[BreachExchange] Three options for securing data in BYOD

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 7 19:45:33 EDT 2017


http://www.idgconnect.com/blog-abstract/27763/three-options-securing-byod

Mobile working is an increasingly important factor in the attraction of new
talent and the retention of experienced employees. Workers value having the
freedom to work flexibly – at home, while travelling or outside normal
working hours – and the ability to tailor working arrangements to suit
their needs. Although mobile working is now an essential part of the
enterprise infrastructure, many IT leaders will admit that selecting a
mobile strategy for the enterprise is no easy task. IT teams must balance
the productivity and privacy needs of the workforce with the security
needs of corporate data.

The mobile security challenges have been exacerbated in recent years by the
rapid uptake of BYOD. These unmanaged or employee-owned devices require
access to corporate data, but this increases the risk of sensitive data
being leaked, especially if a device is lost or stolen. A further
vulnerability is that BYOD devices represent a potential entry point for
introducing viruses and malware to the rest of a corporate network.

Faced with a range of mobile and data management solutions on the market
today, IT leaders can quickly lose track of what’s important – and what’s
not – when mapping out their mobile security strategy.

ONE - The classic: agent-based Mobile Device Management (MDM)

Typically favoured by big companies looking to enforce company policies
across a large number of mobile devices, MDM solutions install software in
the form of a mobile agent on all devices so that they can be managed
centrally by the IT department. Functions such as password protection,
remote data wiping and the rejection of unsafe WLAN networks are all
handled via a central administration interface.

Difficulties can arise with MDM if the device landscape to be managed is
heterogeneous – in other words, if the system is required to cope with a
large number of differing mobile operating systems. For example, some
management functions may not be available for all device types. These
systems are also notoriously complex to implement, so organisations will
need to involve employees at an early stage to ensure that the planned
solution adequately supports their workflows and assess whether the
on-going administration requirements will overstretch IT resources in the
long term.

Employee privacy is a further important consideration. MDM software gives
the company’s IT department wide-ranging access rights, which can lead to
user acceptance problems. Employees may regard the company’s right to reset
device settings, identify their location, or potentially harvest
information on their device usage and internet habits as an unacceptable
intrusion into their private lives and may therefore refuse to have the
software installed on their own devices.

With no software installed, it’s likely that an enterprise will simply ban
the employee from working on their personal device. For this reason,
agent-based MDM solutions work best for companies that provide staff with
corporate-owned devices. When considering using these solutions as part of
a BYOD strategy, organisations will need to hold discussions with the
workforce and explain functions and access rights in detail.

TWO - From the device to the application: Mobile Application Management (MAM)

In contrast to MDM, MAM puts the focus on protecting company-provided
applications. MAM is used primarily in the context of BYOD to support the
everyday needs of workers, for example a sales person who wants to access
email or in-house CRM systems when out in the field. In order to shore up
data security, certain company applications are made available for mobile
use and are managed centrally by the IT team. Similarly to agent-based MDM
solutions, MAM requires software to be installed on users’ devices. This is
because, if a device is lost, the agent is the only way these solutions
can remotely wipe business data.

MAM solutions have some limitations, particularly around clamping down on
shadow IT. MAM is only available for specific applications; it does not
cover popular cloud applications like Gmail, Dropbox and Slack.
Furthermore, to ensure adequate data protection, a usage policy must be put
in place because MAM does not provide any device management functionality.

THREE - Homing in on data: Agentless Mobile Security

Developments in cloud-based security tools have given rise to a new set of
mobile security solutions that can protect data directly without the need
for an agent on the employee’s device. Encryption of sensitive data can be
extended to all popular cloud apps such as G Suite, Office 365, Slack and
Salesforce, which means that data is secure regardless of what application
an employee is accessing via their personal device.

While both managed and unmanaged devices still need central oversight by
the IT team, this can be done without installing management software or an
agent on each and every end device. In this sense, these
solutions are “agentless”. In practice, this means that the rollout time is
much faster and users are less concerned about the enterprise having full
access to their personal information.

These solutions can still offer all MDM functions, including data loss
prevention and remote wiping of company data. Such agentless solutions are
suitable for businesses specifically worried about access to cloud
applications from personal devices. The increasing popularity of cloud
services means the number of agentless solutions looks set to rise;
analysts at Gartner predicted in 2015 that more than half of BYOD users
that have an MDM agent on their device will be managed by an agentless
solution by 2018.

Identify specific requirements

There are a number of factors to be taken into account when assessing a
mobile security strategy and the importance of specific factors will vary
depending on the type of business. Before deciding on a particular mobile
management solution, a comprehensive requirements profile should first be
produced. Key requirements to consider are sector and company-specific
compliance rules. The next step is to make sure that implementation will
not be limited by practical problems – that is, by end users not wanting
their privacy to be invaded.

Specifically, for BYOD, it will be important to establish what devices and
operating systems employees are using and identify what applications they
need on a mobile basis. Finally, it will be necessary to decide whether the
solution needs to be backed up by legal agreements. In order to come up
with an effective solution, all stakeholders will need to be involved in
the decision-making process.