Saturday 9 May 2015

Security Considerations while Procuring BYOD Solutions for Mobile Phone

Bring Your Own Device (BYOD) is the latest trend in many companies. Business requirements for working from home, accessing e-mail 24*7, instant customer support etc. are increasing, and the trend looks set to continue.

In early 2010, most companies were using BlackBerry as the company-provided mobile phone device. A few months later, smartphones took over almost the entire BlackBerry market. Smartphones have made life easy, user friendly and cost effective. Companies realized the ongoing cost of the BlackBerry server, user licenses, devices and service. From a security perspective, BlackBerry is reasonably secure because of the many security policy options available on the BlackBerry Server, but it is too costly compared to a smartphone.

Further, it is also a headache for the IT team to manage the inventory of such mobile devices. There are other issues as well, e.g. finance has to maintain book value and account for depreciation if a device is lost or stolen, the IT team has to maintain the Asset Allocation Form, arrange repair if a device is faulty, coordinate with the vendor, follow the purchase procedure, etc. After all of this headache and spending lots of money, business users are still not satisfied because of the quality of the company phone and the restrictions and controls over it.

To avoid these hurdles and to save cost, many companies have started allowing users to use their own smartphone devices. However, I have seen many companies implement a BYOD policy without even thinking of “Information Security Risk”.

Risk Assessment (without implementing any BYOD Security Solution)

Threat: Information Leakage through BYOD

Vulnerabilities:
  • No segregation between “Corporate Information” and “Personal Information”.
  • Users can download any attachment to the BYOD phone's memory card.
  • On user separation, the IT team cannot delete files stored on the personal memory card.
  • A single user can configure the company’s e-mail account on multiple mobile phone devices without the IT/Security team’s knowledge.

Business Risk: There is a risk of information sharing (intentional or unintentional) with an unauthorized person or competitor due to the absence of security controls over the BYOD mobile; this may lead to loss of business or reputation.

I hope the above table is enough to alert business stakeholders to the need for information security assurance. No firewall can prevent information leakage if this is not taken care of.

Many security companies have developed BYOD security solutions. It is important for the company’s security officer to choose the right solution to protect information. When we think of allowing user-owned devices for official purposes, the following MUST be taken care of:
  1. Ensure the company's information is protected on the user-owned device.
  2. Ensure the user’s privacy. At the end of the day it is the user’s device, and the company has no right to monitor what is stored on the user’s mobile phone.

Most recognized BYOD Security Solutions provide THE MOST IMPORTANT SECURITY FEATURE, CALLED THE SECURE CONTAINER.

Such a tool creates a “Corporate Space” within the phone memory to segregate the company’s information from personal information. Users access the “Corporate Space” through a BYOD client installed on their device. The magic of this control is that the user cannot copy and paste any information from “Corporate Space” to “Personal Space”.

The following are the TOP 10 security controls that MUST be considered for your BYOD security solution:

  1. Secure Container: As mentioned above. Please don’t even do a POC if the solution does not provide a secure container feature. All business e-mail attachments must be stored in the corporate space only, never in the personal space. Copy and paste must not be allowed from the corporate space to the personal space.
  2. Restrict screenshots: No screenshots in the corporate space.
  3. Integrate with the company’s central authentication control: The BYOD security solution should integrate with the company’s AD for e-mail access. This reduces the IT team’s headache of maintaining a separate user management system.
  4. Remote wipe-out: In case of theft or loss, the company’s IT team should be able to wipe the device remotely without anybody else's intervention.
  5. Selective wipe-out: There should be an option of “Selective Wipe-out” to wipe only the “Corporate Space”. No personal data should be wiped.
  6. Password Policy: Some BYOD security solutions ask for a “Password” while accessing corporate e-mails. This is separate from the phone lock password.
  7. Device Restriction: A user should be restricted to configuring the company’s e-mail account on ONE device only. If a user attempts to configure another device, the BYOD security solution should prevent it and raise an alert to the security administrator.
  8. Audit Logs: Various logs:
     • Last sync date and time
     • Device details, e.g. mobile number, IMEI, etc.
     • Activity logs
     • Security logs
     • User ID and e-mail ID
     Also check log retention, access to logs, security of logs, etc.
  9. Compatibility: Does your solution support iOS, Android, Windows Phone, etc.?
  10. User’s private data: The BYOD solution should not access the user’s private space. The solution should respect the user’s privacy.
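To make controls 5, 7 and 8 concrete, here is an added illustration (not code from the post or from any BYOD product) of the server-side enrollment policy a solution should enforce: one device per user, an alert to the security administrator on a second device, a selective wipe that clears only the corporate container, and an audit record for each event. The Device and EnrollmentRegistry classes and the sample IMEI/mobile numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Device:
    """One BYOD handset; corporate_space models the secure container (constructed)."""
    imei: str
    mobile_no: str
    corporate_space: dict = field(default_factory=dict)
    personal_space: dict = field(default_factory=dict)


class EnrollmentRegistry:
    """Hypothetical server-side policy: one device per user, alerts, selective wipe, audit log."""

    def __init__(self):
        self.enrolled = {}    # user_id -> (email, Device)
        self.audit_log = []   # control 8: who, which device, what, when
        self.alerts = []      # control 7: raised for the security administrator

    def _log(self, user_id, email, device, event):
        # Record the fields the post lists for audit logs: user, e-mail, device details, time.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "email": email,
            "imei": device.imei, "mobile_no": device.mobile_no,
            "event": event,
        })

    def enroll(self, user_id, email, device):
        """Control 7: accept the user's first device, refuse and alert on any other device."""
        current = self.enrolled.get(user_id)
        if current is not None and current[1].imei != device.imei:
            self.alerts.append(f"{user_id} attempted to enroll a second device {device.imei}")
            self._log(user_id, email, device, "ENROLL_DENIED")
            return False
        self.enrolled[user_id] = (email, device)
        self._log(user_id, email, device, "ENROLL_OK")
        return True

    def selective_wipe(self, user_id):
        """Control 5: clear only the corporate container; the personal space is untouched."""
        email, device = self.enrolled.pop(user_id)
        device.corporate_space.clear()
        self._log(user_id, email, device, "SELECTIVE_WIPE")
        return device
```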

The security checklist can be further enhanced by the BYOD security solution vendor and the security officer based on need. Once the solution is implemented, the organization’s HR team should roll out the BYOD policy with eligibility criteria, dos and don’ts, etc.

There are lots of BYOD security solutions in the market; generally the CISO function should lead the BYOD security solution assessment.


Hope this would be useful...
