BYOD for Employees

3,537 views
3,422 views

Published on

This paper takes an enterprise architecture approach to describe the IT Security Architecture impacts of migrating from an employer supplied “use what you’re told” (UWYT) model to an employee purchased “bring your own device” (BYOD) model. More and more employees and executives demand the option to use their consumer IT devices to do their work. This blend of work and life, combined with flexible work hours also contributes to an atmosphere where people want to be able to work with the tools of their choice.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,537
On SlideShare
0
From Embeds
0
Number of Embeds
63
Actions
Shares
0
Downloads
314
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

BYOD for Employees

  1. 1. IST 725 Final Paper – BYOD for Employees May 1, 2012 Bring Your Own Device for Employees Understanding the IT Security Architecture Impacts Leo de Sousa – IST 725Leo de Sousa Page 1
  2. 2. IST 725 Final Paper – BYOD for Employees May 1, 2012Table of ContentsAbstract ........................................................................................................................................... 3Introduction ..................................................................................................................................... 4EA3 Cube Framework Overview .................................................................................................... 8IT Security Architecture Overview ............................................................................................... 10Current State - UWYT .................................................................................................................. 11Future State - BYOD .................................................................................................................... 15BYOD Management Plan ............................................................................................................. 22Conclusion .................................................................................................................................... 24References ..................................................................................................................................... 26Leo de Sousa Page 2
  3. 3. IST 725 Final Paper – BYOD for Employees May 1, 2012AbstractThis paper takes an enterprise architecture approach to describe the IT Security Architectureimpacts of migrating from an employer supplied “use what you’re told” (UWYT) model to anemployee purchased “bring your own device” (BYOD) model. More and more employees andexecutives demand the option to use their consumer IT devices to do their work. This blend ofwork and life, combined with flexible work hours also contributes to an atmosphere wherepeople want to be able to work with the tools of their choice. “Work is no longer a place you goto, and then leave, but an ongoing activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)Organizations will have no choice but to address the demands of their employees. ITdepartments in particular, play a key role in articulating the IT security impacts of BYODprograms on their organization. Blount explores the Consumerizaton of IT – SecurityChallenges by describing the challenges, the opportunities and the benefits. “This importanttrend is not just about new devices; it’s about the entire relationship between IT and its userpopulation.” (Blount, 2011, p. 3) BYOD is not just a technology or device specific issue.To better understand the impacts of the BYOD trend on organizations, we need a model todescribe the current state, the future state and develop a management plan to understand thechanges required. Dr. Scott Bernard developed and published the EA3 Cube Framework as“management program and a documentation method”. (Bernard S. A., 2005, p. 33) This paperfollows the EA3 Cube framework to help understand the transformative impacts of BYOD on ITSecurity. Focusing specifically on IT Security Architecture, this paper will use the followinglayers from the Security Architecture Framework to understand and communicate the impacts ofBYOD for organizations: (Bernard & Ho, 2007, p. 10) 1. Information Security Governance 2. Operations Security 3. Personnel Security 4. Information and Data Flow Security 5. Application Development Security 6. Systems Security 7. Infrastructure Security 8. Physical SecurityAfter reading this paper, the reader will have an overview based on an enterprise architectureframework, of the IT Security Architecture impacts implementing an employee BYOD programhas on organizations.Keywords: BYOD, data, devices, enterprise architecture, it security architecture, mobility,policy, risk management, security, UWYTLeo de Sousa Page 3
  4. 4. IST 725 Final Paper – BYOD for Employees May 1, 2012IntroductionMore and more employees and executives demand the option to use their consumer IT devices todo their work – “bring your own device” (BYOD). This blend of work and life, combined withflexible work hours also contributes to an atmosphere where people want to be able to work withthe tools of their choice. “Work is no longer a place you go to, and then leave, but an ongoingactivity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3) Organizations will have no choice butto address the demands of their employees. IT departments in particular, have a key role to playin articulating the IT security impacts of BYOD programs on their organization.The predominant endpoint model in organizations is an employer supplied endpoint devices suchas personal computers and phones (UWYT). This dominant model allows organizations totightly control access to corporate digital assets including systems and applications as well ascorporate structured and unstructured information. In this paper, an endpoint is defined as anydevice that allows a user to interact with organizations’ digital assets over a network – “thedevice at the end of a transport layer of a network.” (Wikipedia, 2012)BYOD programs present some difficult questions that require changes to policies, businesspractices, information security, systems and IT infrastructure. • What devices are acceptable for employees to use? • How do employers ensure that the devices employees choose to use have appropriate security and encryption software? • What happens if an employee device is lost containing corporate data? • What amount of control will the employer demand vs. what an employee is willing to grant on personal devices? • What risks do employers run when an employee owned device contains unlicensed or illegal software and content? • What are the risks and impacts of these “gateways” to corporate network as they travel with their owner to their homes, coffee shops and vacations? • What role does identity management and application virtualization play in enabling and securing BYOD approaches? • How to segregate employer supplied applications from employee owned applications?Ensuring that there is central management of the infrastructure running on corporate networksallows organizations to meet the audit requirements of privacy legislation like Freedom ofInformation and Protection of Privacy Acts (FIPPA) and Health Insurance Portability andAccountability Acts (HIPAA). Further, organizations that accept payment for goods andservices via payment cards are subject to compliance with Payment Card Industry Data SecurityStandards (PCI-DSS). Introduction of consumer based, employee owned devices into corporatenetworks increases the complexity of security management systems. There is also an increasedthe risk of non-compliance to information security policies. There are costs that will be incurredto accommodate employees’ having the ability to choose their own endpoints including potentialmore costs as pricing and contractual benefits are lost with individual purchases. (ProfitLine,Leo de Sousa Page 42011, p. 2)
