BYOD (bring your own device) seems to be the buzzword of the moment. It’s almost impossible to pick up an IT magazine without finding an article on BYOD in it.
The general consensus is that BYOD is great for organisations from a cost-saving and productivity perspective, and helps attract Gen Y employees who prefer their own IT equipment to that provided by their employer.
However, with reward comes risk, and security is one of them. With an unmanaged device comes the risk of malware walking into your network. Compromised machines can act as an avenue for attackers to circumvent your traditional security controls and gain unauthorised access to your network. Machines connected to your network and left unattended in all sorts of places are an invitation for a hacker to use them as an attack vector into your network.
But hang on a minute, haven’t we been doing this for a while? Many of us have had contractors come in with their own machines and plug into our networks without too many issues. The point is that once this is fanned out to the entire user base, the sheer size of the ‘deployment’ becomes the issue. But with good policies and security controls a lot of these risks can be mitigated.
Below is a checklist that I believe can significantly reduce the risk associated with BYOD. I have broken it up into three broad categories, the first being:
Policies and procedures
Provide the guidance necessary to both IT and users to encourage and enforce appropriate behaviours.
- Appropriate Policies. Ensure that a policy is in place providing guidance on securing internal infrastructure from BYOD threats. This includes providing appropriate guidance to users via the IT Acceptable Use Policy.
- Access/Security Policies and Procedures. Ensure policies and procedures are in place to guide and govern how access to network resources is granted and controlled.
- End User Education. Teach end users the basics of security as outlined in the IT Acceptable Use Policy.
- Disaster Recovery Strategy. Have a disaster recovery plan in place to ensure timely recovery from a network outage (just in case).
The second category is the endpoints themselves. This is critical, as endpoints that are largely unmanaged present an excellent attack vector. Points to consider here are:
- Enforce encryption of all corporate message transmissions (e.g. Outlook Mobile Access over HTTPS).
- Ensure all Internet browsing from BYOD devices passes through the Corporate Web Proxy.
- Require users to enable BYOD device firewall if available.
- Require users to implement anti-malware protection if available.
- Require users to enable device PINs and enforce complexity requirements.
- Require users to enable screensaver timeout/device lock.
- Require users to enforce encryption on BYOD devices and removable media used in BYOD devices.
- Require users to utilise the most secure available operating system for BYOD devices and to patch the devices monthly.
- Require users to use encrypted (VPN) communication to the BYOD devices where possible. For wireless communications, use appropriate 802.11i wireless security, such as the Wi-Fi Alliance’s WPA2.
- Use appropriate 802.1X authentication methods for wireless communication to the BYOD devices.
- Implement the ability to remote wipe lost devices (if you are brave enough).
Try to implement as many of the above controls as possible. A Mobile Device Management platform may help. The important decision here is to strike a balance between keeping corporate information secure and not fully managing or taking ownership of users’ devices! This is a corporate decision that will largely depend on the organisation’s risk appetite.
The third category is your core infrastructure. The idea here is to isolate your data and servers into a secure environment of their own and protect them. Treat the user endpoints as untrusted devices (since they actually are) and protect your core information assets. Things to consider here are:
- Network Access Control (NAC). Deploy NAC technology to restrict and control the admission of BYOD devices to the network, so that breached or infected devices do not connect to the internal network.
- Network Segmentation and Firewalling. Separate logical IT assets into security zones reflecting the value of the information being protected as determined by the business. Separate user networks from server networks to ensure that an infection into one zone does not automatically propagate into the next.
- Strong Authentication. Deploy strong authentication using password, token and/or biometric mechanisms to provide a more secure means of sign-on. Since BYOD devices are easily stolen or misplaced, two-factor authentication helps prevent easy access to the internal network from these devices.
- Least Privilege. Do not allow any more access rights than required. Since BYOD devices are untrusted, all access granted to users must be strictly controlled so that any unauthorised access provides limited exposure. Grant access on a ‘need to know’ basis only.
- Secure Wireless. With BYOD there is a greater likelihood of wireless deployments, and these need to be secured in line with corporate policy and best practice.
- Secure Remote Access. Ensure controlled remote access to the organisation’s IT resources, using VPN technology and two-factor authentication. BYOD devices are likely to drive greater adoption of remote access, which must be secured.
- Directory Access and Security. Review the security and access control mechanisms within the organisation’s directory (e.g. Active Directory, eDirectory, etc.) that govern access to organisational IT resources. Since the risk of breaches increases with BYOD devices, the internal directory must be as secure as possible.
- Network Intrusion Detection and Prevention. Enable detection and prevention measures for network-based intrusions. Given the possible increase in vulnerabilities brought about by BYOD devices, appropriate network IPS technology must be deployed to detect threats.
- Proactive Detection and Response. Ensure that event management and incident response are performed consistently, 24x7, so that intrusions can be appropriately managed.
- Data Leakage Prevention. Implement tools that can prevent confidential corporate data being taken out of the organisation either maliciously or accidentally. Consider protecting data at rest (storage, SANs, etc.), in transit (network and gateways) and in process (server equipment).
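The endpoint checklist above and the NAC and segmentation items in this list fit together as one admission pipeline: a device reports its posture, NAC places it in a zone based on whether it meets the checklist, and a default-deny zone policy decides what that zone may reach. The following is an added illustration, not code from the original post or from any MDM or NAC product; the posture fields, zone names, thresholds (31-day patch window, 6-digit PIN, 10-minute lock timeout) and the allow list are all assumptions chosen to mirror the checklist.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

PATCH_WINDOW_DAYS = 31      # checklist asks for monthly patching (assumed threshold)
MIN_PIN_LENGTH = 6          # assumed PIN complexity floor
MAX_LOCK_TIMEOUT_S = 600    # assumed maximum screensaver/device-lock timeout


@dataclass
class DevicePosture:
    """Posture facts an MDM/NAC agent would report (field set is an assumption)."""
    device_id: str
    os_supported: bool          # vendor-supported OS release
    last_patched: date
    disk_encrypted: bool        # device storage and removable media encrypted
    firewall_enabled: bool
    antimalware_enabled: bool
    pin_length: int             # 0 means no PIN set
    lock_timeout_s: int         # 0 means no automatic lock
    remote_wipe_enrolled: bool


def posture_failures(p: DevicePosture, today: date) -> List[str]:
    """Return the checklist items the device fails; an empty list means compliant."""
    failures = []
    if not p.os_supported:
        failures.append("unsupported operating system")
    if today - p.last_patched > timedelta(days=PATCH_WINDOW_DAYS):
        failures.append("patches older than %d days" % PATCH_WINDOW_DAYS)
    if not p.disk_encrypted:
        failures.append("device storage not encrypted")
    if not p.firewall_enabled:
        failures.append("device firewall disabled")
    if not p.antimalware_enabled:
        failures.append("no anti-malware protection")
    if p.pin_length < MIN_PIN_LENGTH:
        failures.append("device PIN missing or too short")
    if not 0 < p.lock_timeout_s <= MAX_LOCK_TIMEOUT_S:
        failures.append("screen lock timeout missing or too long")
    if not p.remote_wipe_enrolled:
        failures.append("not enrolled for remote wipe")
    return failures


def nac_decision(p: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """NAC admission: compliant devices join the BYOD zone, anything else is quarantined."""
    failures = posture_failures(p, today)
    return ("byod" if not failures else "quarantine", failures)


# Segmentation policy as an explicit allow list of (source zone, destination zone,
# service). Anything not listed is denied, so BYOD devices never reach the server
# zone directly; they go through the web proxy, the mail gateway or the VPN gateway.
ALLOWED_FLOWS = {
    ("quarantine", "remediation", "https"),   # fetch patches / anti-malware only
    ("byod", "proxy", "http-proxy"),          # all browsing via the corporate proxy
    ("byod", "mail-gateway", "https"),        # e.g. Outlook Mobile Access over HTTPS
    ("byod", "vpn-gateway", "ipsec"),         # VPN; the gateway enforces two-factor auth
    ("vpn-gateway", "servers", "https"),      # only authenticated VPN sessions reach servers
    ("users", "servers", "https"),            # managed corporate desktops
}


def flow_allowed(src_zone: str, dst_zone: str, service: str) -> bool:
    """Default-deny lookup the zone firewall would use."""
    return (src_zone, dst_zone, service) in ALLOWED_FLOWS


# Constructed sample postures (not real devices).
TODAY = date(2013, 6, 1)
COMPLIANT = DevicePosture("tablet-01", True, date(2013, 5, 20), True, True, True, 6, 300, True)
STALE = DevicePosture("laptop-07", True, date(2013, 2, 1), True, False, True, 4, 0, False)

if __name__ == "__main__":
    for dev in (COMPLIANT, STALE):
        zone, why = nac_decision(dev, TODAY)
        print(dev.device_id, "->", zone, why)
        print("  can reach servers directly:", flow_allowed(zone, "servers", "https"))
```

The point of the allow list is that even a fully compliant device lands in a zone that cannot talk to the server zone at all; its only routes inward are the controlled gateways, which is where the strong authentication and least privilege items are enforced. A quarantined device can reach nothing but the remediation service until its posture is fixed and NAC re-evaluates it.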
As stated earlier, the number of controls you deploy will depend on your risk appetite and user population. With careful planning and deployment, BYOD can allow an organisation to exploit its benefits of cost savings, greater productivity and the ability to attract Gen Y employees without exposing the organisation to undue risks.