Guidestar Associates

Bring Your Own Device Mobile Security

Fredric Messing, Ph.D.

July 2012

Energized by the capability of consumer mobile devices, employees demanded them in the workplace. Information technology organizations had neither the time nor budget to satisfy employee demands. Enterprises align employee demands with technology organization limitations by establishing a bring-your-own-device policy and infrastructure enabling employee productivity and securing enterprise data and systems. Security controls the enterprise places on employee devices must respect employee privacy and must not impact personal activity or user experience. Enterprises with successful BYOD programs achieve higher employee productivity, higher employee retention, and lower information technology costs.


GuidestarAssociates.biz

301.529.8811


Bring-your-own-device

Launch of iPhone in June 2007 and iPad in April 2010 marked the beginning of a new era in consumer electronics. Global smartphone shipment volume reached 491.4 million units in 2011, up 61.3% from 304.7 million units shipped in 2010 [1]. Smartphones currently comprise over 50% of U.S. mobile handsets [2]. In April 2012, Gartner [3] forecast worldwide tablet sales of 118.9 million units in 2012, a 98% increase from 2011 sales of 60 million units. In late 2012 the tablet market may experience a growth spurt Gartner could not have forecast before Microsoft announced [4] in June 2012 the Surface tablet, based on the Windows 8 operating system.

Energized by the capability of these consumer mobile devices, employees demanded them in the workplace. IDC's 2011 worldwide survey [5] of over 3,000 information workers and business executives in nine countries concluded that 69% of information workers reported using smartphones and 13% use tablets for business purposes. Cisco Internet Business Solutions Group surveyed 600 enterprise information technology leaders from 18 industries [6] and concluded:

• 78% of U.S. white-collar employees use a mobile device for work purposes.
• 65% of white-collar workers in their organizations require mobile connectivity to do their jobs.
• 48% of knowledge workers telecommute at least once per week.

Employees who were not provided with enterprise mobile devices used their personal devices to access enterprise systems even when they were not authorized to do so. Employees who received enterprise mobile devices often experienced a range of frustrations. They wondered why they needed to carry around two functionally equivalent devices, such as an enterprise Blackberry and a personal iPhone. They wondered why the enterprise device was an obsolete version when their personal device was the latest version with the most advanced features. Others wondered why the enterprise forced them to use an iOS device when they much preferred an Android device. Faced with these frustrations, employees often used their personal device for business purposes when outside of the office.

Information technology organizations often had a completely different perspective. Platform standardization, including a pre-configured end point image, is an essential tool for managing procurement costs, operational costs, and security. Many enterprises lock down their devices, preventing any employee customization or installation. Even if they wanted to support the multitude of devices and operating systems, they had neither the time nor budget to design, test, and deploy images for every new product release. Upgrading users to the latest and most capable device was incompatible with technology refresh strategy and budget. Mixing personal and enterprise data on a device posed security, privacy, and compliance issues. Allowing employees complete freedom violated acceptable use principles and policy.

Inevitably, information technology organizations were overwhelmed by the tidal wave of consumer electronics. Forrester reports [7] that 59% of firms now officially support use of personally owned smartphones for business purposes. Consumerization of information technology has led enterprises to align employee demands with technology organization limitations by establishing a bring-your-own-device (BYOD) policy and infrastructure enabling employee productivity and securing enterprise data and systems. Roger Baker, Assistant Secretary for Information and Technology for the Department of Veterans Affairs, recently stated [8], “I think it’s possible we have issued our last contract to buy desktop computers … I can see the point at which the way you access the information you use to do your work is through a device that you have personally selected, you own and are authorized to bring to work.”

BYOD is implemented in three different models.

1) The enterprise purchases the device, pays for service, and permits the employee to use the device for personal purposes consistent with acceptable use policy. This is actually an attempt to avoid BYOD and is unlikely to satisfy most employee requirements.

2) The employee purchases the device and pays for service but is permitted to use the device for enterprise work. This is unlikely to meet enterprise security requirements without placing impediments to employee productivity.

3) The employee purchases the device and pays for service. The enterprise adds security controls to the device that protect enterprise data and systems, protect employee privacy, and permit complete freedom of use for personal purposes. This approach is generally accompanied by an enterprise stipend (fixed or tied to device purchase and service plan costs) in return for the benefit to the enterprise and the employee’s acceptance of security controls related to work use of the device.

User experience

User experience is one key to the success of consumer electronics. Consumer electronics were designed for ease of use. Application stores where individuals can purchase applications for only a few dollars enable each individual to customize the application space for their own interests and tastes. Browsers and email applications designed for consumer electronics are particularly important access tools for consumers. Successful BYOD programs must respect consumer application preferences. If employees access enterprise applications via a browser, the application must be configured to function properly with the employee-selected browser so he/she can use the same browser for personal and work purposes. The same principle applies to email.

Security controls the enterprise places on employee devices must not impact the user experience for personal activity. Employees must be able to access web sites (e.g., gambling) that would be inappropriate for access from an enterprise-provided device. Employees must be able to install applications that would be inappropriate for an enterprise device (e.g., games). The entire user experience, when the device is used for personal activities, must remain unchanged. To the maximum extent possible, users should be provided with a consistent experience for work and personal activity. In addition, employees must have the freedom to use any network access mode they choose. This includes wireless and wired private networks, public networks (e.g., restaurants, malls), and cell phone networks.

Employee privacy

Most enterprises subject employees to an acceptable use policy prohibiting activities inappropriate for the workplace, limiting or prohibiting personal use, and controlling device configuration. In addition, employees are informed that their activities may be monitored and recorded and that all data, including their email, are subject to enterprise access. BYOD policy must reverse these controls. Enterprises must not collect, and must have no access to, employee personal data (e.g., documents, photographs), private data [9] (also known as personally identifiable information), email or other messages, address books, or passwords. Enterprises must not access location tracking, Internet site history logs, phone call logs, or any other indicators of activity not explicitly related to work.

Access models

Four access models, listed in Exhibit 1, present a range of benefits and security challenges. The least popular model with smartphone and tablet users is the virtual desktop. In this model the enterprise-provided desktop is replicated on the employee’s personal device. This has a relatively low security challenge because both the data and applications are on a server in the enterprise data center, protocols are strictly controlled, and the network link is encrypted. The user experience mimics the desktop experience rather than the device experience. If the employee device is a desktop or laptop computer the employee should find the experience acceptable. If the device is a tablet or smartphone, employee acceptance will be low and the BYOD program will have minimal success.

Exhibit 1 Access models

Application            Native     Native     Browser    Virtual desktop
Data                   Local      Server     Server     Server
Security challenge     ****       ***        **         **
User experience        ****       ****       ***        *
Portability            *          *          ****       ****
Offline productivity   ****       -          -          -

(Stars rate each attribute from low (*) to high (****); "-" means not available.)

Second is the browser model. In this model the employee accesses all enterprise applications via the native browser. Because the data and applications remain on the enterprise server, the network link is encrypted, and access protocols are controlled, the security challenge is low and has probably already been addressed for mobile employees with enterprise-issued laptop computers. This model works well for applications that lend themselves to a browser interface. The user experience is poor for applications which, like email, have a high quality user experience with device-native applications. Browser and virtual desktop models are highly portable, requiring little or no effort for compatibility with multiple devices.

The two other models are based on native applications providing excellent user experience with either public or enterprise-developed applications. They are distinguished by data being located on enterprise servers or on the employee device. Portability is rated low because compatibility is required with the device operating system. This drawback is mitigated by the 98% market dominance [10] of the iOS and Android operating systems. Blackberry is projected to capture 1% of 2012 sales. Windows 8 will likely capture enough market share to require compatibility.


Employees may circumvent the security model by finding ways to capture enterprise data on their device for more convenient processing. The enterprise data is then protected only by whatever security controls the employee implements for his/her personal data. Recognizing this vulnerability, the best option is to address the security challenge of protecting enterprise data held locally on the employee device. This model has the additional advantage of enabling employee offline productivity in the absence of a network link.

Enterprise security

Most employees participating in BYOD programs recognize the need to protect enterprise systems and data. They are generally willing to accept what appear to them as reasonable security controls that do not excessively burden their personal use. Compliance with security controls depends on simplicity and convenience. To the extent that security controls do not restrict reasonable behavior or impose excessive or complex burdens, most employees will accept them in return for the benefits of using the device of their choice configured as they so desire.

Employees should be required to comply with an enterprise acceptable use policy. The policy should separately address use of enterprise devices (on or off enterprise networks), use of employee devices on enterprise networks, use of employee devices accessing enterprise systems or data over the Internet or on their device, and personal use of employee devices. Employees who use personal devices in the office over enterprise networks should expect to encounter filters preventing access to inappropriate sites and should only engage in activities appropriate to the work environment.

Typical BYOD security controls visible to the employee include strong passwords for identity authentication and device access control. After a period of inactivity employees are required to re-enter their password. Multiple failed access attempts may lock the device, requiring enterprise administrator unlock, and/or wipe (delete all) enterprise data. Many devices have the capability to share their Internet access with nearby devices by creating a wireless local area network. BYOD security controls typically disable this capability while enterprise data or networks are being accessed, to prevent access by unauthorized individuals or devices. Controls often prevent copying enterprise data to cloud storage or file sharing sites other than those provided by the enterprise or in the enterprise data center.

Most other security controls should be almost undetectable by employees. Enterprise data stored on the device is generally encrypted and may be stored in a separate container (partition). Connections to the enterprise network over the Internet are encrypted, creating a virtual private network (VPN) automatically established in the background when the employee initiates network access. Access privileges may be tiered based on the device. Employees may notice this if they are prohibited from accessing certain systems from outside the enterprise network or from personal devices. This policy should be the exception and not the default, to encourage employee compliance. Mobile application management may control which applications access enterprise data. Malware protection and firewalls are mandated. Enterprise data is wiped from lost devices, which may also be locked. Security scans assure that all controls are in place and prohibit access to enterprise data and systems if enterprise or manufacturer controls have been compromised [11] (tampered with or disabled).

BYOD access is generally initiated by self-service device registration at an enterprise portal. After employee identification and authentication based on credentials in the enterprise directory service, the employee supplies the device media access control (MAC) address, enabling the portal to identify the specific device and its type. If the device is an approved type, the employee authorizes the portal to install enterprise native applications and security controls. Employees typically have options including wiping personal data or geo-locating a lost device. Based on access control policy, privileges are established aligned with the user role, group, and device tier. With registration complete, the employee attains new dimensions of freedom and productivity in his/her work life.

The complexity of providing security to multiple operating systems and a rapidly evolving device environment led a number of vendors to develop enterprise mobile device management (MDM) systems. Some are offered as software for enterprises to install in their management environment and some are offered as cloud-based software services. Gartner [12] recently reviewed offerings by 20 MDM vendors and identified AirWatch, MobileIron, Fiberlink, Zenprise, and Good Technology as the leaders. They identified 40 additional vendors who offered some type of MDM capability but did not qualify for their review. With a high quality MDM system and well designed security and privacy policy, enterprises achieve high levels of employee compliance and effective protection of enterprise systems and data.
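The controls described above (registration by device type, failed-attempt lock and enterprise-data wipe, idle re-authentication, hotspot suppression during enterprise access, a compliance scan that denies access to compromised devices, and device-tiered privileges) reduce to a posture-based access decision. The following is an added example written for this page, not code from the paper or from any MDM vendor named in it. The thresholds (5 failed attempts to lock, 10 to wipe, 10 idle minutes), the approved platform set, the tier table, and the registry entries are all constructed assumptions; only the enterprise container is ever acted on, never personal data.

```python
"""Added example (not from the paper): evaluate a BYOD device's reported
posture against a registration record and decide access plus required
agent actions. All thresholds and sample records are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 5        # assumption: lock enterprise container after 5 failures
WIPE_FAILED_ATTEMPTS = 10      # assumption: wipe enterprise data (only) after 10
IDLE_LOCK_SECONDS = 600        # assumption: password re-entry after 10 idle minutes
APPROVED_PLATFORMS = {"ios", "android"}   # assumption for the example

# Device tiers (assumption): a higher tier reaches more enterprise systems.
TIER_SYSTEMS = {
    0: frozenset(),
    1: frozenset({"email", "intranet"}),
    2: frozenset({"email", "intranet", "hr", "finance"}),
}


@dataclass
class Registration:
    """Record created by self-service registration (constructed sample)."""
    user: str
    platform: str
    tier: int


@dataclass
class Posture:
    """Snapshot reported by the device agent's security scan."""
    mac: str
    compromised: bool           # jailbroken/rooted: manufacturer controls removed
    container_encrypted: bool   # enterprise data container is encrypted
    passcode_set: bool
    idle_seconds: int
    failed_attempts: int
    hotspot_on: bool            # device is sharing its Internet link as a WLAN


@dataclass
class Decision:
    allowed: bool
    systems: frozenset
    actions: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC used as the registry key."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate(posture: Posture, registry: Dict[str, Registration]) -> Decision:
    """Deny unless the device is registered, approved, uncompromised and
    protected; otherwise grant the registered tier and queue any actions."""
    deny = Decision(allowed=False, systems=TIER_SYSTEMS[0])
    reg = registry.get(normalize_mac(posture.mac))
    if reg is None:
        deny.reasons.append("device not registered")
        return deny
    if reg.platform not in APPROVED_PLATFORMS:
        deny.reasons.append(f"platform {reg.platform} not approved")
        return deny
    if posture.compromised:
        deny.reasons.append("manufacturer controls compromised")
        return deny
    if posture.failed_attempts >= WIPE_FAILED_ATTEMPTS:
        deny.reasons.append("too many failed unlock attempts")
        deny.actions.append("wipe_enterprise_data")
        return deny
    if posture.failed_attempts >= MAX_FAILED_ATTEMPTS:
        deny.reasons.append("container locked; administrator unlock required")
        deny.actions.append("lock_container")
        return deny
    if not (posture.passcode_set and posture.container_encrypted):
        deny.reasons.append("passcode and container encryption are mandatory")
        return deny

    ok = Decision(allowed=True, systems=TIER_SYSTEMS[reg.tier])
    if posture.idle_seconds >= IDLE_LOCK_SECONDS:
        ok.actions.append("prompt_password")
    if posture.hotspot_on:
        ok.actions.append("disable_hotspot")   # only while enterprise access is active
    return ok


# Constructed registry: MAC -> registration record.
REGISTRY = {
    "aa:bb:cc:dd:ee:01": Registration(user="alice", platform="ios", tier=2),
    "aa:bb:cc:dd:ee:02": Registration(user="bob", platform="android", tier=1),
    "aa:bb:cc:dd:ee:03": Registration(user="carol", platform="legacyos", tier=1),
}


def sample_posture(mac: str, **overrides) -> Posture:
    """A healthy baseline posture with optional field overrides."""
    base = dict(mac=mac, compromised=False, container_encrypted=True,
                passcode_set=True, idle_seconds=0, failed_attempts=0,
                hotspot_on=False)
    base.update(overrides)
    return Posture(**base)


if __name__ == "__main__":
    for p in (sample_posture("AA:BB:CC:DD:EE:01"),
              sample_posture("aa:bb:cc:dd:ee:01", idle_seconds=900, hotspot_on=True),
              sample_posture("aa:bb:cc:dd:ee:02", compromised=True),
              sample_posture("aa:bb:cc:dd:ee:99")):
        print(p.mac, evaluate(p, REGISTRY))
```

The MAC address is used here only as a lookup key that ties the scan to a registration record, as the paper describes; the employee's identity still comes from directory authentication, and the MAC is not treated as proof of anything. Denial reasons are kept separate from actions so the portal can show the employee why access failed without revealing what the wipe or lock logic keys on.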

Conclusion

The consumerization of information technology will result in most enterprises adopting a BYOD program. Successful BYOD programs enable employees to select their device and applications, use them as they please for personal purposes, enable access to enterprise systems and data, preserve user experience, respect and protect employee privacy, and unobtrusively deploy security controls. Information technology organizations need to size enterprise networks for BYOD employees, ensure high network availability, provide internal wireless networks for mobile devices, establish security and acceptable use policies, and implement MDM systems. Enterprises with successful BYOD programs achieve higher employee productivity, higher employee retention, and lower information technology costs. If they also implement telecommuting programs, they achieve additional productivity and retention gains, improved employee attendance, and facility cost reductions.

[1] IDC, Smartphone Market Hits All-Time Quarterly High Due To Seasonal Strength and Wider Variety of Offerings, www.idc.com, February 6, 2012.

[2] Kathryn Weldon, Bring Your Own Device - How to Protect Business Information and Empower Your Employees at the Same Time, www.currentanalysis.com, June 2012.

[3] Gartner, Gartner Says Worldwide Media Tablets Sales to Reach 119 Million Units in 2012, www.gartner.com, April 10, 2012.

[4] Microsoft News Center, Microsoft Announces Surface: New Family of PCs for Windows, www.microsoft.com, June 18, 2012.

[5] IDC, 2011 Consumerization of IT Study: Closing the “Consumerization Gap”, www.idc.com, July 2011.

[6] Cisco Internet Business Solutions Group, BYOD and Virtualization, www.cisco.com/ibsg, 2012.

[7] Forrester, Market Overview: On-Premises Mobile Device Management Solutions, Q3 2011, www.forrester.com, January 3, 2012.

[8] Kathleen Miller, “VA may stop buying desktop PCs”, The Washington Post, July 2, 2012.

[9] The Privacy Act of 1974 (as amended) defines private records as “any item, collection, or grouping of information about an individual … including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2012, defines personally identifiable information as “any information about an individual … including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

[10] Brooke Crothers, IDC forecast: iPad up, Android down, BlackBerry irrelevant, news.cnet.com, June 14, 2012.

[11] AirWatch, Enabling Bring Your Own Device (BYOD) in the Enterprise, www.airwatch.com, April 2012, states, “Devices that have been modified to remove security limitations imposed by manufacturers are known as ‘jailbroken’ or ‘rooted’ devices.”

[12] Gartner, Magic Quadrant for Mobile Device Management Software, www.gartner.com, May 17, 2012 (revised June 21, 2012).
