BYOD doesn’t need to mean ‘bring your own disaster’

Bring your own device (BYOD) programs can potentially save organizations big money on equipment—and they might have other benefits, like increased productivity.

But those gains come with trade-offs: decreased control over an organization’s attack surface, managing a workplace with non-standardized IT inventory, and concerns over workers’ privacy. Experts who spoke with IT Brew laid out some of the best practices organizations can adopt to minimize the chances of a BYOD disaster.

Don’t just flip the switch. BYOD programs require careful planning. Erick Galinkin, principal researcher at security firm Rapid7, told IT Brew the “number one” prerequisite for implementing a BYOD policy is a strong data classification regime.

“You are always going to have very sensitive corporate data, and then you are going to have less sensitive corporate data,” Galinkin said. With the former, he added, “There are real tangible impacts of that information getting out…We would never want somebody’s device where we couldn’t guarantee the security of that device to touch that data.”

Having that data classification policy in place allows administrators to identify which data shouldn’t be touched by which devices, Galinkin told IT Brew: “Environments where people can access corporate data from their cell phones can go awry very quickly.”

Jeff Schwartz, VP of engineering for the Americas at Check Point, told IT Brew that “application access absolutely needs to be restricted to least privilege.”

“Whether the application is hosted in a SaaS based platform or in a traditional data center…make sure that the application and the access to the application is tightly restricted, and there’s enforceable controls that could provide preventative capabilities to limit that if there’s changes in…what’s accessing it or changes in the application,” Schwartz said.

“The second piece, of course, is the users and assets themselves,” Schwartz added.

For example, Schwartz told IT Brew, any successful BYOD program requires a modernized identity provider in place.

Balance the org’s privacy with your users’. Jim Taylor, chief product officer at identity governance firm RSA, told IT Brew that administrators can exercise control without invading personal data by using threat detection apps like RSA’s Mobile Lock. Rather than monitor the user, those apps only intervene after detecting a security threat, by restricting them from authentication.

“It’s all configurable by policy,” Taylor said. “Organizations are able to pick 50, 60, 70 different threat vectors or criteria on the device, and decide which ones are important to them.”

“It’s very unobtrusive on the device itself,” he added. “We don’t impact your device, we just impact your device’s access to our corporate data.”

Schwartz said that companies should consider restricting access to the most sensitive data, like source code, only to devices where they can exercise the highest degree of control. A mobile device management (MDM) policy requiring installation of security software on personal devices becomes a must at any “reasonable amount of scale,” he added.

“If I want to be able to access corporate resources, I need to adhere to the corporate profile,” Schwartz said.

Anticipate common problems. BYOD policies can cause problems down the line. For example, administrators should be aware that one of the inherent drawbacks of BYOD is the “wild inconsistency of the actual asset class,” Schwartz told IT Brew.

“Whether it’s a tablet, a personal laptop, or mobile device, the expectation of end user communities is that the application accessibility and usability is consistent, irrespective of the actual asset,” Schwartz said. In practice, he added, that can mean organizations with BYOD policies may only perform limited validation or security assessments of employee-owned devices when they connect to third-party systems that might nonetheless host company data, like SaaS providers.

Galinkin also advised to plan around how adversarial users can become if they feel employers are impeding functionality or overstepping boundaries on their personal devices. For example, he said, organizations can offer BYOD incentives like free antivirus software or password managers, or implement web filtering at the internet gateway rather than endpoint level.

“As soon as you start restricting their ability to use their device in ways that they expect, they will happily shut off mitigating controls,” he told IT Brew. “It can be very hard to validate that control on a device that you don’t have some endpoint agent on, at which point it’s not really BYOD.”