There’s an
accelerating trend in the workplace raising new challenges for today’s CIO: the
bring your own device (BYOD) revolution. The use and acceptance of mobile
devices in the workplace is a critical issue that many chief executives are
considering for their corporate environment. A BYOD strategy enables an
employee to use a single device with the flexibility and usability they prefer,
while providing access to both their personal and business applications and
data. There are also potential cost
savings for the enterprise as the employee may bear the cost of the device and
the ongoing mobile access plan.An
enterprise should consider the extent to which BYOD will be embraced, and the
challenges BYOD presents as a part of an enterprise’s overall mobile security
management strategy.
Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware and challenges will likely only intensify as the number of mobile devices and operating systems proliferate.Another option is that the employer can provide employees with a mobile device hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the Pros and Cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.
Benefits/Obstacles | Bring Your Own | Corporate Provided |
Pros |
|
|
Cons |
|
|
As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.
Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A“health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:
When determining the desired approach, it is critical for an organization to understand the specific use casesand incorporate key business drivers andobjectives.This will allow the enterprise to determine if the primary objectives from a mobile security perspective are device, or data centric or a combination of both for their BYOD program.
Device Centric | Data Centric |
Mobile device management (MDM) | Minimal device data footprint |
Strict device policy enforcement | Communications encryption |
Local data encryption | Virtualization |
A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:
- MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
- Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)
A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:
- Minimizing local data storage on the device reduces the risk associated with device loss or theft
- Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
- Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
- Accessing corporate data from mobile devices introduces the need for data integrity controls
For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to.Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined.A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined.If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.
About the Writer:
| Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area.He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense. |
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.Deloitte shall not be responsible for any loss sustained by any person who relies on this document.
About DeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/aboutfor a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please seewww.deloitte.com/us/aboutfor a detailed description of the legal structure of Deloitte LLP and its subsidiaries.Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2013
Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited