BYOD security is a frequent topic among IT security experts. This, my third BYOD post this year, focuses on the mobile market. (Post one, Always-on Access Brings Always-Threatening Security Risks, June 25, 2015; Post two, Device Settings that Help Prevent Unauthorized Information Disclosure, July 13, 2015.)
The mobile market continues to be very dynamic. Just a few years ago many companies started to adopt a BYOD strategy, but in many cases, companies chose to adopt policies that provided guidance to employees but avoided imposing technical controls. Too often Mobile Device Management (MDM) was applied to corporate-owned devices, but direct control of personally owned devices was not imposed.
Such policies may have been acceptable when employees were simply using personally owned devices for PIM, and only demanding email, calendaring, and contact management. Today employees have either already found a way to use the devices for more, or they are demanding access to richer application functionality. At the same time users are increasingly using mobile devices in conjunction with Bluetooth connected devices that include watches, health monitors, and other sensors.
Bluetooth profiles may introduce additional risks that few users understand. A quick look at the program for the 16th IEEE International Conference on Mobile Data Management held this past June mentions presentations titled “A Risk Assessment Framework for Wireless Sensor Networks in a Sensor Cloud” and “Mobile Data Management in Large Healthcare Applications.”
In order to offer and support the capabilities that users are demanding, and to manage the risks they may be unintentionally introducing, enterprises should be willing to mandate the use of MDM on personally owned devices.
Enterprises should be able to manage the following functions on personally owned devices:
- Provisioning devices for use and compliance
- Configuring the auditing and tracking capabilities
- Defending enterprise data by configuring access controls and data encryption, and by retaining the ability to revoke access and wipe enterprise data without impacting personal data
- Providing remote support and the ability to perform a remote inventory of installed applications and enterprise data
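As an added illustration of what these four functions look like when an enterprise actually enforces them (this is example code written for this post, not part of any MDM product), the following Python script evaluates a constructed device inventory against a constructed BYOD policy and decides, per device, whether to allow access, revoke enterprise access, or selectively wipe enterprise data while leaving personal data alone. The policy thresholds, device records, and application identifiers are all hypothetical sample values.

```python
"""Hypothetical BYOD compliance evaluator (added example, not from the original post).

Models the MDM functions listed above: a provisioning/compliance check, an
audit-style report, an access-revocation / selective-wipe decision, and use of
a remote application inventory. All policy values and device records below are
constructed sample data.
"""
from datetime import date, timedelta

# Constructed policy; thresholds are illustrative, not any vendor's defaults.
POLICY = {
    "min_os": {"ios": (8, 4, 0), "android": (5, 1, 1)},
    "max_checkin_days": 7,
    "blocked_apps": {"com.example.placeholder-store"},  # placeholder bundle id
    "require_encryption": True,
    "require_passcode": True,
}


def parse_version(text):
    """'5.1.1' -> (5, 1, 1); pad so '5.0' compares as (5, 0, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def evaluate_device(device, policy=POLICY, today=None):
    """Return the list of policy violations for one device record (empty = compliant)."""
    today = today or date.today()
    violations = []
    if policy["require_passcode"] and not device["passcode_set"]:
        violations.append("no passcode")
    if policy["require_encryption"] and not device["encrypted"]:
        violations.append("storage not encrypted")
    if device["compromised"]:  # jailbroken / rooted flag as reported by the MDM agent
        violations.append("device compromised")
    min_os = policy["min_os"][device["platform"]]
    if parse_version(device["os_version"]) < min_os:
        violations.append("os below minimum %s" % ".".join(map(str, min_os)))
    age = (today - device["last_checkin"]).days
    if age > policy["max_checkin_days"]:
        violations.append("no check-in for %d days" % age)
    # Remote application inventory checked against the blocklist.
    for app in sorted(policy["blocked_apps"] & set(device["installed_apps"])):
        violations.append("blocked app installed: " + app)
    return violations


def decide_action(violations):
    """Map violations to an enforcement action that touches only enterprise data."""
    if not violations:
        return "allow"
    if "device compromised" in violations or any(v.startswith("blocked app") for v in violations):
        return "selective-wipe"  # remove enterprise apps/data; personal data is untouched
    return "revoke-access"  # block enterprise services until the device is brought into compliance


def compliance_report(devices, policy=POLICY, today=None):
    """Produce one audit-style record per device: id, violations, chosen action."""
    report = []
    for d in devices:
        violations = evaluate_device(d, policy, today)
        report.append({"device_id": d["device_id"],
                       "violations": violations,
                       "action": decide_action(violations)})
    return report


# Constructed sample inventory, shaped like what an MDM agent might report.
TODAY = date(2015, 8, 1)
SAMPLE_DEVICES = [
    {"device_id": "dev-001", "platform": "ios", "os_version": "8.4", "passcode_set": True,
     "encrypted": True, "compromised": False, "last_checkin": TODAY - timedelta(days=1),
     "installed_apps": ["com.example.mail", "com.example.calendar"]},
    {"device_id": "dev-002", "platform": "android", "os_version": "5.0", "passcode_set": False,
     "encrypted": False, "compromised": False, "last_checkin": TODAY - timedelta(days=10),
     "installed_apps": ["com.example.mail"]},
    {"device_id": "dev-003", "platform": "android", "os_version": "5.1.1", "passcode_set": True,
     "encrypted": True, "compromised": True, "last_checkin": TODAY,
     "installed_apps": ["com.example.placeholder-store"]},
]

if __name__ == "__main__":
    for row in compliance_report(SAMPLE_DEVICES, today=TODAY):
        print(row["device_id"], row["action"], "; ".join(row["violations"]) or "compliant")
```

The design point worth noting is that the decision step never orders a full device wipe: the strongest action is a selective wipe of enterprise data, which is what makes MDM enforcement acceptable on a personally owned device, and every decision is recorded with the violations that produced it so the auditing function in the list above has something to track.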
Enterprises that don’t have these capabilities are vulnerable to data leaks and loss. They may also potentially be vulnerable to breaches.
If an enterprise isn’t using MDM to manage personally owned devices it should take the time to familiarize itself with the capabilities of current MDM suites for enterprises, and start revising its current BYOD policies.