In writing this, we assume that your organization does not already use third party solutions for managing user-owned end points, such as mobile device management (MDM) or mobile application management (MAM) services. Those may (or may not) replace some of the activities suggested here and alleviate some of the reliance on users, for example when it comes to initiating a remote wipe of your organization’s data on the device in case it is lost.
BYOD may not be limited to smart phones and tablets. You might be contemplating letting users bring their private laptops to work as well. This blog entry focuses primarily on mobile devices, but apart from the examples provided, the principles laid out here apply to full-fledged PCs as well.
What Are the Risks?
The management of user-owned devices in your IT ecosystem should be informed by an assessment of the threats to organizational assets facilitated by the presence of those devices, and the likelihood and magnitude of potential damage that might be caused if those threats materialize. If your organization is already dealing with company-issued devices, a risk assessment for user-owned devices will likely look similar, with some nuances and adapted countermeasures based on the fact that the organization does not have complete control (nor governance) over these devices. This fact may also lead to a different set of residual risks. The results of this kind of analysis will allow you to make informed decisions about the level of security measures you may want to implement.
An example of a question that a risk assessment would help answer in a more qualified fashion than just operating based on gut feeling would be: Are you happy to rely on the password/PIN barrier implemented by the operating system of a (particular type of) device in order to protect organizational assets, or do you need to take into account that your organization’s adversaries might have the resources and motivation to circumvent that protection, warranting the need for additional protection measures?
How To Get a Grip on User-Owned Mobile Devices?
You will need to augment your security management system with policies and procedures to clearly spell out under which circumstances and for which purpose employees are allowed to use their own mobile devices to access your systems and networks, and what is expected of them in return for that privilege.
Since the company does not own the device, it is important to assert the organization’s authority over certain aspects of its management in order to address situations like an employee leaving the company, losing their device, or your monitoring efforts indicating that their device may have been compromised. For example, you cannot just initiate a remote wipe of the device in case it is lost, because you don’t have access to the user’s credentials required for this. (And for reasons of privacy protection and liability, you probably don’t want to have that access, either.) This requires clear upfront communication about expectations, and – to the extent possible – some sort of legally binding consent.
As discussed above, the configuration settings an organization prescribes for user-owned devices and the incident response procedures involving those devices should be based on threat modeling and risk management.
Clear Communication is Key
Depending on the outcome of your risk assessment, expectations that should be addressed with your users and that they should sign off on might include things like:
- Adhering to configuration standards mandated by the organization (for example, not jail-breaking the device, setting a non-trivial PIN for access to the device, applying operating system patches in a timely manner, and not providing access to the device to family members or other third parties).
- Making the device available for configuration audits at the request of the organization.
- (Manually) removing any organization-owned data from the device upon ending employment with the company.
- Promptly reporting the loss of the device to the organization so that access to corporate accounts can be reset.
- Initiating the remote wipe function for the device at the request of the organization, if the device is lost or stolen.
- Handing over the device for forensic investigation at the request of the organization. (This also means you need to have a plan in place on how to deal with the user’s private data and personally identifiable information when investigating such a device.)
- Making the device available for discovery purposes in legal affairs, if requested by the organization.
- Installing organization-mandated software on the device. (For example, a VPN client or malware scanner.)
- Etc. Your mileage may vary.
Also note that getting into legal arguments over a user's device is probably not going to help you resolve a security incident involving that device in a short-term fashion. Educating users upfront about the potential need for their cooperation seems like a more efficient use of resources.
More Thoughts on Best Practice
A likely result to come out of your analysis is that you probably want to limit the amount of organizational data on the user’s device as far as possible, with or without making tradeoffs to usability based on the risks you are looking at. It is easy to disable VPN access to your network for a lost device. It is much harder to purge copies of trade secrets from a device that is lost, even more so if you didn’t own that device in the first place. Do your users really need access to all of that CRM data while their device is not connected to the CRM server?
This leads to a related task that is crucial: creating an inventory of the (types of) corporate data that might be located on a user’s device. Email, company directories, calendar entries, documents with sensitive information, etc. For one, if you don’t know which of your information assets might end up on those devices, your risk assessment might end up being incomplete. It will also be harder to remind users of the types of data they have to delete from their device when leaving the organization, to assess the potential damage of a data compromise on someone's device (how many credit card numbers!?! ;-)), etc.
It should also be best practice to keep mobile devices from connecting directly to your internal network. Provide a separate wireless network and require devices to establish a VPN connection if they want to access internal resources. This allows more fine-grained control over the resources that can be accessed by those devices, and keeps unauthorized devices and/or users out of the corporate network.
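As an added illustration of the segmentation described above (an example written for this post, not part of the original), the following nftables ruleset isolates a dedicated BYOD wireless segment so that internal resources are reachable only through the VPN. The interface name wlan_byod, the segment 10.50.0.0/24, the VPN gateway 192.0.2.10 on UDP 1194 and the RFC 1918 ranges used as "internal" are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: keep a BYOD wireless segment off the internal network.
# Devices on this segment may reach the VPN gateway and the internet; any
# attempt to reach internal address space directly is logged and dropped.
# Interface names and addresses are assumptions for illustration.
define byod_if  = "wlan_byod"
define byod_net = 10.50.0.0/24
define internal = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
define vpn_gw   = 192.0.2.10
define vpn_port = 1194

table inet byod {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Only traffic entering from the BYOD segment is subject to this policy
        iifname $byod_if jump from_byod
    }

    chain from_byod {
        # Replies to flows the device already opened (VPN, internet)
        ct state established,related accept

        # Assumed: the segment is IPv4-only; drop IPv6 rather than leave an
        # unfiltered path into the organization
        meta nfproto ipv6 drop

        # Packets with a source address outside the segment are spoofed
        ip saddr != $byod_net counter drop

        # 1. The VPN tunnel endpoint is the only way into the organization
        ip daddr $vpn_gw udp dport $vpn_port accept

        # 2. Everything else aimed at internal address space is a policy
        #    violation worth a log line for your monitoring
        ip daddr $internal log prefix "byod-to-internal " counter drop

        # 3. Plain internet access is allowed; corporate data is not out there
        accept
    }
}
```

The log prefix gives your monitoring a simple, high-signal indicator of devices that try to bypass the VPN requirement.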
It is important that BYOD policies and procedures are based on proper risk management. You can implement best practice policies found on the Interwebs (and this blog) as much as you like, but some of them might be overkill depending on your particular situation, and the summary of all of them might still not address a particular threat that only your organization is exposed to. Or maybe you don’t trust end points at all, and there’s not much you have to care about here anyway. ;-)
Clear communication with users about responsibilities imposed on them in return for letting them access organizational assets with their privately owned devices is key. Users need to buy into the organization having a stake in their beloved smart phone or tablet in order for you to be able to protect organizational assets properly.
Sorting all of these things out in advance is most certainly an advantage over having to deal with them in hindsight while trying to deal with a breach that may have occurred through a user-owned device on your network.
Further Reading
cio.com: How BYOD Puts Everyone at Legal Risk
2013-11-22: Edited to add the "Further Reading" section.