BYOD: Challenges of Protecting Data - Part Two

Wednesday, August 01, 2012

Rafal Los


Fair warning! This post is a little... lengthy, or as I like to think of it - "complete".

Welcome to part 2 of a 4-part series on Bring Your Own Device (BYOD).  The previous post provided some background on the subject, and gave some setup for the series.

In this second part of the series I will address one of the key points that proponents of BYOD use to make their case - employee productivity.

Productivity appears as one of the focal points of many discussions around BYOD, so in order to understand the implications we must first understand the full scope of the point.

Just last April an article titled "Are BYOD Workers More Productive?" made the case. Its author, Tom Kaneshige, concludes that BYOD workers are indeed more productive: "The silver lining, though, is that BYOD really does lead to net worker productivity gains."

CIOs are a generally smart bunch, and won't just accept this as truth without some proof, as he goes on to elaborate: "But CIOs prefer quantitative metrics over qualitative hearsay, and clear-cut BYOD performance gains are somewhat elusive."  Herein lies the rub, as they say.

You see, there are some subtle things going on here that are only obvious if you've gone through one of these programs, or are in the process of bringing your own device into the office - with or without corporate IT's blessing.

After I wrote the previous post I had some fantastic reactions from folks who are either living this today, or have some other experience in the matter.  One comment in particular caught my attention, from someone claiming to be "slightly anon".  Read that comment and notice how it touches on productivity...  My reader uncovers a negative aspect of BYOD which is a little scary for some folks - the part where your device is compromised.

Productivity is nice to talk about when you can sit at home and read your corporate email on your tablet, or mobile phone - but what if that device is ridden with malware, or hijacked to be part of a botnet... there are very serious security and productivity implications there!  Great point, let's expand on this just a bit.

So Who Supports this 'Broken' BYOD Device Anyway?

Think about it: what happens when your user's laptop isn't quite working to spec today? Odds are the user calls IT support.  As much as we all like to complain about how poor support is in many organizations, it's one of those things we complain about until we have to do without it.  Your employees may think your IT support is the worst in the world, until they have to call the store they bought their mobile phone at, or the manufacturer, or worse, some third party - because their device isn't getting corporate email.

When there is a clear ownership of the device (corporate owned device, corporate problem, right?) the support call is clear - but when the corporate email simply "won't work" on, say, an Android device - who gets the call?  I can just hear the string of "well, that's an issue with your corporate email, call your provider" calls, and finger-pointing endlessly from carrier, to hardware provider, to corporate IT... where does it end?  Who ultimately takes responsibility for the support?

Making a clear distinction is hard, because if it's a personal device you can't expect your IT organization to support every mobile device out there, can you?  It would be insane to think your corporate IT support people would handle Apple, Samsung, HTC, Motorola, LG and countless other devices, each with their own operating system, nuanced applications and, potentially, carrier issues.  Yikes!

Think about this when you talk about increased productivity gains... how fast can your corporate support team offer support for a thing they own end-to-end, versus having to share responsibility and potentially finger-point with other vendors' support organizations?

On the other hand... this could be a very nice thing for your IT support organization.  Not having to run a fully fledged support department that covers cell phone carriers, operating systems, applications, corporate connectivity and everything else lets you focus on the things that really matter to your company.  Your corporate applications matter because you support those - why not outsource the support of everything else to the experts?

I Think I Have a "Virus"

I can hear the support calls in the queue right now.  "I think I have a virus; my BYOD laptop/tablet/handset isn't working right."  Even if improved support really does translate into productivity gains under BYOD (and I'm not willing to take that as a given yet), what happens when security issues start to get in the way?  Productivity is hampered by malicious software (malware) and other unfortunate surprises all the time in corporate IT land.

I know my laptop's been nuked a few times over the years, not because I browse the dark recesses of the Internet, but because I hit sites like BusinessWeek.  If legitimate sites can't keep from being hit and spreading malware... what hope does the average business user have?  Now ask yourself how careful you are with your "work" laptop versus your "home" computer... if you're honest, I bet you're willing to click on, or go to, a lot more risky content from a computer you know corporate isn't monitoring, right?

So as the commenter brought up - there are serious roadblocks to productivity when your personal gadgets are malware-ridden!  Oh, and let's not forget the liability issues now.  Remember how when you went through new employee training they told you that surfing "questionable content" was something that could result in you being written up, or even losing your job?  