  5. 5. IST 725 Final Paper – BYOD for Employees May 1, 2012Sen published a paper that explores the “Consumerizaton of Information Technology Drivers,Benefits and Challenges for New Zealand Corporates”. Sen suggests the following corporatechallenges need to be understood and addressed: (Sen, 2012, p. 14) • Cost Constraints and Uncertain Cost Boundaries • Security Challenges • Challenges in Support and Control • Challenges around Evolving Relations and Expectations • Changing Policy Needs • Regulatory ObligationsThe “use what you’re told - UWYT” model delivers cost management, security management,centralized support and strong policy enforcement. The challenge with UWYT is it fails todeliver on social engagement or facilitate the blending of personal and work as defined byWallin, “keep employees happy”. (Wallin, 2011, p. 1) Two key groups are driving BYODinitiatives – “senior managers at the board level asking IT to sync their personal devices withwork and the number of younger employees … with high expectations of using their personaldevices with work applications.” (Ranger, 2012) Wallin confirms this “often, ‘bring your own’starts on the executive floor” (Wallin, 2011, p. 1) Employee recruitment and retention ispositively impacted by implementing new working practices like BYOD. (6dg, 2012) Employeesatisfaction and motivation are very relevant topics as organizations look to increase productivityin a globally competitive business environment by having a motivated workforce. Sen’s papercites the following corporate benefits: (Sen, 2012, p. 13) • Accelerates Business Growth • Productivity through Employees bringing in New Technology • Employee Productivity through Trust • Cost BenefitsEmployees expect to work with tools that are of equivalent capability as those they purchase forpersonal use. This is a significant challenge especially from a cost impact as most organizationscannot keep up with the rapid developments in consumer IT and fall behind. “Employees expectto be able to use all the innovative new devices and tools at their disposal, both to do their jobsand to maintain their always-connected lifestyles while being able to work whenever andwherever they need to.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 1)Leif-Olof Wallin from Gartner provides four conflicting goals that need to be considered whenconsidering moving from UWYT to BYOD. 1. Social – keep employees happy 2. Business – keep processes running effectively 3. Financial – manage costs 4. Risk Management – stop bad things from happening (Wallin, 2011, p. 1)Leo de Sousa Page 5
  6. 6. IST 725 Final Paper – BYOD for Employees May 1, 2012A whitepaper presented by ProfitLine introduces the concept of liability to describe models ofdeploying services. The concept of liability helps categorize the risks that IT SecurityArchitecture addresses. “Corporate Liable” is defined as “devices/services paid by employer andcontracts are signed by enterprise representative.” (ProfitLine, 2011, p. 2) This describes thetraditional approach of employer supplied and controlled endpoints (UWYT). The contrastingmodel is “Individual Liable”: “devices/services purchasing purchased by employee, who is thenreimbursed via expense report or stipend for minutes spent on business calls or emails.”(ProfitLine, 2011, p. 2) Individual Liable describes the BYOD model for user endpoints inorganizations. Actually, a hybrid of Corporate and Individual liability is the most practicalapproach for organizations.The whitepaper also suggests key risk factors that need consideration: (ProfitLine, 2011, p. 2) • Sourcing and Contractual Issues – major pricing and contractual benefits are lost when moving to an Individual Liable model – example for 7000 user profile resulted in a significant cost increase due to individual purchases over bulk corporate purchases • IT Support and User Experience – hidden IT support costs and potential user experience issues – example employees will still call the central IT service desk and the IT department will have significant difficulty keeping up with the variety of endpoints and their particular support needs. Also user experience can suffer as they would have to go to the place they purchased their device for support • Security – increased security risks and policy ramifications – example security policies and safeguards must be put in place to protect corporate assets. Creating a user signed off policy to address issues like controls on personal devices is criticalOrans and Pescatore from Gartner present a model to help understand risk and security pressureson the value to the business from BYOD. They describe 4 strategies organized in a twodimensional quadrant with the horizontal axis being “Security Pressure” referring to securitydemands from internal and external forces and the vertical axis being “Value to Business”referring to the value that the user delivers to the business through the use of consumertechnology. They recommend that most organizations begin with the Contain strategy and useNetwork Access Control (NAC) to “isolate personally owned mobile devices in a limited accesszone, where they may access a subset of applications and data.” (Orans & Pescatore, 2011, p. 1)Network Access Control in combination with Mobile Device Management (MDM) and HostedVirtual Desktops (HVD) allows organizations to manage all four strategies of Block, Disregard,Contain and Embrace for BYOD in organizations.The quadrant diagram below maps the security responses to risk and business value.Leo de Sousa Page 6
  7. 7. IST 725 Final Paper – BYOD for Employees May 1, 2012High Embrace ContainValue toBusiness Disregard BlockLow Low Security Pressure High (Orans & Pescatore, 2011, p. 3)Category Definitions (Orans & Pescatore, 2011, p. 7) • Block – (or ban) the use of consumer-grade products or services by explicitly prohibiting their use in an appropriate policy; then enforce the policy by scanning for use or blocking port numbers of device drivers – example block peer to peer file sharing services • Contain – actively accepts and facilitates use in well-defined situations and in some cases implements controls to present the use of the consumer technology – example SSL VPN • Disregard – essentially means pretending that the consumeration trend doesn’t affect you or at least not actively looking to see where consumer technologies are in use – example technology that has no business impact like an mp3 player • Embrace – refers to the IT organization incorporating consumer-grade technology or enterprise versions of consumer products/services) and promoting, delivering and supporting it just like any other IT-delivered product or service – example corporate use of iPads for employeesLeo de Sousa Page 7
