AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Bring Your Own Device/Disaster


Anyone following information security over the past 3 years has heard the nasty four-letter acronym BYOD, or Bring Your Own Device. This phenomenon has taken shape as the consumerization of IT has made its way into the enterprise. With tablets and smartphones exploding in popularity over the past couple of years, it’s no wonder that employees want to start using that hardware (and the apps that run on it) for work.

With a growing workforce of college grads who consider these devices an extension of their being, trying to take a smartphone away from them would be like cutting off one of their hands. The two major concerns that security pros must deal with are:

  • What can we do to protect our data?
  • How do we protect our network against these personal devices?

The first question, “What can we do to protect our data?”, is more complicated than one might think. There are many vendors offering MDM (Mobile Device Management); some really like to pull the wool over your eyes, and a few are downright awesome. These systems have many features that let you do some pretty fancy things, but from a security point of view I’m really worried about my data. For example, when you’re sent an e-mail and you open it on your device (tablet/smartphone), where can you forward that data? If someone has files with confidential company data on their smartphone and then leaves the company with that phone, can you really be sure that this person didn’t just walk out with your customers’ credit card numbers, sensitive information regarding mergers and acquisitions, competitive intelligence, etc.? Yup, that just happened.

Sensitive company data is walking around in your employees’ pants… unprotected. Is this data encrypted while it’s on the tablet, or is it floating around in sites like dropbox.com waiting to be scooped up, stolen, or accidentally released into the wrong hands?

  • Put PINs on the devices and enforce lock-out thresholds – these are just a few of the default features that should be implemented.
  • In order to keep hold of your data securely, there needs to be a strict policy on the MDM as to where the data can go, and ideally the data should be kept contained within the smartphone/tablet so that you can wipe the data or the phone (if needed) and be sure that company data is protected.
  • Document the policy and explain to your users what they’re signing their device up for with a BYOD installation. The phone might be theirs, but the data is yours.

Another question you need to ask yourself with MDM is how you are going to protect the organization from these devices. Malware on mobile devices is one of the fastest-growing malicious vectors on the internet, and bringing these devices into your network could be a threat to your company. Are these devices going to be using your wireless network when they’re in the building? Here are some items for your to-do list:

  • Establish a dedicated wireless network for BYOD devices to segment them from your existing wireless network.
  • Use NGFWs to baseline user traffic from these networks and monitor what the devices are doing. There are many malicious apps that can be installed on mobile devices that you don’t want on your network, and being able to detect and isolate this potentially malicious traffic is a must.

With the exponential increase in mobile device applications and hardware, what these devices can run and do grows every year. I don’t trust a device that someone brings from home, one their kids had previously been using to download the latest version of Angry Birds, to connect to an enterprise network. It’s simply too risky to have these devices connecting to an internal network! Additionally, setting up a policy on the MDM to remove the mobile device management software from a device that’s been jailbroken or rooted is a way to protect yourself from devices whose owners have potentially put them in harm’s way.
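As an added example (not code from the original post or from any MDM product), here is a small compliance check that turns the controls above into policy: PIN set, a sane lock-out threshold, data encrypted at rest, no uncontrolled data-sharing apps, and removal from a jailbroken or rooted device. The device records, the threshold value and the blocked-app list are all constructed for illustration.

```python
# Added example: evaluate a constructed BYOD inventory against an MDM-style policy.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Device:
    name: str
    pin_set: bool            # screen-lock PIN enforced on the device
    lockout_threshold: int   # failed unlock attempts before lock-out (0 = none)
    encrypted: bool          # corporate data encrypted at rest on the device
    jailbroken: bool         # jailbroken (iOS) or rooted (Android)
    sharing_apps: List[str]  # apps that can move corporate data off the device

MAX_FAILED_ATTEMPTS = 10                 # constructed policy value
BLOCKED_SHARING = {"dropbox"}            # constructed: where corporate data must not go

def evaluate(device: Device) -> Tuple[str, List[str]]:
    """Return (action, reasons). Actions: 'allow', 'remediate' or 'wipe'."""
    reasons: List[str] = []
    if device.jailbroken:
        # Jailbroken/rooted: remove the MDM software and the corporate data with it.
        return "wipe", ["device is jailbroken or rooted"]
    if not device.pin_set:
        reasons.append("no device PIN")
    if not 0 < device.lockout_threshold <= MAX_FAILED_ATTEMPTS:
        reasons.append(f"lock-out threshold must be 1..{MAX_FAILED_ATTEMPTS}")
    if not device.encrypted:
        reasons.append("data at rest is not encrypted")
    leaks = sorted({a.lower() for a in device.sharing_apps} & BLOCKED_SHARING)
    if leaks:
        reasons.append("corporate data can reach uncontrolled apps: " + ", ".join(leaks))
    return ("remediate" if reasons else "allow"), reasons

def evaluate_fleet(devices: List[Device]) -> dict:
    """Map each device name to its (action, reasons) decision."""
    return {d.name: evaluate(d) for d in devices}

# Constructed inventory: one compliant tablet, one badly configured phone, one rooted phone.
FLEET = [
    Device("tablet-1", True, 6, True, False, ["mail"]),
    Device("phone-2", False, 0, False, False, ["mail", "Dropbox"]),
    Device("phone-3", True, 5, True, True, ["mail"]),
]

if __name__ == "__main__":
    for name, (action, reasons) in evaluate_fleet(FLEET).items():
        print(f"{name}: {action} {reasons}")
```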

There are many other ways to protect your company and your data in a BYOD implementation, and these ideas just scratch the surface of the security controls that can be put in place when rolling out a BYOD program. Hopefully you don’t Bring Your Own Disaster while allowing users to bring in their personal devices.
