Best practices for BYOD security

Hormazd Romer, Accellion

January 2014 Computer Fraud & Security

IT revolutions tend to be double-edged swords. There are always benefits – increased computing power or mobility or ease-of-use or some exciting combination of features that might have seemed unimaginable just a few years earlier. Inevitably, however, these new features and benefits also bring new difficulties and risks.

For IT security teams, the new risks typically include security vulnerabilities. Attackers are quick to exploit design flaws or architectural weaknesses that can be used to steal data, sabotage networks or siphon funds. Over time, vendors and customers discover these flaws and weaknesses – usually the hard way, by discovering that they have been exploited – and fix them. Until the new technology matures, security teams find themselves racing to patch vulnerabilities, educate users, fine-tune processes, and deploy new security solutions tailor-made for the post-revolutionary world.

For enterprise mobile computing, the race to contain new threats is definitely on. The Bring Your Own Device (BYOD) revolution has swept enterprises of all kinds. In organisations as diverse as law firms and manufacturers, employees are buying their own mobile devices such as smartphones and tablets and using them for work.

Employees are not just bringing a single device to work, either. A recent survey by iPass found that the average mobile worker now carries 3.5 mobile devices, which might include smartphones, laptops, and tablets. Employees may have purchased some or all of those devices themselves.

Recognising that employees love their Android phones, iPhones and iPads, and won't leave them home, a majority of organisations have formally adopted BYOD policies. Employees can now store business data and do work on their own mobile devices, rather than just on those officially provisioned by their company. What does this mean for the teams and administrators responsible for network security?

New security risks

To assess the risks of BYOD computing, we need to consider everything from data contamination to user habits to the activities of criminal syndicates. Let's start with the device itself.

Security as an afterthought: Consumer devices such as iPads were not designed with rigorous data security in mind. Most mobile devices either lack advanced security features or have them disabled by default. Even basic features such as screen locks are turned off, and most users leave them that way.

Data contamination: Today, an employee's vacation photos are likely to reside on a smartphone or tablet that the employee also uses for work. The photos and other content share storage space with confidential business data. Never before has personal data mixed so freely and casually with business information. This combining of data introduces new risks to the enterprise. Through carelessly configured back-ups or file copies, personal content might accidentally end up on corporate file servers. Worse, personal files that contain malware might spread to business files and from the mobile device to internal file servers and other enterprise assets.

New forms of malware: New forms of malware targeting mobile devices are on the rise. IBM predicts that mobile malware will grow 15% annually for the next few years. Hackers and criminal syndicates realise that most mobile devices are less secure than more traditional devices such as laptops. They have begun targeting mobile devices for attacks ranging from mischievous pranks to advanced persistent threats that stealthily copy internal data over many months, transmitting it to remote control centres around the world.

Phishing attacks that slip past network defences: Many employees routinely catch up on email and work during evenings and weekends, and when they do, they typically use smartphones or tablets. Realising that most of these devices lack AV software and that most email and web traffic accessed remotely bypasses inspection by firewalls and gateways, attackers are now designing phishing attacks and other email exploits to be triggered during non-business hours.

And the attacks are working. Malware that would have been caught by network defences in the office on Monday afternoon is able to install itself on the mobile device of an employee working remotely on Friday night. Once installed, keyloggers and other malware
can feed attackers valuable information for launching more damaging attacks against file servers, email servers, and other internal assets.

Lost devices: On average, a cellphone is lost in the US every 3.5 seconds.[1] Even if a lost smartphone or tablet does not contain confidential data, it still might include apps or cached credentials that make it easier for criminals to infiltrate an enterprise network. As workers begin carrying more devices, the likelihood of them losing devices only increases.

Risky file sharing: A mobile device without data is of limited use. To ensure all their devices have the files they need, employees often try out one or more file-sharing services, including free but risky file-sharing apps that run on public clouds. Unfortunately, these services, though popular, are usually not secure enough to be trusted with enterprise data. For example, the popular service Dropbox accidentally disabled all password protection on all its customers' accounts for four hours in 2012. Having originally been designed for consumers, these services usually lack the centralised control and monitoring features that large enterprises and government agencies need for security and compliance.

In addition, many public cloud file-sharing services also pose legal risks to a company's claim to own and control its data. For example, the terms of use for Google Drive, Google's free file-sharing service, begin by stating that users retain the intellectual copyright for the ideas in the content they store. But the terms of service go on to say that by using the service, customers grant Google and its partners the right to reproduce and modify any uploaded data in order to operate, promote, or improve Google services:

"When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps)."[2]

Understandably, most enterprises would be reluctant to surrender control of their data to Google under such sweeping terms simply for the convenience of free file-sharing and collaboration.

Best practices

Fortunately, new security solutions are available to help organisations protect their mobile content and networks. To make the most of these solutions, it's important for security teams to focus their attention on just what it is they are securing. Ultimately, what is more important for enterprise security: protecting an ever-changing collection of mobile devices, or protecting enterprise data itself, regardless of the device?

Mobile Device Management (MDM) solutions focus on securing devices. They help organisations provision mobile devices and maintain Access Control Lists (ACLs) of devices permitted to access the network.

MDM solutions have two shortcomings. First, they typically lack detailed controls for securing individual files. As their name implies, their focus is on devices, rather than on individual files, which might require access rights that vary by user and even by device.

Second, the pool of devices being used by employees is in constant flux. By focusing on device security, IT organisations depending on MDM platforms for security often find themselves with an endless to-do list of moves, adds and changes.

Taking a different approach to MDM, Mobile Content Management (MCM) is a new class of mobile security solution that focuses on securing content, wherever it is located. To protect content stored on or being transmitted to or from mobile devices, MCM solutions provide secure software 'containers'. These containers shield confidential data from unauthorised access and malware infection. Even if other files on the device do become infected with malware, the files within the container remain safe. IT departments can configure and control these secure containers remotely, so if a device is lost or stolen, administrators can quickly disable access rights for all files in that container on the device.

With a secure MCM solution in place, here are six best practices for protecting confidential data on mobile devices.

1. Choose a solution that protects all confidential files on all devices

Organisations should select an MCM solution that works with whatever mobile devices employees are carrying, so that no device is unprotected, no matter what OS it's running. At a bare minimum, the solution should support Android, BlackBerry, iOS, and perhaps Windows Phone.

2. Centralise access control and monitoring

Centralised monitoring allows network administrators and security officers to monitor the distribution of files and to detect anomalous behaviour before it leads to data breaches. Centralised monitoring and logging are essential capabilities for organisations that need to comply with industry IT regulations such as Sarbanes-Oxley (SOX) or the Health
Insurance Portability and Availability Act of 1996 (HIPAA).

To comply with HIPAA, for example, healthcare organisations (HCOs) in the US must be able to demonstrate that they can monitor and control the distribution of all files containing Patient Health Information (PHI) – healthcare records that could be used to identify specific patients. If files are distributed over a public cloud service such as Dropbox, the HCO's IT and security teams will lack any way to monitor the distribution of files. On the contrary, confidential patient data could be easily replicated or distributed broadly, and the HCO would never know until the data breach was exposed, probably resulting in regulatory censure and other penalties.

By using an MCM rather than a public cloud service, the HCO's IT and security teams can ensure that the distribution and storage of PHI adheres to industry regulations and policies.

3. Connect to SharePoint and other important services

Most enterprises and government agencies have invested in ECM systems such as SharePoint. These systems provide advanced role-based controls for file storage and powerful search capabilities to help employees find information quickly.

Unfortunately, accessing these systems remotely can be cumbersome or outright impossible, depending on the configuration of the mobile devices and the ECM system. When access proves difficult, employees sometimes begin keeping local copies of files and copying them from device to device, thereby undermining the security and version control features of the ECM system.

Organisations should select an MCM solution that provides access to content stored in these existing systems. This way secure mobile file sharing becomes a natural part of the workflow, and workers in remote locations always have access to the critical files they need.

4. Increase trust and control with private clouds

Private cloud solutions – cloud services that enterprises run in internal datacentres – can provide the scalability and cost-effectiveness of cloud computing without the security and availability risks of public clouds.

Whenever possible, enterprises should deploy their MCM solutions on private clouds, giving their own IT organisations complete control over the location and availability of data.

5. Block risky services

Even with an MCM solution in place, employees may be tempted to try the free services that their friends are using. By blocking these services, enterprises can ensure that mobile workers don't jeopardise the confidentiality and integrity of confidential data.

Educating users about the risks of these public-cloud services is another important way to 'nudge' them into following best practices for data security.

6. Choose proven solutions

Organisations should select an MCM solution that has been certified to meet stringent security requirements, such as the Federal Information Processing Standard (FIPS) 140-2 requirements for US federal agencies. The US National Institute of Standards and Technology (NIST) developed the FIPS specification to ensure that government agencies use sufficiently strong cryptographic services, including authentication and encryption, for protecting agency data. If an MCM platform has received FIPS 140-2 certification, organisations can be sure that the platform's authentication and encryption technology has passed inspection by the US Federal Government and been approved for use by government agencies. It also means the software has been tested and proven to securely protect data at rest and in transit on mobile devices.

Conclusion

By following these six best practices, enterprises can enjoy the benefits of the BYOD revolution – increased productivity and collaboration – while avoiding the security risks. A rigorously secure MCM solution that supports a broad range of mobile platforms gives network administrators and security teams the controls and monitoring features they need to protect mobile devices and the data they carry.

About the author

Hormazd Romer is Accellion's senior director of product marketing. He has over 12 years' experience driving product marketing and product management for enterprise software solutions. Accellion provides enterprise-class mobile file sharing solutions that enable secure anytime, anywhere access to information while ensuring enterprise security and compliance.

References

1. Yu, Roger. 'Lost cellphones add up fast in 2011'. USA Today, 23 Mar 2012. Accessed Jan 2014. tech/news/story/2012-03-22/lost-phones/53707448/1.
2. 'Google Terms of Service'. Google. Updated 11 Nov 2013. Accessed 7 Jun 2013. policies/terms/.
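As an added illustration of best practice 2 (centralised monitoring of file distribution, with the HIPAA/PHI scenario above), and not code from the article or from any Accellion product: a review pass over a constructed MCM audit log that flags PHI-tagged files shared outside the organisation and bulk downloads by a single user. The key=value log format, field names, tag names and thresholds are assumptions made for the example.

```python
"""Review a constructed MCM audit log for PHI leaving the container and bulk pulls."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value audit format (not a real product's log).
SAMPLE_LOG = """\
2014-01-10T09:02:11Z user=asmith device=ios-2b1c action=view file=q4_budget.xlsx tags=confidential
2014-01-10T09:05:40Z user=asmith device=ios-2b1c action=share_internal file=q4_budget.xlsx tags=confidential recipient=bjones
2014-01-10T21:14:02Z user=cpatel device=android-91e0 action=share_external file=patient_roster.csv tags=PHI recipient=cpatel@mail.example
2014-01-10T21:14:30Z user=cpatel device=android-91e0 action=download file=intake_form_001.pdf tags=PHI
2014-01-10T21:14:41Z user=cpatel device=android-91e0 action=download file=intake_form_002.pdf tags=PHI
2014-01-10T21:14:55Z user=cpatel device=android-91e0 action=download file=intake_form_003.pdf tags=PHI
2014-01-10T21:15:09Z user=cpatel device=android-91e0 action=download file=intake_form_004.pdf tags=PHI
2014-01-10T21:15:20Z user=cpatel device=android-91e0 action=download file=intake_form_005.pdf tags=PHI
2014-01-10T21:15:33Z user=cpatel device=android-91e0 action=download file=intake_form_006.pdf tags=PHI
"""

BULK_THRESHOLD = 5                    # distinct files pulled by one user ...
BULK_WINDOW = timedelta(minutes=10)   # ... within this window is treated as bulk replication


def parse_event(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict; tags become a set."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["tags"] = set(ev.get("tags", "").split(",")) - {""}
    return ev


def review(log_text):
    """Return (rule, user, detail) alerts for the events in log_text, in log order."""
    alerts = []
    pulls = defaultdict(list)  # user -> [(ts, file)] of recent downloads
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Rule 1: regulated content must not be distributed outside the organisation's control.
        if "PHI" in ev["tags"] and ev["action"] == "share_external":
            alerts.append(("PHI_EXTERNAL_SHARE", ev["user"], ev["file"]))
        # Rule 2: many distinct files pulled in a short window looks like bulk replication.
        if ev["action"] == "download":
            recent = [(t, f) for t, f in pulls[ev["user"]] if ev["ts"] - t <= BULK_WINDOW]
            recent.append((ev["ts"], ev["file"]))
            pulls[ev["user"]] = recent
            if len({f for _, f in recent}) == BULK_THRESHOLD:  # fire once, on crossing the threshold
                alerts.append(("BULK_DOWNLOAD", ev["user"], f"{len(recent)} files in {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```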