So, you are the CSO, CIO or CISO of an organization that is embracing BYOD (Bring Your Own device) for its flexibility and efficiency benefits, but you have that nagging worry about what this means to the security and compliance needs of the enterprise. Your instincts are correct. Keep an eye out for the following five major pitfalls in BYOD policy building:
Pitfall #1: “BYOD doesn't mean bring ANY device… right?”
Many companies launch BYOD programs and allow devices that can't be easily protected. Some versions of Android and iOS devices don't have enough built-in security for compliance and data protection. Setting minimum OS version thresholds for users to bring in their own devices for work is a baseline requirement to protect corporate data and apps running on them. When a mobile device is compromised, you cannot safely allow it to connect to the corporate network and it could expose the organization to malware and virus attacks.
You should require upgrading to the latest Android version before allowing corporate network access. This can help mitigate more than three-fourths of existing Android malware threats. To simplify management, you may need to restrict the types of devices supported by the BYOD program, so that you don’t end up spinning your wheels trying to support an outdated phone.
Pitfall #2: Lax User Access Control Policies
Authentication and access control mechanisms have been around since the mainframe days and have evolved through shifts to mobile devices. Carelessness of the user who leaves the device open without a password in a public place can compromise sensitive business information. Sometimes the users are not savvy enough to grant only the minimum necessary permissions to applications added to the mobile device, exposing stored business data on the device to unauthorized access.
Stronger authentication must be encouraged by managing and enforcing password policies. Two-factor authentication should be required before access to corporate networks. User profiles with access rights and restrictions need to be defined using the principle of least privilege. Processes should be put in place for catching exceptions, alerting management upon violations and automatic remediation.
Pitfall #3: Public Wi-Fi and Lack of Data Protection
Public Wi-Fi is dangerous business because your communications are not protected. Standard configuration settings will need to be enforced for enterprise access, including the use of an encrypted network and data access only via VPN and secure HTTPS sessions.
To protect your data, you need to encrypt sensitive information with strong keys as soon as it is acquired, so there is no data traffic in the clear. Data at rest in storage, servers and devices as well as data on the wire (and over the air) should remain encrypted as it is used, stored or moved and eventually decrypted only by the intended receiver.
Pitfall #4: Using the Same Policy for Work and Home
The mobile security policies need to be sufficient to protect sensitive information, ensure productivity and meet compliance requirements. For example, the ability to define time and location windows with access restrictions, including what apps can be run and what apps cannot be run within the boundaries gives you tighter control. For example, your employee might be a wizard at Angry Birds at home, but within business hours, the device would not be able to access that app, keeping the focus on work-related productivity.
Then you can use geo-fencing to monitor and enforce location-based access and usage policies at work locations. You’ll want to make sure that the GPS and location tracking features persist within geo-fence boundaries even when a user turns GPS off.
You need the visibility to track where devices are, where they’ve been, and where they are going at any point in time and have the capability to remotely lock and wipe content, apps and passwords on lost or stolen devices.
Without continuous monitoring, following up on exceptions and alerts, and automated or manual remediation actions, policy compliance can’t be achieved. Are dashboards being monitored? Are reports being generated and reviewed by appropriate personnel? Are alerts being simply ignored? Do you have exception handling, remediation, escalation and audit processes in place? With strong policies, monitoring and enforcement, you can detect and stop misuse, respond to violations and compliance issues and quickly remediate.
Pitfall #5: Ignoring Apps Data and Usage
If you have sensitive data, you need a private enterprise app store for managing your internally developed custom apps, and customized apps that you buy from ISVs and cloud service providers. You should also take control of apps – pushing mandatory apps, blacklisting rogue or time-wasting apps, and whitelisting recommended apps that employees can easily discover and use.
Don’t ignore usage. Usage monitoring, threshold-based alerts and analytics can help uncover misuse, security exposures and prevent cost overruns due to excessive data bandwidth usage or unexpected international roaming charges. After policy threshold levels are set up, you can alert users upon exceptions and monitor patterns to forestall security breaches or attacks.