Saturday, April 19, 2014

BYOD risks and security policy tips

Bring your own device (BYOD) is a growing trend and, for many organizations, a winning approach. It is still a risky proposition, though: adopting it brings a number of risks, yet it keeps gaining popularity because of the benefits it offers.

The first step is to understand the perceived risks and evaluate them against the organization's security posture. Below are a few BYOD risks to consider:
Too Many Permissions
Mobile applications have to request permission to access device resources such as the camera and contacts. These restrictions are imposed by the mobile OS vendors and are good to have. The bad part is that most users grant whatever permissions are requested during installation without paying much attention to the fine print. Data leakage is the likely result for an application with too many permissions, because it can expose contacts, e-mail addresses and device location data to unscrupulous parties.
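One practical check an IT team can run before approving an app for BYOD use is to audit the permissions it declares against what the app actually needs. The script below is an added example, not code from the original post or from any vendor: it parses a constructed AndroidManifest.xml for a hypothetical flashlight app and reports which declared permissions fall into data-exposing groups (contacts, location, identity, messaging) and which ones lie outside the set the app is expected to need. The DANGEROUS table is a subset of the permissions Android itself labels protection level "dangerous"; extend it to match your own policy.

```python
"""Audit the permissions an Android app declares in its manifest.

Added example for the BYOD post; the manifest and the expected-permission
set are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's "dangerous" permissions, keyed to the data they expose.
DANGEROUS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_PHONE_STATE": "identity",
}

# Constructed manifest: a flashlight legitimately needs CAMERA (to drive the
# flash LED) and maybe INTERNET, yet this one also asks for contacts,
# precise location and phone identity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name value found on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)  # attribute is namespaced
        if name:
            names.append(name)
    return names


def audit(manifest_xml: str, expected: set) -> dict:
    """Group dangerous permissions by the data they expose and list any
    permission outside the set the reviewer expects the app to need."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    groups = {}
    for perm in perms:
        if perm in DANGEROUS:
            groups.setdefault(DANGEROUS[perm], []).append(perm)
    return {
        "package": root.get("package"),
        "dangerous": groups,
        "unexpected": sorted(set(perms) - set(expected)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, {"android.permission.CAMERA",
                                     "android.permission.INTERNET"})
    print("package:", report["package"])
    for group, perms in sorted(report["dangerous"].items()):
        print("  exposes %-10s via %s" % (group, ", ".join(perms)))
    print("  unexpected:", ", ".join(report["unexpected"]))
```

The "unexpected" list is the one worth acting on: a flashlight that wants contacts and fine location is exactly the over-permissioned app the paragraph warns about, and the report gives the reviewer concrete permission names to raise with the vendor or to reject.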

Spyware/Adware
Many freely available mobile applications collect the device owner's data in order to sell it to advertising networks. A mobile application that collects data without requesting the owner's permission is considered adware or spyware. A few applications also install aggressive ad-driven search engines on the device that send users to specific advertiser websites.

Rooted & Jailbroken Devices
Device firmware can be jailbroken or rooted, and tools have automated the process to the point where it takes a few mouse clicks. Jailbreaking removes restrictions imposed by the device maker that were designed to improve device security. Rooting gives the device owner administrator-level permissions, enabling them to install and run apps that could be malicious in nature. Either way, the platform's application sandbox can no longer be relied on, so corporate data on such a device should be treated as exposed.

Software and Device Loopholes
Corporate data can be exposed if an employee fails to apply software security updates to their device, and the update process itself is complicated on some devices. Coding errors in the third-party applications on employee devices are also difficult for the organization to control.

Cloud Storage Services
Cloud storage services such as Dropbox, offered on mobile platforms, are a potential data-leakage channel. Employees can use them to store company data if the organization has not defined restrictions on sensitive data or has not enforced restrictions on the use of mobile cloud storage apps. Depending on organizational requirements, it is good to offer an approved storage solution at the organizational level, so that employees are not tempted to bypass security controls.

Stolen or Lost Devices
This is one of the biggest risks to an organization: an employee loses a device that is connected to the corporate network. Some organizations have implemented ways to remotely wipe corporate data, such as e-mail and contacts, from a lost device. Pushback from employees who don't want to give their employer unfettered access to their personal device has prompted companies to take a closer look at containerization. By containerizing business data on the device, IT security teams gain the ability to selectively wipe corporate data if the device is stolen or lost. Remote wipe only helps when it is paired with device encryption and a lock screen, since whoever holds a lost device can simply keep it offline.

Wireless Access Point (WAP) Exposure
Some employee devices connect to the internet through whatever open wireless access point is available. Open wireless networks, such as those in hotels or public areas, expose device owners to man-in-the-middle attacks and other threats. To mitigate this, organizations can use technology that forces wireless users onto a VPN when accessing corporate resources.

Rising Android Malware
Mobile malware trends show a steady increase in malware targeting Android devices. The bulk of the threat consists of SMS Trojans aimed at consumers, but enterprises are not immune. F-Secure has detected Zeus and SpyEye banking Trojans that attempt to take advantage of the victim's mobile device, and Kaspersky Lab recently identified Red October, a targeted attack campaign that had a mobile malware component.

With these risks in mind, here are a few suggestions for security policies and controls that mitigate them; which ones apply depends heavily on organizational needs. A few examples of good security policies:

- Enforce two-factor authentication for remote access to company servers: something you know (e.g. a PIN) combined with something you have (e.g. a security token).
- Allow only device types that support remote location and remote data deletion. Most brands have this feature built in or support applications that provide it.
- Limit access to corporate information based on the type of device and the employee's need. For example, allow employees to access only e-mail from their smartphone. If certain employees require remote access to a company server, allow it only through a secure VPN connection.
- If employees have access to a company database, ensure that corporate files can only be saved to the company server and are not downloaded to the remote device used to access them.
- Each employee enrolled in BYOD should sign an end-user agreement (EUA), or an equivalent clause in the employment letter, that clearly identifies the employee's obligations, grants the company certain rights with respect to the device so that data can be removed if necessary, addresses reimbursement for data charges, and specifies how data loss is to be handled.

Conclusion

BYOD is an approach that many organizations are adopting because of its benefits. As with any other technology, there are risks involved, and they can be mitigated by implementing a strong policy that incorporates some or all of the technical, legal and administrative safeguards described above.

References & take-away:
Robert Westervelt, "Top 10 BYOD Risks Facing The Enterprise", CRN, July 26, 2013: http://www.crn.com/slide-shows/security/240157796/top-10-byod-risks-facing-the-enterprise.htm