…one particular area of concern with BYOD is that, by definition, the user owns and is primarily in control of the device – not IT. In short, accept that BYOD will, at some level, be used, with or without authorization, and focus on the security issues raised to minimize the risk of loss, theft or disclosure of [confidential information]. (Adapted from Source)
Mobile devices are entering the workforce in large numbers. According to Gartner, it is estimated that nearly 300 million tablets and 2 billion smartphones will be deployed by 2015. Additionally, almost 75% of these devices are expected to be personal devices. While 75% of the devices are personal, over 90% of organizations are expected to support corporate applications on them. (Source: Gartner Group Report).
In yesteryear, laptops were often stolen because they were portable and served as data-rich sources for identity thieves. Now, iOS devices (iPads) and Android tablets are the new target for theft. Although they cost a fraction as much, tablets are hot items that thieves continue to be on the lookout for…and your school district’s confidential information may be on one, especially since you implemented that nifty Bring Your Own Device (BYOD/BYOT) program!
Where does your program fall along the Cisco continuum shown below?
Two other questions come to mind:
- Often, desktop and laptop hard drives are drilled, shredded, or erased a la Darik’s Boot and Nuke (DBAN)…but what happens with someone’s personal device that they happened to view content on? What happens to devices (e.g. smartphones) that get replaced? If they stored data at some point, how are those devices wiped? Whether it’s a smartphone that is acting up or an iOS device that gets taken back to Apple for repair, how is that data secured?
- How can remote wipe be accomplished on personal devices?
- Questions from the Gartner Report cited earlier:
  - What are the security implications of connecting mobile devices to the corporate network?
  - Should personal devices be allowed to connect via VPN – where they have unfettered access to the entire corporate network?
  - How to securely connect mobile devices to corporate repositories like SharePoint, file servers and other document repositories?
  - How to manage whether a mobile device should be allowed to store corporate data locally?
  - How to ensure that local copies of data on the device are encrypted?
  - Can users be prevented from emailing the documents?
  - Can users be prevented from opening the documents in other applications?
  - Active Directory compatibility?
  - Is there support for multi-factor authentication that doesn’t require entering a passcode every time the device wakes up from sleep?
  - How does “jailbreaking” a mobile device affect security and access?
- Use encrypted access (https) to access confidential documents on your mobile device/tablet.
- Require a passcode or swipe combination on all mobile devices that hold confidential information.
- Modify your BYOD policy to reflect this perspective: “If the employer is saying that you do not have an expectation of privacy with a personal device that you use in conjunction with corporate systems, this lets the employee know the device could be subject to a search or a review.” (Source)
- Use services (MS ActiveSync is one example) to enforce a passcode on a mobile device and wipe its data if needed (e.g. in case of loss or theft).
- Use a portal to access confidential data that doesn’t involve downloading documents to the device.
- Use something like Auto-anchor Mobility, a configuration included in many current network manufacturers’ OSs that allows secure tunneling of wireless devices; it is useful for BYOD and personal devices.
- Protect your passwords with KeePass – Encourage your staff and students using individually assigned devices to take advantage of solutions like KeePass for Android and/or iOS devices (e.g. iPad, iPod Touch, iPhone).
Here’s a list of platforms available:
- KeePassPPC & KeePassSD (for PocketPC & Smart Devices; 1.x & 2.x)
- 7Pass (for Windows Phone 7)
- MiniKeePass (for iPhone/iPad)
- iKeePass (for iPhone/iPad) <—This is the one I use on iPad
- MyKeePass (for iPhone/iPad)
- KyPass (for iPhone/iPad)
- KeePassDroid (for Android; at Google Play) <—This is the one I use on Android
- KeePassMobile (for J2ME / mobile phones)
- KeePassJ2ME (for J2ME / mobile phones)
- KeePassBB (for BlackBerry; compat. with KeePass 1.x)
- KeePassBB2 (for BlackBerry; compat. with KeePass 2.x)
- Export to Keyring (for Palm OS)
- KeePassX (for Linux / Mac OS X; compat. with KeePass 1.x)
To be honest, this list of tips appears quite feeble to me. While a part of it may come from the fact that BYOD makes it tough to secure data, another may be I’m just ignorant. What suggestions do you have?
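As an added illustration of the ActiveSync tip above (example commands added here, not part of the original post or of any product documentation), here is how the Exchange 2010 Management Shell is used to force a passcode and encryption onto syncing devices, quarantine unknown devices, and remote-wipe a device reported lost. The policy name, mailbox alias, e-mail addresses and device ID are placeholders.

```powershell
# Added example (not from the original post): Exchange 2010 Management Shell
# commands that implement the "enforce a passcode, wipe if lost" tip above.
# The policy name, mailbox alias, e-mail addresses and device ID are placeholders.

# 1. Define a mailbox policy: passcode required, short auto-lock window,
#    device and storage-card encryption, self-wipe after repeated bad codes.
#    Devices that cannot honour the policy are refused, not quietly exempted.
New-ActiveSyncMailboxPolicy -Name "BYOD-Confidential" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Apply it to a user whose mailbox holds confidential material
#    (the device re-provisions and must comply on its next sync).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Confidential"

# 3. Quarantine unknown devices by default so an admin decides whether a
#    newly appearing personal device may sync at all (Exchange 2010 SP1+).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admin@example.org"

# 4. When a device is reported lost or stolen: list the user's partnerships,
#    then issue a remote wipe against that specific device identity.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceType, DeviceModel, LastSuccessSync, Identity -AutoSize

Clear-ActiveSyncDevice -Identity "<device Identity from the list above>" `
    -NotificationEmailAddresses "jdoe@example.org"

# 5. Confirm the wipe was acknowledged. DeviceWipeAckTime stays empty until
#    the device next contacts the server, so a stolen device kept offline is
#    not wiped by this alone; the encryption required in step 1 is the fallback.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceType, DeviceWipeRequestTime, DeviceWipeAckTime -AutoSize
```

The policy only governs data the mail client syncs; documents copied into other apps on the device are outside its reach, which is why the portal tip above still matters.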