Torsten George, Ph.D.
According to ISACA’s 2012 IT Risk/Reward Barometer: North America, 72 percent of organizations in the US allow (in one way or another) bring your own device (BYOD) in the work environment. This new computing practice exposes businesses to unique risk that can threaten corporate security and reverse the productivity gains that were originally intended. Due to their portable nature and integration with public cloud applications, personal mobile devices greatly increase the risk of data theft or leakage. In fact, a study by Decisive Analytics revealed that nearly half of the enterprises that allow BYOD to connect to their network have experienced a data breach.
Security experts believe the next wave of enterprise hacking will be carried out via mobile attack vectors. As organizations improve defenses against direct network attacks, hackers will move to the path of least resistance and exploit mobile applications to gain backdoor access to enterprise networks through BYOD. In this context, it becomes essential to manage mobile application and device risk, and to control their access to trusted networks. So, what steps can an organization take to realize the productivity gains and cost savings associated with BYOD, while proactively managing and mitigating the security risk that comes with this practice?
The first step is to establish rigorous policies around the usage of mobile devices—whether employer- or employee-owned. A good reference framework for this process is the Guidelines for Managing the Security of Mobile Devices in the Enterprise, Special Publication (SP) 800-124 Revision 1, from the National Institute of Standards and Technology (NIST). Establishing a mobile usage policy is the easy part. The next step involves gathering predictive risk information to determine if, when and how mobile devices should be able to connect to an organization’s trusted network. In this context, many organizations rely on tools such as mobile device management (MDM) or mobile application management (MAM).
While these tools offer rudimentary risk assessment and policy enforcement capabilities, they lack a comprehensive, real-time view of an enterprise’s mobile and BYOD risk posture. Emerging mobile trust service offerings identify vulnerabilities at each layer of the mobile stack (e.g., infrastructure, hardware, operating system, applications), correlate this data with existing threats and score risk within the context of an organization’s security ecosystem (e.g., use of security controls such as encryption, role-based access control). In turn, these risk scores can be used to determine whether to grant a device access to the network and what, if any, limitations should be imposed. Once mobile access is granted, continuous monitoring can be used to maintain updated risk scores.
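As an added illustration (not code from the article or from any product it mentions), the following Python model shows the scoring flow the paragraph describes: per-layer vulnerability findings, a multiplier for findings correlated with active threats, mitigation credit for controls already in place, a score-to-access mapping with a "limited" tier, and re-evaluation when continuous monitoring changes the findings. All weights, thresholds and sample findings are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Layers of the mobile stack, as listed in the article.
LAYERS = ("infrastructure", "hardware", "os", "application")

@dataclass
class Finding:
    layer: str
    severity: float          # 0..10 base severity (CVSS-like, assumed scale)
    exploited_in_wild: bool  # correlation with known threat activity

@dataclass
class DevicePosture:
    findings: list[Finding] = field(default_factory=list)
    controls: set[str] = field(default_factory=set)   # e.g. {"encryption", "rbac"}

# Assumed mitigation factors: a control reduces the weight of findings
# in the layers it protects (values are illustrative, not from the page).
CONTROL_MITIGATION = {
    "encryption": {"hardware": 0.5, "os": 0.7},
    "rbac": {"application": 0.6, "infrastructure": 0.8},
}
THREAT_MULTIPLIER = 1.5      # findings with live exploitation weigh more

def layer_score(posture: DevicePosture, layer: str) -> float:
    """Worst weighted finding in one layer, after control mitigation, capped at 10."""
    worst = 0.0
    for f in posture.findings:
        if f.layer != layer:
            continue
        weighted = f.severity * (THREAT_MULTIPLIER if f.exploited_in_wild else 1.0)
        for control in posture.controls:
            weighted *= CONTROL_MITIGATION.get(control, {}).get(layer, 1.0)
        worst = max(worst, weighted)
    return min(worst, 10.0)

def risk_score(posture: DevicePosture) -> float:
    """Device score is driven by its riskiest layer."""
    return max(layer_score(posture, layer) for layer in LAYERS)

def access_decision(score: float) -> str:
    """Map a score to a network access tier (thresholds are assumed)."""
    if score >= 7.0:
        return "deny"
    if score >= 4.0:
        return "limited"   # e.g. webmail only, no file shares or VPN
    return "full"

def evaluate(posture: DevicePosture) -> tuple[float, str]:
    """Called at connection time and again on every monitoring update."""
    score = risk_score(posture)
    return score, access_decision(score)
```

Re-running `evaluate` on the same posture after a patch removes a finding, or after a control is enabled, is the continuous-monitoring step: the score and the access tier move together.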