Safeguard your company and prepare for the BYOD phenomenon.
Allowing users to bring their own devices onto the corporate network can be both a great benefit and a concern for management. When employees can use their own laptops, smartphones and tablets to do their work, the result is increased productivity, higher morale and lower expenses. However, employee-owned devices are outside the company's control and cannot be trusted by default. Without additional security controls and policies in place, using them can result in the compromise of company resources and data. This growing concern over data security has led many companies to implement a BYOD (Bring Your Own Device) policy.
The first thing you need to consider is what level of integration you want for BYOD devices. Many companies provide employees, contractors and guests with Internet access for their personal devices over a Wi-Fi network that is kept separate from the internal network. This is a very low level of integration and can be implemented with few security controls, usually just a simple acceptable use policy. On the other hand, allowing personal devices to connect to the company network and access shared resources and company data is a much more complex implementation, requiring detailed policies and technical controls designed specifically to handle these devices.
Once the level of integration has been decided, a BYOD security policy needs to be created. In addition to standard security requirements such as acceptable use and compliance considerations, you will need to address BYOD-specific concerns. For example, because the company does not own these devices, the policy needs to contain a user participation agreement that allows company IT personnel to implement technical controls and/or install software on the employee-owned devices, and that states what the company may do to the device (for example, wipe company data) if it is lost or the employee leaves. Here is a list of important BYOD-specific considerations for the security policy:
- User participation agreement
- Type and level of company data allowed to be stored or accessed from a personal device
- List of approved device types (e.g. iPhones, Android smartphones, iPads, Android tablets, Windows/Apple laptops, etc.)
- Required technical controls (e.g. screen lock, storage encryption, remote wipe)
- Device clean-up procedures following employee separation
- Reporting and response procedures for lost or stolen personal devices
After the security policy has been created, the technical controls need to be determined and implemented. Again, the complexity and number of controls necessary will depend greatly on the level of integration. Fundamentally, the technical controls must achieve three objectives. The first is to register, track and control which personal devices are accessing company resources and data. The second is to control what software is installed on those devices. The third, and most important, is to control what company data is allowed to be stored on or accessed from the device.
There are a number of commercial solutions that address all three of these objectives. If you plan to support many different device types and fully integrate them into the company network, a commercial BYOD solution is the best choice. Commercial BYOD solutions, such as Aruba ClearPass or Symantec Mobile Management, give your company's IT personnel the ability to manage the software, security settings and data flow on BYOD devices. These solutions also support self-registration of personal devices, so employees can connect their devices to the company network without going through IT support, which lessens the workload on IT personnel.
If you decide not to use a commercial BYOD solution, a number of controls can still be implemented with existing IT systems. For example, with the appropriate directory-integration agents, Windows Active Directory can be used to apply security settings to Linux, Apple Mac and personally owned Windows laptops that have been joined to the domain. In addition, many Cisco network devices support methods for registering and tracking BYOD devices, such as 802.1X-based network access control. If your company does not already have a data loss prevention (DLP) solution, installing one as part of the BYOD rollout is advisable, since it enforces the third objective above: controlling where company data may go. Consult your IT support and security staff to determine how your existing IT infrastructure can best be used to implement BYOD. Depending on the scope of the implementation, you may also want to bring in a third-party consultant to advise on the project.
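To make the three objectives and the policy items above concrete, here is an added example (not code from the article or from any product it names) of the admission check a BYOD self-registration portal or network access control policy engine performs: it evaluates a device posture report against a policy of approved platforms, minimum OS versions and the controls required for each tier of company data, records every attempt in an inventory, and denies by default. All policy values, tier names and device records are assumptions constructed for the illustration.

```python
# Added example (not from the article or any product it names): an
# admission check of the kind a BYOD self-registration portal or network
# access control policy engine performs. Every policy value and device
# record below is a constructed assumption for the illustration.
from dataclasses import dataclass

# Approved device types with a minimum OS version for each (assumed values).
APPROVED_PLATFORMS = {
    "ios": (14, 0),
    "android": (11, 0),
    "windows": (10, 0),
    "macos": (11, 0),
}

# Data tiers from the "type and level of company data" policy item, each
# mapped to the technical controls a device must have to touch that tier.
DATA_TIER_RULES = {
    "public": set(),
    "internal": {"mdm_enrolled"},
    "confidential": {"mdm_enrolled", "screen_lock", "storage_encrypted"},
}


@dataclass
class DevicePosture:
    """Attributes a management agent or registration portal would report."""
    owner: str
    platform: str
    os_version: str
    screen_lock: bool
    storage_encrypted: bool
    mdm_enrolled: bool
    rooted: bool = False
    requested_tier: str = "internal"


def parse_version(version):
    """'14.2.1' -> (14, 2, 1); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device):
    """Return (allowed, reasons). Deny by default: any failed rule denies."""
    reasons = []
    platform = device.platform.lower()
    minimum = APPROVED_PLATFORMS.get(platform)
    if minimum is None:
        reasons.append(f"platform {device.platform!r} is not on the approved list")
    elif parse_version(device.os_version) < minimum:
        reasons.append(f"{device.platform} {device.os_version} is below the minimum version")
    if device.rooted:
        reasons.append("device is rooted or jailbroken")
    required = DATA_TIER_RULES.get(device.requested_tier)
    if required is None:
        reasons.append(f"unknown data tier {device.requested_tier!r}")
    else:
        for control in sorted(required):
            if not getattr(device, control):
                reasons.append(f"required control missing: {control}")
    return (not reasons, reasons)


def register(inventory, device):
    """Record every attempt (the 'register and track' objective) and admit
    only devices that pass; returns the decision for the caller."""
    allowed, reasons = evaluate(device)
    inventory.append({
        "owner": device.owner,
        "platform": device.platform,
        "os_version": device.os_version,
        "tier": device.requested_tier,
        "allowed": allowed,
        "reasons": reasons,
    })
    return allowed


if __name__ == "__main__":
    inventory = []
    register(inventory, DevicePosture("alice", "iOS", "15.1", True, True, True,
                                      requested_tier="confidential"))
    register(inventory, DevicePosture("bob", "Android", "9.0", True, False, True))
    for entry in inventory:
        print(entry["owner"], "allowed" if entry["allowed"] else "denied", entry["reasons"])
```

The point of the structure is that the policy is data rather than code: when the approved-device list or the controls required for a data tier change, the policy tables change and the enforcement logic does not. Denied attempts are still written to the inventory, which is what gives IT the tracking record the first objective calls for.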
As mobile Internet technology becomes more integrated into our everyday lives, the pressure to allow BYOD, and the incentives to do so, will only increase. BYOD programs are rapidly becoming the norm in successful companies of all sizes. As long as BYOD is implemented with appropriate security policies and controls in place, personal devices can be used without unduly increasing the risk to company resources and data. iBi
John Allison, CISSP, CEH, GPEN, GCIH, GCFA is a network security analyst at CIAN, Inc.