[BreachExchange] 3 options for securing BYOD data
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Dec 14 19:04:12 EST 2017
https://www.csoonline.com/article/3242151/byod/3-options-for-securing-byod-
data.html
In today’s mobile, cloud-first world, organizations are allowing
unprecedented levels of work to be completed from outside of the office.
Employees and employers both benefit from the flexibility and efficiency
that arises when workers can perform their duties from coffee shops,
airports, their homes, and more. As such, providing employees with the
ability to work remotely is an excellent way to attract and retain a
talented, productive team.
The devices and security measures used throughout an organization play a
significant role in enabling safe, efficient remote work. Unfortunately, it
can be quite challenging to determine which devices should be granted
access to corporate data. IT teams need to consider how device policies and
security solutions affect user efficiency, user privacy, and the security
of corporate data.
Unsurprisingly, the rising popularity of bring your own device (BYOD) has
complicated the challenge of enabling secure remote work. A personal device
that is used for professional and personal activities has access to the
corporate network and the user’s personal apps – increasing the likelihood
that corporate data can be accessed by unauthorized users or infected with
malware. The workforce’s myriad of smartphones, tablets, and wearables
represents an entry point for cyber threats that leverage devices to target
corporate data.
To secure mobile and BYOD, IT can choose from a wide variety of mobile
security and data management solutions. However, the large number of
options can be overwhelming. As such, organizations should consider the
below solutions when selecting a mobile security strategy.
1. Locking down devices: agent-based mobile device management (MDM)
Mobile device management (MDM) solutions are generally favored by large
enterprises seeking to enforce security policies across a large number of
corporate-owned devices. Typically, MDM solutions require software to be
installed on all employee assets. This enables all devices to be centrally
managed by IT administrators who implement features such as password
protection, remote data wiping, the rejection of unsafe WLAN networks, and
more.
However, a major problem can occur with MDM if the mobile environment is
heterogeneous, or contains disparate mobile devices and operating systems.
Within these diverse environments, device management functions are often
unavailable for some of the assets on the network. Because heterogeneous
mobile systems are difficult to secure with MDM, it’s necessary for
organizations to involve employees at an early stage of onboarding and
implementation. This helps organizations to assess if the MDM solution
supports all employee workflows and if deployment will be excessively
challenging for certain devices.
While agent-based MDM solutions can secure corporate-owned devices, they
lead to privacy challenges when deployed on BYO assets. These solutions can
allow companies to reset device settings, identify device locations, and
collect information about device usage and user internet habits. When these
capabilities are used on personal devices, it is often seen as an
unacceptable intrusion into users’ private lives. As a result, many
employees refuse having any kind of security software installed on their
phones or tablets, creating substantial challenges for enterprise security.
2. From the device to the application: mobile application management (MAM)
Unlike MDM, mobile application management (MAM) focuses on securing
company-provided applications that house sensitive data. Where BYOD is
allowed, MAM is occasionally used to secure mobile data access; for
example, when a traveling salesperson uses a corporate app on her or his
personal phone to access customer relationship management (CRM) systems. To
ensure that application data is sufficiently protected, company mobile apps
are centrally managed by security administrators or IT personnel.
Despite the above, MAM has multiple limitations. While MAM can govern a
number of corporate applications, it does not cover popular cloud apps like
Gmail, Dropbox and Slack. Like agent-based MDM solutions, deploying MAM
requires the installation of software on employee devices. Additionally, as
the solution does not provide device management functionality, a usage
policy must also be installed on each device. Finally, MAM provides no
assistance with detecting or blocking shadow IT.
3. Honing in on data: agentless mobile security
Fortunately for the enterprise, mobile security solutions can protect data
without requiring anything to be installed on employee devices. Despite
their agentless approach, these solutions can still provide MDM functions
like data loss prevention and remote wiping of company data from even BYO
devices. They also offer data encryption that can be extended to all
popular cloud apps including G Suite, Office 365, and Salesforce. This
means that sensitive data is secure regardless of the app in which it is
stored or the device through which it is accessed.
Through agentless solutions, security administrators can govern device
access without the installation of intrusive software. As a result, they
offer rapid deployment and alleviate users’ privacy concerns about
employers accessing their personal information. In light of the above,
these solutions are often adopted by businesses seeking to secure corporate
cloud data as it is accessed by a variety of devices. With the growing
popularity of cloud services and BYOD, the proliferation of agentless
solutions will continue to increase.
Identify specific requirements
Organizations need to consider a variety of factors when selecting a mobile
security strategy. First, IT administrators need to compile an exhaustive
list of governmental regulations relevant to their firms. From there, they
must ensure that deployment will not be impeded by users who want to keep
their personal data private. In light of escalating BYOD trends,
organizations should also identify the devices and operating systems in
use, as well as the mobile applications employees need. Determining whether
a security solution should be bolstered by legal agreements is another
important consideration. Finally, all stakeholders need a voice in the
decision-making process in order to ensure the adoption of a mobile
security solution that is fair and effective for all.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171214/5998614a/attachment.html>
More information about the BreachExchange
mailing list