This document discusses bring your own device (BYOD) policies in the workplace. It begins by introducing BYOD as allowing employees to use personal mobile devices for work. Benefits include increased productivity and employee satisfaction, while costs are reduced. However, less security, management challenges, and lack of device control are cons. The document outlines regulations like HIPAA that apply. Mobile devices face threats like loss, theft, rogue apps, and jailbroken devices. Effective security includes mobile device management, antivirus, VPN, and policies governing device usage and access. Legal issues and privacy must also be considered. In conclusion, while BYOD is becoming standard, organizations must regulate usage through clear policies, training, and security measures.
3. Introduction
Bring your own device (BYOD) is a new trend
of permitting employees to bring
personally owned mobile devices (smartphones,
tablets and laptops) to the workplace and use
those devices to access, store or create
company information.
The rapid rise of mobile devices and their
introduction into the workplace bring new
security and operational issues to companies.
4. Benefits
More productive employees
24/7 access to the company’s email and information
stored in the company’s servers.
Higher morale among employees because they can
use the technology that they want and not what the
company provides.
Low or no cost to the company
Hardware is bought and maintained by the employee
Sometimes, carrier call and internet costs are also
paid by the employees
Advantage of new technology
5. Cons
Less security
Administrative cost
Software acquisition to manage mobile devices
Develop policies and procedures
Management issues
Infrastructure costs
Service (Carriers) cost
Lack of full control over the device
6. BYOD and Regulations
HIPAA
Protect private data
Encrypt emails and data
On the device
On the transmission
Remote management of devices
Controls to access data and
applications
Monitoring
Malware and threats protection
Compliance reporting
PCI/DSS
Explicit approval of authorization to use the
device
Authentication (two factor authentication)
Comprehensive list of devices (make and
model) and OS (iOS, Android, Windows, RIM)
List of personnel with access to these devices
Labeling of devices with owner information
Device encryption
Transmission security (SSL/TLS, IPsec)
Mobile devices and personal/confidential data are heavily regulated in some industries.
Not recommended, or have a lot of aspirins at hand. A violation of any regulation carries
a fine (up to 1.5 million per violation under HIPAA). (Other regulations: GLBA, HITECH, SOX)
7. Hostile Environment-Threats
Lost or stolen devices
The very best advantage of mobile devices is its
worst enemy. Mobile devices are small, compact and
…. Yes, MOBILE. Lost or stolen devices are the
pinnacle of BYOD threats.
Attack surface
Rogue apps can extract contact information and
data from mobile devices.
Even if you only allow authorized apps, a scan of a QR
code can download an app.
8. Hostile Environment-Threats
Attack vector
Attackers can connect mobile devices to open
wireless access points and start scanning your
network.
Backtrack (and now Kali) has ARM versions that
can be installed and used on mobile devices.
Rogue Apps
Apps should be sandboxed. Only allow authorized
applications on devices with company’s data stored.
Rogue apps are entryways of malware infections.
9. Hostile Environment-Threats
Jailbroken/Rooted Devices
People tend to crave power and control.
One of the first things they do with a mobile device is
jailbreak or root it. This opens a new window of
threats. Access by rogue applications (and
users!) to the root account could be
dangerous to the company’s data.
10. Security Enhancement
Management
A plethora of mobile devices exists, with different models and OSes, so
chaos could erupt at any moment.
List all devices allowed access to the company and prepare periodic
reports.
Look for unauthorized devices on your network
Mobile Device Management
Mobile expense control (downloads, roaming and international costs)
Remotely locate, lock and wipe lost devices
Security control checks
Anti-virus
Lock mechanism
Apps
Jailbreak/root
Automatically wipe company data
11. Security Enhancement
OS Update
Look for solutions that cover different OSes.
Notification to users
SMS before wiping, or when exceeding data or service plan limits
Personal data segregation
Photos, email, calendar, call logs, voicemail, texts
Protect entryways to Corporation
Firewall rules checked and double checked!
Secure wireless access points
Single recurrent error
VPN
Quarantine unauthorized devices
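Slides 10 and 11 list the checks an MDM solution runs against each enrolled device (inventory, lock mechanism, anti-virus, apps, jailbreak/root, encryption) and the responses it can take (notify by SMS, quarantine unauthorized devices, automatically wipe company data). The following is an added example, not code from the deck or from any MDM product: a policy evaluation in Python over constructed device records. The minimum OS versions, the approved app identifiers and the action names are assumptions for illustration.

```python
from dataclasses import dataclass

# Policy values below are constructed for this example, not taken from the deck.
MIN_OS_VERSION = {"iOS": (16, 0), "Android": (13, 0)}   # allowed platforms + minimum OS
APPROVED_APPS = {"com.example.mail", "com.example.vpn", "com.example.calendar"}

@dataclass
class Device:
    device_id: str
    owner: str               # personnel with access to this device (inventory item)
    platform: str
    os_version: tuple
    enrolled: bool = True    # present in the MDM device inventory
    passcode_set: bool = True
    storage_encrypted: bool = True
    antivirus_active: bool = True
    jailbroken: bool = False
    reported_lost: bool = False
    installed_apps: frozenset = frozenset()

def check_device(dev: Device) -> tuple[str, list[str]]:
    """Evaluate one device against policy and return (action, findings).

    Actions escalate: allow -> notify (SMS the owner) -> quarantine
    (block network/app access) -> wipe_company_data (selective wipe)."""
    if dev.reported_lost:
        return "wipe_company_data", ["device reported lost or stolen"]
    # Hard failures: the device must not touch company data until fixed.
    hard = []
    if not dev.enrolled:
        hard.append("not in device inventory")
    if dev.platform not in MIN_OS_VERSION:
        hard.append(f"unsupported platform {dev.platform}")
    if dev.jailbroken:
        hard.append("jailbroken/rooted")
    if not dev.storage_encrypted:
        hard.append("storage not encrypted")
    if not dev.passcode_set:
        hard.append("no lock mechanism")
    if hard:
        return "quarantine", hard
    # Soft failures: notify the owner, keep access for now.
    soft = []
    if not dev.antivirus_active:
        soft.append("antivirus not active")
    if dev.os_version < MIN_OS_VERSION[dev.platform]:
        soft.append("OS below minimum version")
    unauthorized = sorted(dev.installed_apps - APPROVED_APPS)
    if unauthorized:
        soft.append("unauthorized apps: " + ", ".join(unauthorized))
    return ("notify", soft) if soft else ("allow", [])
```

A real MDM would feed `check_device` from its device inventory on each check-in and turn the returned action into the SMS, network quarantine or selective wipe described on the slides.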
12. Enrollment
Bulk enrollment or single enrollment
Authentication with Active Directory
Policy
Reason for authorization
Devices allowed on company infrastructure
Data services or personal plan (Stipend)
Security
Applications Authorized
Security Enhancement
13. Cont. Policy
Services Provided
What data the employee can access with the device
Help desk services for personal devices
Agreement between employee and company
Personal data
Education of employees on the risks associated with BYOD
Training on encryption applications and secure communication
Not every “C”-level employee knows about encryption and
safe communications
Security Enhancement
14. Legal Matters
First things first: I'm NOT a lawyer
Legal issues may arise
If the employee is a suspect in an internal
investigation, can I take possession of the mobile
device for analysis?
Is the employee accountable for any access
from the mobile device if he/she loses it?
Privacy?
15. Final Thoughts
BYOD is here to stay
Prepare an analysis of the pros and cons of the
implementation of BYOD in your company
Regulate the use of BYOD
Policies anyone?
Training programs for employees