  8. 8. IST 725 Final Paper – BYOD for Employees May 1, 2012EA3 Cube Framework OverviewThe EA3 Cube Documentation Framework (Bernard S. A., 2005, p. 38) provides an excellentstarting point to understand the risks and impacts of implementing an employee BYOD model.The documentation framework structures the layers of an organization so that we can mapchanges and their impacts to them.Enterprise Architecture (EA) is described by the formula (Bernard S. A., 2005, p. 32):Enterprise Architecture = Strategy + Business + TechnologyThe EA3 Cube framework describes an Enterprise Architecture by documenting the current stateof an enterprise and then documenting the future state with the changes implemented. Thedocumentation approach has six basic elements. (Bernard S. A., 2005, p. 37) 1. EA documentation framework – levels, segments and artifacts 2. EA components 3. Current State view 4. Future State view 5. EA Management Plan 6. Planning Threads – IT security, IT standards and IT workforceHere are images of the EA3 Cube Documentation Framework: (Bernard S. A., 2005, p. 38)Leo de Sousa Page 8
  9. 9. IST 725 Final Paper – BYOD for Employees May 1, 2012Implementing BYOD will touch all the components in the EA3 Cube framework particularly theSecurity/Standards/Workforce planning thread. There will be changes required to thearchitecture layers of data and information, systems and applications and networks andinfrastructure. There should be a special focus on access and protection of data and informationas digital information is growing exponentially in their enterprises. Enabling access to digitalinformation on personally owned devices like laptops, tablets and mobile phones requires addedsecurity measures to protect against data breaches. Meeting employee demands forpersonalization must be balanced with the organizations’ need to meet legislation compliance.Looking at the EA3 Cube framework, we can see how each component interacts to enable securesharing of data and information to BYOD devices. Enterprise Security Architecture (ESA) isone of the planning threads in the EA3 Cube framework. Enterprise Security Architecture helpsidentify issues and the risks that could impact a company and its employees when implementinga BYOD program. ESA also provides a framework for planning and implementing securebusiness practices.Leo de Sousa Page 9
  10. 10. IST 725 Final Paper – BYOD for Employees May 1, 2012IT Security Architecture OverviewEnterprise Security Architecture is a vertical planning thread in the EA3 Cube framework as ittouches all the layers in the model. Bernard and Ho present a Security Architecture Framework(SAF) that has eight layers: (Bernard & Ho, 2007, p. 10) 1. Information security governance 2. Operations security 3. Personnel security 4. Information and data flow security 5. Application development security 6. Systems security 7. Infrastructure security 8. Physical securityThese eight layers are important to consider when shifting from employer supplied “use whatyou’re told” (UWYT) to an employee purchased “bring your own device” (BYOD) model. Hereis an image that represents the Security Architecture Framework with the EA3 Cube layers on theright: (Bernard & Ho, 2007, p. 11)Leo de Sousa Page 10
  11. 11. IST 725 Final Paper – BYOD for Employees May 1, 2012Current State - UWYTCurrent State (EA3 and SAF) Fully Managed Endpoints - UWYTThe predominant organizational model of IT managed endpoints is employer supplied endpoints.Think of this as the “use what you’re told – UWYT” model. (Lomas, 2011) This has been thepredominant model for IT departments supplying endpoints to their businesses for the decades.“UWYT treats the user as just another socket to be plugged into the network – a plug specificallyselected to fit the needs of the IT department, not the socket.” (Lomas, 2011) The Block and/orDisregard models are used for UWYT environments. (Orans & Pescatore, 2011)This section characterizes the information security attributes for UWYT so that we can comparethis to the future state implementing BYOD. One of the key aspects of the UWYT model is thatit limits the scope and costs of implementing IT security practices and policies by restricting thechoices for endpoints used by employees. This is a Corporate Liable model for risk.Information Security Governance“The purpose of the ‘IS Governance’ layer in the SAF is to define security strategies, policies,standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho,2007, p. 11)The centralized nature of this model relies on IT being the only source for endpoint technology.This is the Corporate Liable model for managing endpoints. IT departments have a mandate bytheir organization to protect the company by standardizing and implementing policies thatenforce the Block and/or Disregard model. (Orans & Pescatore, 2011) Some companies employthe Contain model for email and calendar access on BYOD devices, but they have not created aformal BYOD policy. This introduces risks of data leakage from not being able to manage lostor stolen devices. Most senior executives are unaware of this corporate risk. Manyorganizations do not have an information security policy and rely on human resources policiesthat align to a UWYT model. There is no question that the employer has all the control in thismodel. This layer focuses on policy, policy formation, evaluation, and standards (includinglegislative compliance – HIPPA and FIPPA).Operations Security“The purpose of the Operations Security Layer is to define the enterprise’s intra-organizationaland operational needs as they interact with and require access to the enterprise IT services, inorder to identify and address security needs at the enterprise’s organizational level.” (Bernard &Ho, 2007, p. 12)With the centralized UWYT model, organizations can limit the scope of operations security tothe assets deployed for use to employees. This has a lesser ongoing cost for the followingactivities: risk assessment, vulnerability assessment, contingency planning, incident handlingteam, disaster recovery planning, business continuity planning and security operations center.Leo de Sousa Page 11
  12. 12. IST 725 Final Paper – BYOD for Employees May 1, 2012Personnel Security“The purpose of the Personnel Security layer is to ensure that enterprise personnel are accessingand utilizing its information and technology services safely, securely and in accordance withtheir predefined roles and responsibilities of their job functions, through proper access controlplans and detection of employee anomalous behavior.” (Bernard & Ho, 2007, p. 14)The UWYT model allows for security taps and monitoring into a known (centrally provisioned)IT architecture. Monitoring of endpoints requires installation of security software on the device.This security practice is much easier to implement when configuration and disbursement ofdevices come from a central source. Two key activities in this security layer are “DueDiligence” practices and security awareness training. These two activities are easier forcompanies to implement with a Corporate Liable UWYT model. Limiting the device typesallows for the creation of standard training materials and instructions for employees.Information and Data Flow Security“The purpose of the Information & Data Flow Security layer is to identify and classifyinformation and data as it moves through the enterprise – in order to justify adequate securitycontrols.” (Bernard & Ho, 2007, p. 16)The UWYT model