Navigating the Waters of BYOD
©2013 Drew Williams
Drew Williams
Part 1: Piloting the Perils
BYOD Defined
So, you have decided that you have read enough, heard enough and thought about it enough: you are going to do something about the dramatic rise of mobile devices in your organization's workplace. The idea that it is taboo to bring personal devices to work is being replaced by the search for an effective use policy that addresses the matter.
Good news: gaining the upper hand on BYOD requires some practical thinking, basic administrative management, and some common sense.
This little document gives you some basic guidelines on what to consider when navigating the waters of mobile computing, while still providing a safe harbor for your organization's assets.
Let's start with what we need to know about mobile computing in general, and how the BYOD phenomenon is creating a sea of risk management concerns in every industry that relies on technology to communicate or advance.
"Mobile computing" includes everything from Android phones and iPhones to Kindles, iPads and laptop computers: anything that can be used to store AND transmit data.
Charting the Course: Statistics tell part of the story
Statistics can tell you anything to support any argument. The topic of BYOD is no different, and as a value-added services provider, Condition Zebra carries no bias toward any technology to support or prevent the case for BYOD in the workplace, although we do support the idea of implementing a good risk management policy to manage BYOD, and we think ours is the best.
Love-Hate Relationship
When talking about BYOD in relation to its impact on a business, it is almost like Mom and Dad arguing at the dinner table about why the kids should and shouldn't get the keys to the car. On the one hand, the CFO (aka "Dad") likes the sense of freedom and independence BYOD brings to the organization, and how mobile computing actually improves overall productivity in the workplace, which converts into greater revenue potential.
"Mom" (the CIO), on the other hand, sees the risks of moving too quickly, of having too much independence and accessibility, which translate into inconsistencies in standard operating guidelines, poorly defined standards, complexities in supporting a constantly changing environment, and unpredictable security risks. Both are right!
Based on a poll of 1,000+ mid-sized companies throughout the U.S., Europe and Asia:
• 90% use personal devices;
• 100% noted accessing IP and PI (intellectual property and personal information) via personal devices;
• More than 1 billion smartphones are in use worldwide;
• More than 100 million new Android devices have been sold since Q3 '12;
• 80% will budget to address "risk" relating to managing the usage of personal devices.
There are considerable (but manageable) risk factors associated with BYOD-related activities, including probably the most relevant concern: compromise of data security.
There are also statistics that show how, by working with staff, employers actually create a greater sense of organization-wide responsibility for protecting the assets of the group, recruiting every individual to take up the cause.
The result: BFFs can freely sail the same waters with FAQs and RFPs, without fear of collisions on course.
Before we address how to navigate the seas of success with BYOD, however, let's first address some of the risks you might face.
The Fog of Data Theft
In the days of the ancient mariners, one of the most dangerous problems they faced was fog. Not being able to see the stars at night, or landmarks along the waterways during the day, could mean delay or greater danger to the seafarer and his cargo.
Data theft, like the fog of old, can slip in and out of an organization, often undetected, unless it is monitored for and managed.
Laptop computers and tablets aside, smartphones alone, every one of them able to exchange data between hosts, carry between 8 GB and 128+ GB of storage, often accept removable SD cards, and can transact exchanges of critical information automatically, without an organization even knowing what happened.
Beware of the Shifting Songs of the Sirens of Malware
The ancient Greek seafarers of the Mediterranean told stories of fair maidens who brought song and beauty to the weary crew, only to replace both with disorientation and death.
Malware is a constant problem in today's distributed computing environments. Mobile phones, and Android devices especially, are highly susceptible to problems introduced through cross-site scripting, which represents more than 80% of the root causes of hostile activity against application security.
Neglecting the old-school processes of checking system configurations, applying system patches and even ensuring that the latest versions of applications are installed is one of the main reasons why this problem continues to sing tragedy for the unaware and misinformed.
“AVAST There!” Being Boarded by Wireless Exploits
While the open waterways might sound an unlikely place to risk unauthorized access, pirates of old ran with impunity, threatening all trade routes, all ships, in all waters.
The world has gotten a lot smaller in the Digital Age, and taking advantage of wireless infrastructure is becoming more prevalent and more common.
The risks and insecurities of WEP, for example, are so well known that there are even "how-to" steps published online describing WEP vulnerabilities and how to exploit them.
Passive attacks on unencrypted wireless networks include eavesdropping; more hostile threats, arising from the exploitation of applications, can mean traffic floods and the all-evil Denial of Service.
Argh Matey!
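A practical check that follows from the WEP point above: before a personal device is allowed onto a network, or when surveying what networks your office and your staff's devices can see, flag anything that is open or still running WEP. The script below is an added example, not code from the eBook or from Condition Zebra. It assumes scan output in the terse format of `nmcli -t -f SSID,SECURITY dev wifi` (one `SSID:SECURITY` pair per line, with a colon inside an SSID escaped as `\:`); the sample scan embedded in it is constructed, not a real capture.

```python
# Added example (not from the eBook): audit a Wi-Fi scan and reject networks
# a BYOD device should never join. Input format assumed to be the terse output
# of `nmcli -t -f SSID,SECURITY dev wifi`. SAMPLE_SCAN below is constructed.
from __future__ import annotations

SAMPLE_SCAN = """\
CorpNet-Legacy:WEP
CorpNet:WPA2
Cafe\\:Free:
Guest-Mixed:WPA1 WPA2
Lab-Open:
HQ-Modern:WPA2 WPA3
"""


def split_terse(line: str) -> list[str]:
    """Split an nmcli terse line on ':' while honouring '\\:' escapes in SSIDs."""
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped character, keep literally
            buf.append(line[i + 1])
            i += 2
            continue
        if c == ":":                           # unescaped colon = field separator
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields


def classify(security: str) -> str:
    """Map the nmcli SECURITY field to a policy verdict.

    REJECT: no protection at all, or WEP (recoverable keys, offline decryption).
    WARN:   WPA1/TKIP still offered, so a downgrade is possible.
    OK:     WPA2 or WPA3 only.
    """
    modes = set(security.split())
    if not modes:
        return "REJECT: open network, no encryption"
    if "WEP" in modes:
        return "REJECT: WEP is broken, traffic can be decrypted offline"
    if "WPA1" in modes:
        return "WARN: WPA1/TKIP offered, downgrade possible"
    if modes & {"WPA2", "WPA3"}:
        return "OK"
    return f"WARN: unrecognised security '{security}'"


def audit(scan_text: str) -> list[tuple[str, str, str]]:
    """Return (ssid, security, verdict) for every network in the scan."""
    results = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        ssid = fields[0]
        security = fields[1] if len(fields) > 1 else ""
        results.append((ssid, security, classify(security)))
    return results


if __name__ == "__main__":
    for ssid, security, verdict in audit(SAMPLE_SCAN):
        print(f"{ssid:20} {security or '(open)':12} {verdict}")
```

Run it against a live scan with `nmcli -t -f SSID,SECURITY dev wifi | python3 wifi_audit.py` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`; the split routine matters because nmcli escapes colons in SSIDs, and a naive `line.split(":")` would misread the security field for such networks.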
Watch Out for the Rocks!
According to ancient Greek legend, the Cyanean Rocks, which stood at the entrance to the Bosporus, randomly came together to crush any unsuspecting sea-goers. The key, as the fabled Jason and his Argonauts discovered, was to manage the timing between clashes and crashes by constantly monitoring how the rocks interacted with the sea.
A top concern in BYOD security is the overall lack of monitoring and consistent management of access controls and privileges.
Perhaps one of the easiest preventive actions an organization can take is also the one most neglected: establishing a consistent policy for remote file access, authentication and remote privilege management.
Data, and the Loss of Contact: Adrift and Lost at Sea
Those sailors who have experienced the unfortunate fate of being adrift on the open seas, and have lived to tell their tales, have said that the sheer loss of contact with the rest of the world drove some of their greatest fears.
Mobile devices are small and can easily be misplaced or lost. For many people, those devices contain everything from Grandma's secret recipes to government secrets entrusted to device owners for safe keeping. Many people (my five daughters included) have become so dependent on mobile devices for even minute-to-minute communication that they take them to bed with them!
The idea of encrypting mobile devices is still a fresh concept in the category of BYOD security, and as a result, loss of proprietary data is still the chief concern regarding mobile computing environments.
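The two preceding sections ask for the same thing from different angles: a consistent, monitored policy for remote file access, authentication and privileges, and a way to make device encryption a condition rather than a hope. The code below is an added example, not the eBook's or Condition Zebra's, of what such a policy looks like when written down as a deny-by-default check. The device registry, role table, OS baselines and request fields are all assumed for illustration; a real deployment would source them from an MDM and identity provider. Every decision is recorded so the "lack of monitoring" concern is addressed in the same place.

```python
# Added example (not from the eBook): deny-by-default authorization for remote
# file access from personal devices. Registry, roles and baselines are assumed.
from __future__ import annotations

import datetime as dt
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    platform: str          # "android" | "ios"
    enrolled: bool         # registered with the organisation's device management
    encrypted: bool        # full-device encryption switched on
    os_version: tuple      # e.g. (4, 3) for Android 4.3
    rooted: bool           # rooted / jailbroken


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_id: str
    action: str            # "read" | "write" | "share"
    classification: str    # "internal" | "confidential"


# Assumed minimum OS versions: anything older is treated as unpatched.
MIN_OS = {"android": (4, 2), "ios": (6, 1)}

# Assumed least-privilege role table: a role only gets what it is listed for.
ROLE_PERMS = {
    "staff": {"read"},
    "finance": {"read", "write"},
    "admin": {"read", "write", "share"},
}

# Constructed registry standing in for an MDM inventory.
REGISTRY = {
    "dev-1": Device("dev-1", "alice", "android", True, True, (4, 3), False),
    "dev-2": Device("dev-2", "bob", "ios", True, False, (6, 1), False),
    "dev-3": Device("dev-3", "carol", "android", True, True, (4, 1), True),
}

AUDIT_LOG: list[dict] = []


def device_compliance(dev: Device) -> list[str]:
    """Every reason a device fails the baseline; empty list means compliant."""
    reasons = []
    if not dev.enrolled:
        reasons.append("device not enrolled")
    if not dev.encrypted:
        reasons.append("device storage not encrypted")
    if dev.rooted:
        reasons.append("device rooted/jailbroken")
    baseline = MIN_OS.get(dev.platform)
    if baseline is None:
        reasons.append(f"unsupported platform '{dev.platform}'")
    elif dev.os_version < baseline:
        reasons.append("OS below patch baseline")
    return reasons


def authorize(req: Request, registry: dict[str, Device]) -> tuple[bool, list[str]]:
    """Allow only when no rule objects; log the decision either way."""
    reasons: list[str] = []
    dev = registry.get(req.device_id)
    if dev is None:
        reasons.append("unknown device")
    else:
        if dev.owner != req.user:
            reasons.append("device registered to a different user")
        reasons += device_compliance(dev)
    if req.action not in ROLE_PERMS.get(req.role, set()):
        reasons.append(f"role '{req.role}' may not '{req.action}'")
    if req.classification == "confidential" and not req.mfa_passed:
        reasons.append("MFA required for confidential data")
    allowed = not reasons
    AUDIT_LOG.append({
        "time": dt.datetime.now(dt.timezone.utc).isoformat(),
        "user": req.user, "device": req.device_id, "action": req.action,
        "classification": req.classification, "allowed": allowed,
        "reasons": list(reasons),
    })
    return allowed, reasons


def denial_counts(log: list[dict]) -> Counter:
    """Which rules are doing the work: count denial reasons across the log."""
    return Counter(r for entry in log if not entry["allowed"] for r in entry["reasons"])


if __name__ == "__main__":
    for r in (
        Request("alice", "finance", True, "dev-1", "write", "confidential"),
        Request("bob", "staff", True, "dev-2", "read", "internal"),
        Request("carol", "staff", True, "dev-3", "read", "internal"),
        Request("alice", "staff", False, "dev-1", "share", "confidential"),
    ):
        ok, why = authorize(r, REGISTRY)
        print(r.user, r.device_id, r.action, "ALLOW" if ok else "DENY", why)
    print(denial_counts(AUDIT_LOG))
```

The design choice worth copying is that `authorize` collects every failing rule instead of stopping at the first one: the audit log then tells you whether unencrypted devices, stale OS builds or over-broad roles are the recurring problem, which is the monitoring the preceding section says most organizations lack.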
Steering Toward Friendlier Shores
Desktop virtualization is a fast-growing trend among businesses at the leading edge. In fact, fewer security issues have actually been reported (internally) with personal mobile devices than with corporate devices. Fact is, people take better care of their own property.
With interest in BYOD on the rise, often led from the top of the corporate food chain (namely the C-levels themselves), the trend that is "BYOD" also often translates into innovation, enhanced quality of work for employees, a rise in productivity, and the chance for organizations to achieve faster rates of expansion and a higher level of achievement in goals and business objectives.
As the tempest of technology continues to rage on the digital horizon, organizations worldwide continue to pursue faster, higher, stronger methods of doing more with less.
Part 2: Sailing the Seven "C's"
To avoid sinking in the maelstrom, perhaps the following seven points of action can keep the tides even for those who are advancing toward uncharted waters:
• Collaborative Staff Effort;
• Configuration Policies;
• Continuous System Monitoring;
• Compartmentalized Virtualization;
• Coordinated Carrier Support;
• Control Systems (VPNs, Tokens);
• Clarification of Roles & Ownership.
See you next month with Part 2!
Available mid-September at www.conzebra.com: Navigating the Waters of BYOD, Part 2: Sailing the Seven "C's"
About Condition Zebra
Blended from the Information Security, Defense, IT, and Software Engineering industries, the Condition Zebra team has a combined skill set of more than 100 years' experience, with success histories that span decades of work. Our security architects, engineers and critical infrastructure analysts have participated in establishing critical infrastructure security and policy for the United States, as well as having served on advisory boards and critical infrastructure committees and consulting groups for foreign governments and organizations ranging from Fortune 500 entities to even the smallest of businesses. Contact Condition Zebra today to learn how our team of risk management experts can help your business.
About the Author
Drew Williams is the founder and CEO of the international risk management consulting services firm Condition Zebra, which has operating offices in the United States and Southeast Asia.
During the 1990s and into the 2000s, Drew was involved in the early development of IT infrastructure frameworks and security standards, including work with the IETF on the organization of the Common Vulnerabilities and Exposures (CVE) format, the HIPAA security standard and the development of some of the industry's pioneering host-based intrusion detection technologies.
Drew has produced more than 40 short documentaries on educational and economic advancement in developing nations, and he authored one of the multi-million-selling "Complete Idiot's Guides."