Are there security risks to BYOD?
If so, what are they? Are there greater chances of important information being leaked or compromised on company versus personal devices?
13 Answers
Yes, there are significant security risks associated with BYOD. Managing a number of disparate devices -- which the organization does not officially own -- is always going to present more challenges than standardizing on a limited set of equipment, where you have more options for remote wiping of the devices, and where the organization can control what the devices connect to when they are not on the local network.
But, to be fair, there are so many tools that allow end-users to manage the data on mobile devices, that unless an organization enforces a very strict lock-down policy on their equipment, even company-provided devices can present lots of leak potential for corporate information.
The bigger issue, from my perspective, with BYOD is the legal one. What rights does an organization give up to data management once they concede to a BYOD environment? When an employee leaves, what ability does an organization have to mandate or execute a remote wipe of data -- data which will necessarily be co-mingled?
There are pros and cons to BYOD that need to be thoroughly evaluated in order to understand the security impact for each organization. It's not simply a yes/no decision.
-ASB: http://XeeMe.com/AndrewBaker
BYOD can be a nightmare for senior IT management for a variety of reasons, including, high on the list, issues around device support and system security. There is no guarantee that any employee-provided device, once connected to your corporate network, is going to behave in a predictable and secure manner. The issues range from OS-level network disturbances through information theft (knowingly or unknowingly).
BYOD, if managed properly, can actually be a good thing and, in many instances, has reduced maintenance and support issues. The key is, as always, a good set of policies, exceptional end user (employee) training and certain enforcement.
There are two primary components of risk here.
First, BYOD devices are, by their very nature, unmanaged and often unmanageable. This means that these devices cannot be examined and configured for security and functionality.
Next, when an organization permits the use of BYOD, sensitive data is being allowed to leave the custody of organization-owned devices and reside on devices not owned or controlled by the organization. This presents legal issues regarding the control of intellectual property and sensitive information.
With the spread of sensitive information to BYOD devices, electronic discovery gets a lot more complicated. It will be much more difficult for an organization to collect information from devices it does not manage or own.
VMware is currently working on a pretty slick solution to manage mobile devices. This allows the user to have their own personal phone with a #, personal applications, contacts, etc. Then they have a virtualized environment on the phone with their business #, apps, contacts, etc. that can be locked down per policies put in place. Best of both worlds, but of course they have to ensure the security is in place between the 2 environments so that if 1 was compromised, it would not affect the other. Good thing VMware has some experience in this field ;)
http://www.youtube.com/watch?v=44IlWIyG4hE
I think my colleagues above have stated it well - BYOD has a tremendous potential for security risks. Not only because you're having to try to support and secure a WIDE variety of devices, many of which may already be compromised or infected when they come in your door, but also because BYOD is also TYOD (Take Your Own Device). Those devices are likely to go back home into the hands of teenaged children or over-eager "brothers-in-law" who want to "fix" the computer.
Security requires some measure of control and there is far less control over BYOD than over company-supplied devices.
There is also the issue of ensuring company data is removed if the employee subsequently leaves the company and takes their devices with them.
Either Citrix XenDesktop (which has receivers for just about any device) or VMware View (using an add-on technology from Ericomm which allows access from any HTML5 browser) will let pretty much any device run a hosted Windows desktop in a browser. Data stored on a CIFS or NFS server remains in the data center. It is only when you enable file synchronization to the native device that you start running risks. You can even disable print screens in a typical VDI scenario. The back-end costs are, granted, capital intensive, but ignore BYOD at your own peril. Users will find ways, and as the economy improves, employees will have more flexibility to select employers who accommodate the "Consumerization" of IT.
The two biggest risks to BYOD security are access control and data leakage, and an organization's exposure may be greater from not allowing BYOD than from creating an organized and managed BYOD program. Users now have so many choices of devices, and studies have shown that an average employee accesses corporate data from 3 separate devices. With the power and simplicity of these devices and the plethora of apps, most organizations can't stop the use of smartphones, tablets and other devices, so we recommend embracing the technology with a managed and controlled solution.
As a DaaS (Desktop as a Service) provider, we find many organizations benefit from the use of virtual desktops to manage access control to corporate resources while forcing the data to be securely stored on network storage and preventing local storage or copies of data. This answers the two biggest security issues for BYOD and also provides a consistent end user desktop experience, actually increasing productivity while minimizing support. A win-win for most situations, delivering a secure approach to BYOD from any device.
History has shown us that managing thousands of devices (PCs and phones) is a never-ending challenge and one that is expensive to manage. Since many of the devices in the BYOD category are typically referred to as individual-liable (meaning the consumer pays the bill, not the corporation), you might want to consider a different approach.
Many large corporations are creating a secure Internet portal that will connect employees to an intranet system from any device regardless of who owns it, thus allowing an expanded mobile work environment.
Over the years, managing CL (corporate-liable) devices and computers has been a formidable task, and opinions vary on just how well we are able to perform the function. Based on what history has taught us, along with the speed at which new personal computing devices are being introduced into the marketplace, I don’t believe an MDM (mobile device management) strategy will be able to keep pace.
So my strategy is a change in mindset from one where we trust devices and attempt to manage them, to one where we trust people based on authentication and rights management.
Why am I taking this approach?
1) I don’t want to be responsible for managing any application on a user’s personal device.
2) I am expanding support beyond mobile devices to include IL non-approved devices like tablets/iMacs, personal laptops, etc.
3) I am applying enhanced security access control with risk-based-behavior dual authentication software.
4) The ability to make all internal applications available through one web interface portal for employees.