facilitates information and data flow security by standardizing controls tomanage the risks of data loss and data protection on endpoints. Using information classificationtechniques protects the confidentiality and sensitivity of corporate information. The appropriateaccess controls, authorization, encryption and backup techniques across all devices and users inthe organization can be determined based on information classification methods. Key activitiesin this security layer are information classification, security models, risk controls, riskmanagement and risk analysis. All of these activities require a commitment of resources andtime. The implementation and management costs are less when the number of models/types ofendpoints that access corporate data is limited.Application Development Security“The purpose of the Application Development Security layer is to design the authentication,authorization and accounting (AAA) components into the applications used in the enterprise; toenforce the application process follow throughout the enterprise; and to ingrain security in theSDLC.” (Bernard & Ho, 2007, p. 18)The UWYT model encompasses the entire infrastructure needed to run the enterpriseapplications used by employees to do their work. There typically are limitations on the hardware(Intel PC), operating system (usually Windows) and browser (usually Internet Explorer) to allowfor standard configurations of applications. By controlling the hardware, the workstation orlaptop, applications central application security management is possible. One other attribute ofthis layer in the UWYT model is the applications developed, purchased and installed arepredetermined for employees. Key activities in this security layer are common applicationvulnerabilities, software development lifecycle and best practices. Standardizing the applicationLeo de Sousa Page 12
  13. 13. IST 725 Final Paper – BYOD for Employees May 1, 2012development platforms reduces the number of vulnerabilities that need application securityactivities.Systems Security“The purpose of the Systems Security layer is to protect sensitive applications and providegranularity of access controls to sensitive resources.” (Bernard & Ho, 2007, p. 20)The key activities in this security layer are platform hardening, authentication and authorization,database security, PKI enabled applications, single sign-on and host based intrusion detection.The UWYT model facilitates these security activities because installation of system securityoccurs at hardware configuration and before end user provisioning. Many organizations use theBlackberry Enterprise Server (BES) to control access to email and calendars on Blackberrymobile devices. The BES server also enforces policies like device encryption and mandatorypasswords. It also has the capability to “wipe” the device if it is stolen or lost.IT departments are recognizing the importance of Identity and Access Management (IAM)systems. These systems facilitate the provisioning of accounts, role management, authenticationand authorization to applications, systems and information. Many IAM systems rely on humanresource business processes to timely update employee records so that the appropriate access isgranted and removed as the person’s role changes.Infrastructure Security“The purpose of the Infrastructure Security layer is to develop a secure infrastructure that meetsall the security requirements of the enterprise and can safeguard against future attacks against theenterprise.” (Bernard & Ho, 2007, p. 22)This security layer is critical in protecting organizations. The UWYT model provides layers ofprotection at the network level to limit threats from external attacks using network partitioningand firewall security. It also provides protection from internal attacks by using networkpartitioning, internal firewalls and virtual private networks (VPN). Some of the key activities inthis security layer are network partitioning, firewall security, network security testing, network-based intrusion detection system (NIDS), broadband security, PKI risks, PKI issues and virtualprivate networks.Physical Security“The purpose of the Physical Security layer is to construct a secure perimeter physical defensesystem that safeguards the facility and physical resources for the enterprise.” (Bernard & Ho,2007, p. 25)Most organizations that use the UWYT model rely on keeping computer endpoints behind theprotection of physical security including building and facility security and physical assesscontrols. Taking UWYT devices out of the physical locations of organizations compromises anyphysical security practices that are in place.Leo de Sousa Page 13
  14. 14. IST 725 Final Paper – BYOD for Employees May 1, 2012Current State SummaryThe predominant model of IT managed endpoints in most organizations is employer suppliedendpoints – “use what you’re told” (UWYT). This method of endpoint management has manybenefits such as restricting complexity, managing enterprise risk due to data leakage, limitingcosts and providing strong IT security. This model assumes a Corporate Liable approach, where“devices/services paid by employer, and contracts are signed by enterprise representative”.(ProfitLine, 2011, p. 2)The main attributes of this environment are centralized policies, standards, implementation andusage. IT departments have a mandate by their organization to protect the company bystandardizing and implementing policies that enforce the Block and/or Disregard model. (Orans& Pescatore, 2011) The UWYT model limits employee choice and potentially runs the risk ofbeing uncompetitive when seeking out talented employees. It is a “tightly coupled” model formanaging endpoints for an organization.Leo de Sousa Page 14
  15. 15. IST 725 Final Paper – BYOD for Employees May 1, 2012Future State - BYODFuture State (EA3 and SAF) Endpoint Independence - BYODMany organizations are struggling to develop an approach to meet their employees’ demands forusing the devices of their choice. Employees expect to work with tools that are of equivalentcapability as those they purchase for personal use. Most organizations cannot keep up with therapid developments in consumer IT and fall behind particularly with new functionality.“Employees expect to be able to use all the innovative new devices and tools at their disposal,both to do their jobs and to maintain their always-connected lifestyles while being able to workwhenever and wherever they need to.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 1)Every organization is facing a conflict between corporate and consumer IT spaces. This trend isdriven by employees who want to use the consumer based technology that they are familiar with.With the market leadership of Apple consumer devices like the iPhone and iPad, companies arestruggling to keep up with the functionality and features in their corporate fleet of technologyendpoints. This is not just a staff level pressure but touches all levels of organizations as boardmembers bringing tablets to their executive meetings. Some of the categories this trend impacts:mobile phones, storage, innovative services, dynamic content creation, update cycles and styleand customization. (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)Corporate vs. Consumer IT (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)Corporate Space Consumer SpaceDevices with functionality Mobile Phones Smart phones offering tens oflimited to phone calls and email, thousands of useful apps,typically Blackberry typically iPhone or Google PhoneRestricted storage for files and Storage Providers such as Google andemail Yahoo offering virtually unlimited storageStatic employee directories and Innovative Services Social networks such ascumbersome proprietary Facebook and LinkedIn used forplatforms both socializing and workingOutdated static content within Dynamic Content Options Blogging, wiki, socialcorporate intranet – centralized networking and content servicesmaintenance and control allowing consumers to create, customize, and manage the content they wantLong replacement cycles – up to Update Cycles Very rapid updated hardware –four years for hardware and eight immediate download of new appsyears for software and servicesHighly standardized, inflexible Style and Customization High variety of consumerand often restricted environment devices, systems, applications(“beige box”) and “skins”Leo de Sousa Page 15
