Bring your own devices (BYOD) is a new trend
of permitting employees to bring
personally owned mobile devices (smartphones,
tablets and laptops) to the workplace and use
those devices to access, store or create
The rapid rise of mobile devices and their
introduction to the workplace bring new
security and operational issues to companies.
More productive employees
24/7 access to the company’s email and information
stored in the company’s servers.
Higher morale among employees because they can
use the technology that they want and not what the
Low or no cost to the company
Hardware is bought and maintained by the employee
Sometimes carrier call and internet costs are also
paid by the employees
Advantage of new technology
Software acquisition to manage mobile devices
Develop policies and procedures
Service (Carriers) cost
Not full control of the device
BYOD and Regulations
Protect private data
Encrypt emails and data
On the device
On the transmission
Remote management of devices
Controls to access data and
Malware and threats protection
Explicit approval of authorization to use the
Authentication (two factor authentication)
Comprehensive list of devices (make and
model) and OS (iOS, Android, Windows, RIM)
List of personnel with access to these devices
Labeling of devices with owner information
Transmission security (SSL/TLS, IPsec)
Mobile Devices and personal/confidential data are heavily regulated in some industries.
Not recommended, or have a lot of aspirin at hand. A violation of any regulation carries
a fine (up to 1.5 million per violation under HIPAA). (Other regulations: GLBA, HITECH, SOX)
Lost or stolen devices
The very best advantage of mobile devices is their
worst enemy. Mobile devices are small, compact and
…. Yes, MOBILE. Lost or stolen devices are the
pinnacle of BYOD threats.
Rogue apps can extract contact information and
data from mobile devices.
Even if you only allow authorized apps, a scan of a QR
code can download an app.
Attackers can connect mobile devices to open
wireless access points and start scanning your
BackTrack (and now Kali) have ARM versions that
can be installed and used on mobile devices.
Apps should be sandboxed. Only allow authorized
applications on devices that store company data.
Rogue apps are entryways of malware infections.
Jailbroken/Rooted Devices
People tend to crave power and control.
One of the first things they do with a mobile device is
jailbreak or root it. This opens a new window of
threats. Access by rogue applications (and
users!) to the root account could be
dangerous to the company’s data.
Such a plethora of mobile devices exists, with different models and OSes, that
chaos could erupt at any moment.
List of all devices allowed access to the company and prepare a periodical
Look for unauthorized devices on your network
Mobile Device Management
Mobile expense control (downloads, roaming and international costs)
Remotely locate, lock and wipe lost devices
Security control checks
Automatically wipe company data
Look for solutions that support different OSes.
Notification to users
SMS before wiping, exceeding data or service plan limit
Personal data segregation
Photos, email, calendar, call logs, voicemail, texts
Protect entryways to Corporation
Firewall rules checked and double checked!
Secure wireless access points
Single recurrent error
Quarantine unauthorized devices
Bulk enrollment or single enrollment
Authentication with Active Directory
Reason for authorization
Devices allowed on company infrastructure
Data services or personal plan (Stipend)
What data the employee can access with the device
Help desk services to personal device
Agreement between employee and company
Education of employees on the risks associated with BYOD
Training of encryption application and communication
Not every “C”-level employee knows about encryption and
First things first: I'm NOT a lawyer
Legal issues may arise
If the employee is a suspect in an internal
investigation, can I take possession of the mobile
device for analysis?
May the employee be held accountable for any access
from the mobile device if he/she lost it?
BYOD is here to stay
Prepare an analysis of the pros and cons of the
implementation of BYOD in your company
Regulate the use of BYOD
Training programs for employees
Ángel L. Trinidad