The complexity of mobile device security is compounded when the user community takes advantage of “bring your own device.” In this video, you’ll learn some security best practices around securing these user-owned mobile devices.
<< Previous Video: Mobile Application SecurityNext: Operating System Security and Settings >>
From an IT security perspective, the goal of BYOD is one that has a number of advantages and a number of disadvantages. This concept of bringing your own device to work means that the organization doesn’t have to spend a lot of money purchasing more devices when we all have a phone, and we all have a tablet anyway. The challenge, of course, is that the security team still needs control of that device. So there is a balancing act of having the right amount of control, yet still allowing you to use your personal device.
In almost every case, an organization is going to use a Mobile Device Manager, or an MDM. That means that they’re going to connect your mobile device to the MDM. And at that point, they’ll be able to deploy the policies that are able to keep that device secure wherever it happens to go. There’s probably going to be a completely different AUP– that stands for an acceptable use policy– for these BYOD devices. There’s obviously acceptable use for the computers that you’re using inside the walls of the building where you work.
But what are the acceptable uses of a device that is personal to you that you use outside of work? Which policy is going to win– the personal policy or the business policy? And all of these need to be well-defined and communicated to everyone in the organization. It would be great if our technology was one that allowed us to do whatever we’d like. But from a mobile device perspective, there are a lot of different and very proprietary environments out there, such as Android, iOS, Windows Phone, BlackBerry, and there’s others as well. So where do you draw the line? We need to make sure that we’re able to keep all of these devices secure. But we can’t manage every single one of these proprietary platforms. We’re going to have to get a Mobile Device Manager that is then able to access and manage whatever we’ve chosen to be of these approved devices.
We might say in our organization we’re going to allow anything that’s iOS and anything that’s Android. And of those devices, we’re going to manage them through our MDM. We’re going to need to then purchase the Mobile Device Manager software. There may be even a hardware component associated with it. We’re going to have to, of course, get trained on this technology. And there’s probably going to be ongoing maintenance costs as well. This device is going to need access to the internet– which ultimately, will allow you to communicate with all of those mobile devices wherever they happen to be in the world.
So now you’ve started working for this company. Your mobile phone is now part of the Mobile Device Manager on the network. And now the organization is in charge of supporting that device. If you lose your phone, your first call is probably going to be to your corporate help desk to let them know to lock everything down, or even erase everything that happens to be on that phone. It’s not generally going to be to your wireless provider. That’s probably your second call. But obviously, your corporate information is going to be the most important thing to secure if that particular mobile device gets out of your hands.
The corporate office is then probably going to wipe the data. You’re obviously going to need some backups if that happens. Or maybe there is a partitioned area of that mobile device. And the Mobile Device Manager will simply delete everything in the partitioned area, leaving your mobile device absolutely intact with all of your applications and all of your data.
This gets to be a little complicated, as you come onboard and offboard in an organization. If you start with a company, they’ll obviously connect your device. But what if you leave the organization? They’re obviously going to want to either delete everything on that device, or perhaps just remove that device from the Mobile Device Manager. If you wanted to be very secure with your personal information, it might even make more sense for you to do a factory default wipe of the device, and then reinstall from a backup. That way you can be absolutely sure that there are still no lingering connections back to that corporate environment.
These mobile devices we carry around are little computers. They’re powerful pieces of technology that allow us to do a lot of different things. So we’re installing applications all the time. And we’re moving data around on this device all the time. And every time we install something new, we have the potential to introduce something malicious into this little mobile computer that we’re carrying around.
Sometimes when we will patch a mobile device, we’ll break something or create a security problem, just by adding a patch into this. And we don’t want to disable the functionality of our corporate or work applications. So we want to be very careful of the applications in the patches that we install on these devices. It might be a good idea to have an anti-virus or anti-malware application running on our mobile device. If this is integrated with a Mobile Device Manager, the MDM may be able to perform scans of these applications and data, and protect your device from that end.
We have, obviously, technology concerns dealing with security. But they’re also policy concerns when you’re dealing with these mobile devices, especially if it’s a BYOD device where the end user owns the device. And effectively, it’s a private device that they’re using in their private life as well. So there needs to be well-defined policies that sets up where these lines are drawn. At what point is this a corporate asset, and at what point is it a personal asset?
And everything needs to be well-documented and communicated to everybody who’s going to be using these BYOD devices. We spoke earlier of segmentation of this data. Some Mobile Device Managers can partition off a separate section of the mobile device so that you can really define what happens to be the corporate side of that mobile device. And there’s a very clear dividing line as to where the private side of that mobile device might be.
You’ve probably seen in your day-to-day life that there are certain places that have policies restricting the use of the camera that’s on your mobile device. For instance, if you’re a member of a gym, there’s big signs up that ask you not to use the camera when you’re inside the gym. This can be a bit of a challenge, of course, from a privacy perspective.
And it’s certainly a concern from an industrial espionage perspective. You don’t want visitors coming into your building and taking pictures of your documents and the inside of your facility, if that information needs to remain private. There are some Mobile Device Manager policies that will restrict the use of the camera so that you could apply technology to restrict that. That way you’re not relying on the end user to simply not use the camera. You’re completely disabling the functionality of that camera or video functionality.
There is also Mobile Device Managers that allow you to do something called geo-fencing. This means that they will recognize when you get to a particular area and when you’re inside of that area, a certain policy will apply. For instance, if you’re inside of your corporate building, it might automatically disable your camera. And when you get back out to the parking lot, your camera is re-enabled. So you can use it wherever you happen to go.
The legalities regarding the data that’s on your mobile devices are different wherever you happen to be in the world. And a lot of these laws are still being created. And we’re still trying to determine where do we draw the line, with what information is private and what information is owned by your company. There are also concerns, obviously, if there’s been a security attack, if somebody has gathered information from inside of your network. You may want to go through every bit of data on these mobile devices. So there needs to be some policies and procedures that will set limits, or perhaps allow you access to all of the data or some of the data on these mobile devices.
With a desktop inside of your company, you generally have complete access to it. The security person will show up, in some cases, remove the entire machine, replace it with something new so that then they can go back and look through the forensics of that device.
The mobile device, obviously, has personal data inside of it. The forensics process you’re running may need to exclude certain aspects of the mobile device to maintain the privacy of that individual. So the question then becomes is who really owns this data? The BYOD devices is owned by an individual. But the data on the device needs to be accessible by the organization. So there needs to be some very specific policies put in place so that everybody knows what information is private and what information is available to the organization.