Feature Article: Bring Your Own Device (BYOD) to Work…and the risk management steps every CIO should know
By Rick Dakin, CEO and Chief Security Strategist, Richard Fleeman, Senior Consultant, and Rick Link, Director - Coalfire
Ready or not, mobile devices will enter your workplace. The use of smartphones and tablets has accelerated to the point where every consumer or employee has one and will use it with or without guidance from their employer. What are the short-term and long-term risk mitigation steps that every CIO should know?
Short Term Steps - The first step in the process is to connect with your workforce. The short-term risk mitigation steps require cooperation between system users and data owners. Even so, these risk mitigation steps may not allow every organization to achieve its security objectives or maintain regulatory compliance. However, the following steps should help organizations avoid claims of negligence.
- Conduct a risk assessment for each critical data source and application. Understand the mobile risk on the server side and restrict access to mobile devices accordingly.
- Select a matrix of controls to mitigate risk on mobile devices and the server side of the connection.
- Publish mobile device policies that include the following baseline controls:
  - Require that user access credentials be entered prior to accessing enterprise applications and data.
  - Require devices to be registered with the organization, with permission granted to remotely wipe the device if it is lost or stolen.
  - Prohibit the device from being jailbroken or rooted, to reduce the risk of vulnerabilities and prohibited applications.
  - Periodically inspect the devices for unauthorized settings and applications. If these exist, restore the device to the default settings or prohibit access.
- Enforce configuration and security policies via an MDM or other configuration policy manager to protect corporate data. These configuration settings should include:
  - Enforcing complex passwords on the mobile device.
  - Enforcing only secure connectivity via Wi-Fi WPA2, SSL, certificates, or VPN.
  - Enforcing use of corporate credentials where possible via LDAP, Active Directory, etc.
  - Enforcing a data retention policy for corporate data, i.e. shared files, email, etc.
  - Locking down device capabilities while accessing corporate network resources, including disabling Bluetooth, unprotected Wi-Fi, the built-in camera, etc.
  - Enforcing audit logging on the mobile device where applicable.
- Enhance system monitoring for those systems that allow mobile access. The monitoring should be tuned to collect the date and time of access, the individual accessing the data, and the types of data accessed, if possible. This monitoring will be essential to avoid a data breach notification upon loss of a device, as well as to monitor rogue access by a device user.
- Update Incident Response Plans to accommodate event analysis for a stolen device, defined incident declaration, and investigation procedures to determine the potential for data loss. (This step may require hiring a third party to perform device forensics or analysis of stored data from server logs.)
- Implement an awareness campaign and train your employees on the risks of using mobile devices in the workplace (malware, appropriate vs. inappropriate use, etc.).
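As an added illustration of the monitoring and incident-response steps above (this is example code, not part of the original article): given access records from a mobile-facing server that capture the date and time, the user, the device and the data classification, plus the device registry, the script scopes which resources a lost device touched after the loss was reported and flags unregistered devices and credential/device mismatches. The log format, registry layout and all sample values are constructed for the example.

```python
from datetime import datetime
from collections import defaultdict

# Constructed device registry, per the "register devices" policy above.
# lost_at is when the user reported the device lost or stolen, or None.
DEVICE_REGISTRY = {
    "dev-1001": {"user": "alice", "lost_at": None},
    "dev-1002": {"user": "bob", "lost_at": "2012-03-02T09:15:00"},
}

# Constructed log lines from a mobile-facing application server:
# timestamp | user | device id | resource | data classification
ACCESS_LOG = """\
2012-03-01T08:02:11|alice|dev-1001|/crm/accounts/42|confidential
2012-03-02T08:40:05|bob|dev-1002|/mail/inbox|internal
2012-03-02T10:03:27|bob|dev-1002|/hr/payroll/2012-02.xlsx|restricted
2012-03-02T10:05:02|bob|dev-1002|/crm/accounts/17|confidential
2012-03-02T11:20:45|carol|dev-9999|/crm/accounts/42|confidential
2012-03-02T12:00:00|dave|dev-1001|/mail/inbox|internal
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, dev, resource, cls = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": dev, "resource": resource, "class": cls})
    return events

def triage(events, registry):
    """Split events into post-loss, unregistered-device and user-mismatch."""
    post_loss, unregistered, mismatch = [], [], []
    for ev in events:
        entry = registry.get(ev["device"])
        if entry is None:            # device never registered: block/investigate
            unregistered.append(ev)
            continue
        if entry["user"] != ev["user"]:   # someone else's credentials on this device
            mismatch.append(ev)
        lost_at = entry["lost_at"]
        if lost_at and ev["ts"] >= datetime.fromisoformat(lost_at):
            post_loss.append(ev)     # accessed after the loss was reported
    return post_loss, unregistered, mismatch

def exposure_summary(post_loss):
    """Count resources touched after the loss report, by classification."""
    counts = defaultdict(int)
    for ev in post_loss:
        counts[ev["class"]] += 1
    return dict(counts)
```

The post-loss list is the record an incident declaration needs: which classifications were reachable from the device between the loss and the remote wipe.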
Long Term Steps - In the not so distant future, new mobile platforms like Android V4.0 and even the next version of Apple’s iOS will have security features built into the mobile devices. Just like the President can securely access data and communicate on his mobile device, users should be able to securely communicate with business colleagues, partners and clients. While these capabilities are only months away, application integration into new platform features may still be years away from implementation. Design features that should be considered when authorizing user access in the future are:
- Use only the encrypted chip integrated into each mobile device to store sensitive data and conduct transactions (this is the new wallet feature that will be deployed in Android 4.0 and the new iPhone).
- Use the system ID from the encrypted chip as a token to establish two-factor authentication prior to allowing access to sensitive data and critical systems.
- Require all stored data to be purged after a set number of hours to ensure critical files are not replicated on mobile devices.
- Implement and track application inventory, block or blacklist prohibited applications, and/or whitelist approved applications for use on mobile devices with access to corporate resources.
- Implement a cloud solution for storage of corporate data via mobile platforms.
- Continue to monitor and update the awareness campaign for employees. Ensure they understand their responsibility and educate them about any new risks for mobile device usage in the workplace.
While current controls may not be adequate to fully secure mobile devices, specific risk mitigation steps will dramatically reduce claims of negligence in allowing mobile access to sensitive data and critical systems. In the near future, organizations should carefully consider a migration to “SECURE and VALIDATED” cloud services as a replacement for current enterprise applications. Much like the migration of federal systems to the cloud is being managed by a FedRAMP program, where security will be tested and validated by third parties prior to authorizing the migration, each commercial entity should work with its internal development teams and vendors to develop secure mobile applications that leverage the new security features designed into the next generation of mobile devices.