
BRING YOUR OWN DEVICE

The future of corporate computing?

Prepared by MTI Technology

w: mti.com t: 01483 520200 f: 01483 520222


Bring Your own Device MTI WHITE PAPER PAGE 2 of 11

INTRODUCTION

This White Paper has been written to discuss the numerous issues that Bring Your Own Device (BYOD) raises. It is aimed at IT Security Officers, Network Managers, and anyone involved in the security and running of an organisation's data and computer network. The paper is vendor agnostic, and has been written to assist in understanding the issues surrounding BYOD as a whole, not just the one area that is getting the most publicity, Mobile Device Management.

The term Bring Your Own Device (BYOD) was coined by marketers to describe the consumerisation of IT. The growth of home computing and new mobile devices, including smartphones and tablets, has led to a business demand for simpler, easier business computing to match home use. BYOD could also stand for Buy Your Own Device, where organisations no longer wish to provision or maintain an individual's IT equipment. Instead they give the individual a cash allowance, along with terms and conditions on what the equipment must be capable of. The individual is then responsible for the equipment meeting those terms, e.g. an approved operating system, browser and anti-virus product. All this means there is now real demand for businesses to open up their closed corporate networks to the workforce's own computing devices.

For many the move to BYOD is a natural progression, as the work/private life balance blurs. The advent of the BlackBerry and email on the phone means work does not stop at 5.30pm for many, and even encroaches on private and holiday time. This has been supplemented by the growth of remote access technology, as working from home and on the road over Wi-Fi and 3G networks (and 4G in the future) becomes the norm. The drift towards a 'casual' style of computing is also highlighted by Microsoft's new Windows 8 adopting the phone/tablet-style interface. Some companies are taking flexible working even further: employees are no longer set a holiday allowance and can take time off when they like, so long as they carry out the work required of them. Cloud computing also brings its own set of challenges that any BYOD strategy must encompass, e.g. security of access, data leakage and browser support (the lowest common denominator).

However, no matter how working practices change, the fundamentals remain the same. Security of the data is critical, and recent legislation and industry regulations now make it mandatory. The industry definition is summed up in three words: Confidentiality, Integrity and Availability. Today's business environment means Compliance, Risk and Policy are the factors driving organisations to implement security, but often at the risk of a 'tick box' security mentality.


RISK

It is important to assess the risks BYOD may bring to an organisation. They can be broken down as follows:

o Network Access – you are opening up the network to non-corporate devices. How do you decide whether someone may access the network, and then what they may access once on it?

o Malware – we are starting to see new malware written to exploit BYOD, and we expect this to be a major issue going forward. Whilst a lot of people are talking about mobile device malware, BYOD also includes people using their own Windows-based systems.

o Data leakage – corporate data is now likely to be stored, and certainly accessed, on a non-corporate device. What if that device is lost? What if someone deliberately steals corporate data on their own device? A lot of data leakage happens accidentally, and it is reasonable to expect this to increase.

o Bandwidth – most people will focus on Wi-Fi for BYOD connectivity to the corporate network, but the Wi-Fi networks will almost certainly need upgrading to cope with the growth in use. Where Wi-Fi is not available, 3G/4G coverage and performance will be a major concern, as even the highly populated Thames Valley has a remarkable number of GSM/3G dead zones. The type of application in use will affect this, but we expect the use of streaming media to grow, as most mobile devices use multimedia extensively.

o Breach of Acceptable Use Policy – is it acceptable for employees to use their own device to access a website contrary to the corporate acceptable use policy? Should a business be able to tell someone what they can and cannot do on their own machine? The AUP was developed to counter threats to a business, be that offensive material being brought into a work environment, time wasting, harassment and so on. With BYOD the boundaries of the work environment are being blurred.

POLICY

All security practice starts with a policy to address the identified risks. This should be a formal, documented policy, but in practice many organisations have an informal policy based upon what the IT team believe is best practice. However, ISO 27001 (the Information Security Management System standard) and PCI DSS both mandate formal written policies. Any tools purchased to protect a network, or the data on it, are there to enforce policy. With BYOD, policy is critical. Everything discussed in this White Paper should be considered for inclusion in a BYOD policy. It is also critical to ensure every member of staff understands and agrees to the organisation's policy before being given access to corporate data. Many organisations will need to retrofit a policy: email going to non-corporate-owned devices has grown slowly but surely, often without proper consideration.


WHAT DEVICE

The key issue with BYOD is that the end user can use any device he/she prefers, so a BYOD policy needs to cover new devices that may not even have been invented yet.

LAPTOP Whilst there is currently a lot of talk about tablets and smart phones, we expect businesses to start providing their end users with an annual allowance to buy their own laptop PC or MacBook.

TABLET Apple's development of the iPad has brought tablet computing into the mainstream. With many companies now developing tablets based on other mobile operating systems, the tablet is pushing back into the corporate world. Microsoft has recently highlighted the importance of this market by developing its new Windows 8 platform around the tablet/phone GUI rather than a traditional desktop. Apple's success has spawned many rival devices from the likes of HP, HTC and Samsung (running Android) and BlackBerry (running its own operating system). At the time of writing Apple controls over two thirds of this market. The general prediction is that Android-based systems will slowly eat into this market share.

SMARTPHONE The smartphone has developed a lot in the last few years. The BlackBerry was the first real corporate mobile device that pushed email beyond the desktop. It was developed with the business user in mind, focused on email to the device, with many important management features in the BlackBerry Enterprise Server (BES). Other smartphones slowly emerged using Symbian, Palm and Windows Mobile, but it was the iPhone that really kick-started the smartphone revolution. Apple's use of mini applications, 'apps' published on its App Store, gave software developers a simple platform to sell their applications, which in turn enhanced the whole user experience. Google's development of Android has accelerated this into the general consumer market, and Google has followed Apple's lead with its own Android Market. The two operating systems are diametrically opposed in their basic concepts. Apple's iOS and App Store remain very tightly controlled, with limited access to the underlying operating system via APIs and every app checked by Apple before publication. In contrast Google gives its operating system away as open source and applies far fewer checks before publishing an application. Whilst this is a noble philosophy, it has meant there is much more room for a cyber-criminal to develop malware for the Android platform. With end users adopting these devices, there is a drive to embrace them for corporate use.

OPERATING SYSTEMS The proliferation of different operating systems brings new challenges. How do you publish corporate applications to Windows (various flavours), iOS, BlackBerry, Android and so on? A web browser front end is one option, but the GUI needs to be optimised to display on the screen of the viewing device. The user-device interface is another issue: how do you translate touchscreen gestures into the keystrokes and mouse actions expected by traditional applications? The user experience is going to be very important to the success of an application. In addition there are security issues with Android as an operating system, because of its open nature. Malware has been republished through official channels, as there are far fewer pre-publication checks on software than on iOS. Research at the time of writing suggested that 8% of Android apps contained malware. Your policy may state which operating systems may be used, or may take an operating system neutral stance.


BROWSER INCOMPATIBILITIES BYOD could introduce a lot of browser issues. Access to on-premises applications will need careful consideration: older versions of Microsoft on-premises applications such as Dynamics CRM and SharePoint were built around Internet Explorer and do not work properly in other browsers. Safari on iOS does not support Adobe Flash, which is used on web development platforms to provide a 'rich experience'. Emerging Cloud services, in contrast, are in the main being designed to be browser agnostic.

MOBILE DEVICE MANAGEMENT INCOMPATIBILITIES There are a number of Mobile Device Management (MDM) tools coming to market. However, the broad range of capabilities provided by these tools may not be available on every device. For example, the Apple iOS platform is locked down and only exposes the management functions Apple chooses to, which means some of the MDM features advertised are not available on iOS devices.

CONNECTIVITY There are three principal means of connection:

o Wired
o Wi-Fi within the corporate offices
o Internet
   o 3G/4G
   o Home
   o Road Warrior

Wired: this is probably the easiest to address from a security standpoint. The user has entered a corporate office and plugs into the network. Physical security should provide the first layer of defence: you should know who is in the office. There are some areas where this isn't covered well, such as after-hours access by contractors such as cleaners and security guards, and buildings which are unoccupied, such as a remote storage depot or sub-station. Network Access Control (NAC) provides the second layer of defence. NAC should identify the user on the device (e.g. using IEEE 802.1X authentication), and in addition it may assess the posture or health of the device (patch level, anti-malware status, jailbreak status, typically via an agent or an MDM lookup), with the result enforced through the 802.1X session, for example by placing a failing device in a quarantine VLAN, before allowing internal network access. The other challenge is that historically people have relied heavily upon physical security and taken the view that if you are plugged into the network, then we trust you. This has resulted in the current security issues, where a company focuses on building a wall around its network whilst not improving its internal security stance. The net result is a hard shell with a soft interior: once you are inside the network the security is poor, or often trivial to circumvent.

Wi-Fi within the corporate offices: whilst this has a level of physical security, wireless by its very nature has no boundaries. It is important for anyone running a wireless network to know how far the wireless signal leaks beyond the building. It is also important to know whether the wireless overlaps with any neighbour's, as this in itself may cause major performance issues. Wi-Fi security has improved massively since its introduction to the corporate market; however, there are still many networks not running at the level of security that is available, and many Wi-Fi networks need to be reviewed and enhanced with both security and performance in mind. In recent years new wireless attacks have focused on areas like 'Man in the Middle' and fooling a user into connecting to a rogue access point that advertises the corporate network name, so that the user's device supplies legitimate logon credentials to the attacker. Wi-Fi networks should all be deployed with 802.1X NAC (WPA2-Enterprise) in a similar manner to wired networks, and, because 802.1X only defeats the rogue access point if the client checks who it is talking to, devices should be configured to validate the authentication server's certificate and name rather than accept any certificate presented. All Wi-Fi networks should also consider Wireless Intrusion Prevention Systems (WIPS) to enhance security; these monitor the airspace, provide IPS and alert on rogue access points.
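The rogue access point attack described above succeeds when the supplicant on the device accepts whatever server certificate the access point presents. The following Python script is an added example, not part of the original MTI paper: it parses a wpa_supplicant-style profile list (the sample profiles are constructed, with made-up SSIDs, identities and certificate paths) and reports WPA-EAP networks that pin no CA certificate or check no server name, alongside open networks. This is the check to run against the Wi-Fi profiles on a BYOD laptop before it is allowed onto the corporate SSID.

```python
"""Audit wpa_supplicant-style network blocks for settings that let a rogue
access point harvest credentials: WPA-EAP networks with no CA certificate
pinned or no server-name check, plus open networks.

Added example; the sample configuration below is constructed for
illustration and is not from any real deployment."""
import re
from typing import Dict, List

# Constructed sample: three profiles a BYOD laptop might carry.
SAMPLE_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.internal"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CoffeeShop"
    key_mgmt=NONE
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.M)


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Return one dict of key/value settings per network={...} block."""
    networks = []
    for body in BLOCK_RE.findall(text):
        settings = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        networks.append(settings)
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one profile; an empty list means no issue found."""
    findings = []
    # wpa_supplicant's own default is "WPA-PSK WPA-EAP"; treat a missing
    # key_mgmt as PSK here (assumption) so only explicit EAP profiles are checked.
    key_mgmt = net.get("key_mgmt", "WPA-PSK")
    if key_mgmt == "NONE":
        findings.append("open network: traffic is exposed to anyone in range")
    if "WPA-EAP" in key_mgmt:
        # Without a pinned CA the supplicant accepts any server certificate, so
        # an attacker's AP with the same SSID can complete the EAP exchange and
        # capture the MSCHAPv2 challenge/response for offline cracking.
        if not net.get("ca_cert"):
            findings.append("EAP without ca_cert: server certificate is not validated")
        # A CA alone is not enough if it is a public CA; the server name must
        # also be checked, otherwise any certificate from that CA passes.
        if not (net.get("domain_suffix_match") or net.get("subject_match")
                or net.get("altsubject_match")):
            findings.append("EAP without server name match: any certificate from the CA is accepted")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each SSID to its findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{ssid}: {'; '.join(findings) or 'OK'}")
```

Run against the sample, the first corporate profile is reported twice (no CA, no name check), the hardened copy is clean, and the coffee-shop profile is flagged as open. The same two EAP checks apply, under different setting names, to Windows and mobile supplicants.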


Internet based access: connections are treated as VPN access, and there is a mature security model for VPN access. However, there are some issues that still need considering:

o Connection type – SSL/IPsec/SSH
o Authentication
o Security of the endpoint device, particularly malware infections

All internet connections need the same level of consideration. In addition, all Internet connections may be susceptible to Man in the Middle attacks, and to the more recent development of the 'Man in the Browser' attack, where malware on the endpoint modifies web sessions from inside the browser itself, so that neither the VPN nor SSL protects against it.

AUTHENTICATION Any access to services will need to include authentication: once you have confirmed who the user is you want them to have access to all the relevant data they need to do their job. You will need to consider how this works with individual devices and applications, e.g. how easy is a hardware two-factor token to use with a smartphone? Would soft tokens, one-time codes or SMS be acceptable?


APPLICATIONS

Deciding what applications a user may use is a complex issue. The organisation may not own the device, so it cannot really say what applications may be loaded. However, there may well be licensing issues: if software is being used for corporate work the company needs to ensure it is licensed and that no licence terms are breached (shareware is often licensed for personal use only and precludes use in a corporate environment). One approach to presenting applications is to deploy a virtual desktop using Citrix, Microsoft Remote Desktop Services (Terminal Services) or VMware View. Will all BYOD devices be supported, or be able to format the data presented on their limited screen size? Organisations may also have their own applications they wish to republish in a new format to support the new devices being introduced. This is likely to cause major issues, as applications need rewriting to support the different screen sizes and input methods. A compromise now being promoted is a list of corporate-approved applications, enforced through Mobile Device Management tools, which allows the policy to change based upon a change of profile when the user is no longer at work. We are also seeing the development of corporate App stores, to promote and distribute apps for various devices. A corporate policy for BYOD must address this issue and make the employee responsible for all software on their device.

EMAIL Whilst email is just another application, publishing email to smartphones and tablets has its own set of issues. Do you want to allow email to be stored on the BYOD device by allowing Exchange ActiveSync (EAS)? Or will the device just have webmail access? If the device is receiving mail via EAS, do you want to control the message content received, or restrict attachments with some form of data leakage policy? Note that EAS can itself require a device PIN and on-device encryption and can issue a remote wipe, so where EAS is allowed those policies should be enabled explicitly rather than assumed.


NETWORKING ISSUES

The advent of BYOD will introduce new complications into the network. Firstly, capacity. With the extra devices there will almost certainly be an increase in network traffic. The new devices support a lot of multimedia, and users expect the level of service experienced at home once inside the corporate environment. With home broadband improving almost daily, streaming media is becoming the norm. Whilst this works fine at home for a single user, a network of many users may well suffer from the increased demand. We are definitely seeing more people having issues with their corporate Internet bandwidth, and major events like the Olympics are also increasing this pressure. In addition to the bandwidth issues, the number of connected devices is creating other problems: we are seeing users with three or four devices, each needing an IP address. IP address management may come under strain, as IP address schemes planned many years ago were designed without consideration of growth of this magnitude. Some software is also licensed based upon the number of users but metered by the number of IP addresses passing through a gateway; with a PC, smartphone and iPad per user that count may have risen threefold, and licences are now being breached. This may need addressing with individual vendors and licence schemes, and it may be a shock to the business to discover that its software licence costs have increased two or threefold.

MALWARE

Malware is a major security issue, as it is now the main attack vector against an organisation's data. Malware can easily be crafted to target specific organisations and can be distributed in many ways, the most common of which now is an email encouraging someone to visit an infected or malicious website. Whilst the majority of attacks are aimed at software running on Windows PCs, attackers recognise the growth in BYOD and that BYOD devices may well be less well protected, either through a lack of patching, as they are not on the corporate patching scheme, or through a lack of anti-virus/anti-malware software. The Android operating system is a current target, as it has been developed as an open operating system with few checks on the applications published for it. New operating systems like Windows 8 may well create further issues. From our experience of penetration testing, patching of systems is a critical first line of defence against malware. This means we have to consider both BYOD devices the organisation has some control over, and those it does not:

o If you do not own the device, how can you patch it?
o Do you allow 'jailbroken' devices access?
o How do you scan iOS, Android and Windows devices for unwanted apps and malware?
o If you are not checking BYOD (Windows) machines for patch levels on both the operating system and key common software applications, such as Adobe products, you are increasing the risk of attack.
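The questions above, and the posture check described under Wired connectivity, only become enforceable once they are written down as concrete tests. The Python below is an added example, not from the paper or any NAC or MDM product: it evaluates a device inventory record (approved platform, jailbreak state, MDM enrolment, minimum OS and application versions, anti-malware on desktop platforms) and returns an access tier with the reasons for it. The minimum versions, the tier names (corporate / restricted / quarantine) and the sample device records are constructed assumptions, not policy taken from the paper.

```python
"""Turn the BYOD posture questions into an enforceable, auditable check:
approved platform, jailbreak/root state, MDM enrolment, minimum OS and
application versions, and anti-malware presence on desktop platforms.

Added example; the thresholds, tier names and device records are
constructed assumptions, not taken from the paper or any vendor product."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical policy: minimum versions per platform and for common apps that
# malware targets. Real values would come from the organisation's patch policy.
MIN_OS_VERSION = {"windows": "6.1.7601", "macos": "10.7.4", "ios": "5.1.1", "android": "4.0.4"}
MIN_APP_VERSION = {"adobe reader": "10.1.3", "java": "1.7.0_05", "flash": "11.3.300"}
DESKTOP_PLATFORMS = {"windows", "macos"}


@dataclass
class Device:
    owner: str
    platform: str
    os_version: str
    jailbroken: bool = False
    mdm_enrolled: bool = False
    antimalware: bool = False
    apps: Dict[str, str] = field(default_factory=dict)  # app name -> version


def version_key(v: str) -> Tuple[int, ...]:
    """Compare versions numerically, not lexically, so 10.1.10 > 10.1.3.
    Separators like '_' are treated as '.'; non-numeric text is dropped."""
    parts = []
    for chunk in v.replace("_", ".").split("."):
        digits = "".join(ch for ch in chunk if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(current: str, minimum: str) -> bool:
    return version_key(current) < version_key(minimum)


def assess(dev: Device) -> Tuple[str, List[str]]:
    """Return (tier, reasons). Unknown platforms fail closed into quarantine."""
    reasons: List[str] = []
    platform = dev.platform.lower()
    if platform not in MIN_OS_VERSION:
        return "quarantine", [f"platform '{dev.platform}' is not on the approved list"]
    if dev.jailbroken:
        # Jailbreak/root removes the sandbox and signing checks that MDM and
        # the OS rely on, so the device cannot be trusted to enforce any policy.
        return "quarantine", ["device is jailbroken/rooted"]
    if is_outdated(dev.os_version, MIN_OS_VERSION[platform]):
        reasons.append(f"OS {dev.os_version} below minimum {MIN_OS_VERSION[platform]}")
    for app, ver in dev.apps.items():
        minimum = MIN_APP_VERSION.get(app.lower())
        if minimum and is_outdated(ver, minimum):
            reasons.append(f"{app} {ver} below minimum {minimum}")
    if platform in DESKTOP_PLATFORMS and not dev.antimalware:
        reasons.append("no anti-malware agent reported")
    if not dev.mdm_enrolled:
        reasons.append("not enrolled in MDM; corporate data cannot be wiped remotely")
    # Any remaining finding drops the device to restricted access (e.g. webmail
    # only, no file shares); a clean record gets the corporate tier.
    return ("corporate" if not reasons else "restricted"), reasons


# Constructed sample inventory, as a NAC agent or MDM export might provide it.
SAMPLE_DEVICES = [
    Device("alice", "Windows", "6.1.7601", mdm_enrolled=True, antimalware=True,
           apps={"Adobe Reader": "10.1.4", "Java": "1.7.0_05"}),
    Device("bob", "Windows", "6.1.7600", mdm_enrolled=True, antimalware=False,
           apps={"Adobe Reader": "9.5.1"}),
    Device("carol", "iOS", "5.1.1", jailbroken=True, mdm_enrolled=True),
    Device("dave", "Symbian", "9.4"),
]


def assess_all(devices: List[Device]) -> Dict[str, Tuple[str, List[str]]]:
    return {d.owner: assess(d) for d in devices}


if __name__ == "__main__":
    for owner, (tier, reasons) in assess_all(SAMPLE_DEVICES).items():
        print(f"{owner:6} -> {tier:11} {'; '.join(reasons) or 'all checks passed'}")
```

The two design choices worth keeping whatever tool actually enforces the result are that unknown platforms and jailbroken devices fail closed, and that every denial carries a reason, so the help desk can tell the user what to fix rather than simply refusing the connection.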

It is worth noting that at the time of writing, 80% of malware targeted software application flaws rather than the operating system. Malware is also written to exploit 'zero day' flaws, where no patch exists because the software vendor is not yet aware of the flaw. These exploits will always be harder to defend against, but tools are available to provide defences at both the gateway and network level.


DATA STORAGE

ON DEVICE One of the major issues with BYOD is how the data is handled and ultimately where it is stored. Organisations must know how data is moving around and where it is being kept. Whilst a significant proportion of an organisation's data is ultimately of very little value, the data that is confidential and of high value needs protecting. Each organisation should know what data is critical, and this will vary from sector to sector; the requirements of a health organisation are very different from those of a corner shop. If critical data is stored on any BYOD device it is likely to leave the control of the organisation. This may influence how end users are allowed to access critical data: a thin client can be configured to ensure data stays in the data centre, but some business processes may need data to be collected on the device and uploaded later, and thin clients may not always present data to BYOD devices very well. Email is often stored locally, so what is the implication of a device being lost with email on it, and with continuing access to email?

ON NETWORK Because of the risk of devices being lost or stolen, organisations may choose to back up the BYOD device for the end user. This has the merit of ensuring there is a proper backup, something individuals often overlook. However, there may be issues with backing up personal data. If the end user has unlicensed software, music or films, the organisation is now storing infringing material. Smartphones hold personal photographs, and it may be inappropriate to store these. When someone leaves an organisation it will be very important to remove any personal data stored on the network, and it may become a legal requirement in the future to prove that all personal data has been removed.

IN THE CLOUD Many mobile devices have cloud backup services provided for them by the vendor, Apple's iCloud service for example. This may mean corporate data is inadvertently being copied to a third party and control of that data is lost: in which country or continent is the data stored or archived within the Cloud service infrastructure? Is the data adequately encrypted in the Cloud, and who holds the keys? In addition, the third party may by default replicate the data to a home PC or other device, where there is no control over who has access to it. Whilst these services work well for an individual, they are inappropriate for corporate data.


CONTENT

The data content being accessed is important. A user may be using their device to access personally identifiable data in contravention of the Data Protection Act. A data controller is responsible for the data and is legally obliged to secure it; if the data is leaking out of the network there will be issues. Other areas to consider include credit card data. The requirements of the PCI Data Security Standard are clear: cardholder data must be protected wherever it is stored and encrypted whenever it crosses an open network, and any BYOD device that stores or accesses it is brought into PCI DSS scope. The standard may be breached inadvertently by issues like data sitting unencrypted in a browser or email cache and walking out of a secure network. Conversely, the issue of what content is being brought into a corporate network needs to be addressed. Unlicensed or illegal copies of software, music and films should be covered in the BYOD policy. Web content should also be considered under this heading. Most organisations will have an acceptable use policy to state clearly what is considered acceptable and what isn't. This will vary from organisation to organisation and will be influenced by corporate culture. What is reasonable access for an employee using their own device, and will this differ based upon when and where they are? Is it reasonable for an organisation to enforce a restrictive policy on someone's own device outside the office or outside work hours? All of these issues need to be considered.

MOBILE DEVICE MANAGEMENT

Mobile Device Management (MDM) is the new term for tools that help an organisation deploy, provision and manage its own devices and those of its staff and other third parties. The tools are developing very quickly to enable organisations to enforce many of the policies covering the areas discussed. Some tools are proprietary, built to manage a single platform, and do their job well: the BlackBerry Enterprise Server (BES) did a very good job of managing corporate BlackBerries. However, the uptake of new smartphones means more devices will need more management. Specialist vendors like Good Technology and MobileIron helped create a market. Microsoft has added significant functionality to Exchange ActiveSync (EAS); however, this is not comprehensive enough, as BYOD goes well beyond a smartphone. We are seeing many new entrants into this market. All major endpoint software vendors are producing a solution that provides an element of MDM. We believe this functionality will be offered in anti-virus software and data leakage tools; the dedicated tools will continue to develop to maintain their relevance, or will wither away. Key issues to consider include:

o Type of devices managed (which is often related to the maturity of the product)
o The ability to remotely provision the tool to the endpoints
o The ability to control the applications in use
o Knowing what data is stored on which device
o The ability to enforce different policies at different times, so that a corporate policy is enforced during the working day and not outside of hours for private devices
o The ability to remotely lock devices that have been mislaid or lost
o The ability to delete confidential corporate data without impacting an individual's own data
o The ability to track network usage
o The ability to track devices, subject to recognising that this could result in a breach of human rights if used inappropriately


CONCLUSION

Whilst many marketing departments will insist their Mobile Device Management tool is the silver bullet to cure all your BYOD issues, it is clear there are many issues to consider. The MDM tools certainly provide a provisioning and security layer, but security needs to be multi-layered and cover many issues, not just managing the MD's iPhone or the iPad he/she got at Christmas. End users are driving the adoption of BYOD by asking to use their own tools to improve their productivity, and they are also demanding an improved user experience. Many people have more powerful computers in their bedroom than on their desk at work. In addition, as home broadband improves, so does the pressure on organisations to improve their own corporate connectivity. What BYOD has helped reinforce is the need to secure the data. The corporate boundary is being extended beyond the corporate firewall, and the need to consider data security from end to end is now critical. Applications and networks should consider security at the design phase, not as a last-minute bolt-on. BYOD has also highlighted the potential savings a business could make by paying an employee an allowance and letting them sort out their own computing platform of choice. In the same way as we have seen the company car become extinct, the company-owned PC could be the next dinosaur.

Head Office Riverview House Weyside Park Catteshall Lane Godalming GU7 1XE

Worthing Office Columbia House Columbia Drive Worthing, West Sussex BN13 3HD

About MTI

MTI is a leading provider of data centre storage, virtualisation and security solutions, servicing both public and private cloud environments. With offices in the UK, Germany and France it services over 3000 customers across the world. MTI work with their customers to focus on their data – ensuring it is secure and always available whether in a public or private cloud.

MTI engage with clients at every level addressing the many issues faced with securing data, delivering a full consultancy service, ranging from Data Protection Act issues through to ISO 27001 Compliance, and are qualified to conduct CHECK and CREST level penetration and application testing services. MTI can also help clients achieve PCI DSS compliance through our team of PCI Qualified Security Assessors (QSA).

Tel: 0845 888 6060 Fax: 0845 888 6061 Web: www.mti.com