  16. 16. IST 725 Final Paper – BYOD for Employees May 1, 2012Blount explores the “Consumerizaton of IT – Security Challenges” by describing the challenges,the opportunities and the benefits. “This important trend is not just about new devices; it’s aboutthe entire relationship between IT and its user population.” (Blount, 2011, p. 3) BYOD is notjust a technology issue. “In particular, enterprises can only leverage these benefits if they caneffectively control access to their critical systems, applications and information, from bothapproved IT endpoints and from these new consumer devices.” (Blount, 2011, p. 3) The twomain types of controls for BYOD will be: controls on the device and controls relating to accessand use of IT systems, applications and information. (Blount, 2011, p. 9)This section characterizes the information security attributes for BYOD so that we can comparethis to the current state using UWYT. Using Orans and Pescatore’s model, the future statemoves BYOD adoption from Block and Disregard to Contain and Embrace. BYOD impacts alllevels of the Security Architecture Framework. Each of the following sections will compare theUWYT model to the BYOD model with a focus on the impacts on IT security practices andpolicies. This approach creates a hybrid liability model with some Corporate Liable andIndividual Liable components.Information Security Governance“The purpose of the ‘IS Governance’ layer in the SAF is to define security strategies, policies,standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho,2007, p. 11)The decentralized nature of the BYOD model relies on IT departments to protect the corporatenetwork from unintended risks. This introduces Individual Liability into the Corporate Liabilitymanagement of endpoints in an organization. (ProfitLine, 2011) IT departments must also retainresponsibility to ensure secure access to systems, applications and information. BYOD allowsIT departments to reduce their focus on being the source for endpoints. To adapt to the BYODdemands from executives and employees, IT departments need to shift from their “tightlycoupled” approach to a more “loosely coupled” approach. (Blount, 2011, p. 3) This meansbuilding a management plan to move from the Block and/or Disregard model to a Contain and/orEmbrace model. (Orans & Pescatore, 2011) Some companies employ the Contain model foremail and calendar access on BYOD devices, but they have not created a formal BYOD policy.This security layer focuses on policy, policy formation, evaluation, and standards (includinglegislative compliance – HIPPA and FIPPA). One of the first key action items is to develop aBYOD policy. “Developing formal BYOD policies is critical, because personally owned devicespresent risks to the network in the form of unintended denial of service and other threats tonetwork stability, such as the spread of malware.” (Orans & Pescatore, 2011, p. 2)The policy will need to address the requirements of general IT security and specificallyinformation security and endpoint usage. Employees will need to sign-off on the BYOD policy,which specifies adhering to established security practices including allowing the employer tohave some level of access on their personal device. Clearly defining who has control of thevarious components of the endpoint is important for the policy to be effective.Leo de Sousa Page 16
  17. 17. IST 725 Final Paper – BYOD for Employees May 1, 2012“Some people believe that consumerization of IT means only supporting new, smarter consumerdevices. But, although that was the first symptom, this trend is actually far more important andimpactful than that. It’s not just about devices – it’s about control.” (Blount, 2011, p. 5)Operations Security“The purpose of the Operations Security Layer is to define the enterprise’s intra-organizationaland operational needs as they interact with and require access to the enterprise IT services, inorder to identify and address security needs at the enterprise’s organizational level.” (Bernard &Ho, 2007, p. 12)BYOD significantly expands the scope of the operations security practices that need to be inplace. Expanding the number and types of endpoints will require addition investment in thefollowing activities: risk assessment, vulnerability assessment, contingency planning, incidenthandling team, disaster recovery planning, business continuity planning and security operationscenter. Support costs will increase for helpdesk and technical staff who will need to support amultitude of endpoint devices.“Paradoxically, this trend is likely to both expand the scope and reduce the control of IT. Thescope of responsibility for IT will be expanded because its role now doesn’t stop at the firewall –the corporate network now extends out to the user and their unique access devices.” (Blount,2011, p. 7)Personnel Security“The purpose of the Personnel Security layer is to ensure that enterprise personnel are accessingand utilizing its information and technology services safely, securely and in accordance withtheir predefined roles and responsibilities of their job functions, through proper access controlplans and detection of employee anomalous behavior.” (Bernard & Ho, 2007, p. 14)The BYOD model requires an investment in security training programs for employees. Manyusers of consumer IT devices fail to keep their security software updated or implement devicestorage encryption or even set a device password. This poses a significant risk to organizationswhen personal devices contain corporate information and applications. Employers shouldestablish an organizational change management program to educate employees who use personaldevices to access IT systems, applications and information. Employees will be less inclined toimplement security best practices on their devices unless they understand the risks of notcomplying. This is very much a culture issue and if not addressed introduces significant risk toorganizations from data leakages of corporate sensitive information.Monitoring of BYOD endpoints requires installation of security software on the device. Again,this will be a culture change issue for employees. The employee will need to allow the employeraccess to their personal device to protect corporate information. Employers will implementmobile device management software to secure and monitor endpoints accessing and storingcorporate data.Leo de Sousa Page 17
