BYOD: New Guidance on a Big Issue
By Ted Smillie, Montrose Computer Services, on Monday, September 2nd, 2013
Featured in QESP Newsletter Volume 25, Issue 1 - ISSN 1325-2070
Bring Your Own Device (BYOD) mobile devices are currently a big issue for CIOs and ICT Security Professionals, both in Government and in the private sector. The US National Institute of Standards and Technology (NIST) has just weighed in with some help in its June 2013 Special Publication, Guidelines for Managing the Security of Mobile Devices in the Enterprise.[i]
Why is BYOD such a big issue? A recent Cisco partner network survey, BYOD Insights[ii], gives some answers:
- 9 in 10 Americans use their smartphones for work
- 40% don’t password protect their smartphones
- 51% of Americans connect to unsecured wireless networks on their smartphone
- 52% disable Bluetooth discoverable mode
Of course that survey was in the US. How would Australia compare? Probably worse, judging by an April 23, 2013 Haptic Generation report, How Australians Engage With Smartphones and Tablets[iii], which notes that:
- There are 30.2 million mobile services in Australia
- More than half of Australians are forecast to have a tablet by 2016
- 12% of Australian web traffic is via mobile devices
- 43% use smartphone to find product reviews before making a purchase decision
- Australians are leading the world in smartphone adoption
- Australian mobile ad spending is forecast to rise by 65% this year
- Mobile ads are noticed by 87% of smartphone users
- 54% of Australians have already engaged with advertising on a mobile phone
Specific BYOD issues which have been discussed recently by industry gurus include:
- The BYOD privacy problem: Employee suspicion and resentment of organisational BYOD policies which expose personal data to organisational scrutiny
- Loss or theft of BYOD devices
- What to do when BYOD staff leave or are laid off
- Mandatory BYOD, where the employment contract requires staff to buy a personal device and use it for work. A May 2013 CIO Magazine article, Mandatory BYOD Heading Your Way[iv], notes that “Half of employers will require employees to supply their own device for work purposes by 2017, says a Gartner survey of CIOs” and “Already, BYOD experts are anticipating a flood of employee lawsuits over privacy and overtime.”
Industry articles and blogs have been suggesting ways of dealing with the BYOD issue. A good example is the InfoWorld blog The Squeaky Wheel by Brian Katz, who in a June 03, 2013 blog, The right way to manage BYOD[v], suggested that a tiered access approach to information assets is the key to effective mobile security. Brian says that the real way to handle BYOD is to move to managed BYOD (MBYOD), which means “building a tiered system for access to your corporate ecosystem. You create your tiered system of access, then associate different devices with each level of access. The final piece is to publicize this system to everyone in the company.”
How does that advice stack up against the NIST recommendations? In general, it aligns with the NIST guidance that
- Organizations should have a mobile device security policy
- Organizations should develop system threat models for mobile devices and the resources that are accessed through the mobile devices
- Organizations deploying mobile devices should consider the merits of each provided security service, determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services
In Section 2.2, High-Level Threats and Vulnerabilities, the Guidelines list the major security concerns for these technologies that would be included in most mobile device threat models. For example:
Section 2.2.1, Lack of Physical Security Controls, notes that “when planning mobile device security policies and controls, organizations should assume that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization’s remote resources.
The mitigation strategy for this is layered. One layer involves requiring authentication before gaining access to the mobile device or the organization’s resources accessible through the device… A second mitigation layer involves protecting sensitive data… Finally, another layer of mitigation involves user training and awareness, to reduce the frequency of insecure physical security practices.”
Section 3, Technologies for Mobile Device Management, gives an overview of the current state of centralized mobile device management technologies, focusing on the technologies’ components, architectures, and capabilities.
Section 4, Security for the Enterprise Mobile Device Solution Life Cycle, explains how the concepts presented in the previous sections of the guide should be incorporated throughout the entire life cycle of enterprise mobile device solutions, involving everything from policy to operations.
The Appendices provide useful references to supporting NIST SP 800-53 Security Controls and Publications and to other Resources, including Mobile Device Security-Related Checklist Sites.
The NIST Publication notes that most organizations do not need all of the possible security services provided by mobile device solutions. Categories of services to be considered include the following:
- General policy: enforcing enterprise security policies on the mobile device, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring, detecting, and reporting when policy violations occur.
- Data communication and storage: supporting strongly encrypted data communications and data storage, wiping the device before reissuing it, and remotely wiping the device if it is lost or stolen and is at risk of having its data recovered by an untrusted party.
- User and device authentication: requiring device authentication and/or other authentication before accessing organization resources, resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices suspected of being left unlocked in an unsecured location.
- Applications: restricting which app stores may be used and which applications may be installed, restricting the permissions assigned to each application, installing and updating applications, restricting the use of synchronization services, verifying digital signatures on applications, and distributing the organization’s applications from a dedicated mobile application store.
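The tiered access model that Brian Katz describes and the NIST service categories above fit together naturally: the MDM solution reports each device’s posture (passcode, encryption, auto-lock, remote wipe enrolment, app sources), and the organisation decides which access tier that posture earns. The following is an added illustration, not code from the article, from Brian Katz or from the NIST Guidelines; the tier names, the checks assigned to each tier and the five-minute auto-lock threshold are assumptions chosen for the example, and the device records are constructed.

```python
"""Tiered BYOD access decision from reported device posture.

Added example (not from the QESP article or NIST SP 800-124): maps a
device's security posture to an access tier in the spirit of 'managed
BYOD'. Each tier requires every check of the tiers below it plus its
own, so a single failed check caps the device at the tier beneath.
Tier names, checks and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """What a hypothetical MDM agent reports about one device (constructed)."""
    device_id: str
    passcode_set: bool
    storage_encrypted: bool
    idle_lock_seconds: int        # 0 means the device never auto-locks
    remote_wipe_enrolled: bool
    app_sources: list             # e.g. ["enterprise-store", "sideloaded"]
    bluetooth_discoverable: bool
    os_patched: bool


# Lowest to highest; "none" is the fallback when the first tier's checks fail.
TIERS = ("none", "email-only", "internal-apps", "sensitive-data")

# Assumed policy: (check name, predicate) pairs per tier, cumulative upward.
REQUIREMENTS = {
    "email-only": [
        ("passcode set", lambda p: p.passcode_set),
        ("idle auto-lock within 5 minutes", lambda p: 0 < p.idle_lock_seconds <= 300),
        ("remote wipe enrolled", lambda p: p.remote_wipe_enrolled),
    ],
    "internal-apps": [
        ("storage encrypted", lambda p: p.storage_encrypted),
        ("OS patched", lambda p: p.os_patched),
        ("Bluetooth not discoverable", lambda p: not p.bluetooth_discoverable),
    ],
    "sensitive-data": [
        ("apps only from enterprise store",
         lambda p: set(p.app_sources) <= {"enterprise-store"}),
    ],
}


def failed_checks(posture):
    """Return {tier: [failed check names]} so a user can see what to fix."""
    return {tier: [name for name, ok in checks if not ok(posture)]
            for tier, checks in REQUIREMENTS.items()}


def access_tier(posture):
    """Highest tier whose own checks and all lower tiers' checks pass."""
    granted = "none"
    for tier in TIERS[1:]:
        if any(not ok(posture) for _, ok in REQUIREMENTS[tier]):
            break
        granted = tier
    return granted


def fleet_report(fleet):
    """Count how many devices fail each check (policy-violation reporting)."""
    counts = {}
    for posture in fleet:
        for names in failed_checks(posture).values():
            for name in names:
                counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample fleet covering each outcome.
SAMPLE_FLEET = [
    DevicePosture("d1", True, True, 120, True, ["enterprise-store"], False, True),
    DevicePosture("d2", False, False, 0, False, ["public-store", "sideloaded"], True, False),
    DevicePosture("d3", True, True, 300, True, ["enterprise-store"], True, True),
    DevicePosture("d4", True, True, 60, True, ["enterprise-store", "sideloaded"], False, True),
]

if __name__ == "__main__":
    for device in SAMPLE_FLEET:
        print(device.device_id, "->", access_tier(device), failed_checks(device))
    print("fleet violations:", fleet_report(SAMPLE_FLEET))
```

Running the block prints each device’s tier together with the checks it failed, followed by a fleet-wide count per check; the per-check count is the kind of figure the Cisco survey reports (devices without a passcode, devices left discoverable) and is what an MDM’s “monitoring, detecting, and reporting” service would feed to the security manager. The cumulative design means a device missing a basic control such as a passcode never reaches a higher tier no matter how well it scores elsewhere.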
Mind you, the above are only a few of the points from the Executive Summary of the NIST Guidelines. The Publication is intended for Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and security managers, engineers, administrators, and others who are responsible for planning, implementing, and maintaining the security of mobile devices. It assumes that readers have a basic understanding of mobile device technologies and enterprise security principles.
The NIST Guidelines apply to both organization-provided and BYOD mobile devices. (Laptops are out of scope, as are mobile devices with minimal computing capability, such as basic cell phones.) The Guidelines give recommendations on selecting, implementing, and using centralized management technologies. They also explain the security concerns inherent in mobile device use and give recommendations for securing mobile devices throughout their life cycles.
So while the NIST Guidelines are a welcome addition to our Knowledge Base on BYOD and the security of mobile devices in general, they may be a bit “over the top” for the small to medium organisation or even for some Government Departments. In the next issue of the Newsletter we look at some specific examples of how the Australian government and private sector are handling the BYOD and security of mobile devices issues.
Ted is Managing Director, Montrose Computer Services Pty Limited, established in 1994. Ted is current QESP Chairman, former National Chairman, Software Quality Association (SQA), former ASMA/SQA NSW Chairman and in 2006 was awarded the Australian ITP Lifetime Achievement Award for services to the IT Industry. Ted’s specialties are Software Process Improvement, Software Project Management, Software Quality Assurance & Testing and Software Risk Management. Ted has project managed numerous IT process improvement and certification programs and is a qualified ISO 9001, ISO 20000 and ISO 27001 lead auditor. He has run many training courses in Australia and overseas and has consulted to a wide range of clients, including Australia Post, Australian Quarantine & Inspection Service, Optus, RailCorp NSW and RTA NSW.