September 19, 2012 BRING YOUR OWN DEVICE (BYOD), IT SECURITY

BYOD: Yea or Nay? Part 2

We last talked about the pros and cons of implementing a BYOD policy in your organization. This concluding part expands on how companies can mitigate those risks, either by making changes to their BYOD policy or to other policies within the organization.

Now, if I were to choose, I’d allow smart phones and tablets while maintaining an exceedingly cautious stance where “bring your own laptop” is concerned. In any case, nothing should connect to the company network without protections of every possible kind: encryption, VPNs, proper AV. No matter what you do, never allow a connection without first ensuring that all these protections are in place and up to date.

Data at rest should be encrypted just as much as data in motion. For instance, if a device is lost and the data on it cannot be read, all the better for your security.

Hundreds of thousands of these devices are lost each year. I highly doubt you’d want the headache of changing all relevant certificates should your smartphone be lost, so identify how these certificates can be managed in such a way that losing a phone will not prove catastrophic.

I also cannot emphasize strongly enough how imperative it is for employees to sign a document from the outset acknowledging your right as an employer to remotely wipe their devices should they be lost or stolen. Yes, even if this means deleting all their children’s photos, in the event this becomes necessary. Once a device is used for business, security must take priority over the preservation of personal data.

At this point, you’re very likely wondering what types of infrastructure or software solutions a company could, or I’d say should, invest in to adequately support a BYOD policy.

This truly depends on the size of the company and how many such devices you will have. You need software to control what is installed on these devices; personal or not, you can’t allow random software that could compromise your security. You need AV; you need encryption and VPN. You also need software which, if possible, can track where the devices are, to ensure they are with their legitimate owner (should one of them end up thousands of miles from where it’s supposed to be, you immediately know you may very well have a problem on your hands).

You could ultimately end up needing an in-house infrastructure mimicking what Apple built for iTunes: something from which to download company apps. That said, this is a costly exercise, and while it makes sense for large corporations, it is impractical if you only have 20 devices. In that case, you could conduct a personal device check to ensure apps are installed according to security policies.

When connected to your network, these devices should be on a subnet of their own: wireless, protected, and behind a dedicated firewall. Routing and scanning rules must be implemented to ensure they’re controlled, with any compromised device immediately spotted and isolated.

Network access control (NAC) is all the more important for these devices.
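As an added illustration (not code from the original post) of the admission check described above, the following Python evaluates each device's reported posture against the protections this article lists (remote-wipe consent, software control, up-to-date AV, disk encryption, VPN, and the device being where its owner is), keeps compliant devices on the BYOD subnet, and sends the rest to a quarantine segment. The field names, the seven-day AV definition threshold and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
# Assumption: definitions older than this count as "not up to date".
MAX_AV_DEFINITION_AGE = timedelta(days=7)

@dataclass
class DevicePosture:
    """Posture report for one device (hypothetical fields, as an MDM/NAC agent might supply)."""
    device_id: str
    wipe_consent_signed: bool     # employee signed the remote-wipe acknowledgement
    managed: bool                 # company software controls what is installed
    av_installed: bool
    av_definitions_updated: datetime
    disk_encrypted: bool          # data at rest encrypted
    vpn_active: bool              # data in motion encrypted
    reported_region: str          # coarse location reported by the management agent
    expected_region: str          # region the owner is supposed to be in

def admission_decision(d: DevicePosture, now: datetime) -> Tuple[str, List[str]]:
    """Return (segment, failures): 'byod-subnet' when every check passes, else 'quarantine'."""
    failures = []
    if not d.wipe_consent_signed:
        failures.append("remote-wipe consent not on file")
    if not d.managed:
        failures.append("device not under software control")
    if not d.av_installed:
        failures.append("no AV installed")
    elif now - d.av_definitions_updated > MAX_AV_DEFINITION_AGE:
        failures.append("AV definitions out of date")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if not d.vpn_active:
        failures.append("no VPN tunnel")
    if d.reported_region != d.expected_region:
        failures.append("location anomaly: possibly not with its owner")
    return ("quarantine" if failures else "byod-subnet"), failures

def evaluate_fleet(devices: List[DevicePosture], now: datetime) -> Dict[str, Tuple[str, List[str]]]:
    """Map each device id to its segment and the reasons it was held back, if any."""
    return {d.device_id: admission_decision(d, now) for d in devices}

# Constructed sample fleet: one compliant phone, one with stale AV, one far from its owner.
NOW = datetime(2012, 9, 19, 9, 0)
SAMPLE_DEVICES = [
    DevicePosture("phone-01", True, True, True, NOW - timedelta(days=1), True, True, "EU", "EU"),
    DevicePosture("tablet-02", True, True, True, NOW - timedelta(days=30), True, True, "EU", "EU"),
    DevicePosture("phone-03", True, True, True, NOW - timedelta(days=2), True, False, "APAC", "EU"),
]
```

Calling `evaluate_fleet(SAMPLE_DEVICES, NOW)` places phone-01 on the BYOD subnet and quarantines the other two with the reasons listed, which is the feed a firewall or NAC rule would act on.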

As to whether there are situations in which a BYOD policy should simply not be instituted, or specific companies which may not be a fit for BYOD, I would say this really depends on the level of confidentiality of your data and how much control you want to retain over it and over the devices handling it.

The unfortunate issue here is that the people who, I firmly believe, should have it least (C-level executives, for instance) are most likely the ones who end up having it, simply because they will demand it. These are the ones who, without even realizing it, are predisposed to bypassing every security and IT policy. This undoubtedly puts the company at risk, particularly because of the level of confidentiality of the data they typically handle.

In closing, if I had to summarize everything into two, maybe three, tips related to BYOD which companies should follow in order to implement the best possible policy, I think we can refer to what has been expanded upon above.

One, a big no to using plain text and unprotected connections. Two, use VPNs and encrypt the disk. And three, ensure that not only are you using AV, but that it is kept up to date.