BYOD and Secure Mobile Computing

madunixCIO
Edited by: Andrew Leniart
The biggest challenges when it comes to mobile security: protection, integration and visibility.

Introduction


Mobile computing refers to devices that are transported or moved during normal usage. This mobility makes it more difficult to implement logical and physical access controls. Enterprise Mobility Management Suites (EMMS) are one approach to this problem, providing the capability to manage mobile devices.


The biggest challenges when it comes to mobile security are protection (a solution that detects threats and remedies them based on the corporate policy), integration (a solution that integrates with endpoints or platforms) and visibility (a solution that shows all affected devices and the types of threats).


Mobility


Mobile devices are used extensively in today's workforce [1]. The advent of bring your own device (BYOD), where enterprises encourage staff to use their own mobile devices for company business, adds another layer of complexity when protecting these devices.


Bring your own device (BYOD) is an emerging phenomenon in the office workplace, and one of the most significant trends in the world of mobile computing. Since mobile devices are now so integral in everyday life, it is inevitable that employees will bring their own to supplement the devices provided to them by their employers.


Since an employee's personal property is out of the employer's control, it is difficult to account for every risk, threat, and vulnerability involved with these devices. Some companies have elected to outright ban BYOD to prevent such security incidents; however, for a number of reasons, this isn't always feasible.


With mobility, you will need to recognize that work done while in the office may leave the office after close of business. This pushes your boundaries farther than you can totally manage. You may be able to enforce the secure handling of sensitive data while employees are in the office, but once they are outside, that data will be at risk. This is because many users do not make the effort to secure their own personal devices, or in some cases, their devices may be inherently insecure.


Concerns


The operational challenges of a BYOD model are governance, compliance, mobile device management and security. You need to analyze all of the potential issues associated with BYOD before implementing it in an enterprise. Below is a short list of the many concerns associated with bringing your own device to work:

• Data leakage

• Compliance with regulations

• Inability to control endpoint security

• Device management

• Vulnerability exploits

• Lost or stolen devices

• User awareness

• User privacy protection

• Ensuring security software is up-to-date

• IT technical support required

• Malware infections

• Mobile Application Security

• Managing fragmented tools across devices and app types

• Managing the device Lifecycle and asset tracking

• Maintaining OS patch management and endpoint health

• Cross-platform endpoint management

• Network / Wi-Fi attack defense

• Bluetooth Attacks defense

• Forensic analysis on mobile devices

• Deployment model (on-Prem or cloud)

• Equipment Lifecycle managing and disposing of mobile devices


Threats


There are many areas to consider on mobile devices, such as the physical device, application security, and the concerns around BYOD. With more mobile devices in the workplace come more mobile device security vulnerabilities. The following threats are introduced in a BYOD environment [5]:


• With BYOD, work done while in the office may leave the office after close of business. This pushes the boundaries farther than the enterprise can totally manage. Employees who take sensitive data outside of the perimeter and fail to secure their devices will risk that data falling into the wrong hands.


• The mobile devices employees use may be difficult to patch, or they may run outdated software, which could leave them more vulnerable to attacks.


• Many mobile devices also lack built-in anti-malware software. Malware, in particular, targets jailbroken devices that remove restrictions, particularly the restriction of only being able to download an application from the official App Store. Not only can malware infect that user's device, but it could likewise spread throughout the network when the device connects.


• The addition of multiple devices may place a strain on the network and cause it to stop functioning at optimum capacity. This may also lead to a DoS, whether intentional or not.


• Forensic complications: because employees own their devices, subjecting them to forensic procedures in response to an incident may prove difficult or even impossible.


• Unencrypted data on mobile devices.


• Not having a data backup for mobile devices.

 

• Wireless attacks: information travels across wireless networks that are often less secure than wired networks.


• Bluetooth attacks.


Policy


A security policy should exist for mobile devices. The enterprise should have a BYOD policy addressing mobile device usage and information handling. BYOD should be approved by executive management and be subject to oversight and monitoring [2]. In addition, an employee BYOD agreement should require the employee to agree with the items in the policy before the device can be used for business purposes. BYOD policies can be applied at the user, device, or application management level, based on several conditions.


The policy [3] should cover key security topics such as (only a few points mentioned):

• Requirements for secure-access and encryption.

• Segregation of corporate and personal data.

• Remote data deletion or device reset if lost or stolen.

• Incorporate mobile security into existing data protection processes.

• Determine acceptable use cases for file sharing (Document Control).

• Application policies should be applied to certified OEM devices.

• Remove or blacklist the malware installation or access on any device.

• Stop rooting of devices which are owned by enterprises.

• Application access.

• Data wiping.

• Blacklisted devices.


Critical Decision Points


EMMS can combine device management, application management, information management, identity and access control, unified endpoint management, and BYOD [3]. There are several EMMS available, including Blackberry Dynamics, Citrix XenMobile, Sophos, Cisco Meraki, VMware AirWatch, SOTI, Ivanti, MobileIron and IBM MaaS360.


Enabling mobility within your enterprise isn’t just about BYO devices. There are several use cases, such as corporate-owned devices, highly regulated industries, line-of-business endpoints, Internet of Things (IoT) devices, and more, that require advanced mobile device management policies to ensure that the device is fully configured and secured.


Consider the challenges and concerns regarding securing mobility, the technology choices companies are making, and how the enterprise is responding to the growing security risks associated with mobility. In these use cases, EMMS is the appropriate solution to give IT the visibility and controls it needs.


The list below is not exhaustive, but it will provide you with an overview of the top factors to consider:

(1) Ability to secure and manage mobile devices throughout the full device lifecycle, onboarding, configuring, securing, and support:

• Provides comprehensive device lifecycle management.

• Manage and secure devices.

• Enroll devices in the device management platform.

• Device configuration.

• Configure email, apps and content, Wi-Fi, VPN.

• Enforce device restrictions.

• Control device layout.

• Perform a remote lock or wipe.

• Perform a remote troubleshoot and support users and devices.

• Perform malware protection.

• Application risk detection.

• Vulnerability exploits defense.

• Role-based access control.

• Restrict access to device settings to prevent tampering or misuse.


(2) Unifying management of laptops and desktops with mobile devices in a single solution, with full PC lifecycle capabilities such as configuration, OS patch management, client health, and security.

• Ease of deployment.

• Configure and manage the OS out of the box, whether the device is on a domain network or in the cloud.

• Software distribution to package and deliver any application.

• OS patch management for flexible management of OS updates and patches from the cloud.

• Ability to check client health and security.

• Logging, monitoring, and reporting.

• Manage all devices from one console.

• Integration with other endpoint management systems.

• Unified platform designed to manage and secure any endpoint: mobile, desktop, and things.


(3) Ability to centrally manage devices being leveraged in lines of business, and provide the flexible management controls required:

• Provides complete separation of corporate and personal data on a device to maintain employee privacy.

• Enable check-in/out mode for devices shared by multiple users.

• Securely connects employees to corporate intranet sites without requiring them to manually connect to a VPN.

• Robust compliance engine, which can enforce restrictions based on blacklisted applications.

• Integrates with leading malware detection software companies, which provides an even higher level of protection.

• Using compliance rules to ensure that user devices are on the latest level of protection.
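
As an added illustration (not code from this article or from any EMMS product), the example below evaluates device inventory records against compliance rules of the kind listed above and in the Policy section: encryption, rooting, blacklisted applications, OS patch level, and lost or stolen devices. The policy values, field names, app identifiers and action names are hypothetical, and the fleet data is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical policy values; a real deployment takes these from its BYOD policy.
POLICY = {
    "min_os": {"ios": (17, 4), "android": (14, 0)},
    "blacklisted_apps": {"com.example.sideloader", "com.example.filedrop"},
    "max_checkin_age_days": 7,
}

@dataclass
class Device:  # constructed inventory record, not any vendor's schema
    owner: str
    platform: str
    os_version: tuple
    encrypted: bool
    rooted: bool
    reported_lost: bool
    days_since_checkin: int
    apps: set = field(default_factory=set)

def evaluate(dev, policy=POLICY):
    """Return (action, reasons); the most severe finding decides the action."""
    findings = []
    if dev.reported_lost:
        findings.append(("wipe_corporate_data", "reported lost or stolen"))
    if dev.rooted:
        findings.append(("block", "rooted or jailbroken"))
    if not dev.encrypted:
        findings.append(("block", "storage not encrypted"))
    banned = sorted(dev.apps & policy["blacklisted_apps"])
    if banned:
        findings.append(("block", "blacklisted apps: " + ", ".join(banned)))
    minimum = policy["min_os"].get(dev.platform)
    if minimum is None:
        findings.append(("block", "unsupported platform"))
    elif dev.os_version < minimum:
        findings.append(("quarantine", "OS below minimum patch level"))
    if dev.days_since_checkin > policy["max_checkin_age_days"]:
        findings.append(("quarantine", "stale check-in, posture unknown"))
    order = ["allow", "quarantine", "block", "wipe_corporate_data"]
    action = max((a for a, _ in findings), key=order.index, default="allow")
    return action, [reason for _, reason in findings]

FLEET = [  # constructed sample data
    Device("alice", "ios", (17, 5), True, False, False, 1, {"com.example.mail"}),
    Device("bob", "android", (13, 0), True, False, False, 2),
    Device("carol", "android", (14, 0), True, True, False, 0, {"com.example.sideloader"}),
    Device("dave", "ios", (17, 4), False, False, True, 30),
]

if __name__ == "__main__":
    for d in FLEET:
        print(d.owner, *evaluate(d))
```

A device that has not checked in recently is quarantined rather than allowed, because its last known posture can no longer be trusted.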


Conclusion


Here are six things to consider regarding proposed secure mobility management [4] [5] concepts:

• Gain knowledge of the risks and controls associated with the use of mobile and wireless devices, including personally owned devices (BYOD).

• Gain a better understanding of EMMS and which one could suit your business needs.

• Learn how to develop, manage and enforce a BYOD policy that can protect your enterprise from your workers’ devices.

• Acquire a cost-effective solution with flexible mobility (scale up or down).

• Invest enough in employee training and awareness.

• Continue to adhere to corporate security policy, industry regulations and best practices.


References


[1] www2.deloitte.com/content/dam/Deloitte/mx/Documents/human-capital/The_digital_workplace.pdf

[2] www.adira.org/wp-content/uploads/2014/04/BYOD_Philippe_Le_Tertre.pptx

[3] nestweaver.com/enterprise-mobility-management/

[4] global.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-uem-the-cios-guide-to-uem.pdf

[5] Bring-Your-Own-Device (BYOD): An Evaluation of Associated Risks to Corporate Information Security, Vol. 04, Issue 08 (August 2016), ISSN: 2321-1776



Comments (2)

Nice post. Love to read it.
Detailed Information on BYOD and Securing Mobile Computing, this article can be used as a reference while laying out any procedures or processes.
