Bring Your Own Device Security Strategies – Part 4
Additional costs, implications, and best practices of BYOD
The implementation of BYOD introduces new variables in the organisational, legal, and cost domains of the enterprise.
Allowing employees to use their own devices increases the variety of hardware and software combinations in use, which in turn increases support costs:
- More types of devices
- More operating systems that need to be patched and kept up to date
- Responding to security incidents related to an increased variety of devices and operating systems
The enterprise must decide how it will handle repairs of BYOD devices should the need arise. Having a device repaired by the user carries the risk of unauthorised access to corporate data by the repair service. Will all corporate data have to be permanently removed from the device before repair, or will the repair be done (and paid for?) by the enterprise?
Data protection & partner agreements
From a legal perspective, the responsibility for protecting information rests with the data controller, not the device owner. As such, the enterprise should be aware of laws relating to its business data depending on the relevant jurisdiction.
In addition, any commercial and partner agreements need to be checked for potential restrictions to running business software or accessing business data on personally owned devices.
BYOD good practices
BYOD should be used for a limited set of defined tasks that fall within the risk assessment of the enterprise.
Both the BYOD users and the enterprise must be informed and aware of their respective obligations.
To protect against data loss with BYOD, the following good practices should be followed:
- Only the necessary minimum set of services and data should be accessible to BYOD users, in line with the principle of least privilege.
- Use strong authentication methods such as Multi-Factor Authentication (MFA), Single Sign-On (SSO), or passwordless authentication.
- Authenticate the device, if possible, for example by requiring the initial connection of a personal device to be made from a verified location.
- Implement risk-based authentication and access control, if possible – authentication based on the combination of meta-identity factors such as device, location, and resource request.
- Monitor and log the services and data being accessed: event times, source IP addresses, device/user agents, failed and successful authentication, authorisation, resource requests, etc.
- Assess, understand, and manage the risks – assume that the device used cannot be fully trusted and focus on securing the data and services.
- Have processes and procedures in place that clearly define what the enterprise expects its employees to do and how they are expected to do it. This should include the minimum security standards required for a device to be considered ‘compliant’.
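As an added illustration of the least-privilege, risk-based access control and logging items above (example code written for this post, not something the original page or any product provides), a small Python policy evaluator; the resource names, locations, risk weights and thresholds are constructed placeholders:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    device_compliant: bool  # meets the enterprise's minimum device standard
    mfa_verified: bool      # strong authentication already completed
    location: str           # coarse location, e.g. country code
    src_ip: str
    resource: str

# Constructed policy data (hypothetical): the minimum set of services BYOD
# users may reach at all, each with a sensitivity tier, and known locations.
BYOD_RESOURCE_TIER = {"webmail": 1, "hr-portal": 2, "finance-db": 3}
KNOWN_LOCATIONS = {"GB", "IE"}

def score_risk(req: AccessRequest) -> int:
    """Combine device, location and resource factors into one risk score."""
    score = 0
    if not req.device_compliant:
        score += 3          # an untrusted device dominates the score
    if req.location not in KNOWN_LOCATIONS:
        score += 2
    score += BYOD_RESOURCE_TIER.get(req.resource, 1) - 1  # tier 1 adds nothing
    return score

def decide(req: AccessRequest) -> str:
    """Least privilege first, then a risk threshold, then step-up to MFA."""
    if req.resource not in BYOD_RESOURCE_TIER:
        return "deny"       # not in the approved BYOD service set
    risk = score_risk(req)
    if risk >= 4:
        return "deny"
    if risk >= 1 and not req.mfa_verified:
        return "step_up_mfa"
    return "allow"

def decide_and_log(req: AccessRequest, log: list) -> str:
    """Record every decision with the fields the post says should be logged."""
    decision = decide(req)
    log.append(f"user={req.user} device={req.device_id} src_ip={req.src_ip} "
               f"loc={req.location} resource={req.resource} "
               f"risk={score_risk(req)} decision={decision}")
    return decision
```

The log lines carry the user, device, source IP, location and outcome so that failed and stepped-up decisions can be reviewed alongside successful ones.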
In next week’s blog, we will look at deployment approaches for BYOD.