SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Three ways to achieve data security whilst enabling BYOD

Mon, 19th Nov 2018

Providing the ability for employees to work remotely is a well-established method of attracting and retaining talent. Allowing employees to perform their job duties from mobile devices gives them the freedom of flexibility; specifically, the ability to work from home, at the airport, in a coffee shop, or from anywhere else outside of the office and regular business hours.

As such, an organisation's mobile strategy is more important now than ever before. That said, selecting the right one is often no small task. IT teams must consider their organisations' overall efficiency, productivity, and cybersecurity, as well as the privacy of their users. Perhaps unsurprisingly, the rising popularity of bring your own device (BYOD) has complicated the challenge of balancing these items even more.

Personal devices that are used for work have access to both corporate data and users' personal apps. This increases the likelihood that malware will make its way into corporate systems. Additionally, this myriad of smartphones, tablets, and wearables also represents an easy entry point for cyber threats that leverage unsecured devices as a gateway to target otherwise safeguarded corporate data on the network.

Today, security administrators can choose from a wide variety of mobile and data management solutions. Here are a few factors to take into consideration when mapping a mobile security strategy and determining what will be the best fit for an organisation.

1. The classic: Agent-based mobile device management (MDM)

Mobile device management (MDM) solutions are generally favoured by large enterprises with the aim of enforcing company data security policies across a large number of mobile devices.

Typically, MDM solutions require software to be installed in the form of a mobile agent on all employee devices. This, in turn, enables the devices to be centrally managed by IT administrators, who govern features such as password protection, remote data wiping and the rejection of unsafe WLAN networks via a central interface.

However, a major problem can occur with MDM if the mobile environment is heterogeneous – that is, if the network is to support numerous disparate mobile operating systems and devices. In that case, it's possible that management functions may not be available for all of the devices on the network.

Because these mobile systems are notoriously complex to implement, it's incumbent upon organisations to involve employees at an early stage of onboarding and implementation in order to ensure that the MDM solution adequately supports their workflows while also being able to look ahead and assess whether the administrative requirements for that device will tap IT resources and bandwidth down the road.

In addition, MDM presents several privacy challenges. In general, agent-based MDM solutions work best for large enterprises that employ adequate staff to manage corporate-owned devices.

When considering using these solutions as part of a BYOD strategy, organisations will need to hold discussions with the workforce and explain functions and access rights in detail.

However, as part of its set of features, MDM gives IT administrators significant access to user information, leading to a lack of acceptance among users who value more stringent privacy policies.

An MDM solution that allows the company to reset device settings, identify a device's location, or potentially harvest information on the device as well as the user's usage and internet habits has the strong potential to be regarded as an unacceptable intrusion into users' private lives.

As a result, it's very likely that those same employees will feel justified in refusing or blocking any kind of device security software installed on their phones or tablets.

This series of events could have significant consequences. Not surprisingly, a large number of devices connected to the corporate network without any kind of security software opens the door to a potentially unpopular company-wide personal device ban.

2. From the device to the application: Mobile application management (MAM)

In contrast to MDM, mobile application management (MAM) focuses on securing and protecting company-provided applications. It is primarily used from a BYOD perspective to support day-to-day employee needs – a travelling salesperson who requires access to email or in-house CRM systems, for example.

To ensure that application data is secure and protected, various company applications are made available for mobile use and are then managed centrally by security administrators or IT personnel. However, similarly to agent-based MDM solutions, MAM also requires the installation of external software on employee devices, largely because the agent is the only way business data can be remotely wiped if a device is lost.

Like many mobile security solutions, MAM also has some limitations, particularly around detecting and blocking shadow IT. While MAM strongly governs many corporate applications, it does not cover popular cloud applications like Gmail, Dropbox and Slack. What's more, a usage policy also needs to be put in place to ensure adequate data protection, as the solution does not provide any device management functionality.

3. Homing in on data: Agentless mobile security

Developments in cloud-based security tools have given rise to a new set of mobile security solutions that can protect data without installing an agent on the employee's device. Yet at the same time, these mobile security solutions still provide all MDM functions, including data loss prevention and remote wiping of company data.

They can also offer data encryption that can be extended to all popular cloud apps, including G Suite, Office 365, Slack and Salesforce. That means that all types of critical data will ultimately be secure, regardless of what application an employee is accessing via their personal device.

While all devices accessing corporate data are still required to be centrally managed, security administrators can govern mobile devices without installing intrusive management software or an agent on every individual device, essentially making them "agentless."

As a result, rollouts are conducted more quickly while also alleviating many users' privacy concerns or hesitancy in allowing employers to fully access their personal information.

In general, these kinds of agentless solutions are largely aimed at businesses worried about security issues attributed to cloud application access from personal devices. And with the increasing popularity of cloud services, the number of agentless solutions is firmly set to rise – a trend validated by Gartner analysts who predicted in 2015 that more than half of BYOD users with an MDM agent on their device will be managed by an agentless solution this year.

Identify specific requirements

Organisations need to consider numerous factors when assessing a mobile security strategy – the importance of those factors will vary depending on the type of business.

Before settling on a particular mobile management solution, IT administrators need to compile a comprehensive profile that takes into account the industry sector and company-specific compliance regulations.

From there, they need to ensure that implementation will not be impeded by practical, or even anticipated, privacy challenges raised by users who want to keep their personal data private.

In response to the increasing prevalence of BYOD in the workplace, organisations need to identify the devices and operating systems used by their employees, as well as the applications that they need to access from personal and mobile endpoints. This inventory is a crucial step towards securing BYOD.

Next, the enterprise must decide whether security solutions need to be backed up by legal agreements in order to provide a greater degree of protection in the event of something going wrong. Finally, all stakeholders should be involved in the decision-making process so that the selected mobile security solution suits all relevant parties.

For those looking to learn more, the Australian Federal Government's Australian Cyber Security Centre (ACSC) has resources on securing BYOD.