  18. 18. IST 725 Final Paper – BYOD for Employees May 1, 2012Information and Data Flow Security“The purpose of the Information & Data Flow Security layer is to identify and classifyinformation and data as it moves through the enterprise – in order to justify adequate securitycontrols.” (Bernard & Ho, 2007, p. 16)BYOD will be able to leverage the same information and data flow security as UWYT. Usinginformation classification techniques protects the confidentiality and sensitivity of corporateinformation. Information use on personal devices is an important consideration in mitigating therisks of data leakage. “… many organizations believe that their own employees pose a moreserious data security threat, via either inadvertent or malicious behavior, than do outsiders.”(Blount, 2011, p. 15) The appropriate access controls, authorization, encryption and backuptechniques across all devices and users in the organization can be determined based oninformation classification methods. Key activities in this security layer are informationclassification, security models, risk controls, risk management and risk analysis. All of theseactivities require a commitment of resources and time. The implementation and managementcosts are less when the number is limited of models/types of endpoints that access corporate data.There are information control technologies to manage information protection available to helpprovide a layer of security. Technologies that limit the ability to copy data, print data or emaildata are known as “digital rights management”. IT departments need to assess whether thedigital rights management protection will “travel” with the data as it moves from the corporatenetwork to a BYOD device. The success or failure of this approach would be a guide tosuggesting to which endpoints should be purchased by employees. Another approach would beto adopt virtualization strategies that contain corporate information in the data center and onlysend screen changes to the BYOD endpoint. This is a more secure approach as the data neverleaves the corporate data center, keeping it protected while allowing the employee to work.Application Development Security“The purpose of the Application Development Security layer is to design the authentication,authorization and accounting (AAA) components into the applications used in the enterprise; toenforce the application process follow throughout the enterprise; and to ingrain security in theSDLC.” (Bernard & Ho, 2007, p. 18)The UWYT model contains the entire infrastructure to run the enterprise applications needed byemployees to do their work. Moving to a BYOD model introduces consumer based, personalendpoints and a multitude of personal applications. These environments are not the typicalhardware (Intel PC), operating system (usually Windows) and browser (usually InternetExplorer) used in UWYT models. Application development needs to move to use open, webstandards that can be deployed on any endpoint device. Consideration for the multitude ofapplications available from the various endpoint vendors’ “App Stores” is important. Employeeswill be downloading free and purchased applications onto their end devices. IT departments willhave no way to vet these applications for security flaws. At this point, there are no simple waysto verify the security on employee purchased/downloaded applications. There are potentialsecurity risks if the downloaded applications access corporate data on the endpoint device andLeo de Sousa Page 18
  19. 19. IST 725 Final Paper – BYOD for Employees May 1, 2012propagate the data back out to the internet. Application and desktop virtualization strategiesshould be implemented to segregate personal applications from enterprise applications.BYOD introduces some challenges to organizations that use more of a “buy vs. build” approach.When procuring new software and applications, the ability to run on multiple platforms becomesa key requirement. In addition, consideration for the ability to virtualize the software applicationwill help secure running them on BYOD endpoints. If the application can be deployed to anybrowser on any operating system and device, then risks and costs can be managed effectively.Control of the application would move from physical infrastructure to virtual applications andvirtual desktop management. One other attribute of this layer in the UWYT model is theapplications developed, purchased and installed are predetermined for employees. Standardizingthe application development platforms on open standards reduces the number of vulnerabilitiesthat need application security activities.Systems Security“The purpose of the Systems Security layer is to protect sensitive applications and providegranularity of access controls to sensitive resources.” (Bernard & Ho, 2007, p. 20)The key activities in this security layer are platform hardening, authentication and authorization,database security, PKI enabled applications, single sign-on and host based intrusion detection.The BYOD model requires a proactive approach to system security because personal devices arenot controlled and have the potential to introduce significant security risks.BYOD relies on identity management governance processes like role management, accessrequests, authentication and authorization. The reliance on human resource business processes totimely update employee records is more critical with BYOD than UWYT. If an employee leavesthe organization, there needs to be a secure process to remove all corporate assets from theirpersonal endpoint device. Privilege and access rights cleanup become a fundamental ongoingsecurity practice in order to protect corporate data.Infrastructure Security“The purpose of the Infrastructure Security layer is to develop a secure infrastructure that meetsall the security requirements of the enterprise and can safeguard against future attacks against theenterprise.” (Bernard & Ho, 2007, p. 22)This security layer is critical in protecting organizations from internal and external attacks. TheBYOD model introduces a new security layer into the network for wired and wireless networks –Limited Access Zone (LAZ). Network partitioning, firewall security combined with networkaccess control (NAC) will manage the risk of personal devices connecting to the corporatenetwork in the Contain strategy for BYOD. NAC can enforce endpoint protection policies. Ifthe BYOD device does not have adequate malware protection and is not up to an establishedsecurity patch level, it will be blocked from accessing the corporate network. Using the LAZ asa control boundary protects corporate systems, applications and information. The LAZ shouldbe established on both the wireless and the wired networks as more employees choose to useLeo de Sousa Page 19
