Solving the BYOD Puzzle by Controlling Data and Devices
A Security Magazine Online Exclusive
|BYOD trends are sweeping the nation; How is your company handling them?|
Eighty-eight percent of IT professionals report that Bring Your Own Device movement (BYOD) is here to stay, whether their companies had a sanctioned policy or not, according to a 2012 survey from MokaFive.
So how do you manage a movement that’s going to infiltrate the organization no matter what? You can start by examining what role BYOD plays in your enterprise, says Larry Whiteside, Jr., CISO and Director of Information Security, Risk & Compliance, and Director of Enterprise Operations at Spectrum Health.
“In the healthcare industry, our physicians and clinical facilities drive the business,” Whiteside tells Security magazine. “We’re always seeking ways for them to be as efficient as possible – finding the best possible ways for doctors to get their jobs done – which drives us toward technology.
“The reality is,” he adds, “Virtual workplaces are more prevalent now – the iPad craze exacerbated the situation. Our physicians want to use their personal devices to access charts, patient records and corporate emails, and we have to devise a strategy that addresses those risks.”
However, allowing BYOD doesn’t mean shelling out enough funds to buy every employee a company-issued cell phone.
LivingSocial, a deal-of-the-day website with more than 70 million members worldwide, has roughly 2,200 employees in the U.S. – 1,000 of which are salespeople that work at home or in mobile offices. For those employees, the policy is straightforward BYOD, says Rinaldi Rampen, Director of Security & Risk at LivingSocial.
“It’s user-friendly but challenging from a security standpoint,” Rampen says. “The huge majority of our employees work with iPhones and iPads, and Apple’s cloud (iCloud) has built-in protections. We keep looking at different enterprise solutions, but we haven’t found anything out there yet that’s worth the money.” Outfitting each device with one of the enterprise BYOD solutions on the market would cost $50-80 per device, he adds.
“BYOD is dictated by executives,” says Rampen. “Your boss will walk into the office with a new iPad Mini and say ‘Tell me how I can use it – Figure out how to make it work,’ and that’s just what we have to do.”
“Security used to be the ‘Office of No,’” says Whiteside. “We would tell people what they can’t do and why not. But now, the CSO and CISO are more aligned with the business goals, and we measure key performance and risk indicators for our enterprise.” This new focus, he says, forces security professionals to address the wants and needs of the company’s key players as more of a priority in order to help them increase their efficiency and job satisfaction.
Solutions for the BYOD Puzzle
According to the MokaFive survey, one-third of respondents reported that their companies have no BYOD policy in place, and 10 percent after that admitted that they did not know if they were operating under a BYOD policy or not. Eleven percent of respondents stated that while their companies do not allow BYOD, they use their personal computing devices anyway. This shows that employees are opening more and more doors to valuable data, and the lack of permission doesn’t seem to be abating the flood of devices into the workplace. So how can CSOs and CISOs stem the tide of information?
Within the Spectrum Health system, employees using their own devices are allowed access to data for presentation only, not downloading, Whiteside says. “Employees can virtually access data through the network, but nothing is downloaded or stored on personal devices.” That way, if a device is lost, the employee reports the missing device and that user’s token and password is killed in the network, ensuring that access to the data is shut down.
For Ward Spangenberg, former director of information security at Pearl.com and newly hired senior vice president of Development and Operations at Attensity, BYOD is evaluated on a case-by-case basis.
“You have to have a business purpose for each device,” he says. “All devices work as a one-off – Does everyone really need email access on their phone?” These questions are necessary, Spangenberg says, in order to close as many entry points for data loss as possible.
But in an enterprise where everyone is working on their own devices, Rampen can’t close all of the entry points, so he has to prioritize which risks are the most dangerous.
“In the end, devices are just conduits to data,” he says. “Maybe, in your organization, email isn’t all that important. Maybe it’s everything. You have to understand where your critical data sets are being kept, and you can work protection out from there.” These data sets will be different for every organization, so no two BYOD policies can be exactly the same.
Rampen works with the CISO Executive Network to discuss the latest trends, what has worked and what doesn’t – “From a client perspective, people are willing to share their experiences, especially on BYOD,” he says. “It’s such a new movement, and a lot of the kinks are still being worked out.”
He notes that it’s important to have a working committee to manage and update BYOD policy. Those committees should include representatives from IT, Legal, HR and Security departments, Rampen adds.
At Pearl.com, Spangenberg recommends – especially when issuing company devices – that BYOD devices are scanned and verified whenever they connect to the network, and that any “jailbroken” or suspicious devices are isolated and addressed.
“You have to have a goal for your BYOD policy,” says Whiteside. “Develop that goal at a corporate level with your business partners and liaisons, then go back to create a policy that reaches that goal. Ensure that you won’t have to uproot and change your system because you lost track of the end game.”
“Information Security is now responsible for managing information security across the whole organization, not just managing technology,” Whiteside adds.
Like Rampen says, the technology is just the conduit to the real asset worth protecting – the data.