The world knows that BYOD trend is here to stay. And enterprises must embrace it. Like any other technology, BYOD is not without its usual hype and is an evolving.
BYOD also implies BYOR, Bring Your Own Risks. Enterprises around the world continue to struggle to protect their information assets through consistent application of security policies even on devices owned by them. Business requirements, end user experience, employee friendly policies, operational overheads tend to override security risks especially when resources are hard to come-by.
Such approaches are not risk-based but risk-accepted approaches, which means inconsistent and flexible implementation of policies and other controls. A risk-accepted approach leaves more holes unless enterprises keep a tab on them and re-assess their exposure and strategic position on the accepted risks.
Maintaining control over enterprise-owned devices is a must to be able to ward off potential threats and evaluate BYOD risks constantly. A BYOD brings in an additional attack surface and a vector, which is growing in size in terms of likelihood of threats and impact from such threats. Just multiply threats by the number of BYODs. Bringing One’s Own Risks is very well over and above other risks enterprises have been trying to stay ahead of. BYODs pose a huge security challenge, no doubt.
There are a few steps, which even small enterprises can take, provided the infrastructure supports.
1. Control access to corporate information resources through domain authentication
2. Create a VLAN (Virtual Local Area Network) for BYODs and make use of ACLs (Access Control List) as an additional layer in Network Defense
3. Allowing BYODs of different types definitely requires a wireless network, one more layer in your Defense
a. So, have the users authenticate themselves
b. Implement wireless encryption
c. Enforce a tight network access & security policy through the Wireless Access Controller
d. Make use of DHCP (Dynamic Host Control Protocol) to allow only policy-permitted IP addresses
e. Should you decide to go a bit further, make use of MAC address of BYODs
f. If you have a PKI infrastructure, client authentication of BYODs is possible with a little but worthwhile overhead
4. Email infrastructure such as an on-premise Microsoft Exchange or an Office365 infrastructure can help enforce an MDM (Mobile Device Management) capabilities through a mailbox policy
a. Limit retention of emails, most used application on most BYOD
b. Limit email attachment sizes
c. Require a password to access the phone
d. Enforce encryption on device storage as well as removable storage cards
e. Be in the know by keeping a tab on all devices that connect to your Email application and a few more controls
5. When a BYOD is within a corporation, one can subject them to the scrutiny by the network firewalls, IPS/IDS (Intrusion Prevention/Detection System) and leveraging on web content screening and filtering (Uniform Resource Locator).
Many BYODs are just used like a personal mobile Internet browsing shops inside an enterprise. In India, there is a regulation for such shops to keep a record of the users.
- Thiruvadinathan A. is Director of Security & Compliance at Happiest Minds Technologies