  20. 20. IST 725 Final Paper – BYOD for Employees May 1, 2012laptops over desktop PCs. Once the Contain strategy is established, it can be grown out tobecome the Embrace strategy where all endpoints are personal devices.“There is a huge operational and support gap between a Contain strategy (let some peopleBYOD for some things) and an Embrace strategy (allow everyone to BYOD for almosteverything).” (Orans & Pescatore, 2011, p. 4)Physical Security“The purpose of the Physical Security layer is to construct a secure perimeter physical defensesystem that safeguards the facility and physical resources for the enterprise.” (Bernard & Ho,2007, p. 25)Most organizations that rely on keeping computer endpoints behind the protection of physicalsecurity including building and facility security and physical assess controls. As organizationsdeploy more laptops in favor of desktops and begin the Contain strategy of BYOD, they will relymore heavily on other security layer protections. Many employees will take their employersupplied laptops home to do work and even on vacation. BYOD devices ignore the physicalsecurity layer and rely on other security layers: information security governance, personnelsecurity, information and data flow security, application development security, system securityand infrastructure security.Future State SummaryBlount cites four factors that are contributing to the push to adopt consumer technology intoorganizations. The first and most obvious factor is the “continued innovation in personaldevices”. (Blount, 2011, p. 6) As pressure mounts from both executives and employees, ITdepartments will have no choice but to adopt some form of BYOD model. The second factor is“high growth in use of social media and related applications”. (Blount, 2011, p. 6) Employeesare using social media as part of their everyday lives and now integrating social media tools aspart of their work practices. The third factor is the “externalization of the business”. (Blount,2011, p. 6) This is a seen as a cost saving model particularly to reduce IT costs by using cloudbased services and outsourcing or off-shoring non-core functions. The last factor is “the blurringof the line between personal and work life.” (Blount, 2011, p. 6) Like social media making itsway into the workplace, work is making its way into personal lives. In the early days of desktopcomputing, employees could leave their work at work. Now with light weight laptops, tabletsand smartphones, work is coming home. In some cases, this is part of a planned telecommutingstrategy but in most cases it is being enabled by highly functional consumer technology. Thetwo main types of controls for BYOD will be: controls on the device and controls relating toaccess and use of IT systems, applications and information. (Blount, 2011, p. 9)BYOD strategies must be considered by organizations as their executives and employees demandthe ability to use personal devices to access corporate information and systems. Organizationsno longer have a choice and need to move from the Block/Disregard strategies toContain/Embrace for BYOD. (Orans & Pescatore, 2011) This is a “loosely coupled”environment where the make and model of the personal endpoint device becomes irrelevant.Leo de Sousa Page 20
  21. 21. IST 725 Final Paper – BYOD for Employees May 1, 2012This method of endpoint management has many challenges including new policies, culturechange with the blend of personal and work lives, information and system security. The mainattributes of this environment are centralized polices, strong identity management practices,information categorization and access control and network access control. The BYOD modelexpands employee choice and may be a success factor for recruiting employees. It alsointroduces new risks to the organization particularly around data leakage that must be plannedfor. This is a hybrid liability model mixing Corporate Liable and Individual Liable componentsinto the organization’s enterprise architecture.“CIOs must get ahead of the consumerization curve by coming to terms with what is valuableand productive about the influence of consumer IT.” (Bernnat, Acker, Bieber, & Johnson, 2010,p. 4)Leo de Sousa Page 21
  22. 22. IST 725 Final Paper – BYOD for Employees May 1, 2012BYOD Management PlanBernard describes the EA Management Plan as “a plan to move from the current to the futureEA” and “a management program that provided a strategic, integrated approach to resourceplanning.” (Bernard S. A., 2005, p. 34) The following processes are components of themanagement plan: • Resource Alignment; resource planning and standards determination • Standardized Policy: Resource governance and implementation • Decision Support: Financial control and configuration management • Resource Oversight: Lifecycle approach to development/managementBernnat et al suggest two approaches to accommodate using consumer IT by employees. Thefirst option is the “Bring In” approach. This approach “involves opening the corporate ITenvironment to private use and letting employees’ digital lives freely enter their workenvironments.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6) The second option is the“Reach Out” approach. This approach “reaches out to employees, allowing them to use theirpersonal devices – even PC’s – to do their work.” (Bernnat, Acker, Bieber, & Johnson, 2010, p.6) Each of these approaches has different resource, policy, support and oversight requirements.BYOD Resource Standardized Decision Support ResourceManagement Alignment Policy OversightPlanBring In Use existing Implement Employees have a Employees useApproach resources for Information wide variety of company owned endpoint Security and BYOD employer supplied endpoints and management Policy for private endpoints to choose there continues to because the Web use on be a high degree endpoints are employer owned Enterprise apps are of employer employer owned endpoints pre-installed and control employees can add personal appsReach Out Increase support Implement Employees bring Employees need toApproach resources for Information their own endpoints ensure their endpoint Security and BYOD for use at work endpoints comply management Policy for employee with employer because of the mix endpoints and Access to enterprise standards of employer and private Web use apps are controlled employee owned by virtualization Employers need to endpoints technologies for establish standards apps and desktops and monitor security accessLeo de Sousa Page 22
  23. 23. IST 725 Final Paper – BYOD for Employees May 1, 2012The management plan also addresses Risk Management issues for Employee BYOD programs.Key areas for risk management are: (Bernnat, Acker, Bieber, & Johnson, 2010, pp. 7-8) • Security - specifically network security and data leakage • Productivity - potential lost productivity with web surfing distractions • Legal and Compliance - ensuring compliance to privacy and copyright laws • Reputation - employees making poor judgements when interacting on social media • Support and Maintenance Costs - heterogeneous endpoint environments increase support costs • Risks - employees may not be able to do their work (in a timely manner) when their personal endpoint fails and requires replacementAll of these risks must be considered and planned for either in the creation of policy and thedevelopment of technology/security solutions.Leo de Sousa Page 23
