Here's a disconcerting risk figure: Only 27 percent of information technology (IT) executives believe that their organization's current approach to mobile security would hold up to the scrutiny of an independent audit. Disconcerting statistics regarding mobile and bring your own device (BYOD) risks have been on the upswing recently thanks to the ubiquity of smart phones and also a growing desire by employees to use a single device to manage work and life communications and data.
How should risk managers approach mobile risks? Brian Rapp, senior director of sourcing solutions for Xchanging Procurement Services, reports that there are several ways to cope. One way is to COPE, an acronym that stands for "corporately owned, personally enabled." COPE, Rapp explains, allows the IT department to control the security and cost of smart devices while giving employees greater latitude to personalize their devices, content and service.
In this risk chat, Rapp provides other coping mechanisms while going "beyond the numbers."
How large is the BYOD data security problem? What are some key considerations beyond the scary numbers?
Brian Rapp: A recent survey of IT executives found that only 27 percent of respondents believed their current mobile device security would pass an independent audit. That said, and beyond scary security numbers, IT and business stakeholders should focus on three other key considerations surrounding BYOD: hidden costs, policy liability and productivity.
First, hidden costs are sneaky in any BYOD environment. They stem from areas like potential increases to application licenses and support, help-desk staffing, infrastructure, and mobile device integration.
Second, BYOD policy/governance is a critical decision point when considering a BYOD environment. For example: determining employee encryption methods and training; how and when is information backed up and where is it stored; and how does personal privacy vs. corporate privacy intersect—who owns what data in a BYOD environment?
Third, and quite simply, productivity will see gains and losses. To illustrate, BYOD gains will be shown through things like more seamless telecommuting capabilities, a nearer to real-time collaboration on work outputs, and broader access to the organization's employee base instead of only certain levels (e.g., directors and above). BYOD losses are equally lurking. These losses would include downloads and time spent on gaming or social network applications; international complications due to plan and service issues; and employees who are non-IT professionals troubleshooting their own device issues.
What should risk, compliance and internal audit executives know about IT tools and methods that are commonly used to address this threat?
Rapp: Mobile device management (MDM) tools are common software solutions but may serve as a liability due to the fact that it controls an employee's entire device, making it difficult for them to access personal applications and data. Containerization is a maturing solution that is complimentary to MDM software and limits the liability of limiting access to personal applications and data by creating a discrete, encrypted zone on the employee's device for corporate applications and data. However, this does not reduce the risk of an employee's personal data being lost in the case of a data wipe; as a result, employees may require IT support to back up personal information on their mobile devices.
Virtualization is another critical component of a corporation's BYOD strategy, but IT leaders should understand that while it shields data access and leakage risks, it should not be relied on as a security checkpoint to gain access into the corporate network. This is where MDM authentication solutions come in. A key element of a successful BYOD security strategy is the ability for a corporation to distinguish a corporate-owned versus an employee-owned device. Firewall solutions are being developed that will assign roles to devices based on its ability to pass through two separate authentications: machine and user. If a device can pass through both; it is assigned as a corporate device. If it can only pass through the user authentication; it is assigned as an employee device and will be configured to a separate firewall policy that has fewer access permissions.
Device fingerprinting is a common solution used to identify and differentiate devices, even when cookies are turned off, but it should not be the only identification solution used as it will fail if the same types of devices appear on the employee and corporate registers.
Finally, organizations should understand that as a BYOD model will shift IT support from desktop and device support to application-hosting responsibilities, their IT professionals will be required to learn new skills, support mechanisms, and be privy to security issues unique to different mobile device operating systems.
What are some common pitfalls or weaknesses of current, conventional BYOD risk management approaches?
Rapp: Many organizations use PSKs (pre-shared keys) to help secure wireless communications because they do not have the infrastructure to support the most popular, and very secure, 802.1x network access controls. However, organizations using PSKs should be cognizant of the fact that PSKs are permanently stored and provide opportunities for unauthorized access in the event a device is lost or stolen.
A major pitfall to common policies giving organizations the right to wipe all data in the event of a lost or stolen device or policies allowing the organization to confiscate devices and capture all data is employee perception and dissatisfaction. Employees may become disgruntled should they be forced to lose all personal data or not have access to their personal assets in the event of a temporary confiscation.
What are some emerging best or leading practices in managing this growing risk?
Rapp: An emerging best practice is COPE (Corporately Owned – Personally Enabled), which is a device strategy platform that seems ripe to take over the BYOD trend over the next few years. COPE allows the IT organization to still control security, devices and costs, but allows the employee to personalize their device and content. For example, organizations can negotiate with the carrier(s) of their choice and opt for plans (i.e., messaging, data, voice, etc.) and certain devices (i.e., Android, iPhone, Blackberry) that support current software and hardware platforms without increasing back-end costs. At the same time employees can have free reign to choose applications, load personal e-mail and pictures, and surf the web for personal content while minimal security risk. At the end of the day, COPE strategy will allow corporate policy makers and IT leaders much more control and flexibility while still enabling employees a broad range of personalization on their mobile devices.
Another leading practice in BYOD focuses on time-specific and role-based firewalls as a practical and solid starting point to protect corporate data during a BYOD implementation. Access points to the corporate network are especially critical in a BYOD environment to monitor and manage as it is usually the first line of defense for IT security administrators. Typically, organizations use device/machine authentication to identify the device "hitting" the network as a best practice. However, in a mobile BYOD environment with constantly changing device hardware and new device cycle times at roughly 3-4 months, utilizing device/machine authentication may expose greater risk to corporate data. IT leaders can still utilize device/machine authentication, but should incorporate the following as well:
Role-based data access: Provides organizational IT security leaders an opportunity to assign access to corporate data across all employee-owned and corporate-owned devices. This also allows backend monitoring and enforcement to access restricted data by job function.
Time-specific access: Leveraged with role-base data BYOD requirements can further secure data in a BYOD environment and is a best practice. For example, time-specific access can limit/restrict employee-owned devices to data by time-of-day or day of the week.