Drawing on hands-on practical experience, the author of this article shares some valuable suggestions and also addresses policy-related issues.
With the exponential growth of smartphones, it is almost certain that an employee in an enterprise will have a smartphone in his or her pocket when entering the office. Can I assume that most cannot live without downloading their emails on their phone? Add Facebook and WhatsApp for sure, and for a few (especially the big guys) add LinkedIn and Twitter!! Can I assume that in most enterprises with concrete-walled enclosures, and given that we have pathetic 3G (4G – what?) connections, most like to connect their phones to the office Wi-Fi? Not surprisingly, whether IT likes it or not, people (I am talking about employees with a valid username and password) have figured out a way to latch onto the corporate Wi-Fi. Before IT says a vehement No, let’s look at the stats: a whopping 68% of employees are already on the corporate Wi-Fi using their personal smartphones, while IT believes that it is 34% (IT, guess I proved you wrong). Let’s keep this on the side for the time being.
Confronting the Truth
Let’s understand the facts on the dark side. Malware apps are growing exponentially – 600% growth, quarter on quarter. The platforms that allow malware to spread are mainly jailbreaking (for iOS) and rooting (for Android) of the OS, and that is also on the rise – about 22 million devices get jailbroken a quarter. Worse, there are ways such as a reverse SSH tunnel or a parallel bridge (I won’t go into detail here, but you can Google for them or visit this YouTube video http://youtu.be/kLB8p8hyyyQ) that can completely bypass your amazing perimeter security – remember, phones can hold two connections, one via Wi-Fi and another via 3G, and that too concurrently!! PwC came out and said that in most cyber attacks the points of compromise are linked to mobile devices such as laptops, tablets and smartphones, even in large enterprises – although this is, as yet, seldom reported in public. A recent report suggested that about 68% of enterprises suffered a mobile security breach in 2014 alone.
Today, keeping smartphones (and tablets) away from work is almost impossible. Let’s accept the fact that there is a huge productivity, collaboration and satisfaction gain because of these gadgets. It is better to accept reality than to live in an artificially perceived world. Accept, protect and move on.
Finding Way Out
Considering all this, another challenge arises: how do we manage security now? How do we create a BYOD (bring your own device) policy that doesn’t kill the emerging BYOD phenomenon itself? How do we manage it in a way that all stakeholders feel happy and comfortable?
There are broadly FOUR things you (CIO or Head of IT) need to worry about when implementing a BYOD policy at your enterprise:
- First and foremost, accept the fact that there are already BYODs in your network. Now think about what you can do to protect your data and network.
- Assuming you agree with me on (1), how do you protect sensitive data that is resident on the device?
- Again assuming you agree with me on (1), how do you ensure that rogue devices (and apps) won’t attack or breach your network?
- In the name of BYOD, don’t lock down the device completely (unless it is corporate-issued, but we are talking about BYOD here) – respect the employee’s choice of device and apps (i.e. their user experience) and, most importantly, their privacy!!
If you successfully tackle the above four, guess what: you have protected your enterprise from mobile attacks, and you will be labeled one of the top progressive companies!
I know you are saying “Easier said than done”, but let me help you here on how to design a policy, and also on getting the right tools to make sure the policy gets implemented.
After talking to umpteen companies, ranging from the Fortune 500 to across-the-road SMBs with fewer than 25 employees, across the US and India, this is what I suggest you consider while designing a real BYOD policy:
(a) If you feel the data on the device is very critical and you don’t want to lose control over it, you must have an MDM (mobile device management) agent on the devices. There are various vendors and today it is commoditized, but I have a few tricks up my sleeve 🙂 If all you care about is password enforcement on these devices, remote locking and remote wipe, all you need is your Microsoft Exchange or your Google corporate email (it needs to be tweaked a bit to achieve this, but no big deal). If you are really scared about all the possible ways data can be lost, you can lock the device down to the bone, but I strongly recommend NOT doing that unless it is a corporate device; otherwise it will kill the user experience and the privacy, the whole BYOD phenomenon will be a flop, and people will start looking for alternate means to get onto the network (and believe me, it’s not that hard either – we have done all of it in our labs). Nevertheless, there are many commercial MDMs available in the market and you can get one easily.
(b) Assume you go with one of these commercial MDMs: you have to install an agent on the employee’s personal device, which some people might feel is an intrusion into their privacy, and some might feel unnecessarily locks down their own device. In such cases you need a gatekeeper at the entry to the corporate Wi-Fi that determines which devices have an MDM agent and which don’t, and then provides full access to MDM devices and differential access to non-MDM devices. That way you are on-boarding all of them while keeping security intact. Just mark which servers are sensitive and which are not, and deny non-MDM devices access to the sensitive servers. (Any NGFW or an existing NAC can be converted to act as the gatekeeper.)
(c) Assuming that data-on-the-device is taken care of, we need to worry about the “rogue devices and apps attacking or breaching the network” issue, and that is where you need another tool at the gatekeeper level. It understands the security posture of the devices and apps trying to enter the network and scores them based on how vulnerable the OS, the browser and the apps are, and on what activities they have done, producing what is called a Device Risk Score and a Device Reputation Score; you then deny those devices which you perceive (based on your risk appetite) to be risky for your enterprise. That’s it, and you have pretty much firewalled your enterprise from rogue devices and apps. This is new territory; very few tools exist, and I am sure many more will come up. We are also into this. The trick is again that the tool should not have an agent (it should be agentless) so that, once more, privacy and the user experience are not affected but the work still gets done. You can Google around for such tools.
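To make the gatekeeper logic of points (b) and (c) concrete, here is an added example (written for this article, not i7 Networks’ or any vendor’s code) that ties the two rules together: a risk score computed from agentless-observable device properties, and a differential-access rule that keeps non-MDM devices away from servers tagged sensitive. The server names, the fleet, the scoring weights, the minimum OS baselines and the 40-point threshold are all constructed for illustration; a real deployment would feed these from its NAC/NGFW, MDM inventory and vulnerability data.

```python
"""Illustrative BYOD gatekeeper: agentless risk score + MDM differential access.
Constructed example, not i7 Networks code. All weights and data are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    platform: str            # "ios" or "android"
    os_version: Tuple[int, int]
    mdm_enrolled: bool       # does the corporate MDM report this device?
    jailbroken: bool         # jailbreak/root detected by the agentless check
    browser_outdated: bool
    flagged_apps: int        # installed apps matching a (hypothetical) bad-app feed


# Point (b): mark which servers are sensitive and which are not (constructed names)
SERVERS: Dict[str, str] = {
    "hr-payroll": "sensitive",
    "source-repo": "sensitive",
    "intranet-wiki": "general",
    "guest-printer": "general",
}

# Constructed minimum OS baselines; a real deployment tracks vendor patch levels
MIN_OS = {"ios": (8, 0), "android": (5, 0)}


def device_risk_score(d: Device) -> int:
    """Point (c): score 0..100 from observable properties. Weights are assumptions."""
    score = 0
    if d.jailbroken:
        score += 50          # jailbreak/root is the main malware vector in the text
    if d.os_version < MIN_OS[d.platform]:
        score += 20          # unpatched OS
    if d.browser_outdated:
        score += 10
    score += 10 * d.flagged_apps
    return min(score, 100)


def gate(d: Device, server: str, risk_threshold: int = 40) -> Tuple[str, str]:
    """Return (decision, reason) for device d reaching server.

    Order matters: the risk check runs first so a rogue device never gets on
    the network at all; then the MDM rule restricts sensitive servers."""
    score = device_risk_score(d)
    if score >= risk_threshold:
        return "deny", f"risk score {score} >= {risk_threshold}"
    if SERVERS[server] == "sensitive" and not d.mdm_enrolled:
        return "deny", "sensitive server requires MDM enrolment"
    tag = "MDM" if d.mdm_enrolled else "non-MDM"
    return "allow", f"risk score {score}, {tag} device"


def access_matrix(devices: Iterable[Device], risk_threshold: int = 40) -> Dict[str, Dict[str, str]]:
    """Decision per device and server, e.g. for review before enforcing."""
    return {d.name: {s: gate(d, s, risk_threshold)[0] for s in SERVERS} for d in devices}


# Constructed sample fleet: an enrolled iPhone, an unenrolled old Android,
# and an enrolled but rooted Android with one flagged app.
FLEET = [
    Device("alice-iphone", "ios", (8, 1), True, False, False, 0),
    Device("bob-android", "android", (4, 4), False, False, True, 0),
    Device("carol-rooted", "android", (5, 0), True, True, False, 1),
]

if __name__ == "__main__":
    for name, row in access_matrix(FLEET).items():
        print(name, row)
```

Running it shows the three outcomes the article describes: the enrolled, healthy device gets everything; the unenrolled but low-risk device is on-boarded with access only to general servers; the rooted device is denied outright, MDM agent or not, because the risk check is evaluated before the enrolment check.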
That’s all you need when it comes to policy as well as tools, and you are done 🙂 I know it is more confusing than what we project here, but I have helped design BYOD policies as well as tools for many companies and will be happy to help you out!!
By: Manjunath M Gowda. He is the CEO, i7 Networks, “Agentless, Enterprise BYOD Secured”.
© CIO AXIS. BitStream Mediaworks Pvt Ltd.