  24. 24. IST 725 Final Paper – BYOD for Employees May 1, 2012ConclusionBernard describes four dimensions of security: physical, data, personnel and operations.(Bernard S. A., 2005, p. 329). These were expanded on by Bernard and Ho into a SecurityArchitecture Framework to eight security layers. (Bernard & Ho, 2007) This paper used theeight layers to describe the impacts on IT security architecture when organizations implement aBYOD model. This table summarizes the differences between UWYT endpoints and employeeBYOD using Bernard and Ho’s model: UWYT - Employer BYOD - EmployeeInformation Standardized endpoints with a Block Move to a ‘loosely coupled’ approachSecurity or Disregard policy approach – “tightly to endpoint management. This is not aGovernance coupled” control of all layers of endpoint centric approach – focus on architecture – focus on corporate policy, culture change and controlling control – this is a corporate liable the applications, systems and model information layers – requires a BYOD policy to be in place describing responsibilities of employer and employee – this is a blend of a corporate and individual liable modelOperations Centrally supported data and endpoint Expands the scope of support to hybrid service, standard security, antivirus model – internal for data, external and data protection – requires an vendor for endpoint, distributed acceptable use policy but no mention security, antivirus and data protection of personal endpointsPersonnel Lesser level of employee technical Higher level of employee technical ability due to central support, no tax ability due to hybrid support, stipend implications as these endpoints are model may result in income tax considered equipment, standard user implications; potential confusion for experience and support. Lower costs to users resulting in unsatisfactory service, create and deliver training on standard a BYOD policy must be created. Higher endpoints costs to create and deliver training especially about information securityInformation Centrally provisioned and secured Leverages centrally provisioned andand Data information to meet regulatory and distributed security, need an ability toFlow compliance rules and audits. Access wipe enterprise data but not personal controls limit data leakage based on data, more controls required to meet information classification methods regulatory and compliance rules and audit – digital rights managementApplication Entire application infrastructure Focus on open standards that will run contained to corporate endpoints to on any endpoint; consideration for limit vulnerabilities and data leakage. future applications (buy or build); Provides employees with only the strategies needed to separate personal applications they need and typically apps from enterprise apps due to the with a lesser user experience possibility of inappropriate data accessSystem Centralized control of access to Strong reliance on HR business applications, systems and information processes to timely notify of changes in using IAM and PKI security, IT employee status; IAM is a criticalLeo de Sousa Page 24
  25. 25. IST 725 Final Paper – BYOD for Employees May 1, 2012 controls the access process instead of technology and security strategy and relying on HR business processes needs investment to properly create role based access and remove access in a timely mannerInfrastructure Layered security approach to network Layered security approach for network access that restricts access to the wired access gets augmented by implementing network for accessing enterprise a Limited Access Zone for BYOD applications, systems and information. devices; use Network Access Control to Blocks external endpoints from verify adequate malware and patch accessing the network protections before allowing accessPhysical This is a key security layer for UWYT Physical security is ineffective for as it restricts physical access to key BYOD as most of the endpoints are applications, systems and information. mobile; reliance on the other key This security layer is compromised as security layers is mandatory to reduce soon as an endpoint is taken out of the risk physical protection of the corporate workplace.Some final overall considerations for moving from a Block/Disregard strategy to aContain/Enable strategy for BYOD are (ProfitLine, 2011, p. 2): • The major pricing and contractual benefits that are lost when moving to individual liable • The hidden IT support costs and potential user experience issues • The increased security risk and policy ramificationsEach organization needs to consider the impacts of the endpoints supported, the data on thoseendpoints, identity management, employee on-boarding and off-boarding and providing aendpoint independent platform to deliver data and information.A Proposed Approach to Introduce BYOD for Employees BYOD Contain/Embrace Strategy • most organizations will stay at Implementation based on Contain model for the next 3 to Policy and Research 5 years • only a few organizations (mostly • Pilot Contain Model with small small ones) will go to Embrace Technology Research group model • Grow out Contain Model • Mobile Device Mgmt (MDM) • Embrace Model requires all 4 • Hosted Virtual Desktops (HVD) technologies to be in production Policy Development • Virtual Applications (APPV) • Network Access Control (NAC) • Contract Negotiations • Remuneration Models UWYT • BYOD Policy • Information Security Policy Block/Disregard Strategy • most organizations are here today • there are risks as some employees are connecting to employer networks with not controlsThis proposed approach requires executive leadership and strong project management. Theproject plan should allow for conducting the policy and research activities in parallel.Implementing the Policy and Technology strategies requires budget and resources for successfuldeployment and ongoing support in a BYOD Contain/Embrace strategy.Leo de Sousa Page 25
  26. 26. IST 725 Final Paper – BYOD for Employees May 1, 2012References6dg. (2012). Business Optimisation. Retrieved from 6dg: http://www.6dg.co.uk/solutions/business-optimisation/Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL: AuthorHouse.Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for Implementing Information Security and Data Privacy. Washington, DC, USA.Bernnat, R., Acker, O., Bieber, N., & Johnson, M. (2010). Friendly Takeover The Consumerization of Corporate IT. Retrieved from booz&co: http://www.booz.com/media/uploads/Friendly_Takeover.pdfBlount, S. (2011, Aug). the consumerization of IT: security challenges of the new world order. Retrieved from Computer Associates: http://www.ca.com/us/~/media/Files/TechnologyBriefs/Consumerization-of-IT-Tech- Brief.pdfLomas, N. (2011, Oct 23). BYO - bring your own device; Cheat Sheet. Retrieved from TechRepublic: http://www.techrepublic.com/blog/cio-insights/byo-bring-your-own- device-cheat-sheet/39748120?tag=content;siu-containerOrans, L., & Pescatore, J. (2011, Dec 22). NAC Strategies for Supporting BYOD Environments. Retrieved from Gartner: http://www.gartner.comProfitLine. (2011). The Hidden Risks of a "Bring you own Device" (BYOD) Mobility Model. Retrieved from ZDNet: http://i.zdnet.com/whitepapers/Profitline_The_Hidden_Risks_of_a_Bring_your_own_De vice_BYOD_Mobility_Model_1_19_2011.pdfRanger, S. (2012, Apr 19). How the BYOD flood is sweeping away the IT departments priorities. Retrieved from TechRepublic.Sen, P. K. (2012, Feb 24). Consumerization of Information Technology Drivers, Benefits and Challenges for New Zealand Corporates. Retrieved from Victoria University of Wellington: http://researcharchive.vuw.ac.nz/bitstream/handle/10063/2095/thesis.pdf?sequence=1Wallin, L.-O. (2011, Oct 20). Gartners View on Bring Your Own in Client Computing. Retrieved from Gartner: http://www.gartner.comWikipedia. (2012, Jan 31). Endpoint. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/EndpointLeo de Sousa Page 26

×