The security risks of BYOD -- Amtel [Q&A]
Allowing employees to use their own mobile devices for work has led to a number of new challenges, particularly when it comes to keeping devices and data secure.
We talked to PJ Gupta, CEO of mobile security specialist Amtel about the risks BYOD presents to enterprises and what they can do to ensure they remain safe.
BN: Are businesses becoming more vulnerable as a result of implementing BYOD strategies?
PJG: This question is always asked whenever new technologies and paradigms are introduced into enterprise IT environments. Did networking make the enterprise vulnerable? Doesn't Wi-Fi access to corporate data expose the company to a security breach?
The short answer is, yes. Risks and vulnerabilities increase when you introduce external variables to a well-controlled system. When employees bring in their own mobile devices to work, the risks rise but the flexibility, efficiency and productivity gains from such technologies and initiatives make it worthwhile to embrace the advances and manage the risks.
BN: What are the risks presented by third-party apps on employee devices?
PJG: Typically, on a BYOD device, there may be platform apps, enterprise apps and public apps. Platform apps, widgets and tools come with the device from vendors such as Apple, Google, Samsung and major carriers. Enterprise apps are created by your company or a trusted partner (an example may be Salesforce.com or Workday). Public apps are downloaded by the user from a public app store such as the Apple App Store or Google Play.
Despite efforts by Apple and Google, the sheer volume of public apps makes it very hard to verify that such apps do not bring security and data leakage risks to an enterprise. For example, using a personal Dropbox account to store corporate data can jeopardize data security. In addition, risks associated with uncontrolled use of social media, streaming and game apps can waste time, hit employee productivity and cause HR policy compliance headaches.
BN: In addition to protecting their networks, companies need to safeguard their intellectual property. What steps can they take to minimize the risks BYOD presents in this area?
PJG: Companies need to protect confidential data and intellectual property that may be stored on enterprise systems, applications and email. The key to protection is authentication of users, access control and encryption of confidential information.
Companies need to put password policies in place for strong authentication of users. Integrate with Active Directory and LDAP for managing access control to corporate email and applications. Adopt Single Sign-On (SSO) and two-factor authentication for application access for simpler and better security. They should also make sure remote access via Wi-Fi or wide area networks is secured through virtual private network (VPN) technology.
In addition they can protect sensitive information by encrypting the data at rest and in transit (on the wire or wireless transport). Secure containers on BYOD devices themselves can be encrypted too. Putting in place data loss prevention policies, such as remote locating and selective wiping of mobile devices, and data leak prevention that thwarts copy and paste to and from secure containers, helps keep data safe.
BN: Does BYOD present additional problems when it comes to compliance?
PJG: Compliance is a thorny issue for BYOD. Security and compliance with regulations such as HIPAA, SOX and PCI require complete accountability, traceability and audit trails. On the other hand, BYOD is a personal device but the company’s privacy policy needs to be honored and Personally Identifiable Information (PII) needs to be protected. For example, regulatory compliance may require that you track a device at all times, but personal privacy mandates that you don’t track a device when the employee is not at work (either onsite or offsite).
The answer is a delicate balance between regulatory compliance and personal privacy. Perhaps GPS tracking can be forced on during work hours and become optional after hours as employees wish. Location based policies via geofencing technology will provide more flexibility in a BYOD environment. For example, public app access and device features such as camera and NFC can be restricted within work location boundaries, but can seamlessly be enabled outside.
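The location-based policy described in the answer above, as an added example in Go that is not Amtel's code and not part of the interview. It assumes a circular work-site geofence, a 09:00 to 18:00 weekday window for forced tracking, and a conservative rule for GPS uncertainty: if the device's reported error circle overlaps the fence at all, the on-site restrictions (camera, NFC, public apps) apply. All names, coordinates and thresholds are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Geofence is a circular work-site boundary (assumed model; real MDM
// products often use polygons, but the policy logic is the same).
type Geofence struct {
	Name         string
	Lat, Lon     float64 // centre, decimal degrees
	RadiusMetres float64
}

// Fix is one location report from the device. AccuracyMetres is the
// error radius reported alongside the GPS position.
type Fix struct {
	Lat, Lon       float64
	AccuracyMetres float64
	At             time.Time
}

// Policy is the set of device controls derived from location and time.
type Policy struct {
	InWorkZone    bool
	TrackingOn    bool
	CameraAllowed bool
	NFCAllowed    bool
	PublicApps    bool
}

const earthRadiusMetres = 6371000.0

// haversine returns the great-circle distance in metres between two points.
func haversine(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusMetres * math.Asin(math.Sqrt(a))
}

// Inside reports whether the fix should be treated as on-site. The fix's
// accuracy radius is subtracted from the distance, so any overlap between
// the error circle and the fence counts as inside: when the position is
// uncertain the policy fails toward the more restrictive state.
func (g Geofence) Inside(f Fix) bool {
	d := haversine(g.Lat, g.Lon, f.Lat, f.Lon)
	return d-f.AccuracyMetres <= g.RadiusMetres
}

// workHours reports whether t falls in the assumed 09:00-18:00, Monday to
// Friday window during which location tracking is forced on.
func workHours(t time.Time) bool {
	if wd := t.Weekday(); wd == time.Saturday || wd == time.Sunday {
		return false
	}
	h := t.Hour()
	return h >= 9 && h < 18
}

// Evaluate derives the device policy for one fix. trackingOptIn is the
// employee's after-hours choice; it only matters outside work hours.
func Evaluate(fences []Geofence, f Fix, trackingOptIn bool) Policy {
	in := false
	for _, g := range fences {
		if g.Inside(f) {
			in = true
			break
		}
	}
	return Policy{
		InWorkZone:    in,
		TrackingOn:    workHours(f.At) || trackingOptIn,
		CameraAllowed: !in,
		NFCAllowed:    !in,
		PublicApps:    !in,
	}
}

func main() {
	// Constructed sample: one 200 m fence and two fixes, one on-site on a
	// Wednesday morning, one off-site on a Saturday evening.
	hq := []Geofence{{Name: "HQ", Lat: 37.7749, Lon: -122.4194, RadiusMetres: 200}}
	wed := time.Date(2024, 3, 13, 10, 0, 0, 0, time.UTC)
	sat := time.Date(2024, 3, 16, 20, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", Evaluate(hq, Fix{37.7752, -122.4190, 15, wed}, false))
	fmt.Printf("%+v\n", Evaluate(hq, Fix{37.7849, -122.4094, 15, sat}, false))
}
```

The accuracy margin is the part worth copying: a fix 211 m from the centre with a 30 m error radius is still treated as on-site, while the same fix with a 5 m radius is not. Without that margin a device loitering at the edge of the lot would flip the camera and NFC controls on and off with every GPS jitter.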
BN: How can businesses minimize the risk of data leaks from devices that are lost, stolen or simply fall into someone else’s hands?
PJG: There are two prescriptions for loss prevention of corporate data if a device is lost or stolen. The first one is location tracking, remote locking, and selective or full wipe of the device. This can be accomplished so long as the device is managed with a mobile device management app installed.
The second imperative, as mentioned earlier, is to protect sensitive information by encrypting corporate data in a secure container on BYOD devices. Enterprise apps and the mail server must share corporate information only in the secure container, which can be automatically wiped when the user exits the enterprise app or corporate location (as determined by geofencing).
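The encrypted container with selective wipe described in the two answers above, as an added example in Go that is not Amtel's code and not from the interview. It assumes a toy device model: personal data sits outside the container in the clear, corporate records are sealed with AES-256-GCM under a per-container key, and "selective wipe" is implemented as key destruction (crypto-shredding) so that even a forensic copy of the ciphertext taken beforehand is unreadable, while personal data is untouched. The trigger for the wipe (MDM command, app exit, leaving the geofence) is left to the caller. All names and sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrWiped is returned once the container key has been destroyed.
var ErrWiped = errors.New("container wiped: key destroyed")

// Device models a BYOD device: personal data in the clear, corporate data
// only as AES-GCM ciphertext inside the container (assumed toy model).
type Device struct {
	Personal  map[string][]byte
	corporate map[string][]byte // nonce || ciphertext+tag
	key       []byte            // container key; nil once wiped
}

// NewDevice provisions a device with a fresh random 256-bit container key.
func NewDevice() (*Device, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &Device{
		Personal:  map[string][]byte{},
		corporate: map[string][]byte{},
		key:       key,
	}, nil
}

func (d *Device) aead() (cipher.AEAD, error) {
	if d.key == nil {
		return nil, ErrWiped
	}
	block, err := aes.NewCipher(d.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCorporate seals plaintext into the container. The record name is
// bound as associated data so a record cannot be moved under another name
// without failing authentication.
func (d *Device) StoreCorporate(name string, plaintext []byte) error {
	g, err := d.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	d.corporate[name] = append(nonce, g.Seal(nil, nonce, plaintext, []byte(name))...)
	return nil
}

// ReadCorporate opens a record; it fails after a wipe or if the blob was
// modified, since GCM authenticates ciphertext and associated data.
func (d *Device) ReadCorporate(name string) ([]byte, error) {
	g, err := d.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := d.corporate[name]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// SelectiveWipe zeroes and discards the container key and drops the
// ciphertext. Personal data is never touched. Because the key is gone,
// any earlier copy of the ciphertext is also unrecoverable (assuming the
// key was never backed up elsewhere).
func (d *Device) SelectiveWipe() {
	for i := range d.key {
		d.key[i] = 0
	}
	d.key = nil
	d.corporate = map[string][]byte{}
}

func main() {
	d, err := NewDevice()
	if err != nil {
		panic(err)
	}
	d.Personal["photo"] = []byte("family picture")            // constructed personal data
	_ = d.StoreCorporate("q3-forecast", []byte("revenue 12M")) // constructed corporate data
	pt, _ := d.ReadCorporate("q3-forecast")
	fmt.Println("before wipe:", string(pt))
	d.SelectiveWipe()
	_, err = d.ReadCorporate("q3-forecast")
	fmt.Println("after wipe:", err, "| personal:", string(d.Personal["photo"]))
}
```

A real container would derive the key from device-bound hardware (Secure Enclave, Android Keystore) and the user's passcode rather than holding it in process memory, but the wipe semantics are the same: destroy the key, and the data is gone wherever copies of the ciphertext ended up.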
BN: What happens when employees move on to another role or leave the company altogether?
PJG: Again, administrators can selectively wipe a corporate container on the device while leaving personal content intact. They can also manage credentials and access control with Active Directory (AD) integration so that access privileges are removed when AD is updated with an employee exit event.
A tricky aspect is when a sales rep, sales engineer or partner rep leaves the company. Company policy should ensure that third-party contact information is saved in company databases (such as Salesforce.com for example) not just on the individual’s BYOD device.
BN: Can BYOD ever work in a completely safe way?
PJG: BYOD can never be 100 percent safe. In business you take calculated risks for the sake of operating efficiency. BYOD brings clear benefits of flexibility and efficiency. BYOD risks can be managed to realize the benefits.
Image Credit: PlusONE / Shutterstock