Securing an IT environment is hard enough when administrators have full control over the hardware on a network, but a BYOD program can exacerbate that challenge. Organizations must devise BYOD security strategies and use the right tools when they allow employees to use their own devices to access critical data and applications.
Bring your own device (BYOD) and bring your own PC (BYOPC) policies can open enterprises to a host of security threats. Personal devices may convey malware to corporate networks. Confidential company information can be downloaded to smartphones that end up lost or stolen. A strategic plan or customer data could be streamed from a server to an executive's tablet over an unsecured connection at some coffee shop.
To realize the benefits of BYOD, such as flexibility and cost savings, you'll have to secure data at rest on employee-owned tablets and smartphones. You'll also have to protect data in transit to and from those devices. But first, you need to clearly define and enforce minimum BYOD security requirements for personal devices used for business activities.
Here are some strategies and tools for managing data security and maintaining regulatory compliance within a BYOD or BYOPC workplace.
Protecting confidentiality, integrity and availability
Data security encompasses three broad types of protection: confidentiality, integrity and availability. When company data is copied to personal devices, it should not sacrifice any of these.
Protecting confidentiality is about preventing data leaks. A BYOD policy should include a data classification scheme that identifies the categories of data that cannot be copied to a personal device or may be copied in limited cases. For example, new product designs or emerging intellectual property might be considered too valuable to risk on any device other than company-controlled hardware.
Similarly, while it may be acceptable to have small amounts of customer, client or patient data on an employee-owned tablet, be sure there is a plausible business justification for copying large numbers of customer records to a personal device.
Users can easily download large amounts of data to personal laptops or desktops with hundreds of gigabytes of storage. In a BYOPC environment, consider using data loss prevention applications to block the transfer of large amounts of confidential information. Keeping smaller amounts of storage on tablets and phones reduces mobile device security risks but does not eliminate those risks.
More on BYOD security
BYOD FAQ: Answers to IT's burning questions about BYOD
BYOPC support: How to troubleshoot before issues emerge
Roles and responsibilities should drive the limits on data. A salesperson has a reasonable need for information about clients in his territory. A marketing analyst will likely need data from numerous customers, but does not need in-depth data about every customer.
BYOD security practices should also address physical security. Personal devices storing company data should be secured to prevent theft when not in use. Data devices, such as USB thumb drives, that contain company information should not be used for nonbusiness purposes or shared with others.
Lost or stolen devices are a top concern. Require that screens be locked with passwords or another authentication mechanism. Use mobile device management systems that support remote wiping of lost or stolen devices. Personal laptops and mobile devices should use encryption to mitigate the risk of a data leak if they are lost or stolen.
Protect data integrity by reducing the chance of tampering. Screen locking is just the first step in this effort. Smartphones and laptops should be password protected. Employees should not store passwords to business applications in browsers on personal devices, especially if the devices could be shared with someone else.
When a laptop or desktop is shared among multiple users, each user should have his own account. Access controls should protect business data stored on the file system from being copied, altered or deleted by a user other than the employee.
Tampering isn't always malicious. Just think of the last time you saw a frustrated parent pass a tablet to a child to get the youngster to pass some time quietly by reading or playing a game. What if that tablet was still logged into the parent's business email? Include controls such as inactivity timeouts in your policies to mitigate the risk of unintentional tampering.
IT must also prevent malicious software on personal devices from interfering with business applications, data or networks. PCs and personal devices might not be affected in the same way by malicious content, but attackers could use BYOD as a vector for introducing malicious content to networks.
When a personal laptop or desktop connects to a virtual private network, it should be scanned to ensure that the operating system is a supported version and sufficiently updated. Scans should also determine if antimalware apps and personal firewalls are installed.
Make sure content that is uploaded from personal devices is scanned for malware. Malware developers have become adept at hiding their payloads from signature-based detection. IT should also use behavior-based detection methods, which analyze what a program does.
About the Author
Dan Sullivan, holds a master's degree in computer science, and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence.