategies for incorporating outside devices has its merits and faults, which must be weighed against each other to establish the strongest security posture for a company’s individual situation.
Mobile Device Management (MDM)
MDM typically touts full protection of the device and places restrictions on any device that has the software installed. In most cases, companies will allow employees to sync up things like email, VPN, and other technologies if the specific piece of MDM software has been installed and configured properly. In an MDM scenario, the software is pushed to the device and policies are pushed and enforced to ensure a base level of security. Although MDM does provide some compliance monitoring of the device, some organizations might also choose to incorporate Endpoint Detection and Response (EDR), which is a mostly automated system that collects activity data and monitors devices for threat patterns.
- MDM ensures proper protection around the entire device and compliance with the set policies.
- MDM allows central management of all mobile devices and the ability to check the status and compliance of each device.
- MDM is extremely intrusive on the management of the device.
- Due to the volume of devices that are continuously being pushed into the market, there are significant issues with MDM locking down entire devices.
- User experience is degraded and troubleshooting requirements are added for the support team.
- Discovery of information for Electronic Discovery (e-Discovery) becomes non-existent or extremely difficult.
- MDM presents an inability to separate personal data from company data.
MDM software is common—it is often easy to implement and can ensure devices are kept updated and secure. However, from a litigation and legal standpoint, there is no realistic way to separate corporate data from personal data. In most cases, legal teams have a significant problem with allowing personal devices to obtain sensitive information if that clear distinction is not in play. However, MDM software is evolving into Unified Endpoint Management (UEM) models that encompass MDM, but also include management of other tools like printers, Internet of Things (IoT), wearables, and desktop machines. In a world where many organizations have transitioned to working from home and are considering making that a long-term change to their workforce, MDM software might fall away and upgrade to UEM. However, some of the same issues persist.
Mobile Application Management (MAM)
MAM, in most cases, provides a password-protected container that stores sensitive information together with the policies you want to enforce within that bubble. Sensitive information is stored within a container in one location on the device and is not allowed to cross over into the personal data side of the house.
- Legal teams can clearly distinguish between corporate or sensitive data and personal information on the device.
- Policies are pushed only to the container; user experience is not impacted for the entire phone.
- The phone itself has a clear distinction of personal and corporate protections.
- MAM protects a smaller footprint, which makes supporting a wider range of devices realistic.
- MAM vendors can develop applications that support single sign-on and other components within the self-contained encrypted volume.
- MAM results in the loss of native apps and the ‘look and feel’ of what the user is typically accustomed to.
MAM may see a major push in the future. Security cannot continue down the road of locking down entire organizations. Rather, security needs to focus on keeping things simple for the end-user, and if devices are intruded upon in ways that hinder employees’ ability to use them, the program and initiative are dead. End-users either love or hate the MAM experience, but it is less intrusive than its MDM counterpart. For most, having to type in a PIN to get into a protected container may be a different experience than they are used to, but it is a relatively small adjustment.
Bring Your Own Device
BYOD is an extremely popular choice for a wide scope of organizations. However, it can be a challenge to protect a wide range of devices that are coming from home, have little to no security, are possibly years out of date, and have an unknown number of rootkits and backdoors installed. These are all valid concerns that present a major risk for organizations.
- Promotes a culture of openness and a relaxed technology stance.
- Offers possible cost savings down the road, depending on management technique and volume of devices.
- Allows an organization to become technology agnostic and support multiple platforms.
- Increased threat landscape for devices.
- Lack of specific controls on the connecting device.
It is important to note that this type of movement can be good for an organization without being too arduous for the IT and security teams. The minimal ROI on a large BYOD strategy is a tough one to swallow. To correctly implement BYOD, a business will need to invest in building an infrastructure that allows users to access and perform work while ensuring that the risk to the organization is low.
When a user brings a cell phone or other mobile device into an infrastructure, there should be extremely limited access to the overall network. It is important to take the necessary steps to mitigate the risk that BYOD creates.
A common approach is allowing BYOD only on the wireless infrastructure because it is easier to restrict access to the network and implement things like 802.1x authentication. Implementing some form of network access control (NAC) on the network side that isolates and quarantines the devices into their own VLAN is another good mitigation. Often, an organization can utilize the Guest wireless network with proper segmentation. Remove the ability to contact the Internet from that segment except for heavily filtered and protected HTTP/HTTPS traffic, as egress connections are the primary way an attacker establishes a connection for further instructions. Organizations should ensure extremely tight outbound traffic controls and that robust proxies and filters are in place.
Additionally, a security team might want to implement something similar to clean access, in which a user plugs into the network—guest, wireless, or wired—and an integrity check is performed to ensure proper protection and patching of the devices. While anti-virus is a dying beast, it still provides a base level of assurance against common viruses found in the wild.
Investing in a virtual desktop infrastructure (VDI) that virtualizes and centralizes all of the virtual machines into a location where information cannot be removed from the company is a good step as well. In a VDI environment, users essentially remote into a machine that has all necessary applications on it. Specific applications can be published based on user permissions and identity and sensitive data can be self-contained within these systems. In the network segment, ensure that users can only hit these systems.
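One way to express the segment policy described above (BYOD devices quarantined on their own VLAN, web traffic allowed only through a filtering proxy, the VDI gateways as the only reachable corporate systems, everything else logged and dropped) is an nftables ruleset on the segment gateway. This is an added illustration, not configuration from the original article; the interface name, addresses, ports and the internal resolver are assumptions.

```nft
#!/usr/sbin/nft -f
# Added illustration, not from the original article. Assumed values:
#   vlan40        BYOD/guest VLAN interface on the gateway
#   10.40.0.0/24  BYOD client address range
#   10.10.0.10    internal DNS resolver the segment is allowed to use
#   10.10.5.10    explicit filtering web proxy, listening on 3128
#   10.10.9.0/28  VDI gateway pool, TLS on 443
define byod_if   = "vlan40"
define byod_net  = 10.40.0.0/24
define resolver  = 10.10.0.10
define web_proxy = 10.10.5.10
define vdi_pool  = 10.10.9.0/28
define corp_nets = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet byod_segment {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        # Return traffic for sessions this policy already admitted
        ct state established,related accept
        # Only traffic entering from the BYOD VLAN is evaluated below;
        # other segments would carry their own policy (not shown)
        iifname $byod_if jump byod_in
    }

    chain byod_in {
        # Spoofed sources on the BYOD VLAN are dropped outright
        ip saddr != $byod_net drop

        # 1. Name resolution, restricted to the one internal resolver
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept

        # 2. VDI: the only corporate systems BYOD clients may reach
        ip daddr $vdi_pool tcp dport 443 accept

        # 3. Web only via the explicit proxy, which does the content filtering
        ip daddr $web_proxy tcp dport 3128 accept

        # 4. Anything else toward internal ranges is lateral movement
        ip daddr $corp_nets log prefix "byod-lateral-drop " drop

        # 5. No direct Internet egress: blocks unproxied HTTP/HTTPS and
        #    beaconing over arbitrary ports; logged so the SOC sees attempts
        log prefix "byod-egress-drop " drop
    }
}
```

The two log prefixes give detection a simple signal: repeated "byod-egress-drop" entries from one client are worth a look, since a healthy device using the proxy and VDI should rarely generate them.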
Lastly, it is vital to update the acceptable use policy to reflect that the company does not support the ability to save sensitive information on computers and include a legal disclaimer about the right to monitor the activity on systems while plugged into the corporate network.
These steps can help establish a working BYOD strategy that minimizes the paths to compromising sensitive data while balancing the needs of the end-user. In this environment, the user should still be able to use the device in a relatively normal way and still perform the functions of business.
Wrapping Things Up
Organizations should be cautious about which technology is selected as the corporate standard. It is extremely rare to see a successful, long-term MDM program because of its inability to remain unobtrusive to the user population. It often works best in environments where the company provides the phones, and full protection of the device is expected. MAM, on the other hand, can segment and protect sensitive corporate data without monitoring the whole device and remains much less invasive for employees.
BYOD can work, but it needs to be carefully thought out from both security and ROI perspectives to figure out which strategy best suits the business. This is an issue many organizations face, and one the security industry is constantly innovating to solve as technology progresses.