IT Risk Introduced by Bring Your Own Device (BYOD)

An Applied Research Project Presented in Partial Fulfillment of the Requirements for the Master of Science in Digital Forensics and Cybersecurity
John Jay College of Criminal Justice, City University of New York
Robert Shullich
Spring: May 2013

This Applied Research Project has been presented to and accepted by the Office of Graduate Studies of the John Jay College of Criminal Justice of the City University of New York in partial fulfillment of the requirements for the Master of Science in Digital Forensics and Cybersecurity.

Dr. Ping Ji, Applied Research Project Advisor
Dr. Jin Woo Kim, Second Reader
Dr. Richard Lovely, Director, Digital Forensics & Cybersecurity Program

Abstract

The price point of consumer electronics continues to drop while the performance and capacity of these devices increases. This is creating a market of personal electronic devices that surpass the capabilities of similar devices that are used in the enterprise. In the past there was a clear distinction between electronics used in the home vs. those used in business, but now these two classes of devices are becoming indistinguishable. As electronic devices become more mobile, users want to bring their own personal devices into the enterprise to do their daily work. These are devices that are owned, tailored and customized to that user's personal preferences. Users are rebelling at having to carry multiple mobile devices, where devices are dedicated individually for personal and business use. Users are looking for one device to do everything. However, the IT organizations in these enterprises are being challenged by the proliferation of these personal devices. This is creating a new paradigm in controlling the privacy and security of data within the enterprise. The new paradigm presents a risk issue where the organization's digital assets are comingled with the employee's personal information, and on an employee-owned device. This paper will describe the risks and issues that an organization may face in the implementation of a Bring Your Own Device (BYOD) policy, and present policies and solutions that can be used to mitigate those risks.
Table of Contents

1. Introduction (p. 1)
  1.1 Early days of computers (p. 1)
  1.2 Computers in the 1980's (p. 2)
  1.3 Computers in the 1990's (p. 3)
  1.4 Consumer vs. Enterprise Devices (p. 3)
  1.5 Convergence of Consumer & Enterprise Devices (p. 5)
  1.6 Scope of this Paper (p. 7)
2. BYOD Security Issues within the Enterprise (p. 8)
  2.1 Disruptive Technologies (p. 8)
  2.2 Early Use of Personal Devices (p. 9)
  2.3 Company Owned Portable Devices (p. 12)
  2.4 Cloud Computing and Services (p. 13)
  2.5 Bring Your Own Software (BYOS) (p. 15)
  2.6 Device Standardization, Support and Management (p. 16)
  2.7 Adapting the Enterprise to Issues of Mobile Devices and Cloud Services (p. 16)
  2.8 Ownership (p. 17)
  2.9 Employee Privacy (p. 19)
  2.10 Personal Sharing of BYOD Devices (p. 21)
  2.11 Application Cohabitation (p. 22)
  2.12 Regulatory Requirements (p. 23)
  2.13 Device Backup (p. 23)
  2.14 e-Discovery & Forensics (p. 25)
  2.15 The Exit Strategy (p. 26)
  2.16 Lost and Stolen Devices (p. 27)
  2.17 Mobile Device Malware (p. 28)
  2.18 Jailbreaking (p. 29)
  2.19 Insecure Application Coding and Configuration (p. 30)
3. Recommendations (p. 31)
  3.1 Establish Policies for BYOD (p. 32)
  3.2 Contracts and Agreements (p. 34)
  3.3 Offer CYOD instead of BYOD (p. 34)
  3.4 Secure Containers (p. 35)
  3.5 Remote Access Terminal Solutions (p. 36)
  3.6 Mobile Application Management (MAM) (p. 37)
  3.7 Mobile Device Management (MDM) (p. 37)
  3.8 Network Access Control (NAC) (p. 38)
  3.9 Data Self Protection (p. 39)
  3.10 Device Behavior (p. 39)
4.0 Future Research (p. 40)
5.0 Summary (p. 42)
6.0 References (p. 45)
1. Introduction

BYOD (Bring Your Own Device) is a paradigm shift in the use of technology and services in Information Technology (IT). A short review of the history leading up to the use of consumer devices in IT is presented here to help the reader understand this shift and the consequences it may create. Other names used for the paradigm include BYOS (Bring Your Own Services) and BYOT (Bring Your Own Technology). For the purposes of this paper, all three are similar in nature and will be referred to by the one term: BYOD.

1.1 Early days of computers

Up through the 1970's and into the 1980's, computers used in business by large corporations were primarily mainframe computers. These computers evolved from stand-alone "one job at a time" systems to batch multiprocessing systems, which could handle multiple simultaneous users and jobs executing concurrently within a single system. Mainframes were expensive, costing from hundreds of thousands of dollars into the millions. They could also be physically large: the computer systems and their peripherals could require one or more large computer rooms. In this time period, smaller systems known as minicomputers and microcomputers also existed. Digital Equipment Corporation (DEC) manufactured a line of minicomputers known as the PDP line, which later became the VAX line of computers. These systems were smaller yet powerful, and in many cases were used for specialized applications such as process control. They were cheaper than mainframes, yet still expensive to purchase and operate.

1.2 Computers in the 1980's

Prior to the 1980's, microcomputers were already in use. Computers such as the Atari 400 & 800, Commodore PET, TRS-80 and Apple II existed and were being marketed (Computer History, 2013). These microcomputer systems were used more for games and by hobbyists. A significant change in the 1980's, starting in 1981, was the introduction of the IBM Personal Computer (PC) line. It was widely accepted and became very successful. IBM's competitors copied IBM and produced PC clones that would run the IBM operating system and provide physical connections to the same external devices, such as printers and modems.

During the evolution of computers in the 1980's, a significant enhancement for the personal computer was interconnectivity. Modems, which were in use before the introduction of the PC to connect dumb terminals to mainframes, were used to connect the PC to other computer systems, including mainframes and even other PCs. Another form of connectivity was the creation of Local Area Networks (LANs), which allowed PCs to communicate with each other, to use shared resources such as printers and file servers, and even to provide a local connection between the PC and the mainframe. IBM mainframes used terminals such as the IBM 3270, a graphics terminal with row and column coordinate addressability. This was a common terminal for IBM mainframes at the time, and through PC software the PC could emulate the IBM 3270 using a software emulator or sometimes an emulator card.

1.3 Computers in the 1990's

1995 marked a major change in the use of communications: the commercialization of the Internet. Through the remainder of the 1990's and into the 2000's the Internet grew, and so did the number of computer systems connected to it. PCs continued to improve in speed and capability: software improved; processors, memory and disks became larger and faster; and communications bandwidth increased while transmission quality improved. LAN speeds using Ethernet increased from 10 Mbps to 100 Mbps, and today we have gigabit Ethernet and faster. Cable modems for cable TV and FIOS also provide high-speed Internet connectivity in the 20 Mbps and higher range.

1.4 Consumer vs. Enterprise Devices

Computer components such as memory, CPU and disk storage, which are used to build computers, were expensive. The overall processing power and configuration of a system might need to be increased to handle business workloads, but a home user might not require as much computing power or functionality as business applications demanded. Extra functionality and features were required for systems used in a business setting, and some of these "enterprise features" that were missing from consumer systems usually included security controls.

To satisfy both business and home users, "one size fits all" did not work as a sales approach and needed to be balanced with a "price performance" approach. This created dual markets, one targeted at the business and one at the consumer. Systems, and in some cases software, were advertised for the business or for the home. One example was the Microsoft Windows XP operating system, which came in an XP Professional version for business and an XP Home Edition for use in the home. XP Home had fewer features and was sold at a cheaper price.

When targeting the consumer, one of the marketing objectives is "quick to market", i.e. to be first and reach the market before a competitor. In doing so, enterprise features (e.g. the security of the product) are usually not initially considered (except in some cases for product safety), so consumer computer products and services don't always get security "baked into" the product. An example is the Apple iPhone, which is explained in the next section.

Bifurcation of the target market is not a new concept. Having a business model or version of an item, and selling it for more or restricting the audience, is done for different reasons. In some cases it is price: what a business is willing to pay for a computer may be more than the average household can afford, but if the computer manufacturer wants to penetrate the average household, it needs a way to make it affordable. Training and knowledge is another factor. The cleaning supplies that a janitor may purchase for professional cleaning may be stronger and more toxic than cleaning supplies sold to the average consumer. A professional janitor is usually knowledgeable in the handling of professional cleaning supplies and tools that are not normally made available to the general public, although with stores like Lowe's and Home Depot the availability aspect has changed. However, janitors probably won't be shopping for their professional cleaning supplies in the local supermarket, which targets the average consumer. So grades can be divided into non-consumer grades, which would include professional, business or commercial grades, and consumer grades.

1.5 Convergence of Consumer & Enterprise Devices

The Blackberry Smartphone is still popular within the enterprise, but RIM (Research in Motion) has also penetrated the consumer market. Although there are different models produced by RIM, any consumer can purchase the same model Blackberry as is used in the enterprise environment. Apple's initial market penetration with the iPhone was consumer based. Many organizations panned the iPhone because the early versions did not have the security features that corporate IT (Information Technology) expected in order to secure the device. RIM provided encrypted communications, and the entire device storage could be encrypted, the equivalent of laptop full disk encryption. Encrypting the storage of earlier iOS devices required a third-party vendor solution to be purchased and installed. In answer to claims that Apple was being lax with security, Apple provided its "Data Protection Feature", which provides APIs for encryption on devices that offer hardware encryption (Apple Inc., 2011). This feature is available on the iPhone 3GS and later, all iPads, and the 3rd generation and later iPod Touch. Data Protection APIs are provided in iOS V4.0 and later. Organizations are adopting iPhones and iPads in the business using either native encryption or third-party software add-ons.

Laptop computers that can be purchased by the consumer are as powerful as those purchased by enterprises. Convergence is where consumer devices and enterprise devices reach a point where the difference can no longer be distinguished. Blackberry has reached that point, where consumers and enterprises can purchase and use the same devices. Apple does not market a consumer version or an enterprise version of its iOS devices. Originally the iOS devices were consumer based, and now the push is to get enterprise IT to adopt consumer-based technology for use in a non-consumer environment.

Enterprise IT usually has limited budgets, and IT equipment is expected to last for a set lifetime. These lifetimes are determined by the organization and are part of the hardware standardization process. "According to a recent survey that research firm Gartner conducted with 177 large businesses, the average life span of a desktop PC is 43 months, and only 36 months for mobile PCs" (Dunn, 2005). When working with personal devices, where the owner is paying for the device, the time between devices may be much shorter. With service contracts requiring signed 1 or 2 year commitments, it is possible that personal devices coming into the enterprise may be newer and more powerful than the devices being provisioned by the company. This creates a situation where not only are personal devices more adaptable to the user than a company-provided device, but personal devices may be superior and more powerful as well. Previously the enterprise had the better, newer and more powerful toys, but with little or no differentiation between what consumers can buy and what the business procures, now the employee may be bringing in newer and more powerful tools.

1.6 Scope of this Paper

Implementing a policy allowing BYOD within the enterprise, if not handled properly, may lead to operational and security problems. This paper will focus on potential security issues and on addressing the risk posed by BYOD. BYOD can produce both risks and rewards; the objective is to reap those rewards while minimizing risk to the organization. Addressing risk begins with the inherent risk, i.e. risk without controls, and through a reiterative and recursive set of processes hopefully leads to a residual risk that is acceptable to the enterprise. Five sets of processes are defined in risk management: Avoidance, Acceptance, Transfer, Sharing and Mitigation (NIST, 2001). The business may drive a low residual risk by avoidance, i.e. banning the use of personal devices in the enterprise. This may work for a while, but it might only be delaying the inevitable. A Forrester study shows that 53% of employees are already using personal devices at work, and within the next 3 years the use of personal devices at work will be both a standard and a requirement (King, 2012). It is assumed in this paper that the organization will move towards the adoption of BYOD. It is not the objective here to encourage or promote the use of BYOD, but to help the organization make such adoption of BYOD safer, i.e. with less risk.
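To make the inherent-to-residual loop and the five treatment types concrete, here is an added worked example written for this edit; it is not code from the paper or its author. The 1-5 likelihood and impact scales, the point reductions per control, the tolerance of 6 and the sample BYOD risks are all assumed values, chosen to match the issues the paper raises (lost devices, personal file lockers, banning personal devices).

```python
"""Iterative risk treatment in the shape section 1.6 describes: start from the
inherent risk (no controls), apply treatments one at a time, re-evaluate the
residual after each step, and stop when it is within the enterprise's tolerance,
is formally accepted, or the plan runs out. The five treatment types are the
ones the paper lists (NIST, 2001). All numbers are constructed for illustration;
the paper itself gives no scoring scale."""
from dataclasses import dataclass

TREATMENT_TYPES = {"avoidance", "acceptance", "transfer", "sharing", "mitigation"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 0 (eliminated) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale

    def score(self) -> int:
        """Likelihood x impact rating (an assumed convention, not the paper's)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    kind: str                # one of TREATMENT_TYPES
    description: str
    likelihood_cut: int = 0  # points removed from likelihood (floored at 1)
    impact_cut: int = 0      # points removed from impact (floored at 1)


def apply_treatment(risk: Risk, t: Treatment) -> Risk:
    """Residual risk after one treatment; that residual feeds the next step."""
    if t.kind not in TREATMENT_TYPES:
        raise ValueError(f"unknown treatment type: {t.kind}")
    if t.kind == "avoidance":
        # Avoidance (e.g. banning personal devices) removes the exposure:
        # likelihood drops to zero, the impact stays on record.
        return Risk(risk.name, 0, risk.impact)
    if t.kind == "acceptance":
        return risk  # a decision, not a control: nothing about the risk changes
    # Mitigation lowers likelihood and/or impact; transfer and sharing
    # (insurance, contracts) lower the impact the business itself carries.
    return Risk(
        risk.name,
        max(1, risk.likelihood - t.likelihood_cut),
        max(1, risk.impact - t.impact_cut),
    )


def treat(risk: Risk, plan: list[Treatment], tolerance: int) -> dict:
    """Walk the plan until the residual is within tolerance, is formally
    accepted, or the plan is exhausted (status 'unresolved')."""
    current, applied = risk, []
    for t in plan:
        if current.score() <= tolerance:
            break  # residual already acceptable; later steps are not needed
        applied.append(t.description)
        if t.kind == "acceptance":
            return {"residual": current.score(), "applied": applied, "status": "accepted"}
        current = apply_treatment(current, t)
    status = "within_tolerance" if current.score() <= tolerance else "unresolved"
    return {"residual": current.score(), "applied": applied, "status": status}


# Constructed BYOD risks and plans (assumed values, for illustration only).
TOLERANCE = 6
LOST_DEVICE = Risk("Personal device holding corporate data is lost", 4, 5)   # inherent 20
CLOUD_LOCKER = Risk("Corporate files copied to a personal file locker", 4, 4)  # inherent 16

LOST_DEVICE_PLAN = [
    Treatment("mitigation", "Hardware encryption plus remote wipe", impact_cut=3),
    Treatment("mitigation", "MDM-enforced passcode and auto-lock", likelihood_cut=2),
    Treatment("transfer", "Cyber-insurance for breach response costs", impact_cut=1),
]
CLOUD_LOCKER_PLAN = [
    Treatment("mitigation", "Block personal file-locker uploads at the proxy", likelihood_cut=2),
    Treatment("acceptance", "Business owner signs off on the remaining risk"),
]
AVOIDANCE_PLAN = [Treatment("avoidance", "Ban personal devices from the enterprise")]

if __name__ == "__main__":
    for risk, plan in ((LOST_DEVICE, LOST_DEVICE_PLAN),
                       (CLOUD_LOCKER, CLOUD_LOCKER_PLAN),
                       (LOST_DEVICE, AVOIDANCE_PLAN)):
        print(f"{risk.name}: inherent {risk.score()} -> {treat(risk, plan, TOLERANCE)}")
```

Note that the lost-device plan stops after two controls because the residual (4) is already within tolerance, whereas the file-locker plan ends in a formal acceptance of a residual (8) that is still above it.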
  14. 14. 8 2. BYOD Security Issues within the Enterprise 2.1 Disruptive Technologies “Disruptive technology is a term coined by Harvard Business School professor Clayton M. Christensen to describe a new technology that unexpectedly displaces an established technology.” (TechTarget, 2013). Four related disruptive technologies faced by the enterprise are Social Media, Cloud Computing, Mobile Technology and BYOD. These are not new problems but businesses are still struggling to address these technologies and attempting to make them secure. Two of these technologies, Social Media and Cloud Computing were identified by Gartner in 2008 as being in a list of the 10 most disruptive technologies for 2008-2012. (Gartner, 2008). Williams (Williams, 2012) identifies Technology Trends for 2013 to include BYOD, Consumerization of IT, Mobility, Social Collaboration and Cloud. Each technology in its own right is powerful and creates challenges within the organization, but combining them creates a perfect storm that some businesses are not able to handle. Williams calls this interoperability “The Hyper Convergence Effect”. KPMG predicts that these disruptive technologies, with Big Data, will drive technology spending in 2013 (KPMG, 2013). For example, BYOD is related to mobility in that many devices that an employee would bring to work would be mobile devices such as Phones and Tablets, butalso include laptops. The enterprise is already faced with a full plate of issues by just addressing the mobile devices that are owned by the business. Integrating non-business owned devices, software and services into the environment increases the risk and complexity
  15. 15. 9 of protecting business assets that if not handled properly could expose the organization to more risk and liability. 2.2 Early Use of Personal Devices One of the early uses of personal devices for processing of enterprise data was conducting remote computing – work at home – solutions. In this scenario an employee could take work home and use their personal home computer to get work done. A more common scenario is remote computing, where the employee would dial in on a modem and connect to the company’s computer system or timeshare services. This was being done even before the PC era, using dumb terminals to connect to mainframes to perform remote work. Today, with the Internet and high speed connections, remote computing is usually performed over the Internet using a VPN (Virtual Private Network) connection. Personal services were sometimes used by workers to be able to work at home. Without having a remote computing connection, users would send the documents and data to a personal e-mail service, such as Hotmail. This would leave sensitive data in a minimally protected environment, and the organization would not even be aware of these unauthorized copies of company data that were floating around. With cloud storage and services, data could be moved to file lockers (e.g. Dropbox, MegaUpload, RapidShare, Skydrive, etc.) and stored in the cloud, or to a cloud collaboration service such as Google Apps, also leaving copies of data in the cloud. Personal USB flash drives have been used to copy and transport corporate data between the office and home, creating a risk should the flash drive be lost while it contained sensitive
  16. 16. 10 corporate data. Prior to USB flash drives, this same risk was presented in the use of floppy discs and CDROM media. Companies realized the security risks that remote computing created. Use of personal equipment took enterprise data outside the organization’s hardened perimeter, and once outside – control of that data was lost. Control of that data might not have been a priority a long time ago, but in 2002 California started to raise the bar for data protection with its breach notification law (Calif Office of Privacy Protection, 2012). Prior to the notification laws, organizations were expected to protect personal information, but if they failed (i.e. the information was breached), they would quietly fix the problem and keep it secret. Prior to this law a data breach would not normally be publicized, and if it could be avoided, not even reported to law enforcement. If news got out about a breach, there could be negative effects including loss of business revenue, a negative hit on the stock price, and the brand reputational damage. In the United States forty-six states, the District of Columbia, and some of the territories have enacted breach notification laws. (NCSL, 2012). Different laws impose additional requirements on the privacy and integrity of business and personal data, and include Sarbanes-Oxley Act of 2002 (SOX), Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley of 1999 (GLBA), and Heath Information Portability and Accounting Act of 1996 (HIPAA). An industry regulation for cardholder data of credit cards is controlled by Payment Card Industry (PCI) council. Banking and other finance organizations in the USA may be under control of regulations of the Financial Industry Regulatory Authority (FINRA). In addition to breach notification laws, there are data
protection laws which set minimum requirements on how certain types of data must be protected.

Another security issue caused by remote computing is the opening of an attack vector. The old-school approach to information security was perimeter protection: put a wall around the data center using firewalls and intrusion detection, and harden the perimeter to keep the bad guys out. But at least two security technologies break the perimeter model. The first is the remote access method itself, such as modems and VPNs. Remote access punches a hole in the perimeter and, by bypassing them, negates many of the protections the firewall provides. The second is encryption. Encryption provides confidentiality: it protects the data stream so that unauthorized parties cannot read it. But, in a proverbial case of shooting oneself in the foot, it also prevents firewalls and intrusion detection systems from inspecting the payloads they carry. When attackers use encryption against the organization, data can be exfiltrated without being seen, and malware can be introduced and attacks carried out without detection. A door opened so that employees could reach the corporate network and work remotely is also a door for the bad guys.

Risk mitigation for remote computing included controls such as multi-factor authentication, endpoint protection and, in some extreme cases, allowing only company-owned devices to connect remotely to the organization's network. In this extreme case, a user who was to work remotely, including telecommuting, would be assigned a company-owned and company-configured device to take home and
use. Another risk mitigation approach was the use of thin clients, such as Terminal Services and Citrix, where home access provided only a window onto the corporate data: screen updates and keystrokes crossed the connection, but the business data itself was neither transferred to nor processed on the personal device. In this scenario the corporate data never really leaves the perimeter and is not stored on the remote device.

2.3 Company Owned Portable Devices

The earliest portable devices were laptop computers. They provided information on the go and could also be used for remote computing. To keep overall costs down, an employee might be assigned a laptop to be used in the office instead of a desktop; port replicators and docking stations allowed the laptop to fit in easily as a desktop. Being company-owned, these devices were also supported and managed by the IT department, with standardized company-owned software and a configuration locked down for security. Some larger companies might have issued both a desktop and a laptop to a single employee.

The portability of a laptop does have drawbacks: laptops get lost. Besides the cost of the lost hardware (and in some cases the loss of the software licenses on the device), there is the cost of the data stored on the device. If that data was intellectual property (IP) that constituted a trade secret, the loss could mean millions of dollars in lost competitive advantage or R&D expenditure. If it was personal data, such as customer data subject to data breach laws, the losses could likewise run to millions of dollars to fix the problem.
In a 2010 USA study, Ponemon examined 45 data breaches; the most expensive cost $31 million to resolve and the least expensive $750,000, with the average cost per lost customer record exceeding $200 (Ponemon, 2010). One of the key findings of a 2008 Ponemon study was that "Business travelers lose more than 12,000 laptops per week in U.S. airports" (Ponemon, 2008). An infographic provided by Kensington (Kensington, 2011) states: "1 Laptop is stolen every 53 seconds, 70 million Smartphones are lost each year with only 7% being recovered, and 57% of those lost Smartphones were not protected with enabling security features". These statistics cover mobile devices in general; there is no breakdown of business-owned vs. personal devices. However, the same infographic did indicate that "4.3% of Smartphones issued to employees are lost or stolen each year."

Looking at the mobile device issue alone, even before factoring in BYOD, data is leaving the enterprise on portable devices and many of those devices are disappearing with the data. The problem is going to get worse as more enterprises deploy mobile devices: by the end of 2013, 78% of enterprises are expected to have deployed tablets (Kensington, 2011).

2.4 Cloud Computing and Services

Cloud storage creates many challenges for the business, including data security and privacy, regulatory compliance, data integrity and availability, and forensics. When corporate data is moved onto a cloud provider that has not been vetted by the enterprise, the data may be at risk.
Examples of cloud storage include file lockers such as Dropbox, Rapidshare, Megaupload, iCloud, and Skydrive. Users turn to cloud storage for data backup, but may also use these facilities as an intermediary for transferring corporate data either to another corporation or to their home. If inadequate security controls are implemented, the cloud service may be breached by hackers and the data stolen. If an employee leaves the organization, the existence of these extra copies may be unknown to the organization, which lacks both knowledge and control of rogue copies of its data. The ex-employee retains access to this data, and the resulting breach can be harmful to the business.

It is common for these services to be used by an employee who wishes to work with the data at home and uses them to bypass the security controls the organization put in place precisely to prevent the data from leaving. The employee had good intentions and just wanted to get their work done, but found the security restrictions inhibiting and so found a way to circumvent the controls.

Another use of cloud services is in the social media space. Although social networking is part of social media, social media also includes tools such as instant messaging, chat, streaming presentations (e.g. WebEx) and collaboration tools (e.g. Google Docs, Office 365). These tools provide a channel for exfiltrating corporate data. For example, a user may wish to use Google Docs to create and edit documents because they prefer that tool over the current corporate standard or are more familiar with it.
2.5 Bring Your Own Software (BYOS)

Microsoft Windows has approximately a 90% share of the desktop market (NetMarketShare, 2013); the remainder is mostly Mac OS and Linux. There are many other choices in Information Technology (IT), such as browsers (e.g. Internet Explorer, Firefox, and Chrome), search engines (Google, Bing), programming languages (C, C++, C#, Basic, COBOL), and e-mail clients (Outlook, Lotus Notes). BYOS is about the user's choice to use what they already know and are most comfortable with. Instead of learning new tools (the corporate standard), they use the tools with which they are most familiar.

Then there is the choice of using software or tools to which the organization may have blocked access. This may include the cloud services mentioned above, but the user may also wish to use social networking software or sites such as Twitter, Facebook, and Youtube. These sites may be part of the employee's personal life while there is no business requirement for the software or services. If the user has a personal device, these services and tools may already be installed on it. An organization can block installation and access on corporate-owned devices, but how will personal devices be handled and managed? BYOD devices and the services running on them will require a policy and management strategy that addresses how these devices and services will be used (or not used) with corporate data and applications.
2.6 Device Standardization, Support and Management

Large enterprises that purchase equipment try to standardize on a limited number of suppliers, vendors, models, software packages and configurations. This minimizes the variables that need to be evaluated during root cause analysis when resolving hardware and software failures, and raises the probability that the current help desk staff can resolve a support issue. If the organization standardizes on Microsoft Windows and does not provide support for Mac OS, then a user with a Mac may receive limited support from inside the organization due to a lack of expertise. In a BYOD scenario the support center (help desk) could be faced with resolving user problems on a wide variety of hardware and software, because without standards anything could show up. Some organizations that allow BYOD provide only limited help desk support for personal devices; in other words, "you are on your own". In a Corner study, "For each type of device, over 40 percent of companies that allow employees to supply their own devices require the employees to contact the vendor directly." (Rains, 2012). A possible solution for the organization may be to outsource the help desk function for support of personal devices.

2.7 Adapting the Enterprise to Issues of Mobile Devices and Cloud Services

The enterprise most likely has to address mobile and cloud technologies in any case; BYOD only adds another layer of complexity to the overall problem. Regardless of whether a mobile device is company-owned or personally owned, these devices are prone to being lost or stolen.
2.8 Ownership

BYOD devices may have commingled hardware and software ownership. As an example, suppose an employee brings in a personal device to be used for business. As a piece of hardware, ownership of the device is simple: it belongs to the employee because it is personally owned. What happens if the personal device is not adequate and requires an upgrade? Common examples are increases in memory, storage or processing power (e.g. adding an additional CPU). If the employee pays for the upgrade out of pocket, then the device is still most likely a "personal" device. What happens when the organization pays for the upgrade? Now company-owned parts are embedded in the employee's personal device. If the organization reimburses the employee for upgrading the device (i.e. allows the employee to expense the cost), who owns the upgrade, since it is company-paid? What if the cost of the entire device is reimbursed?

Software may be a more common example. If the personal device requires additional software for the employee to perform their job, who will buy and pay for the software? If the organization pays for the license, will it be able to reclaim the license when the personal device is no longer used (e.g. the employee is terminated)? Commingling business assets with an employee's personal assets may make it difficult to determine who owns what.

Some enterprises have strict policies that forbid personal use of business assets. Others allow reasonable personal use. An example is the telephone: the employee may be allowed to make limited personal phone calls during business hours. Surfing the
Internet and making online purchases at work may be allowed by some organizations as long as productivity is not affected (e.g. during the lunch hour) and the activity does not affect other users. Employees may use their business e-mail to conduct personal business. This is actually not rare: in the early days of e-mail many employees did not have personal e-mail accounts and relied on their business e-mail addresses. This commingling of business and personal e-mail can create issues for the organization.

Sometimes separation between business and personal use must be maintained, and in the case of mobile devices there are users who carry two or three cell phones to maintain that separation (Rice, 2012): personal phones with personal phone numbers and business phones with business phone numbers. What happens in a BYOD environment where a single personal mobile device (e.g. a cell phone) is used for both personal and business purposes? Who owns the phone number? With current technology, phone numbers for personal devices are carried from job to job, and now even from home to home; we take the number with us. If a salesperson uses a personal mobile device to manage clients and then moves on to another job at a different company, how does the business prevent its customers from calling the salesperson at the new job? The customers know the salesperson's phone number, and that may be the number they call, not knowing that the salesperson now works for someone else. This issue has already occurred in social media, specifically with AOL Instant Messenger (AIM). Salespersons at one company were communicating with their clients over AIM; one of them became employed by a competitor, and by taking the AIM account with him the salesman effectively
took his client base with him. The bottom line is that phone number transfer and ownership create issues, and an organization needs to determine up front how it wants to address phone number ownership; otherwise a sales rep could walk off with the sales leads (Harris, 2012).

2.9 Employee Privacy

If an organization becomes involved in litigation, the contents of personal devices used for business may be subject to discovery (Garlati, 2012). Because personal data may be commingled with the company's data, personal data such as browser history, chat logs, personal e-mails, photos, financial account numbers, and private documents stored on the phone may be exposed. Personal data and privacy become collateral damage of a discovery request. There has been recent legal activity regarding an employee's "expectation of privacy" when using company-issued devices for personal reasons (Navetta, The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device), 2012). The reverse situation (company data on personal devices) will be just as complicated, if not worse.

If an organization provides for backup of the personal device, there are three likely scenarios: 1) only the company's data is backed up, 2) the company's data and some of the personal data are backed up, and 3) the entire device is backed up. In the latter two scenarios personal data is being stored somewhere, and a copy of that data is taken out of the possession and control of its owner. Is that data being protected? Can other employees, who may have a need to know for the business data that was on that personal device, also see the employee's
personal data? Is privacy maintained for personal data that is on the device when the device is brought to the IT department for support?

Mobile devices such as phones and tablets may have GPS capabilities and can be used as personal trackers. Can the organization track the employee's location, where they are and where they were? What are the consequences for the employee if this information is voluntarily handed over to law enforcement?

One of the data protection controls used to mitigate the exposure of lost devices is a wipe capability. In a remote wipe, a signal is sent to the device, and the device erases itself, destroying all of the data on it. A device wipe can also be initiated locally by actions on the device itself, such as entering the wrong password a successive number of times. In some devices this number is fixed; in others it can be configured. An Apple device running a current release of iOS (e.g. iPhone, iPad or iPod Touch) can be configured to wipe itself automatically after 10 successive failed passcode attempts (Apple Inc., 2012).

Wiping a device can backfire on the organization and result in legal issues (Lui, 2012) (Narisi, 2012). A software company wiped a former employee's personal device and was successfully sued by the employee for damages. "In Germany it is illegal for companies to wipe personal data from an employee-owned device." (Guerra, 2012). Wiping a device destroys the data, and in a discovery case this could constitute spoliation (McAfee, 2011).
2.10 Personal Sharing of BYOD Devices

Sharing of personal devices could expose corporate data to unauthorized persons. When a device is a business-issued device, the boundaries are usually clear as to who may use it. Where personal and corporate information are commingled, the boundaries may not be as clear and could be very vague. A cross-exposure of confidential information may occur in either direction. For example, confidential business information, which may include personal data of customers, could be exposed to family members who have no "need to know" for that data. What if the data on the personal device is customer medical or financial data? Does access by a family member represent a breach of that data? It is certainly an unauthorized disclosure.

Exposure in the other direction may occur as well. Suppose personal family data is stored on a personal device that is used for BYOD but also shared by family members. If the device is subject to a discovery proceeding, then that personal data could be exposed. This restates the employee privacy concern mentioned above, but now it is not just the employee's privacy at stake; it is the privacy of the employee's family as well. If the employee's spouse uses the device for personal e-mail, and the device is handed over for discovery or forensics, then the spouse's personal contents (e.g. e-mails) are exposed.

The sharing issue is not a new problem. Prior to BYOD, the use of personal devices for remote teleworking access produced some of the same risks, since those personal devices were usually the family computer, shared by the other family members.
2.11 Application Cohabitation

Mobile devices such as smartphones and tablets acquire and install applications differently than desktop systems. Apple created its iTunes App Store for app delivery, Blackberry has its App World, and Google Play is the app store for the Android market. In January 2013 Apple had 775,000 applications, claimed 40 billion downloads, and was estimated to be adding 641 new applications per day (Rowinski, 2013). Google Play, which distributes Android apps, is close to Apple's figures and is growing at a faster rate, so it will soon pass them. At 600+ applications per day, which exceeds 19,000 per month, is anyone going to evaluate and vet each application for bugs and malicious code? Apple supposedly does a good job at this, but some rogue applications still get through. In 2012 Google Play (the official app store for Android apps) introduced a service called Google Bouncer, an automatic scanning tool that examines submitted apps and tries to determine whether they may be malicious. The scanning includes runtime behavior analysis to determine whether the application acts maliciously (Hou, 2012). Security researchers have already analyzed Bouncer's behavior and were able to get malicious applications past it.

Sensitive corporate data can be put at risk if unregulated 3rd-party applications are installed on the mobile device (Phneah, 2013). The user of the device usually assumes that an application is safe to install and use, and does not realize the security implications inherent in these applications (Phneah, 2012). An application carrying malicious code is, in effect, a fully packaged Trojan. Unless the enterprise
can vet the software and control the installation of applications, a bad application can breach the entire contents of the device, including the corporate data stored and processed on it. To complicate matters, Websense predicts that the problem will get worse in 2013. In their 2013 Predictions, "Legitimate mobile app Stores will host more malware in 2013", and they predict: "Malicious apps will increasingly slip through validation processes. They will continue to pose risks to organizations enabling bring your own device (BYOD) policies. We will see an increased volume of malware hosted in legitimate mobile app stores. In addition, jail-broken/rooted devices and non-sanctioned app stores will pose significant risk to enterprises as more allow BYOD" (Websense, 2012).

2.12 Regulatory Requirements

Most regulatory requirements, both governmental (e.g. HIPAA, GLBA, FCRA) and industry (e.g. PCI), address the privacy of the data. Privacy involves data access (who, when, where, why and how) and the controls put in place to govern that access. One of those controls is data encryption, which may include full disk encryption technologies. In the case of mobile devices, either the device or the container holding the data may need to be encrypted. Protection of the data may be required both "at rest" and "in motion".

2.13 Device Backup

If the mobile device is wiped, its data may need to be recovered. It is in the best interest of the business to back up the data to prevent permanent data loss, but it is also
in the best interest of the owner of the personal device to perform backups. The wipe operation is a security feature that must be enabled and configured manually, and when activated the entire contents of the mobile device are made unreadable. Activation is usually initiated by a remote command to the device (remote wipe) but can be triggered in other ways. One of those is multiple successive invalid passcode attempts. For example, an Apple iPad can be configured with a passcode and set to wipe itself after 10 invalid attempts to enter it. In BYOD this is a personal device, and if one of the employee's young children takes the device to play Angry Birds and cannot figure out the passcode, they could end up causing the device to wipe itself. In any case, a wipe destroys all the data, and then what do the employee and the business do, since both have data on that device that may be needed?

The impact of that lost data can be minimized by backups. But who is responsible for taking the backup, and what about the backup image itself? For Apple devices, iTunes can take a backup during synchronization, and the backup can be stored on the workstation or in the cloud (iCloud). If the entire device is backed up, both personal and corporate data will be stored in the backup file. In these scenarios additional copies of corporate data are created outside the mobile device. If these backups are not encrypted, then the backup file is vulnerable to data loss if it is compromised. The backups are probably not within the scope of a remote wipe initiated at employee termination. If an employee is terminated, the organization may decide that continued possession of the data by the (now ex-) employee is a major risk and issue the remote wipe command to destroy the data. If
the employee has backups of the device data, including the company's data, then the remote wipe will not be completely effective.

2.14 e-Discovery & Forensics

If an employee is arrested, the mobile device in that employee's possession may be subject to search (Rasch, 2011). In United States Fourth Amendment case law, this exception to the warrant requirement is called a "search incident to arrest". If this occurs with a device that contains business data, then there is a potential that the data may be disclosed. This is not just a BYOD issue; it is a risk even with corporate-owned devices.

As previously mentioned, information on the devices can be discoverable, and a business may be required to provide the contents of the device as part of a discovery request. This could cause the personal information of the employee to be disclosed, depending on the degree of separation of business and personal data on the device. If the discovery request is not complied with because data was lost, damaged or destroyed (spoliation), the failing party could be sanctioned for not providing the requested data, and the court may infer that the destruction was intentional.

An organization may need to establish a "right to seize" personal devices that may contain corporate data, so that those devices can be imaged and analyzed for a corporate investigation. Failing to establish this right in advance could inhibit acquiring the device from the employee: the employee could simply refuse to turn over the device, and the organization may have limited recourse.
2.15 The Exit Strategy

Organizations sometimes enter into business arrangements without considering the steps to be taken when that relationship terminates, or the contingency planning needed when the service is unavailable. Evaluation of these arrangements may lack due diligence before the execution of a contract. An exit strategy should be designed and put in place before the engagement begins, and should provide for an orderly departure should the contract be terminated. As an analogy, couples get married but most don't plan for a divorce because they expect the marriage to work out and last forever. Yet a few do plan, just in case a divorce happens, and one exit strategy is a prenuptial agreement.

When an employee's relationship with the company is terminated, there is usually a standard set of requirements that make up the company's exit strategy. These include the return of corporate assets and reaffirmation of confidentiality and non-competition agreements. In the case of BYOD, however, the device is the employee's and does not belong to the corporation. Some of the data on that device does belong to the corporation, and may even include software purchased and owned by the corporation and installed on the personal device. A Forrester study states: "Thirty percent thought there wasn't enough separation between consumer and corporate data on mobile devices" (PC World, 2010). This information and software is commingled on the personal device and leaves the employer with two options. The first is to divest the data and software: figure out which is corporate data and which are corporate assets (e.g. software) and remove them, leaving the personal
data intact. The other option, which may be easier for the company, is to completely wipe the device of all data. These options assume that the data and assets are commingled; if the data is distinctly separated by some method of partitioning, then wiping only the corporate data becomes easier. Part of the exit strategy will be solving the problem of how to keep corporate data separate from personal data on the personal device, allowing an automatic selective wipe of corporate data.

2.16 Lost and Stolen Devices

Losing a mobile device can be a nightmare for an enterprise. If sensitive corporate data is on the device at the time it is lost, the expense of addressing a data breach of the device's contents will far outweigh the cost of the physical asset. The 2011 Ponemon Cost of a Data Breach Study found: "Nearly 40% of organizations in the study had a data breach resulting from a lost or stolen mobile device, including tablet computers, Smartphones and USB drives that contained confidential or sensitive data" (Walker, 2012). Mobile devices may be protected by remote wipe and self-destruct failsafe mechanisms, but that assumes proper configuration and handling. Yet the same study also found that 39% of data breaches in the U.S. involved employee negligence, which suggests that proper configuration and handling was not occurring. Configuration of the device also assumes that protection mechanisms are available, either from the manufacturer or through an add-on that provides security features for the device.
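The selective wipe called for in the exit strategy (section 2.15), the backup copies that a remote wipe cannot reach (section 2.13) and the lost device of section 2.16 can all be addressed by the same partitioning technique: cryptographic erasure. Corporate data lives in a container encrypted under an enterprise key that the device keeps out of every backup, so an enterprise wipe destroys only that key; the personal store is never touched, and every copy of the container, on the device or in a backup, becomes unreadable at the same instant. The Python below is an added illustration written for this edit, not code from the original paper or from any MDM or container vendor. The Device class, its method names and the sample files are assumptions, and the XOR keystream derived from HMAC-SHA256 stands in for a real authenticated cipher such as AES-GCM, which the standard library does not provide.

```python
"""Selective (corporate-only) wipe by cryptographic erasure.

Illustration added for this edit; not the paper's own code nor any vendor's.
Model: personal data is stored in the clear (it belongs to the employee);
corporate data is stored in a container encrypted under a key that the
device keeps out of every backup. An enterprise wipe destroys only that key.
The keystream cipher below is for illustration only (stand-in for AES-GCM).
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample files (hypothetical; not from the original paper).
PERSONAL_FILE = ("family_photo.jpg", b"\x89PNG\r\n\x1a\n constructed personal bytes")
CORPORATE_FILE = ("q3_forecast.csv", b"REGION,PROJECTED_REVENUE\nEMEA,1200000\n")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 counter-mode keystream.

    Symmetric: applying it twice with the same key and nonce recovers `data`.
    Illustrative only; a real container would use an AEAD such as AES-GCM.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block_input = nonce + counter.to_bytes(8, "big")
        stream.extend(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class Device:
    """A personal device with a personal store and an enterprise container."""

    def __init__(self) -> None:
        self.personal: Dict[str, bytes] = {}                  # employee's own data
        self.corp_key: Optional[bytes] = secrets.token_bytes(32)  # device-protected
        self.container: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (nonce, ct)

    def put_personal(self, name: str, data: bytes) -> None:
        self.personal[name] = data

    def put_corporate(self, name: str, data: bytes) -> None:
        if self.corp_key is None:
            raise PermissionError("corporate container has been wiped")
        nonce = secrets.token_bytes(16)
        self.container[name] = (nonce, keystream_xor(self.corp_key, nonce, data))

    def get_corporate(self, name: str) -> bytes:
        if self.corp_key is None:
            raise PermissionError("corporate container has been wiped")
        nonce, ciphertext = self.container[name]
        return keystream_xor(self.corp_key, nonce, ciphertext)

    def backup(self) -> dict:
        """Whole-device backup as in section 2.13: personal plaintext plus the
        container's ciphertext. The corporate key is deliberately excluded."""
        return {"personal": dict(self.personal), "container": dict(self.container)}

    def enterprise_wipe(self) -> None:
        """Selective wipe (section 2.15): destroy the key, then the ciphertext.
        Every backup of the container is now unreadable; personal data untouched."""
        self.corp_key = None
        self.container.clear()


def demo() -> dict:
    """Run the exit-strategy scenario and report what survived the wipe."""
    dev = Device()
    dev.put_personal(*PERSONAL_FILE)
    dev.put_corporate(*CORPORATE_FILE)
    readable_before = dev.get_corporate(CORPORATE_FILE[0])

    snapshot = dev.backup()          # taken while the employee still works here
    dev.enterprise_wipe()            # employee departs; enterprise wipes its data

    try:
        dev.get_corporate(CORPORATE_FILE[0])
        corporate_readable_after = True
    except PermissionError:
        corporate_readable_after = False

    _, backed_up_ciphertext = snapshot["container"][CORPORATE_FILE[0]]
    return {
        "readable_before_wipe": readable_before == CORPORATE_FILE[1],
        "personal_intact": dev.personal[PERSONAL_FILE[0]] == PERSONAL_FILE[1],
        "corporate_readable_after_wipe": corporate_readable_after,
        "backup_exposes_plaintext": backed_up_ciphertext == CORPORATE_FILE[1],
        "backup_contains_key": "corp_key" in snapshot,
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Running demo() shows the personal file intact, the corporate file unreadable, and the pre-wipe backup holding only ciphertext with no key to open it. The whole model rests on one assumption: the corporate key never leaves device-protected storage. A backup that captures the key material, or an employee who extracts it from a jailbroken device (section 2.18), reopens exactly the problem described in section 2.13.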
2.17 Mobile Device Malware

Security endpoint protection (e.g. antivirus, antimalware, and antispyware) for mobile devices is still in catch-up mode. Mobile device malware may be more profitable to the attacker than desktop infections, considering the number of mobile devices that are now online.

In the earlier days of smartphone usage, enterprises used devices from Research in Motion (RIM) carrying the Blackberry brand. Blackberry devices came out in 2002 and were the first smartphones optimized for wireless e-mail use (The National Cyber-Security Advisory Council (CNCCS), 2011). These devices were accepted by corporate IT departments and were considered secure, and RIM became the standard for corporate smartphones. Even in a 2012 nCircle survey, when asked "Which mobile devices carry the greatest security risks?", the responses were: 36% Android, 24% Apple iOS, 10% RIM, and 18% Windows (nCircle, 2012). This indicates that the IT security professionals responding still consider Blackberry a safer bet than Android, Apple, or even Windows phones. RIM also provided software for the security management of Blackberries, called Blackberry Enterprise Server (BES). With BES, device configurations could be pushed to the Blackberries automatically.

Although malware attacks on mobile devices were seen as early as 2004, endpoint protection focused on desktop systems, and antivirus was rarely seen on a smartphone. With the proliferation of the iPhone, its popularity and its quick gain of smartphone market share, attackers now have a new attack vector worth exploiting. The mobile device market continued to grow with the
introduction of the iPad tablet and of Android smartphones and tablets. "Gartner predicts that by 2014 Android will be the most popular platform and Smartphones will outsell PCs by 2013" (The National Cyber-Security Advisory Council (CNCCS), 2011). Malware protection for these devices now exists, although it is in some cases still considered immature and is not in widespread use. This provides a ripe target for cybercriminals, because the gates to the devices are wide open and no one is guarding them.

2.18 Jailbreaking

Jailbreaking an Apple iOS device (e.g. iPhone, iPod Touch, iPad) is the process of gaining root access to the underlying device operating system and removing the controls and limitations of the device (Wikipedia, 2013). Once an iOS device has been jailbroken, it can be used to shop for non-sanctioned apps in non-sanctioned app stores (Websense, 2012). These unsanctioned "mobile marketplaces" are repositories for pirated applications that may be infected with malware, and they pose a significant risk to the user and the organization if an infected app is installed and allowed access to corporate data.

Since jailbreaking gives the user total control over the device, i.e. root access, any application installed on the device can be tampered with, including the controls added to the device to protect data. Configuration applications such as MDM and MAM agents may be bypassed or overridden, and virtualization container solutions can be compromised. Any lockdown of the device would be difficult, if not impossible, if the user of the device held root access (or, in the case of a Microsoft Windows device, administrative rights). In the case of a virtualization solution that sits on the device,
  36. 36. 30 root access to the iOS provides control of the hypervisor, which provides almost unrestricted access to the virtual machine guests. 2.19 Insecure Application Coding and Configuration No one can code a bug-free application. And there are no testing tools that can detect all possible defects in program code. If there were such a testing tool, then it would contradict Alan Turing’s “Halting Problem”. While these theories hold, there will always be risk within an application that the code can be exploited and compromised, i.e. all applications will never be 100% secure. This is where risk management enters the mix, since we can’t be 100% secure, what would we consider “secure enough”, and is it realistic to achieve a residual risk which is “secure enough” and acceptable to the business? Can a PC, workstation, server, or mobile device be configured securely? Organizations expend great amounts of resources to try to figure out what the optimum mix of security and operational settings should be. This is hard to achieve because “one size does not fit all”. If it did, then the manufacturer of the software would set the options at the factory and that would be it. But there is a triangle of three variables that organizations attempt to balance: Security, Performance and Cost. It takes a lot to achieve the balance, and sometimes within a single organization this balance may vary depending on the usage and location of the equipment. If an organization has to expend all these resources to figure out how a device should be configured, then an individual user will probably not get involved with setting security configurations, most users will just use the device out of the box “as is”.
  37. 37. 31 Obviously the industry has not learned from its prior mistakes. With the majority of Microsoft Windows XP workstations on the Internet, in an always on/always connected mode, these machines became the choice of cyber criminals to attack, infect, and turn into zombies or bots. It was becoming so bad that Microsoft attempted to reduce the attack surface of Windows XP systems in Windows SP2 (Service Pack 2) by turning on the Windows built-in firewall by default. Since one size does not fit all, turning on this feature did break some applications, but it was considered an improvement that reduced many attacks that were being launched against those systems. Now with mobile devices, we are faced with these same issues again for as mobile devices are not configured secure out of the box, they are not “secure by default”. A problem with so-called Secure Application Coding is education/training. It is not until recently that programming classes in the university and vendor training classes included application security. Students learned how to program – how to write code but security was not usually taught as part of programming and, thus, was never considered or it was expected that the student would pick that skill up somewhere else. In some curriculums, application security is provided by separate security courses, which if not taken, will still leave the student lacking security knowledge. This is a bolt-on approach, and not really integrated. The result will be application coders that continue to write insecure code because they lack the methodology of secure coding practices. 3. Recommendations The recommendations made here are not meant to be complete, exhaustive, or mutually exclusive. They attempt to address some of the issues shown in Section Two of this
paper. Keep in mind that BYOD is part of a much bigger issue, and even if BYOD is not addressed, the underlying problem of mobile devices will most likely need to be addressed. Many of the issues mentioned above exist in mobile devices that are owned by the enterprise. BYOD suffers from the same problems and issues as business owned mobile devices. The “mobile device” problem itself requires a solution and is the bigger problem to be considered regardless of who owns and manages the device.

3.1 Establish Policies for BYOD

The content of actual policies is beyond the scope of this paper and would be left for further research. But policies for mobile devices are required and needed. BYOD policies need to be developed and put into place regardless of whether BYOD is adopted or banned by the organization. Policies are needed even if BYOD is not adopted, as a contingency in handling incidents where personal devices manage to slip in. Something as simple as a USB flash drive can cause havoc unless policies are in place. Policies are usually administrative in nature, but can be enforced using the three main security control types: Administrative, Technical and Physical. Policies must be backed up with training to inform the users of the policies’ existence and contents. This is usually accomplished via security awareness training. In some organizations the employee is required to sign an acknowledgement form indicating that the employee has read and understands the policies.

Having a policy and putting it out there is not enough. In a survey of 547 IT Professionals performed in the 2nd Quarter of 2012, 71% answered “Yes” to the question: “Does your organization have a mobile device security policy?” (nCircle, 2012). This is an increase, since the survey showed that 58% answered “Yes” back in 2010. In the same survey a question was asked whether the organization enforced that policy, with 85% responding “Yes” in 2012 (up from 65% in 2010). 85% is a high number, but policies are not always effective unless they are enforced. Policies should be implemented and they should be enforced. Overall security policy enforcement, according to the survey, is lower, where the question was: “Does your organization adequately enforce adherence to its internal security policy?” which was answered “YES” by 68% in 2012, down from 71% in 2010.

A properly written and enforced policy is an organization’s first line of defense. Policies must communicate how devices will be managed by the IT department, and the access required by the business to their devices in order to protect corporate data and assets (Apperian, 2011). Citrix recommends these areas to be covered in a BYOD policy (Citrix, 2012):

• Eligibility
• Allowed Devices
• Service Availability
• Rollout
• Cost Sharing
• Security
• Acceptable Use
• Support and Maintenance

3.2 Contracts and Agreements

Contracts and agreements can be an extension of policies but may need to be individualized. Although an organization may do this through a policy, there may be advantages to having an employee explicitly agree to certain terms of mobile device usage, especially when the device is owned by the employee. Two examples are seizure and wiping. In the case of seizure, if data belonging to the enterprise is stored on the employee’s device, the organization may need to retain the right to seize the device from the employee for eDiscovery and forensics investigation purposes. In the case of wiping, the organization may retain the right to wipe the device without liability for the loss of personal information on the device. Wiping may be required when the device is lost/stolen or at employee termination. “Employees must also understand the consequences of conditions that might dictate the need for a complete wipe of a device” (Apperian, 2011). Just in these two examples there may be global implications of what may be allowed with and without an agreement, and the contents of agreements and policies should be worked out with legal counsel.

3.3 Offer CYOD instead of BYOD

An organization may retain better control of mobile devices with a “Choose Your Own Device” strategy instead of “Bring Your Own Device”. In CYOD, the organization will continue to purchase and own the device, but the employee chooses the device. If the employee prefers an Apple iPhone instead of a RIM Blackberry phone, the employee can pick the iPhone and the company will purchase, configure, and support the device. In this scenario, the device is not completely forced onto the employee; there is some choice – creating middle ground on device selection. When the employee relationship terminates, the equipment may either be returned, or some companies will provide a buyback program where the employee can buy the device from the company.

3.4 Secure Containers

“Containerization refers to a solution that creates an encrypted data store or container on a device” (Faas, 2012). This concept may also be called a “secure bubble”. The encryption and authentication to the container is independent of the device settings. The entire device might not be encrypted and the device might not have a passcode, but the container is a secure repository in itself. All the corporate data can be stored in one place and segregated from personal data. This dividing line can prevent or limit the comingling of corporate and personal data and should make it easier for the corporate data to be wiped at a later time without destruction of personal data.

At some point in time the data obtained from the container will need to be decrypted into clear text so that the application can use and process the data. The communications channel between the container and the application could be vulnerable to eavesdropping or man-in-the-middle attacks, so this channel needs to be secure. The application that processes the data in clear text form could be vulnerable to an attack, such as a man-in-the-middle application, where the clear text form of the data is extracted from the application’s working data store, such as stacks and registers. Modification of the executable could be made in a way that adds rogue program code to store or transfer corporate data off the device. Storage of corporate data in a container may be safe while the data is stored, but the security of the application’s access to the data will depend on how well the application is protected. The segregation can make the exit strategy easier because it can reduce or solve the comingling problem.

Containerization may also be called sandboxing and virtualization. The concept of a hypervisor may exist within the firmware (bare metal) or run under the mobile device’s operating system like VMWare (Cocking, 2012). Apple provides sandboxing for 3rd party applications installed on iOS devices (Apple Inc., 2012). These 3rd party apps are isolated from the other apps and the operating system, and can only communicate via supplied APIs. 3rd party iOS applications are those installed from the App Store, but Apple’s preloaded applications are stored in the root folder and are not subject to the same restrictions as a sandboxed application (Zdziarski, 2012). If the iOS device is jailbroken then pirated applications could be installed outside of the sandbox and into the root folder, allowing the application to run commands that would otherwise have been restricted.

3.5 Remote Access Terminal Solutions

Citrix’s approach is desktop virtualization which is accessed via a secure SSL connection (Citrix, 2012). In this scenario, the applications and the data reside on a virtualized desktop, and the mobile device runs either an application or a web browser to remotely access the desktop. Remote access is accomplished via a “thin client” running on the mobile device with the intent of keeping a small footprint on the device. This provides device independence because the customized application is not running on the device. The data is protected inside the corporate perimeter and never leaves the safe confines of the data center. This concept could use any desktop virtualization solution, such as VDI (Virtual Desktop Infrastructure) as provided by VMWare View. In a remote access solution the mobile device acts as a remote terminal and all the heavy lifting is done at the remote desktop. This solution assumes that the device is connected to a network and the remote desktop is available. Offline processing may be impossible if the remote connection is not operational.

Because all the data is in the data center, the risk of a lost device is minimized. No data is on the device. If the employment relationship is terminated, there is no data on the device. In either of these cases the employee’s credentials that access the remote desktop must be disabled to prevent remote access after device loss or employee termination, but once disabled the data should be safe.

3.6 Mobile Application Management (MAM)

“Mobile application management is the delivery and administration of enterprise software to end users’ corporate and personal smartphones and tablets” (TechTarget, 2013). MAM focuses on application delivery while MDM focuses on device provisioning.

3.7 Mobile Device Management (MDM)

In Gartner’s Magic Quadrant for Mobile Device Management Software, MDM is defined as: “Enterprise mobile device management (MDM) software is primarily a policy
and configuration management tool for mobile handheld devices, such as smartphones and tablets based on smartphone OSs” (Basso, Girard, & Redman, 2012). One of the objectives of MDM is to manage security settings over a heterogeneous span of mobile devices, making the settings device independent. Through security settings the IT department can distribute policy and configuration to the devices and enforce security policy. One set of configuration settings may force the activation of a password (or passcode) to be used on the mobile device, and set a minimum password length, with complexity and aging requirements for the password. The MDM should be able to set and modify any configuration setting on the device that a user can set, and the MDM may be able to prevent the user from disabling or changing that setting back. The Jailbreaking process could interfere with the MDM’s processes and result in an insecure device in violation of the organization’s security policy. The Blackberry Enterprise Server (BES) has the features of an MDM, but is mainly homogeneous and usually applies to RIM devices. However, RIM is moving forward with a commercially available MDM platform called Mobile Fusion.

3.8 Network Access Control (NAC)

Controlling and monitoring access to corporate networks will require access control. In a report by Dell it was reported that BYOD will drive the need for NAC to accomplish this (Dell Sonicwall, 2013). Mobile devices connected directly to the corporate network will usually be connected via a Wi-Fi network (wireless LAN). The three A’s (AAA) of security (Authentication, Authorization and Accounting) are provided and enforced via access control to the wired or wireless network, and network access control is provided using NAC. NAC can control who may, or may not, connect to a network and can be configured to force the device to comply with security standards before allowing access. For example, NAC can be configured to prevent connection of a device if the device has security vulnerabilities such as a lack of patching or of endpoint protection software.

3.9 Data Self Protection

Data may be protected by using a self-protection mechanism such as information rights management (IRM), sometimes called digital rights management (DRM). The data, usually in the form of a document, has built-in access control that works with encryption technology to control access to the document. This is also called MCM (Mobile Content Management), and the idea is to focus on protecting the data while disregarding perimeter protection (e.g. the philosophy of the Jericho Forum).

3.10 Device Behavior

Many of the mobile devices contain location awareness, especially devices that have built-in GPS capabilities. The behavior of the mobile device could be tied to the location of the device when the data is being accessed. This is called geo-fencing, where data access is restricted to a specific location, and the data may be removed or made inaccessible when the device leaves the location.
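The MDM settings of 3.7, the NAC admission check of 3.8 and the geo-fence of 3.10 combine into one device-posture decision. The Python below is an added example written for this page, not the paper’s or any MDM/NAC vendor’s code; the posture schema, policy values, OS version numbers and coordinates are constructed assumptions.

```python
"""Device posture evaluation combining the MDM, NAC and geo-fencing controls
discussed in Sections 3.7 to 3.10.  Added example, not from the paper or any
MDM/NAC product; the posture schema, policy values and coordinates are all
constructed for illustration."""
from dataclasses import dataclass
from datetime import date
import math


@dataclass(frozen=True)
class Policy:
    """Settings an MDM would push to every device (constructed values)."""
    min_passcode_len: int = 8
    require_complexity: bool = True            # letters and digits, not digits only
    max_passcode_age_days: int = 90
    min_os_version: tuple = (6, 1, 3)          # NAC: reject builds older than this
    require_endpoint_protection: bool = True
    fence_centre: tuple = (40.7580, -73.9855)  # geo-fence centre (lat, lon)
    fence_radius_m: float = 500.0              # data usable only within this radius


@dataclass(frozen=True)
class DevicePosture:
    """What the device agent reports back to the MDM (hypothetical schema).
    The MDM sees passcode attributes, never the passcode itself."""
    passcode_set: bool
    passcode_len: int
    passcode_complex: bool
    passcode_set_on: date
    os_version: tuple
    jailbroken: bool
    endpoint_protection: bool
    location: tuple                            # last reported (lat, lon)


def mdm_violations(dev, pol, today):
    """Section 3.7: list every MDM configuration rule the device violates.
    A jailbroken device is reported first, because root access lets the user
    undo every other setting the MDM pushed."""
    violations = []
    if dev.jailbroken:
        violations.append("jailbroken")
    if not dev.passcode_set:
        violations.append("no passcode")
    else:
        if dev.passcode_len < pol.min_passcode_len:
            violations.append("passcode too short")
        if pol.require_complexity and not dev.passcode_complex:
            violations.append("passcode not complex")
        if (today - dev.passcode_set_on).days > pol.max_passcode_age_days:
            violations.append("passcode expired")
    return violations


def nac_admit(dev, pol, today):
    """Section 3.8: NAC admits a device to the WLAN only if it is MDM-compliant,
    patched and running endpoint protection.  Returns (admitted, reasons)."""
    reasons = mdm_violations(dev, pol, today)
    if dev.os_version < pol.min_os_version:    # tuple compare: (6,0,1) < (6,1,3)
        reasons.append("os unpatched")
    if pol.require_endpoint_protection and not dev.endpoint_protection:
        reasons.append("no endpoint protection")
    return (not reasons, reasons)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    radius = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * radius * math.asin(math.sqrt(h))


def in_geofence(dev, pol):
    """Section 3.10: True while the device is inside the permitted location."""
    return haversine_m(dev.location, pol.fence_centre) <= pol.fence_radius_m


def data_access_allowed(dev, pol, today):
    """Corporate data may be opened only on an admitted device inside the fence;
    outside the fence the data is made inaccessible, as the paper describes."""
    admitted, _ = nac_admit(dev, pol, today)
    return admitted and in_geofence(dev, pol)


# Constructed sample postures (not real devices) used by the demo below.
TODAY = date(2013, 3, 1)
POLICY = Policy()
NEAR, FAR = (40.7590, -73.9855), (40.7680, -73.9855)   # ~111 m and ~1.1 km out
COMPLIANT = DevicePosture(True, 8, True, date(2013, 1, 15), (6, 1, 3), False, True, NEAR)
JAILBROKEN = DevicePosture(True, 8, True, date(2013, 1, 15), (6, 1, 3), True, True, NEAR)
OFFSITE = DevicePosture(True, 8, True, date(2013, 1, 15), (6, 1, 3), False, True, FAR)
NEGLECTED = DevicePosture(True, 4, False, date(2012, 10, 1), (6, 0, 1), False, False, NEAR)

if __name__ == "__main__":
    for name, dev in (("compliant", COMPLIANT), ("jailbroken", JAILBROKEN),
                      ("offsite", OFFSITE), ("neglected", NEGLECTED)):
        admitted, reasons = nac_admit(dev, POLICY, TODAY)
        print(f"{name:10} admitted={admitted} reasons={reasons} "
              f"data_access={data_access_allowed(dev, POLICY, TODAY)}")
```

Note that the OFFSITE device passes NAC but is denied data access, which is the geo-fencing behaviour the paper describes: network admission and data access are separate decisions.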
4.0 Future Research

The issues provided in this paper do not cover every issue, nor does the paper really go into depth on each issue. The issues discussed can be further researched, with the researcher going into a more detailed deep dive of each issue. The scope and focus has been on risk and security, but BYOD and mobile have implications in the area of operational issues and return on investment (ROI). There are different opinions among the experts as to whether BYOD really saves the organization money.

Mobile device malware, and anti-malware solutions, are topics for future research. Endpoint protection may be required, but there is also some thought that an individual mobile device doesn’t hold that much data and the risk might not be that great. If the mobile device is connected to the corporate network, it becomes a threat as it provides an attack vector past the perimeter. The connection of the device to the network requires an integrated suite of software providing MDM on the device working hand in hand with network access control (NAC), and the objective is to provide and enforce Authentication, Authorization and Accounting (AAA) protection.

Configuration of a mobile device is important, and can be automated via an MDM solution. But the question that needs to be answered is: what should the settings be? One size does not fit all, but a recommendation on what settings should be configurable, and the pros and cons of each setting, would be a separate piece of valuable research.

Support of mobile devices may require beefing up the wireless infrastructure, including bandwidth increases. 802.11ac is a standard in draft state that may provide Gigabit Wi-Fi in 2013 (Cox, 2013). Although cellular enabled devices (e.g. 3G, 4G, 4G LTE) would connect through the Internet and come in via the firewalls, using the Wi-Fi features of the devices will allow the devices to connect to the corporate WLAN (Wireless LAN).

Near Field Communications (NFC) is a feature that can be enabled in the phone, and one of its uses is for wallet applications for electronic credit card payment. But research is in progress to use the NFC feature for a new kind of proximity access card, such as an employee ID badge used to open security doors. Today, employees in the enterprise may have an electronic ID card with either a magnetic stripe, a bar code, or a proximity radio signal. When the employee relationship terminates, the ID card is deactivated and usually collected from the employee. If the NFC of a personal phone is used as an ID badge, will de-provisioning of the device be handled differently? This feature and how it is used should be evaluated and considered.

Research can be done on the question of who pays for the device and other compensation. Some organizations have taken the position that the employee pays for the device and the services (tel-co charges). Some organizations will pick up the entire tab, while there are some that will split the cost. There are different reimbursement models and implications of each, which could be made part of the ROI examination.

File sharing presents an issue to be examined. The mobile devices are used for collaboration, and when an employee is using 3 or more devices – they want the data to be up to date and in sync on each of those devices. This requires a way to share the files across different mobile and desktop devices and may require replication and synchronization services.

Legal and privacy laws were only touched on, and there is opportunity for research into the different legal and privacy regulations, especially on an international level. Regulatory compliance, with its international and cultural differences, needs to be examined.

5.0 Summary

BYOD is a current trend that is moving fast. In a business strategy survey of 1,000 TechRepublic and ZDNet members, 44% currently allow BYOD and another 18% expect to move to BYOD by the end of 2013 (TechRepublic, 2013). In 2012 Forrester published a report that showed 53% are using their own technology for work purposes (King, 2012). Organizations are faced with supporting BYOD, and it is a technology that continues to grow. Combining BYOD with other disruptive technologies such as Cloud Computing, Social Media and Mobile devices is creating a perfect storm that is sweeping the enterprise. Given that companies are challenged to support mobile by itself, BYOD just adds another layer of complexity on top of mobile device support.

A challenge with mobile devices, regardless of the owner of the device, is that a single user may have multiple devices and each device represents an endpoint with its own IP address. Originally the IT department had to support one endpoint per user, usually the user’s desktop. Then this expanded when a laptop was added for select employees. This may have been manageable in the past; however, today a single employee could easily be equipped with four or more devices when adding a phone and a tablet. Most of those devices would be capable of connecting to the corporate network infrastructure, with the potential to access sensitive corporate data. “With the rapid adoption of BYOD, the reality of multiple devices per user, and growth of cloud-based services, the era of managing security capabilities on each endpoint is over” (Cisco, 2013).

A driver for BYOD is the young, future workers. These “millennial” workers, who have grown up with the technology, come to work with their own personal devices, and expect the organization to accept and support those devices. Security is not their concern; they expect the company to enable using their devices without putting the enterprise at risk, and all they want is anytime/anywhere access in order to be able to get their work done (Cisco, 2011).

Organizations are embracing the BYO (Bring Your Own) phenomenon in hopes of reducing cost. It allows the organization to get out of the ownership game, and convert CapEx (Capital Expenditure) to OpEx (Operational Expenditure). Forrester discusses an approach scenario as “own nothing, control everything” by using a zero-trust model where all endpoints are treated as hostile (Jaquith, 2010). While there are claims of BYOD providing a good return, there are also claims that the “control” part consumes most of the cost savings. The ROI of using BYOD was not addressed in this paper and is left for future research.

BYO includes devices, software and services. It involves access to both corporate and personal assets that include hardware, software, and data. One major issue is caused by the comingling of corporate and personal assets, and presents challenges of how to provide protection to those assets. The “exit strategy” is required to determine how to recover corporate assets from a personal device when the employment relationship is terminated. The number of endpoints per user that require protection is increasing, the corporate perimeter is vanishing, and a holistic approach to data protection needs to focus on directly protecting the data. The concept of de-perimeterization was introduced by the Jericho Forum.

Before the BYOD issues can be resolved the enterprise must fix the mobile device problem. If it is a corporate issued device, then the employee will probably put personal data on the device (e.g. use corporate e-mail for personal mail, perform personal web surfing on the mobile device). Many organizations allowed the employee to do this in the past with corporate desktops that were not locked down, when the risks were not well known. If a personal device is used, then the employee will probably put corporate data on that device. One of the largest risks in mobile device technology is the loss of a device that has sensitive corporate data on it. It doesn’t matter who owns the device; the issue is what is on the device.

The organization should come up with a strategy, and then develop policies for use of mobile and BYOD in the enterprise. This strategy may be dictated or affected by the corporate culture. The objective should be worker enablement while corporate assets are protected within the risk appetite of the enterprise. The strategy and policies should be planned as a complete lifecycle that includes provisioning of the device, software and services and is carried through to the de-provisioning process. This includes having an exit strategy for asset recovery at the end of the relationship.

The use of mobile devices will impact other parts of the infrastructure. The use of mobile devices within the organization may require an expansion of the wireless
network. How the organization saves money may also depend on how expenses are paid and who will be responsible for expenses.

6.0 References

Apperian. (2011). Protecting Corporate Data in the "BYOD" environment. Apperian.
Apple Inc. (2011, October 28). iOS: Understanding data protection. Retrieved from Apple Support: http://support.apple.com/kb/ht4175
Apple Inc. (2012, May). iOS Security. Retrieved from http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
Basso, M., Girard, J., & Redman, P. (2012). Magic Quadrant for Mobile Device Management Software. Gartner.
Calif Office of Privacy Protection. (2012, January). Recommended Practices on Notice of Security Breach Involving Personal Information. Retrieved from http://www.privacy.ca.gov/business/recom_breach_prac.pdf
Cisco. (2011). 2011 Cisco Annual Security Report. San Jose: Cisco.
Cisco. (2013). 2013 Cisco Annual Security Report. San Jose: Cisco.
Citrix. (2012). Best practices to make BYOD simple and secure - A guide to selecting technologies and developing policies for BYOD programs. Citrix.
Cocking, L. (2012, May 11). Mobile Device Sandboxing 101. Retrieved from Fixmo: http://fixmo.com/blog/2012/05/11/mobile-device-sandboxing-101
Computer History. (2013, March 12). 1979 - Computers. Retrieved from Computer History Museum: http://www.computerhistory.org/timeline/?year=1979
Cox, J. (2013, January 2). Technologies to watch 2013: Gigabit Wi-Fi. Retrieved from Network World: http://www.networkworld.com/news/2013/010312-outlook-gigabit-wifi-265254.html
Dell Sonicwall. (2013). IT security trends in 2013. Dell.
Dunn, D. (2005, June 20). The PC Replacement Decision. Retrieved from InformationWeek: http://www.informationweek.com/the-pc-replacement-decision/164900387
Faas, R. (2012, November 7). New trend in BYOD security: contain the data, not the device. Retrieved from CITEWorld: http://www.citeworld.com/mobile/21036/mobileiron-and-good-break-new-ground-secure-enterprise-containers-mobile-devices?page=0
Garlati, C. (2012, January 31). The Dark Side of BYOD – Privacy, Personal Data Loss and Device Seizure. Retrieved from Trend Micro: http://consumerization.trendmicro.com/consumerization-byod-privacy-personal-data-loss-and-device-seizure/
Gartner. (2008, May 28). Gartner Newsroom. Retrieved from Gartner Newsroom: http://www.gartner.com/newsroom/id/681107
Guerra, D. (2012, December 3). Bring your own device, but who owns your data? Retrieved from Exact Trak: http://www.exacttrak.com/bring-your-own-device-but-who-owns-your-data/
Harris, R. L. (2012, February 27). Lessons Learned from a Bring Your Own Device Project. Retrieved from Avena: http://www.avema.com/mobile_device_management_blog/byod/lessons-learned-from-a-bring-your-own-device-project/
Hou, O. (2012, July 20). A Look at Google Bouncer. Retrieved from TrendLabs: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-google-bouncer/
Jaquith, A. (2010, January 22). Own nothing – control everything: five patterns for securing data on devices you don’t own. Retrieved from ComputerWeekly.com: http://www.computerweekly.com/feature/Own-nothing-control-everything-five-patterns-for-securing-data-on-devices-you-dont-own
Kensington. (2011). Cost of Stolen or Lost Laptops, Tablets & Smart Phones. Retrieved from http://blog.kensington.com/wp-content/ktg/docs/m1_iphone_theft_banner.pdf
King, R. (2012, June 13). Forrester: 53% of employees use their own devices for work. Retrieved from ZDNet: http://www.zdnet.com/blog/btl/forrester-53-of-employees-use-their-own-devices-for-work/79886
KPMG. (2013, February). Special Edition: 2013 IT Spending Predictions Consensus. Retrieved from KPMG: http://www.kpmg.com/TR/tr/Issues-And-Insights/ArticlesPublications/Documents/2013-IT-Predictions-Consensus.pdf
Lui, S. (2012, December 6). BYOD can put companies in legal bind: analyst. Retrieved from ZDNet: http://www.zdnet.com/au/byod-can-put-companies-in-legal-bind-analyst-7000008396/
McAfee. (2011). Employee Use of Personal Devices - Managing risk by balancing privacy and security. Retrieved from McAfee: http://www.mcafee.com/us/resources/solution-briefs/sb-employee-use-of-personal-devices.pdf
Narisi, S. (2012, July 18). 7 ways BYOD could get you sued. Retrieved from IT Manager Daily: http://www.itmanagerdaily.com/byod-policy-legal-issues/
Navetta, D. (2012, March 28). The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device). Retrieved from Information Law Group: http://www.infolawgroup.com/2012/03/articles/byod/the-security-privacy-and-legal-implications-of-byod-bring-your-own-device/
nCircle. (2012). nCircle 2012 BYOD Security Trend Survey. nCircle.
NCSL. (2012, August 20). State Security Breach Notification Laws. Retrieved from National Conference of State Legislatures: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
NetMarketShare. (2013, January 01). Desktop Operating System Market Share. Retrieved from NetMarketShare: http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
NIST. (2001, September). SP800-30 Rev 1: Guide for Conducting Risk Assessments. Retrieved from NIST: http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf
PC World. (2010, May 27). Forrester report finds most data breaches are caused by employees. Retrieved from PC World: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html
Phneah, E. (2012, August 3). Mobile apps pose biggest threat. Retrieved from ZDNet: http://www.zdnet.com/mobile-apps-pose-biggest-threat-7000002093/
Phneah, E. (2013, February 04). Five security risks of moving data in BYOD era. Retrieved from ZDNet: http://www.zdnet.com/five-security-risks-of-moving-data-in-byod-era-7000010665/
Ponemon. (2010, January 25). Ponemon Study Shows the Cost of a Data Breach Continues to Increase. Retrieved from Ponemon Institute: http://www.ponemon.org/news-2/23
Ponemon, L. (2008, June 30). Airport Insecurity: The Case of Missing and Lost Laptops. Retrieved from Dell: http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf
Rains, J. (2012, March). Bring Your Own Device (BYOD): Hot or Not? Retrieved from HDI Research: https://news.citrixonline.com/wp-content/uploads/2012/04/BYOD-Hot-or-Not.pdf
Rasch, M. (2011, October 31). People vs. Diaz Fails to Consider Enterprise Data on Mobile Devices. Retrieved from CSC News: http://executiveviews.wordpress.com/2011/10/31/people-vs-diaz-fails-to-consider-enterprise-data-on-mobile-devices/
Rice, J. (2012, May 29). Bring Your Own Device to Work – The IT Dilemma. Retrieved from The Business Cloud Blog: http://blog.intermedia.net/2012/05/29/bring-your-own-device-to-work-the-it-dilemma/
Rowinski, D. (2013, January 8). Google Play Will Beat Apple App Store To 1,000,000 Apps. Retrieved from ReadWrite.com: http://readwrite.com/2013/01/08/google-play-to-hit-1-million-apps-before-apple-app-store
TechRepublic. (2013). The Executive’s Guide to BYOD and the Consumerization of IT. TechRepublic.
TechTarget. (2013, February 04). Definition: Disruptive Technology. Retrieved from WhatIs.com: http://whatis.techtarget.com/definition/disruptive-technology
TechTarget. (2013, February 21). Definition: Mobile Application Management (MAM). Retrieved from SearchConsumerization: http://searchconsumerization.techtarget.com/definition/mobile-application-management
The National Cyber-Security Advisory Council (CNCCS). (2011). SmartPhone Malware. Spain: Panda Security.
Walker, R. W. (2012, March 27). Negligent Employees Cause Most Data Breaches; Mobile Is Key Factor. Retrieved from AOL Government: http://gov.aol.com/2012/03/22/negligent-employees-cause-most-data-breaches-mobile-is-key-fact/
Websense. (2012). 2013 Security Predictions. Websense Security Labs.
Wikipedia. (2013, February 19). iOS Jailbreaking. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/IOS_jailbreaking
Williams, G. (2012, December 11). 2013 Tech Trends: The Hyper-Convergence Effect. Retrieved from Avanade Blog: http://www.avanade.com/blog/business-of-technology/2013-tech-trends-the-hyper-convergence-effect/
Zdziarski, J. (2012). Hacking and Securing iOS Applications. Sebastopol: O'Reilly Media Inc.