What happens when you bring your personal laptop into the office, it's infected with some piece of malware, and that laptop starts to open pop-ups of a... shall we say... questionable taste while co-workers are around?  What does HR have to say about this whole mess?  When your workstation was corporate-managed you could just blame it on corporate IT's inability to keep malware off your system... but now that responsibility is yours, right?

What if your machine attacks another organization from within the corporate perimeter, as part of a BYOD-approved work agreement?  Who's liable for the attack?  Is it you the individual, or the employer that gets the suit filed against them?  I'm not trying to be funny here, this is serious business.  

I suspect most folks who think about BYOD and start thinking about all the money they're going to save on devices rarely think about the liability they're accepting, or pushing off on their users... are we going to get a piece of paper to sign that transfers liability to the user from the corporation?  I wouldn't sign it... would you?

It's not all that gloomy

OK, I admit, for someone who's generally upbeat about bringing your own device into the corporate environment, this post has turned particularly negative.  Looking deeper into the issue is troubling, and I definitely think there are serious challenges.  However, all is not lost.

Where corporate IT had the ability to push those 10 "agents" to all of your corporate-owned laptops before - you know... full-disk encryption, anti-virus, anti-malware, identity-control, personal firewall, personal IPS, policy-enforcement - now you don't have that ability.  Well, maybe...

There are two camps of thinking out there - some organizations make provisions to push items out to their clients, while others simply monitor for the presence of such.  I can tell you that at my old job, we allowed people to plug non-corporate-owned assets into the network with a few conditions.  When you popped your system onto the network you would eventually be presented with the 'captive portal', which told you all the rules and regulations of being on the network.

You could choose to simply have Internet access (which was via a GRE tunnel to the outside of the corporate firewall), or you could install the corporate package to bring your machine up to compliance with standards, if it wasn't already. These standards included things like a complete, managed anti-virus package and personal firewall along with an identity management agent... and the ability to poll your machine to enumerate running applications and determine the general health of your PC.  Once you passed the 'check', you would be allowed onto the network and have access to corporate resources.

How many of us today would be comfortable with this?  Maybe you are OK with it, maybe you're not - but to maintain the security of the network (integrity, really) this was necessary.  Also, there was no self-destruct, so once you jumped onto the network and installed the bits, they were on your machine until you forcibly removed them manually.

Most people wouldn't know how to do that by themselves... Then there's the issue of how easy it was to 'fake' the installation of the corporate package.  Our red team exercise determined that with a few manually entered registry keys and a few 'faked' replies on specific ports via a script, you were off to the races without having to actually install anything.  This begs the question of how much security was really being offered!

The other approach I'm seeing and hearing about is the governance/monitoring approach.  It's quite possible to allow your device to be enumerated by the corporate 'checker', as in the example above, to make sure you've got up-to-date anti-malware and are current on your patches and application tweaks.  If you are not, you can simply be denied access and given recommendations, rather than being force-fed binaries and corporate stuffs.

Even though there are ways to 'trick' your way onto the corporate perimeter, there are even more options for maintaining the integrity of the network.  As one of my colleagues, @JadedSecurity, says - consider everything on the network hostile and work from that premise.  This means that you'll need more IPS, more firewalls, more VPNs and generally more 'stuff' to make sure that your network doesn't flood up with nastiness. You could always harden your applications, tighten access to critical files and systems, and manage identities better... but you would have already gotten that right by now, wouldn't you?

The Final Analysis

So... does BYOD help productivity?  I don't know, maybe.  I guess I started this post out with the intention of extolling the virtues of having a more productive workforce - but now I'm not so sure.  Having a background in information security - I just think maintaining integrity of your corporate space gets that much harder and depends that much more on the fundamentals we're all failing at... Seriously.

Is it possible to maintain the integrity and security of your corporate network if you implement BYOD?  Absolutely.  Is it more difficult to do when you don't directly own and control the device?  Research would point to yes, absolutely.

As always, your mileage may vary depending on the state of your IT affairs right now, before BYOD.  Things could get better, and in some cases this is possible, but unlikely.  The security of your organization could also take a serious turn for the worse... but you know what, it still all comes down to doing your fundamentals right.

  • Secure your applications.
  • Manage your identities.
  • Tighten control over access to critical systems and data.

If you do all those, BYOD can be a good thing.

Cross-posted from Following the White Rabbit