Benefits:
- Providing the functionality employees need while ensuring corporate security
- Support and expand a culture of mobility
- Flexibility for employees
- Enable the experience of what we sell
Welcome to the New Age of Malware: As I have mentioned in other articles, [http://exm.nr/x8dv4p] malware is not going away. If anything it is going to explode in the coming years due to the continued erosion of IT standards in the workplace.
Technologies such as cloud computing, social media and memes such as BYOD (Bring Your Own Device [to the workplace]) are compromising enterprise security by:
1. Allowing devices that cannot be managed or secured into the workplace environment and allowing users to store company data on those devices. Such devices can easily be lost, stolen and the information vulnerable due to a lack of viable security measures or even the ability to be wiped remotely.
2. Devices such as smartphones or other mobile technology often have limited wireless security or protection, making grabbing data from such technology the next logical step for the cracking community. Do you remember Firesheep? A tool that allowed a remote hacker to grab information from Mozilla browsers in unsecure environments such as coffee shops. [http://en.wikipedia.org/wiki/Firesheep]
3. As the rise of BYOD continues and resistance to standardization grows, malware will continue to be a rising threat for Android and iDevices alike, [http://zd.net/w20FMG - Android users hit by scareware scam], for the simple reason that apps created for both devices, while monitored loosely, are not absolutely guaranteed of being without sinister purposes in addition to providing whatever resource information they APPEAR to be providing. So while it may be providing you a map to downtown Boston, it could also be monitoring your credit card or online bank information at different locations as well.
4. Social media has not stopped being both a productivity time sink, costing the nation billions in lost productivity (neither commenting for the good or the bad of this, noting it, nothing more), and a vector for virus transmission, personal information gathering, and credit information hacking. Facebook, Twitter, Sony, Google and Amazon have all experienced theft, leaks, loss or outright sale of personal data in 2010-2011, and this trend shows no sign of slowing.
5. While the cloud offers the option of being a means of creating virtual environments that are claimed to be safer than your current environment, it means relying increasingly on an internet whose services are either being turned into commodities (allowing their prices to be changed, usually higher, without warning or recourse) or will be subject to powerful new government interventions such as SOPA or Protect IP [http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act], which may affect working with materials and providers who will be forced to increase the costs of their service to offset their increases caused by having to improve monitoring of their technology for copyright infringement. This cost is always directed at the user of the technology.
6. Nor does SOPA actually ensure you are any safer from hacking, indeed it may simply be another way such activity is lost in the shuffle as hackers are far more agile in their ability to develop their responses to technology than mainstream users. During the transition to SOPA standards, systems will be more vulnerable than ever.
7. It appears IT is losing the battle for standardization as a means of protecting the enterprise. New technologies such as virtualization promise the ability to deliver the PC experience to any device but most of those are also dependent on the Internet as the deliverer of service. This only means one thing. The cost of protecting your enterprise will increase as the vectors -- devices, browsers, clients, cloud, virtualization, continue to proliferate.
In summary: Our enterprise networks have never truly been safe. The threats ranged from:
Inadequate layered defenses against attacks: There are still numerous environments especially in small to medium size businesses that do not have firewalls of any kind, any sort of data protection, backup, or redeployment procedure in case of equipment failure, anti-malware, or anti-virus technology in place.
Social engineering: manipulating users in an environment to release information about the systems they use to make hacking easier
Poor Password Management: Not creating standards for the effective use, configuration or dissemination of difficult to crack passwords
Poor standardization of environments: reducing the number of potential holes in the environment by reducing the number of different versions of operating systems, programs and infrastructure support systems
Poor policy management: The inability of environments to create usable, enforceable policies designed to make repair, replication, storage, service agreements, backup and responsible use of the office technology to protect company assets from theft, loss, or accidental erasure.
There are many other threats, but our environments have been safer than before many of these ideas were enacted, but the truth of the matter has been our virus software is always at least one day behind the release of any new virus, malware or exploit. Indeed, the zero day release of a virus or exploit could allow thousands or even millions of devices to be infected before anyone is aware the problem has occurred.
In days to come, the already existing suite of issues will only be added to with the continued threat of cloud computing downtime, legitimate accessibility as well as unwanted attacks from outside sources, rising costs both in terms of energy use and costs from service providers, and the increasing vulnerability BYOD will bring to the enterprise as hackers/crackers begin to exploit the weaknesses of said devices, while under-staffed, overworked and under-appreciated IT departments attempt to stem the tide while providing these new and highly desired services and technologies users feel empower them, without understanding the consequences of that empowerment. It empowers the Dark Side as well. [http://www.csoonline.com/article/print/696325]
@ebonstorm - Thaddeus Howze Atreides
Being that we are a Telecom Lifecycle Management organization, Advantix Solutions Group understands first-hand the risks that come with BYOD. In fact, we just completed two parts of our three-part webinar series on Mobile Data Security & Applications in the Enterprise. I encourage all to access the recording of the sessions or at least review the session material by visiting www.advantixsolutions.com/webinars
BYOD can be pretty well secured using VDI with appropriate VPN / SSL along with settings and GPOs which prevent unauthorized access to removable media etc. DLP can be much better managed centrally than on a per-device basis in the field.
Is this even the right question to ask? It's not so much the device as the data. Who can access what data from where and what can be done with that data once accessed?
Thanks to everyone who contributed here for your insights! Because this topic seemed to spur so much discussion here, Focus decided to create a virtual event to further discuss BYOD. Be sure to register, tune in, and ask any questions of our panelists next week:
http://www.focus.com/roundtables/big-byod-bring-your-own-device-debate/