
10 ways to reduce security headaches in a BYOD world

Security is a huge concern when it comes to BYOD. Here are several steps you can take to protect your network and keep your organization's data safe.

You're about to officially allow Bring Your Own Device (BYOD) in your organization. Understandably, you're concerned with the security of your network and data. With all those unknown variables entering the mix, how will you safeguard your company and keep sensitive data from falling into the wrong hands?

To put your mind at ease, you need to tackle BYOD with an eye toward security. This means policies and plans must be put into place. With BYOD, you can't always think in the same way you do with standard networking. But fear not, I have 10 ideas that might help you get through this transition.

1: Secure your data

Before you allow any non-company devices onto your network, make sure your data is secure. This should go without saying, but if sensitive data sits on open shares (anything readable by Everyone, Authenticated Users, or a guest account), you're asking for trouble. Audit share and folder permissions, find out where the sensitive data actually lives, and restrict it to the groups that need it. Every network administrator should already know this, but if you are about to open the floodgates to BYOD, it must be the first priority.

2: Tighten your network security

Just as you've secured your data, make sure your network security is rock solid. Do not rely on Windows Firewall on each host to protect your data; deploy a dedicated firewall (SonicWALL, Cisco, and Fortinet all sell them) at the network edge and lock the outside world out. Then treat BYOD devices as untrusted on the inside as well: put them on their own VLAN or SSID, with only the services they need (mail, web proxy, VPN) reachable from it, so that a compromised phone cannot scan or attack the rest of the LAN. With all of those new devices coming in, and the security holes they can create, you must have a solid network security plan in place before the first one connects.

3: Implement a BYOD antivirus/anti-malware policy

Any device running an operating system for which a company-approved antivirus or anti-malware product exists must be running it. Don't assume any platform is immune: Android, iOS, and Linux all have malware in the wild, and Android in particular is a common target because apps can be installed from outside the Play Store. On platforms where traditional antivirus isn't available (iOS sandboxing keeps third-party scanners from inspecting other apps), lean on the platform's own protections: keep the OS updated, refuse jailbroken or rooted devices, and allow apps only from the official store. Whatever the device, make sure users are not passing suspect files along to fellow workers (or customers): scan files where they land, on the mail gateway and the file servers, rather than trusting the device to have done it.

4: Mandate encryption

If your BYOD users will be handling company data outside your secured LAN, require encryption at every layer. Turn on full-device encryption (it depends on a device passcode being set, so enforce that first), and require a VPN or TLS for anything that moves between the device and your network, so that a coffee-shop Wi-Fi hop can't read it. For sensitive applications, add app-level protection: the app stores its data encrypted and requires its own password, on top of the device passcode. And if users keep company passwords on the device, those passwords must live in an encrypted password manager vault, never in a notes app or a plain text file.


5: Take advantage of mobile application management (MAM)

You have to know what applications are being used on your network. This doesn't mean you have to prevent users from accessing Facebook or playing games (that's your call, of course). But you must make sure no application in use is a threat to the security of your company data. Some platforms, Android in particular, allow users to side-load applications, so any package, not just those on the Google Play Store, can be installed. You want to make sure one of your employees isn't inadvertently letting a sniffer or port scanner loose on your network, and an MAM inventory of installed packages, together with where each one was installed from, is how you find out.
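As an added example (not part of the original article), here is how such an inventory can be turned into a check. It assumes the packages were listed with `adb shell pm list packages -3 -i` (third-party apps only, with their installer), and the sample output, the package names in it, and the company MAM agent's package name are all constructed for the example.

```python
"""Flag side-loaded Android apps from `adb shell pm list packages -3 -i` output.

Added example, not from the article. SAMPLE_PM_OUTPUT is constructed and the
package names in it are placeholders, not real apps.
"""
import re

# Installers we trust: Google Play plus a hypothetical company MAM agent.
PLAY_STORE = "com.android.vending"
COMPANY_MAM_AGENT = "com.example.mamagent"   # assumption: your MAM agent's package name
APPROVED_INSTALLERS = {PLAY_STORE, COMPANY_MAM_AGENT}

# `pm list packages -3 -i` prints one third-party package per line:
#   package:<name>  installer=<installer package, or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.corpmail  installer=com.example.mamagent
package:com.example.sideloaded.scanner  installer=null
package:com.example.sideloaded.game  installer=com.google.android.packageinstaller
package:com.example.altstore.app  installer=com.example.altstore
"""


def parse_pm_output(text):
    """Return {package: installer}; 'null' (adb install / unknown) becomes None."""
    packages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and any adb chatter
        inst = m.group("inst")
        packages[m.group("pkg")] = None if inst == "null" else inst
    return packages


def find_sideloaded(packages, approved=APPROVED_INSTALLERS, allowlist=frozenset()):
    """Third-party packages that did not come from an approved installer.

    installer=None means adb install or an unknown source, and the stock
    packageinstaller means a downloaded APK was opened by hand; both count
    as side-loads. Packages on the allowlist (reviewed exceptions) are skipped.
    Returns a sorted list of (package, installer-or-None).
    """
    flagged = []
    for pkg, inst in packages.items():
        if pkg in allowlist:
            continue
        if inst is None or inst not in approved:
            flagged.append((pkg, inst))
    return sorted(flagged)


def audit(text, allowlist=frozenset()):
    """Parse pm output and return the side-loaded packages on the device."""
    return find_sideloaded(parse_pm_output(text), allowlist=allowlist)


if __name__ == "__main__":
    for pkg, inst in audit(SAMPLE_PM_OUTPUT):
        print(f"side-loaded: {pkg} (installer={inst or 'null'})")
```

On a real device the input comes from `adb shell pm list packages -3 -i`, which needs USB debugging, so this fits an enrollment-time inspection better than continuous monitoring; an MAM or MDM agent running on the device does the same inventory on a schedule. The installer record can be rewritten on a rooted device, so treat the result as a hygiene check rather than a trust decision.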

6: Require apps like Divide

There are apps out there, like Divide, that do a good job of placing a barrier between personal and work data. Divide provides a completely separate work desktop, so the user can make no mistake about which side a file or message belongs to, and gaining access to the business side requires its own password. Keep in mind what a container like this protects against: a careless or curious user, and casual access by whoever picks up the phone. It does not protect against a rooted or otherwise compromised operating system, which can read the container's data along with everything else, so it complements the controls above rather than replacing them.

7: Require multi-layered password protection

You must require all devices to be password protected, with a short auto-lock timeout. But a single password to unlock the device isn't enough: any application, folder, or file that houses company data must also be password protected, so that an unlocked phone left on a table doesn't hand over your mail and documents. Though it is an inconvenience, each layer is one more thing an attacker with the device in hand has to defeat. At the same time, make sure that users do NOT store credentials such as company VPN passwords on the device in the clear; they belong only in an application that keeps them encrypted and requires its own password to open.

8: Implement company-wide phone wipe

If your users want BYOD, they have to be willing to sign on to a plan that gives you the power to wipe their phone if it's lost or stolen. Where your mail server or MDM supports it, a selective wipe that removes only the work container or the company account is easier to get users to agree to, and it is what you will actually use when someone leaves the company; a full remote wipe remains the fallback for a lost device. Though this should be the case with every user (not just those using their devices for work), many don't see the value in making sure their sensitive data can be easily deleted if the phone winds up in the wrong hands. Remember, too, that a wipe command only reaches a device that is powered on and connected; a thief who keeps the phone offline never receives it, which is why the encryption in item 4 has to be in place as well.

9: Require use of company wireless when on premise

You know some users will "forget" to connect to your wireless network when they arrive and will do business over their carrier's network instead, where you can neither filter nor log what passes. Make sure all users understand that if they are to use their device on premises, they must use your wireless network. Not only will this help secure your company data, it will allow you to monitor and control what goes on: you can see what is on the network from the DHCP leases and the wireless controller, and enforce the same proxy and firewall rules the rest of the network already follows. Do not let that wireless network be the one your servers and desktops sit on, though; give BYOD devices a separate SSID and VLAN, so that an infected phone cannot scan the internal LAN or act as a foothold into it.
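An added example (not part of the original article) of the monitoring that the company wireless makes possible: it parses dnsmasq's lease file format for the BYOD segment and flags active leases whose MAC address is not in the enrollment inventory. The lease lines, the inventory, the timestamp and the function names are constructed for the example.

```python
"""Audit dnsmasq DHCP leases on the BYOD wireless segment against an inventory.

Added example, not from the article. SAMPLE_LEASES, INVENTORY and NOW are
constructed. dnsmasq writes one lease per line:
    <expiry-epoch> <mac> <ip> <hostname> <client-id-or-*>
"""
from collections import namedtuple

Lease = namedtuple("Lease", "expires mac ip hostname client_id")

SAMPLE_LEASES = """\
1700003600 00:11:22:33:44:55 192.168.50.10 corp-laptop-07 01:00:11:22:33:44:55
1700003600 a4:5e:60:aa:bb:cc 192.168.50.23 android-2f91c 01:a4:5e:60:aa:bb:cc
1700003600 02:7b:1c:91:0d:e2 192.168.50.31 iPhone *
1699990000 00:11:22:33:44:66 192.168.50.12 corp-laptop-09 01:00:11:22:33:44:66
"""
NOW = 1700000000  # constructed "current time", epoch seconds

# Registered devices: MAC -> owner, as recorded at BYOD enrollment (constructed).
INVENTORY = {
    "00:11:22:33:44:55": "alice (corp laptop)",
    "00:11:22:33:44:66": "bob (corp laptop)",
}


def parse_leases(text):
    """Parse dnsmasq lease lines into Lease records; MACs are normalised to lower case."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        client_id = parts[4] if len(parts) > 4 else "*"
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3], client_id))
    return leases


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set.

    Phones that randomise their Wi-Fi MAC (iOS 14+ and Android 10+ do so per
    network by default) present such addresses, so a static inventory will
    never match them unless randomisation is turned off for your SSID.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def audit_leases(text, inventory, now):
    """Return active leases not in the inventory as (mac, ip, hostname, randomised)."""
    findings = []
    for lease in parse_leases(text):
        if lease.expires <= now:
            continue  # expired lease, the device is gone
        if lease.mac in inventory:
            continue
        findings.append((lease.mac, lease.ip, lease.hostname,
                         is_locally_administered(lease.mac)))
    return findings


if __name__ == "__main__":
    for mac, ip, host, rnd in audit_leases(SAMPLE_LEASES, INVENTORY, NOW):
        note = " (randomised MAC, enrollment record will not match)" if rnd else ""
        print(f"unregistered device {mac} at {ip} ({host}){note}")
```

A MAC inventory is only a tripwire: MAC addresses are trivially spoofed and, as the randomisation flag shows, not even stable. For actual admission control, run 802.1X (WPA2-Enterprise with per-user credentials or certificates) on the BYOD SSID so the RADIUS server ties each association to a person, and use a script like this to catch what slipped through, for example a pre-shared key that was passed around.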

10: Limit device support

Though I would like to think any network/system administrator can support all devices, the reality is that the more flavors of technology you allow, the more challenging the job becomes. If you open your company up to BYOD, you are within your rights to limit that policy to certain devices. Say you only want to open this up to tablets that do not have a carrier (so they are limited to Wi-Fi only), or to a single platform, or to devices running an OS version that still receives security updates. By doing this, you not only make your job easier, you help keep your company network/data more secure.

Other advice?

What measures has your organization taken to prevent security breaches in a BYOD environment? Share your suggestions with fellow TechRepublic members.

More resources

For a comprehensive look at BYOD strategies, benefits, and challenges, check out ZDNet's latest feature page, BYOD and the Consumerization of IT.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

15 comments
wdewey@cityofsalem.net

If the underlying operating system is compromised I am uncertain how effective an app like Divide would be.

wdewey@cityofsalem.net

I don't see anything special in this post for BYOD. These are things that every organization should be doing to protect their data. Personally I don't think these steps go far enough. One of my pet peeves is network infrastructure. If your network infrastructure is compromised then there is very little you can do to protect your network. Use accounts that are not tied to any type of computer account. Only allow changes from boxes physically located on site. Monitor activity to critical data. Only use encrypted protocols for access to network devices. Monitor network configurations for changes (tripwire offers a framework for doing this). This may sound a little draconian, but the network layer is used to segment and protect the rest of the network. If it's compromised then all other security is in doubt.

Janis Tupulis

I'd even go further and say that everything except the 1st one is old-school and therefore crap. Sounds like advice to use old weapons in a war of a new generation, just more of them! Will not work. Those guys out there have done their work inventing those devices. Now it's security's turn to do inventing. I'm not an expert in the field, but here are a few general ideas: a) embrace the major change that has happened instead of denying it (i-dont-like/lets-ban/f...ing-executives type of statements) b) security has to become more granular, protect locally instead of the whole network; c) make/use new generation apps; d) analyse situation and data; e) generate NEW ideas.

333239

Many people I know with a company-supplied smartphone don't even have a password to unlock the phone, i.e. they could leave it somewhere and anybody could pick it up and access all their company or private emails. If these companies can't even get it right with their own stuff, how much security will there be with BYOD?

jk2001

I'm in the middle of trying to split our network into a public wifi lan and a private office lan that's entirely wired. Staff with devices will use a vpn to access office lan resources. There will be a proxy for printing, and possibly other services. Otherwise, they will use internet resources. This arrangement's goal is to give wifi device users a familiar internet-centered experience, and the desktop and laptop users a traditional lan-oriented experience. There's just not going to be a combination lan-over-wifi experience. Instead, they will get a vpn-over-the-internet experience, which is a little less convenient.

Bazzie

With MDM you can create secure containers and only allow certain apps to interact with your organisation's resources from within that container. Many people work for companies that don't believe their people need tablets to do their work, but the people find that they carry their own ones to work anyway, and can use it to make their lives at work easier. It just makes sense to allow it, but control it. Same thing with mobile phones. My company will only give me an LG L7 but I want to use my own Galaxy S3 (or read iPhone or whatever decent flavour you prefer) because the LG drives me nuts while waiting for the CPU to catch up to me. And I'm not all that fast...

clowny200

While it is truly impossible to have a 100% safe, connected network, BYOD is certainly a risk probably not worth taking. Sure AV mandates and scans, HW firewalls, encryption and DMZs are great and required nowadays, but I think severely restricted user accounts are also a good practice at least worth consideration. Otherwise, company assets only seems to be a better option.

albayaaabc

must in your hand the facilitating device that will increase the ability of BYOD device as applicable wherever.

zygote

Since when was there an imperative to allow people to use their own devices? The whole idea is clearly being driven by the manufacturers of mobile devices as no network/security/sys admin in their right mind would allow personal devices on the network. My policy is exactly that and we check DHCP leases regularly and move all non-PC devices to the deny list. Mind you, for any of this to be useful you also need to have policies/proxies in place to prevent access to any medium that can be used to send data out of the network, so blocking Dropbox et al and webmail has to be implemented. When this is in place you have a solid argument for not allowing iPads etc to be used for work purposes as they would need to justify breaking policy just to use the device.

techrepublic

linux/android/ios aren't vulnerable? did you really just say that? Also, if a user _can_ use their device from outside the office to "do business", what would be more secure about having them do it from the company wifi? What difference does being "on premises" make in that context? It seems to me that if you can get away with _never_ having them on the internal network, and still do their business effectively in a secure way, that's the best of both worlds.

ProfessorLarry

"For devices that do not run a vulnerable platform (Android, IOS, Linux)"? How naive and shortsighted. All these platforms are vulnerable to malware already in the wild, including the fabled fortress of iOS.

TsarNikky

It would be best to just ban BYODs. But... (a) "senior" executives with a sense of entitlement that is greater than the importance of corporate data security; (b) corporate pandering to youngsters, under the guise of being "hip" or "cool;" (c) ; all of which will subvert corporate data security to personal whims and desires. Regrettably, several major data breaches will have to happen in critical companies, before companies wise up to the threat. But then, it's too late, the damage has been done.

mark1408

Although I'm generally anti-BYOD and unconvinced by the touted supposed benefits to the company, it's making a stealthy small beginning with us in the form of executive mobile devices that are either non-Company, non-Windows or both. Ostensibly these only connect to Exchange via ActiveSync (the policies for which I need to review) but there's nothing to stop them being used as storage devices for files. At least I have DLP in place in the form of monitor-only file transfer checks by our AV software. BTW, it might be wiser to call Android, iOS et al "less vulnerable" rather than not vulnerable. Or does Jack write these things to see if anyone's paying attention? ;-)

Robiisan

"Lee - YOH - dah" is my guess at pronunciation, but that's not important. What is important is the concept. I'm working on a start-up insurance brokerage where certain (limited) financial instruments can be sold over the phone. But the client data must still be taken and kept (for years!) and all other laws adhered to - like the USA PATRIOT Act, to name but one. We will require the use of company-purchased mobile devices (MDM) AND we will strictly control the apps available on each device (MAM)! In addition, all calls will be recorded and the recordings will become a part of the client or corporate records, as appropriate. No unauthorized devices will be allowed to connect to the corporate network, and all business related calls must be conducted from the approved devices, both as a client privacy issue and as a Dept of Insurance compliance issue. It's the only way to stay in business in this case.

wdewey@cityofsalem.net

I consider using the company WiFi more of a security risk. If the device is a zombie then it can scan and possibly even act as an entry point into the corporate network. Unless the corporate network is doing SSL inspection then there is no way to know that a device isn't using HTTPS to provide a shell into their environment.