Back in 2012, I wrote a post Bring Your Own Device (BYOD): Is BYOD Bad for Your Company? based on the commonly available technology at the time. Now that nearly 6 years have passed, I’d say it is time for an update.
BYOD (Bring Your Own Device) is the allowance of employee-owned equipment onto company systems. Typically, this involves employees using consumer computing devices (such as iPads or Surface tablets) to get work done, either in the office, at home, or on the road. Many of these devices are not designed to “get work done,” but instead to consume content (e.g., checking email, reading news, social media, etc.). These devices are not managed and may lack even the most basic security features enabled. Here is the problem: If your BYOD strategy is not planned correctly, this can spell disaster for any corporate network. How is your company protecting its data on devices out of its control? What happens when an employee leaves the company or a device is accidentally left behind at a coffee shop?
Historically, only company-owned computing devices would ever be allowed to touch a company network or system. In today’s cloud-first world, this is rapidly changing, and BYOD doesn’t seem to be going away.
So, the big question… How can we protect our companies from these unmanaged devices?? There is no simple answer, and there is no single answer that is right for every organization. However, through ample planning and testing, it is possible to reasonably secure your network and company data. Here are a few key points to consider when planning your BYOD strategy. Please consider this a starting point to your strategy and not a complete checklist of everything you need. Always consult with your IT security professionals before implementing a change as drastic as BYOD.
Policies, policies, policies!!
In today’s business world (yes, even the small business world), we are driven by policies. All businesses should have policies to define how complex our passwords should be, and policies to identify how we should connect, protect, and share data. These policies help define what it means to be a responsible computer user in your organization. Some companies accomplish this through a set of full Information Security policies, while others fulfill their policy needs with a simpler WISP (Written Information Security Program). Either way, policies define how IT operates securely for an organization. It is also not a bad idea to have an outside company perform a security assessment to identify any regulatory requirements your organization should consider.
Protect each device as much as possible
Since devices in the BYOD model are not owned by the company, you have limited ability to truly protect the device,
MDM to protect company data on BYOD devices
Through the use of Mobile Device Management (MDM), you can ensure mobile phones and tablets have certain policies enforced, such as requiring a password/PIN and device/storage encryption. Additionally, many MDM solutions allow for sandboxing of corporate applications. Sandboxing allows an administrator to remotely wipe company apps and data without affecting personal data and apps on the phone. So, a user won’t lose their family photos, but all company email and documents are eradicated. Sandboxing can also protect corporate data in the event that the mobile device has been infected with malware. There are many levels of MDM, from Office 365’s basic remote wipe to full MDM solutions that can also protect remote laptops.
MFA to protect systems from unauthorized users
Multi-factor authentication (MFA) is a method of requiring an additional piece of information (e.g., a smart card, a text-message code, or a key fob PIN) beyond a username and password. This greatly protects your systems from unauthorized access via brute-force/dictionary attacks. MFA should be enabled for all remote systems such as email, terminal servers, SAP, and other applications. Ideally, MFA should be required for any user to log in to any company system.
Wireless network protection
If foreign devices are allowed onto your wireless network, it is critically important to determine how they should be allowed. Typically, BYOD devices are only allowed on a guest wireless network, which provides Internet access only. Users connect to other systems (such as email and the terminal server) as if the device were at home connecting over the Internet. RADIUS authentication should be configured to allow only authorized domain-joined computers to access the corporate wireless network. All other devices will have Internet-only access from the guest wireless network. As a side note, it is also common to build multiple wireless networks with varying levels of access, but this goes a bit beyond the scope of this topic.
Wired network protection
With your current configuration, any computer plugging into your wired network will obtain an IP address and can see other systems (including your servers) on the network. Implementing MAC filtering on your network will allow the DHCP server to only provide IP addresses to authorized devices. All other devices won’t get an IP address. There are other methods of protecting your wired network from unexpected devices, but this is probably the simplest. Basically, you don’t want unexpected devices gaining access to your network simply by plugging into a live network jack in your conference room.
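A DHCP-based MAC filter only sees devices that ask for a lease, so a machine configured with a static IP never shows up in the DHCP log. The following audit script is an added example (not from the original post) that compares the DHCP server’s log against an authorized-device inventory and also checks the gateway’s neighbor table, so devices that bypassed DHCP are reported too. The inventory, log lines, and ARP table are all constructed sample data; the log format mimics ISC dhcpd syslog output.

```python
import re

# Constructed inventory of company-owned devices; the MACs are made up.
AUTHORIZED_MACS = {
    "00:11:22:33:44:55": "WS-FINANCE-01",
    "00:11:22:33:44:66": "WS-HR-02",
}

# Constructed dhcpd syslog lines: two leases granted, one unknown client refused.
DHCP_LOG = """\
Mar  3 09:12:01 dhcp dhcpd: DHCPACK on 10.0.10.21 to 00:11:22:33:44:55 (WS-FINANCE-01) via eth0
Mar  3 09:13:45 dhcp dhcpd: DHCPDISCOVER from 9c:8e:cd:aa:bb:cc via eth0: network 10.0.10.0/24: no free leases
Mar  3 09:14:10 dhcp dhcpd: DHCPACK on 10.0.10.22 to 00:11:22:33:44:66 (WS-HR-02) via eth0
"""

# Constructed `ip neigh` output from the gateway: the last host never took a lease.
ARP_TABLE = """\
10.0.10.21 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.10.22 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.0.10.199 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
ACK_RE = re.compile(r"DHCPACK on (\S+) to " + MAC, re.I)
DISCOVER_RE = re.compile(r"DHCPDISCOVER from " + MAC, re.I)
ARP_RE = re.compile(r"^(\S+) dev \S+ lladdr " + MAC, re.I | re.M)

def parse_dhcp(log):
    """Return ({mac: ip} for granted leases, {mac} for clients that asked but got nothing)."""
    leased = {m.group(2).lower(): m.group(1) for m in ACK_RE.finditer(log)}
    asked = {m.group(1).lower() for m in DISCOVER_RE.finditer(log)}
    return leased, asked - set(leased)

def audit(authorized, dhcp_log, arp_table):
    """Classify every device seen on the wire against the authorized inventory."""
    leased, refused = parse_dhcp(dhcp_log)
    on_wire = {m.group(2).lower(): m.group(1) for m in ARP_RE.finditer(arp_table)}
    return {
        # MAC filtering did its job: an unknown client asked for a lease and was refused.
        "refused_unknown": sorted(refused - set(authorized)),
        # Filter gap: an unlisted MAC was still handed a lease.
        "leased_unauthorized": sorted(set(leased) - set(authorized)),
        # DHCP filtering never sees these: an unlisted MAC talking from a static IP.
        "static_unauthorized": {ip: mac for mac, ip in on_wire.items()
                                if mac not in authorized and mac not in leased},
    }

if __name__ == "__main__":
    print(audit(AUTHORIZED_MACS, DHCP_LOG, ARP_TABLE))
```

On real infrastructure, feed it your DHCP server’s syslog and the neighbor table from the core switch or gateway; anything in `static_unauthorized` is exactly the kind of device that plugged into a live jack and slipped past the DHCP filter.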
Restricted VPN access for BYOD
If BYOD devices need to connect using a VPN (Virtual Private Network), they should do so using a different profile than company-owned computers. Since they are not protected and controlled by the company, they should not have the wide level of access that would normally be granted to a company-owned computer. For example, it might make sense to only allow BYOD devices access to the terminal server and nothing else. Limiting what these devices can reach also helps contain malware spreading from an infected BYOD device.
Remotely access data in the most secure way possible
In the old days, each device would remotely connect to a company network using a VPN tunnel. VPNs are great… for devices you trust and manage. In the case of BYOD, this may not be the best option. Don’t get me wrong, VPN (especially SSL VPN) makes sense in many cases and should be locked down as mentioned above. Just consider alternatives. Keeping company data in SharePoint, OneDrive for Business, or other company-controlled cloud platforms can provide a happy balance between security and accessibility. Users have the ability to access company data securely on the device they desire, and companies can control and secure data.
Domain join and give up control
In many organizations, employees can use personally-owned devices to connect directly to company systems with one pretty big caveat. They must give up control of their system by domain joining it and allowing the company to fully manage it. By doing this, employees no longer have admin rights to the device they own. Only company-approved software can be installed, and it must be installed by an administrator. When an employee leaves the company, the computer needs to be completely wiped or factory reset, removing all company data and software in the process.
If executed in a secure and appropriate manner, a carefully planned BYOD strategy can be an immense value to the employees and to the company. No matter which solutions you choose to employ, there is no substitute for good planning. Figure out how your organization should be allowing access in every situation necessary, identify any regulatory and industry requirements, and seek input from your IT and security staff. Then, you’re far less likely to be scrambling to resolve an unforeseen issue.