Bring Your Own Device To Work: Security Nightmare?
Has your company been forced into a debate whether or not employees can use their own personal devices for business related activities? If not, the day is coming that you will be forced to make decisions on employee devices. A few years back there were discussions regarding whether or not to allow employees to use their personal computers, such as their laptop or home desktop, to work from home. Some companies created secure VPN solutions, remote desktop, or allowed users to use OWA (Outlook Web Access) to perform limited functions from their home computer. Now, with the proliferation of devices that employees carry, the issue of using their own device is even more complex. Apple and Android devices are everywhere and nearly everyone owns one or the other. Of course, many own both types of devices. So, let's discuss the pros and cons of allowing users the ability to use their own device for work activities. Of course, our discussion is slanted towards the concepts of security.
Most employees are in favor of the concept of providing their own device for work, for a few reasons. First, they already own a device and are familiar with it. Most users have become very jaded when it comes to constantly having to change desktops and operating systems. Most users feel that they can be more productive with a device which they constantly use for both work and personal use. Second, most employees are not satisfied with the approach to device lockdown that most organizations take. When a device, typically a Windows desktop or laptop, is delivered to an employee, the device is restricted in many ways. This might include limited access to the Internet, the inability to install applications, and many other restrictive controls. Third, users are constantly saying that they want to have control over the devices they work on. This includes work and personal activities. Users say they want to check email one minute, and play Angry Birds the next.
According to many research organizations, employees are more willing to look at companies that allow them to bring their own device to work. Also, the younger the employee, the more likely they are to accept a job that allows an employee-owned device to be used at work.
There are many views within the organization on this subject, as at each level within the organization there are different concerns.
At the top level, cost is a major concern. With desktops and laptops being refreshed at regular intervals today, not having to refresh them is a huge cost saving. Executives and decision makers at this level love the fact that the organization will not have to pay for the hardware and software required to have the user perform their duties. Of course, there will be some software that the organization must provide, but the OS and potentially the Microsoft Office suite can now be provided by the employee.
At the lower levels, such as helpdesk and support, there is also support for employees bringing their device from home to work. Usually the device can be supported or sold by the company or by a third party service which can support the multiple platforms that employees might be bringing into the organization. The helpdesk will now potentially be responsible for the internal applications, logons, authentications, network resources, and email. The other requirements to support hardware and OS related issues can be offloaded.
In the middle lies IT. IT is typically not all that happy about employees bringing their devices from home. IT is fully aware of the cost savings and the potential offloading of support, but they are also aware of the other issues that might, and most likely will, arise from a foreign device trying to work within the confines of the corporate network. IT is most likely concerned about security above all other concerns. The security concerns that IT has are not only valid, but represent a major threat. First, if employees are bringing their devices from home, which policies will be enforced on the device? Second, if the employee will be checking corporate email on the device, which policies and settings will be protecting access to the device and the email? Third, if the employee is in control of the device, who will dictate the access control policy (this includes logon password, locking, etc.)? Finally, who is to say that an application that the user uses on the device (such as Angry Birds, Words with Friends, Facebook, etc.) is not riddled with a virus or worm?
Controlling Employee Supplied Devices
There will, obviously, need to be some mandated controls over devices that employees use for work related tasks. There have been some documented suggestions, but the list is still growing and morphing to adapt to the newly exposed and less obvious issues that arise. Here is a list of some security controls you can put on these devices:
- Minimum password requirements to meet those of the corporate network.
- Encryption of all data that is stored on the device.
- Minimum lockout policy for idle time.
- Tethering of devices: if a user moves too far away from the device, an alarm will sound.
- Physical security cases for devices.
- Auditing of activity on device for forensics.
- Remote wipe, in case device is lost.
- Firewall configurations to restrict obvious malicious code and applications.
- Virus, malware, spyware, and worm protection software.
Employees being able to bring their own device to work is a very hot topic. Organizations are thinking that the cost savings for this infrastructure are something worth evaluating. Often, the executives and IT in the organization are the guinea pigs for this evaluation. Although these might seem like the ideal groups for the evaluation, the consequences of the devices not being secured might be more than a company wants to accept. Money should not be the only deciding factor; support and security should also be among the factors. For example, if the company is a Windows shop, but employees start to introduce Apple and Droid devices, these devices might not be compatible with the existing applications. Also, these devices might cause other interoperability issues with the network infrastructure such as printers, routers, firewalls, etc. At the forefront of your decision for these devices should be security. If an executive were to lose a device which has key intellectual property for a "deal" which is not to be publicized due to legal reasons, this could cause significant issues for the organization. It happened to Apple within months of the iPad being released, so it can happen to your organization too. In the end, your organization needs to consider the overall benefit and risk of allowing devices like these to be introduced. Considering all policies, procedures, and security controls will go a long way in your final decision.