Guest Post: Shamoun Siddiqui, PhD, CISSP
Recent years have witnessed a veritable revolution brought about by the consumerization of Information Technology. At the heart of this consumerization is a trend generally known as “Bring Your Own Device” or BYOD. This refers to the increasing use of employee owned computing devices such as smartphones, tablets and laptops within a corporate environment, to connect to the company’s networks and its information assets.
The motivation behind BYOD is the self-sufficiency and expertise that employees now possess in the use of personal computing devices that are often technologically superior and more functional than the computers that a company’s IT department typically provides. Increased productivity, employee satisfaction and reduced IT expenses are generally listed as the benefits of a BYOD program.
Therefore, in just a few years, BYOD has suddenly exploded on the information technology and information security landscape in a manner heretofore unseen. Most information technology and information security conferences are simply overwhelmed by BYOD conversations and IT vendors are clamoring to develop new technologies or to force fit their existing solutions into this space.
Unfortunately, with all the hype surrounding BYOD and all the discussions and all the vendors claiming a silver bullet, there really isn’t a solution that by itself offers a true BYOD environment for anything other than a very simple enterprise. Here is the problem: employee owned devices can include smartphones and tablets running a couple of versions of iOS, multiple revisions of Android and a few variations of Windows, etc. They may even include personal BlackBerrys with their own OS releases. They certainly include Windows laptops and Apple Macs with multiple versions of the operating systems. Within a corporate network, these devices may need access to Exchange services (email and calendar) as well as SharePoint, file servers, internal websites and, of course, business applications.
Finding a solution that encompasses all of these varieties of devices and the combination of resources is a challenge, to say the least. Certainly, BlackBerry is an outlier at this time and stands on its own. There are efforts underway to allow it to be managed alongside other heterogeneous devices, but for now the proprietary nature of the BlackBerry Enterprise Server limits its incorporation. So let’s leave BlackBerrys aside for now and focus on a strategy for the generic Android, Windows Mobile and iOS devices.
For most organizations, the challenge centers around managing the proliferation of employee owned smartphones and tablets that are being used, for the most part, to access the company’s Exchange environment via ActiveSync. The connectivity, in general, is through a 3G or 4G cellular network even while on campus. This “invisible network” adds to the burden on the network (Exchange servers for example) and therefore adds to the IT operational costs.
Increasingly, employees with personal devices are asking for connectivity to the corporate wireless network. After all, they have wireless Internet access at home, at Starbucks, in hotels and in other public places. Why is it that they cannot have wireless Internet access for their personal devices when they are at work? This seems like a valid request. The problem is that most corporate wireless networks may not have been designed with enough capacity to handle the additional load. Adding wireless capacity to provide an enhanced user experience for employees’ personal devices may not be at the top of the CIO’s list of priorities.
From a security perspective, the single biggest concern around employee owned devices in a corporate environment centers around data leakage. The presence of company data on non-company devices may violate customer or client contractual requirements and even local laws. Furthermore, in the event of a breach and an ensuing forensic investigation, the chain of custody could extend to the employee owned devices and to the employee’s home resulting in significant costs to the company.
It is, therefore, obvious that in order to mitigate some of these risks, technology solutions are required. Luckily there are multiple options available to address specific areas of concern.
The first in the series is a Mobile Device Management (MDM) solution. An MDM solution focuses on devices with a “mobile operating system”, i.e., primarily smartphones and tablets. It is designed to recognize the various flavors of mobile operating systems, the associated devices and the service providers, and to enforce a consistent set of configurations and policies. MDM can allow the deployment of a large number of mobile devices in a secure manner and monitor their use centrally.
The ability to detect jailbroken devices and the presence of potential malware ensures that non-corporate devices cannot harm the company’s network or its information assets. One of the crucial features of an MDM solution is the ability to selectively remove data from a mobile device. Without an MDM solution, a mobile device connecting to corporate email via ActiveSync is subject to a complete wipe in the event the employee separates from the company. This could result in the employee losing all of their personal data, including applications, contacts, family photos, etc. MDM allows the surgical removal of only the company applications and associated data.
Here is a brief summary of what to look for in a typical MDM solution:
- User device enrollment / registration
- Certificate based device authentication
- Policy enforcement (PIN/password policy, screen timeout, jailbreak check, application inventory/blacklisting, remote wipe, etc.)
- Containerization of company applications and data
- Encryption of the container
The first three items are security centric while the latter two are privacy and compliance centric. Containerization allows company data to be stored and accessed separately from personal information. This facilitates the remote removal of this container when an employee leaves the company. Encryption of this container ensures that the company data is protected at all times and also provides a safe harbor from breach notifications and customer contractual requirements.
Currently, most MDM technologies (with their focus on devices with mobile operating systems) do not allow the management of employee owned laptops and Macs. For a true BYOD environment, laptops and Macs must be accounted for. This is where Network Access Control (NAC) comes in.
NAC goes as far back as 2003 and is making the rounds these days in its second or third incarnation, having failed to deliver on its much hyped earlier promises. The modern NAC appears to be elegant and far more functional than its predecessors. Properly implemented, a NAC solution would allow the intelligent determination of employee vs. corporate assets, whether on the wire or on a WiFi network, and then, based on the health or categorization of the connecting device, determine the level of access to be granted.
During the mid-2000s the primary focus of NAC was to provide a mechanism for guest access (vendors, consultants, contractors, etc., wired or wireless). This requirement may still exist for most organizations. However, now the added consideration is around employees and their personal laptops and Macs. For the most part, the three large categorizations are:
- Employees with corporate assets
- Employees with personal assets
- Non-employees with non-corporate assets
NAC provides the ability to distinguish between these classes of users (and more) and then based on defined policies, provides a certain level of access and services over the wire or over the corporate wireless network.
As may be obvious from the above discussions, MDM and NAC focus on the device side of the equation. Both technologies are designed to control devices on the network and to enforce policies. Both technologies are agnostic of the data being accessed or processed by the end points.
This is where Data Loss Prevention (DLP) comes in. For most organizations that store or process large amounts of consumer or client personal information or credit card information, it is essential that the data flow be tracked. Even with an MDM and/or a NAC solution in place, it would be crucial to know if Personally Identifiable Information (PII), Payment Card Industry (PCI) Data, Protected Health Information (PHI) or other sensitive information is moving to an end point that is not a corporate asset and to be able to control or prevent the flow of such information. State and Federal laws and, increasingly, client and customer mandates, are discouraging the storage of sensitive information on non-company assets.
In situations where this is not controlled, the loss or theft of a device containing sensitive consumer or client information could necessitate breach notifications or credit monitoring services in accordance with the local laws. This could be a very costly exercise for most companies.
Therefore, for companies with strong data privacy needs, it is crucial that a technology based solution be implemented to monitor the flow and storage of sensitive information on non-corporate end points.
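The post’s point that MDM and NAC see only the device while DLP sees the data can be sketched as one small policy engine: a NAC-style classification of the endpoint into the three classes listed above, a content check for PCI and PII, and a decision that allows sensitive data only onto healthy corporate assets. This is an added illustration, not code from the post or from any vendor product; the Endpoint attributes, the allow/block outcomes and the sample messages are constructed, and the detectors are deliberately minimal (a Luhn check on 16-digit runs and a US-SSN-shaped pattern).

```python
import re
from dataclasses import dataclass

# Three endpoint classes from the post (the names are this example's own).
CORPORATE, PERSONAL, GUEST = "corporate", "personal", "guest"

@dataclass
class Endpoint:
    user_is_employee: bool
    device_is_corporate_asset: bool  # e.g. proven by a device certificate
    passed_health_check: bool        # e.g. jailbreak / malware check passed

def classify_endpoint(ep: Endpoint) -> str:
    """NAC-style categorization into the post's three classes."""
    if ep.user_is_employee and ep.device_is_corporate_asset:
        return CORPORATE
    return PERSONAL if ep.user_is_employee else GUEST

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random 16-digit runs out of PCI matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN shape (minimal, assumed)

def find_sensitive(text: str) -> set:
    """Return the data classes (PCI, PII) detected in an outbound message."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("PCI")
    if SSN_RE.search(text):
        found.add("PII")
    return found

def dlp_decision(text: str, ep: Endpoint) -> str:
    """Allow sensitive data only onto healthy corporate assets; block elsewhere."""
    if not find_sensitive(text):
        return "allow"
    if classify_endpoint(ep) == CORPORATE and ep.passed_health_check:
        return "allow"
    return "block"
```

A message carrying a valid-looking card number is blocked for an employee’s personal tablet but allowed for a healthy corporate laptop; a 16-digit order number that fails the Luhn check is not treated as PCI data at all.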
Data Loss Prevention technologies have become fairly mature over the past few years and there are several very strong commercial offerings that are highly effective in monitoring and controlling SMTP, HTTP/S and FTP traffic flowing inside and across the company’s perimeter.
There is already some DLP integration available at the MDM and NAC levels and at least one major vendor seems to be offering a marriage of DLP with MDM. However, it is only a matter of time before these technologies merge together seamlessly.
Finally, we come to Virtual Desktop Infrastructure (VDI). VDI could be considered the one possible silver bullet for a true BYOD strategy from a data loss perspective. Virtual desktops are the only mechanism by which the end point can be completely decoupled from the corporate networks thereby eliminating any concerns around the risk profile of the end-point and data storage and leakage from a non-corporate asset.
Obviously VDI is not without its own challenges although some of the more recent incarnations of VDI appear to be highly functional as well as easily manageable and deployable. Virtually any device can be now used to connect to the virtual desktop infrastructure and the state of a user’s desktop environment can be maintained between sessions and even between devices.
The state can even be “downloaded” onto the end point so that work can be done offline. The state is a self-contained and encrypted container that does not allow information to cross over to the user’s personal space on the device. When network connectivity is established, the “state” is synced with the corporate systems, all changes are uploaded and the local container is wiped out.
As attractive as VDI can be for a true BYOD environment, for most organizations it may be a dream beyond reach. VDI can require some significant capital dollars initially and the ongoing operational expenses may not offset any savings that result from allowing employees to bring in their own devices. Furthermore, a virtual desktop infrastructure may require a different breed of administrators to support end users, resulting in additional costs due to education and training. A CIO looking for a return on investment (ROI) may not be able to justify this expense.
In conclusion, a true Bring Your Own Device (BYOD) initiative would require that several complementary technologies be implemented concurrently to address each of the disparate requirements. If the intent is just to rationalize the unmanaged proliferation of employee owned mobile devices, then a suitable MDM solution would suffice. If there is a need to manage vendor and guest access and to allow wired/wireless access from non-corporate laptops/Macintosh computers, then a NAC solution may be required. If the company stores, processes or transmits PCI data, PII or PHI, etc., then a DLP solution may be a mandatory requirement. If device agnostic access to corporate networks and applications is required from a multitude of employee owned devices, then a Virtual Desktop Infrastructure may be the only answer.
The industry appears to be recognizing these challenges and vendors appear to be complementing their core functionalities with some of these supplementary technologies. At least one major player in this space appears to be offering a limited marriage of their MDM solution with their DLP offering. Others are catching up as well. The space is maturing very rapidly. Whether we wait or implement one or more of these technologies now, we can be sure that in the coming months and years we will see single vendor solutions that will start to encompass all of these moving parts.
Shamoun Siddiqui, PhD, CISSP is the Director of Information Security at Sabre, Inc in Southlake, Texas.