Secure BYOD, the BYOD way
Bring your own device (BYOD), in which employees work from personal devices such as their own phones, tablets and laptops, is quickly becoming the norm. Companies that embrace BYOD can give employees more freedom to work remotely, with gains in productivity, cost savings and talent retention. In fact, 85 percent of organizations now allow BYOD for at least some of their stakeholders, including employees, contractors, partners, customers and suppliers.
BYOD does change an organization's threat landscape, and it requires security tools different from those used to protect managed devices: the organization does not own the endpoint, cannot assume it is patched or free of malware, and cannot dictate what else runs on it. That difference is often misread as BYOD being inherently riskier than the traditional model. In practice, the added risk comes from organizations that adopt BYOD without putting tools and processes in place to protect the data that personal devices can reach. Consider the following findings from a recent report on BYOD and security:
- One in five organizations lacks visibility into basic, native mobile apps on personal devices
- Only 56 percent of companies employ key functionality like remote wipe for removing sensitive data from endpoints
- 43 percent of organizations don’t know if any BYO or managed devices downloaded malware, indicating a significant lack of visibility
- 24 percent of organizations don’t secure email on BYOD at all
These statistics indicate that many companies are not yet prepared to protect data in BYOD environments. In the same report, 51 percent of respondents believed that the volume of threats targeting mobile devices is continuing to increase. Because most BYO devices are personal mobile devices, leaving these visibility and control gaps open while mobile-targeted threats grow will lead to breaches through personal devices.
While 30 percent of companies still do not allow BYOD because of security concerns, it is likely that many of them will change that position in the coming years to remain competitive. When an organization does adopt BYOD, the security controls must be added at the same time, not weeks, months or years later. The core controls are listed below.
- Single sign-on (SSO): The minimum requirement for basic identity and access management (IAM) in cloud and BYOD environments. SSO gives users a single entry point that authenticates them once and then grants access to the enterprise's cloud applications, and it gives the organization one place to enforce authentication policy and to revoke access. The same centralization makes the identity provider a high-value target, so it needs the strongest protection of any component.
- Multi-factor authentication (MFA): A second method of identity verification required before employees or other users can access resources. For example, after entering a password, a user may be prompted for a one-time code delivered by SMS or email, a code from an authenticator app such as Google Authenticator, or a response from a hardware token they physically carry. Codes sent by SMS or email are the weakest of these options, since they can be phished or intercepted; authenticator apps are better, and hardware tokens bound to the site resist phishing outright.
- User and entity behavior analytics (UEBA): Analytics that build a baseline of normal activity for each user and device (typical locations, working hours, devices, applications and data volumes) and flag deviations from it in near real time, so the IT or security team can respond, including automatically, for example by forcing re-authentication or blocking a download.
- Data loss prevention (DLP): Tools that inspect content as it moves to and from cloud applications and either allow it, block it, or apply an intermediate control such as redaction of sensitive fields, watermarking or digital rights management (DRM), based on the sensitivity of the data and the trust placed in the requesting device.
- Selective data wipe: The ability to remove all corporate data from a device without touching the personal data stored on it, such as photos, contacts, calendar events, personal email, text messages and other items. This depends on corporate data having been kept separate from personal data in the first place, for instance in a managed application or container, or by never letting it reach the device at all.
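As an added illustration of the UEBA and DLP items above, here is a small, self-contained sketch of both controls as they might run inside an access proxy in front of a cloud application. This is example code written for this page, not Bitglass product code or a description of any real product's internals; the event fields, the regular expressions, the "one hour either side" tolerance and the block threshold are all assumptions chosen for the illustration, and the log events are constructed.

```python
"""UEBA baseline + DLP decision, as a constructed example (not vendor code).

Part 1 builds a per-user baseline (countries and login hours seen) from
historical access events and scores a new event against it.
Part 2 redacts or blocks sensitive content depending on whether the
requesting device is managed. Field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed historical access events; in practice these would come from
# identity-provider or proxy logs.
TRAINING_EVENTS = [
    {"user": "alice", "ts": "2023-03-01T09:05:00", "country": "US", "app": "mail"},
    {"user": "alice", "ts": "2023-03-02T10:40:00", "country": "US", "app": "drive"},
    {"user": "alice", "ts": "2023-03-03T14:15:00", "country": "US", "app": "mail"},
    {"user": "alice", "ts": "2023-03-06T17:50:00", "country": "US", "app": "crm"},
    {"user": "bob", "ts": "2023-03-01T08:30:00", "country": "DE", "app": "mail"},
    {"user": "bob", "ts": "2023-03-02T12:10:00", "country": "DE", "app": "drive"},
]

BLOCK_THRESHOLD = 5  # assumed policy: this many sensitive hits blocks a BYO download


def build_baseline(events):
    """Per-user set of countries and login hours observed in the training window."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["hours"].add(hour)
    return baseline


def score_event(baseline, event):
    """Return the list of deviations from the user's baseline (empty means normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("new_country")
    hour = datetime.fromisoformat(event["ts"]).hour
    # Tolerate one hour either side of any hour seen before, wrapping at midnight.
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in profile["hours"]):
        reasons.append("unusual_hour")
    return reasons


# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Replace card numbers and SSN-shaped values; return (new_text, hit_count)."""
    count = 0

    def card_sub(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            count += 1
            return "[REDACTED-CARD]"
        return match.group(0)  # digit run that fails Luhn, e.g. an order id: keep

    text = CARD_RE.sub(card_sub, text)
    text, ssn_hits = SSN_RE.subn("[REDACTED-SSN]", text)
    return text, count + ssn_hits


def dlp_decision(device_managed, text):
    """Managed endpoints get the original; BYO devices get a redacted copy or a block."""
    redacted, hits = redact(text)
    if hits == 0 or device_managed:
        return "allow", text
    if hits >= BLOCK_THRESHOLD:
        return "block", ""
    return "redact", redacted


if __name__ == "__main__":
    base = build_baseline(TRAINING_EVENTS)
    print(score_event(base, {"user": "alice", "ts": "2023-03-08T03:10:00", "country": "RU"}))
    print(dlp_decision(False, "Card 4111 1111 1111 1111, SSN 123-45-6789, order 1234567890123"))
```

The two halves are independent in the code but complementary in practice: the UEBA score tells you when a session is suspicious, and the DLP decision tells you what that session is allowed to carry away. Both run on the proxy side, which is what makes them usable on devices that cannot be made to run an agent.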
In BYOD environments, applying all of these controls means relying on agentless solutions delivered from the cloud, which enforce policy where the data is accessed rather than on the device itself. Agent-based tools that require software to be installed on personal devices intrude on user privacy and degrade device performance; this frustrates employees, slows deployments, and undercuts the benefits that motivated BYOD in the first place. Agentless tools protect the data without these drawbacks and can still offer specialized capabilities. For example, agentless advanced threat protection can detect and stop threats as they are uploaded to an application, as they are downloaded to a device, and while they are at rest in the cloud.
Despite popular opinion, BYOD can be secured if companies use the right tools. Organizations that insist on protecting personal devices with the same strategies used for corporate endpoints will continue to find that they cannot properly defend their data. By employing the controls described above, companies can embrace the benefits of BYOD without compromising on data protection.
Anurag Kahol expedites technology direction and architecture. Before joining Bitglass, he was director of engineering in Juniper Networks’ Security Business Unit. He received a global education, earning an M.S. in computer science from Colorado State University and a B.S. in computer science from the Motilal Nehru National Institute of Technology.