GRC Geek

Bring Your Own Device (BYOD) and Relevant Concerns

1. Objective and Convergence of BYOD

According to the PCWorld definition, BYOD (also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)) refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace, and to use those devices to access privileged company information and applications. [1] Gartner defines a BYOD strategy as "an alternative endpoint deployment strategy that allows employees, business partners and other users to use a personally selected and purchased client device to execute enterprise applications and access data. It typically spans smartphones and tablets, but the strategy may also be used for PCs. It may or may not include a subsidy." [4] By 2016 over 30% of BYOD strategies will leverage personal applications, data and social connections for enterprise purposes. [2]

Use of personal equipment by the organization's employees may save end-user cost, but it can expose the organization to serious risks: information disclosure, security breaches, intellectual property issues and more. Therefore it should be adequately sized and studied against the organization's context before it takes effect. From the opposite viewpoint, bringing personal devices may keep employees satisfied and increase their productivity, while both capital costs (for purchasing equipment) and operational costs (for maintenance) are visibly reduced. The point is that with current technologies, where a virtual machine can be presented to the client with robust policy enforcement capabilities, some of these issues are already addressed. The personal device can therefore connect to the network and only "see" authorized information; where private information is required, it can be reached through a "terminal" window to the thin client.

2. Threat Spectrum of Mobile Devices

Bring your own device, or BYOD, is a disruptive phenomenon where employees bring non-company IT into the organization and demand to be connected to everything, without proper accountability or oversight. [2] All kinds of mobile devices carry management overhead in calculating the risk of, and the countermeasures against, theft, misuse, loss and other cases. In fact, bringing a personal laptop inside the perimeter is nothing new to anyone; the point is to clearly "see" the subject and properly plan to reduce the risk with appropriate countermeasures and plans. If we do authorize the entrance of personal devices, we have to be confident that an intruder has only "controlled" access to certain systems which store no sensitive information, unless it is properly authorized. Zoning the network is a general practice. In modern technologies, network port authorization technologies such as IEEE 802.1X, Network Admission Control or Identity Services Engine [3] may assist the organization to first check the unknown device for unauthorized software, updated virus protection and other specific security policies before granting privileged access; otherwise the personal device remains in the public zone.

Figure 1 - Impacts and Top Recommendations for BYOD Strategies for IT Leaders [4]

3. Industry Acceptance and Response

Half of enterprises say they intend to move exclusively to BYOD for smartphones in 2017, eliminating their employer-supplied option (see Figure 2). A slightly smaller percentage expect this policy for tablets, while very few anticipate going all-BYOD for their PCs. Almost 40% of organizations worldwide are actively encouraging "bring your own" (BYO), while about 20% are actively discouraging it. There is wide variation by country and region. In general, employers in EMEA tend to be less aggressive with BYO than other parts of the world, especially compared with the United States. [4]

Trends in mobile device growth and communication technology advantages such as 3G and LTE high-speed networks force organizations to shift. This is a paradigm change and a developing story, and we should choose to manage the change rather than ignore it. Taken in the opposite direction, as an opportunity to utilize: while employees use their own devices, they are available everywhere, which means more productivity and responsiveness for the organization.

4. Possible Mitigation and Controls

Effective mitigation comes back to the security structure of the organization. Most recent security management systems have been revised to support risk-based approaches. Proper risk assessment, management and response planning can produce some level of trust and confidence. By designing and managing network entry controls and applying appropriate mobile device policies to check the laptop in question at the moment of entry, any failure would be a systematic failure rather than a human one. Below is a list of possible controls and mitigations:

• Implement network zoning.
• Implement network port authorization.
• Utilize client virtualization technology (thin client).
• Policies and procedures.
• Technical manual security checks, if needed.
• Proper awareness for end-users about security associated with BYOD.
• Revise relevant portions of documents.
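As an added example (not part of the original post), the admission decision described in sections 2 and 4: an endpoint checked at the network port for unauthorized software and current virus protection, then placed in the public zone, a thin-client-only zone, or the corporate zone. The signature-age threshold, zone names and the software blocklist are constructed assumptions.

```python
"""Added example, not from the original post: a NAC-style admission check.
An endpoint at the network edge (802.1X/NAC) is checked for unauthorized
software and current antivirus protection before any privileged zone is
granted; a personal device that passes only reaches the thin-client gateway,
a failing or unknown device stays in the public zone. Thresholds, zone names
and the software blocklist are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

MAX_SIGNATURE_AGE_DAYS = 3  # assumed policy: older AV signatures fail the check
BLOCKLISTED_SOFTWARE = {"unapproved-p2p", "unapproved-vpn", "unapproved-remoteadmin"}

@dataclass(frozen=True)
class Posture:
    device_id: str
    owner: str                            # "corporate" or "personal"
    authenticated_user: Optional[str]     # None when 802.1X authentication failed
    av_signature_age_days: Optional[int]  # None when no antivirus agent reported
    installed_software: frozenset = frozenset()
    os_patched: bool = False

@dataclass(frozen=True)
class Decision:
    zone: str                 # "public", "vdi-only" or "corporate"
    reasons: tuple = ()

def admission_check(p: Posture) -> Decision:
    """Return the zone the device is admitted to, with the policy reasons."""
    if p.authenticated_user is None:
        # No identity to authorize against: treat as an unknown device.
        return Decision("public", ("authentication failed",))
    failures = []
    if p.av_signature_age_days is None:
        failures.append("no antivirus agent")
    elif p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"antivirus signatures {p.av_signature_age_days} days old")
    bad = sorted(p.installed_software & BLOCKLISTED_SOFTWARE)
    if bad:
        failures.append("unauthorized software: " + ", ".join(bad))
    if not p.os_patched:
        failures.append("operating system not patched")
    if failures:
        # Failed posture: stay in the public zone, which stores no sensitive data.
        return Decision("public", tuple(failures))
    if p.owner == "corporate":
        return Decision("corporate", ("posture ok", "managed device"))
    # Clean personal device: only the thin-client gateway is reachable, so
    # company data is "seen" through the terminal window, never stored locally.
    return Decision("vdi-only", ("posture ok", "personal device"))
```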