IT Risk Introduced by Bring Your Own Device (BYOD)


An Applied Research Project Presented in Partial Fulfillment of the Requirements for the Master of Science in Digital Forensics and Cybersecurity

John Jay College of Criminal Justice, City University of New York

Robert Shullich

Spring: May 2013


Robert Shullich

This Applied Research Project has been presented to and accepted by the Office of Graduate Studies of the John Jay College of Criminal Justice of the City University of New York in partial fulfillment of the requirements for the Master of Science in Digital Forensics and Cybersecurity.

Dr. Ping Ji, Applied Research Project Advisor (signature, date)
Dr. Jin Woo Kim, Second Reader (signature, date)
Dr. Richard Lovely, Director, Digital Forensics & Cybersecurity Program (signature, date)


Abstract

The price point of consumer electronics continues to drop while the performance and capacity of these devices increases. This is creating a market of personal electronic devices that surpass the capabilities of similar devices used in the enterprise. In the past there was a clear distinction between electronics used in the home and those used in business, but the two classes of devices are now becoming indistinguishable. As electronic devices become more mobile, users want to bring their own personal devices into the enterprise to do their daily work. These are devices that are owned by the user and tailored to that user's personal preferences. Users are rebelling against having to carry multiple mobile devices, one dedicated to personal use and another to business use; they want one device that does everything. However, the IT organizations in these enterprises are challenged by the proliferation of these personal devices, which creates a new paradigm for controlling the privacy and security of data within the enterprise. In this paradigm the organization's digital assets are commingled with the employee's personal information on an employee-owned device. This paper describes the risks and issues an organization may face in implementing a Bring Your Own Device (BYOD) policy, and presents policies and solutions that can be used to mitigate those risks.


Table of Contents

1. Introduction ........ 1
1.1 Early days of computers ........ 1
1.2 Computers in the 1980's ........ 2
1.3 Computers in the 1990's ........ 3
1.4 Consumer vs. Enterprise Devices ........ 3
1.5 Convergence of Consumer & Enterprise Devices ........ 5
1.6 Scope of this Paper ........ 7
2. BYOD Security Issues within the Enterprise ........ 8
2.1 Disruptive Technologies ........ 8
2.2 Early Use of Personal Devices ........ 9
2.3 Company Owned Portable Devices ........ 12
2.4 Cloud Computing and Services ........ 13
2.5 Bring Your Own Software (BYOS) ........ 15
2.6 Device Standardization, Support and Management ........ 16
2.7 Adapting the Enterprise to Issues of Mobile Devices and Cloud Services ........ 16
2.8 Ownership ........ 17
2.9 Employee Privacy ........ 19
2.10 Personal Sharing of BYOD Devices ........ 21
2.11 Application Cohabitation ........ 22


2.12 Regulatory Requirements ........ 23
2.13 Device Backup ........ 23
2.14 e-Discovery & Forensics ........ 25
2.15 The Exit Strategy ........ 26
2.16 Lost and Stolen Devices ........ 27
2.17 Mobile Device Malware ........ 28
2.18 Jailbreaking ........ 29
2.19 Insecure Application Coding and Configuration ........ 30
3. Recommendations ........ 31
3.1 Establish Policies for BYOD ........ 32
3.2 Contracts and Agreements ........ 34
3.3 Offer CYOD instead of BYOD ........ 34
3.4 Secure Containers ........ 35
3.5 Remote Access Terminal Solutions ........ 36
3.6 Mobile Application Management (MAM) ........ 37
3.7 Mobile Device Management (MDM) ........ 37
3.8 Network Access Control (NAC) ........ 38
3.9 Data Self Protection ........ 39
3.10 Device Behavior ........ 39
4.0 Future Research ........ 40
5.0 Summary ........ 42
6.0 References ........ 45


1. Introduction

BYOD (Bring Your Own Device) is a paradigm shift in the use of technology and services in Information Technology (IT). A short review of the history leading up to the use of consumer devices in IT is presented here to help the reader understand this shift and the consequences it may create. Other names used for the paradigm include BYOS (Bring Your Own Services) and BYOT (Bring Your Own Technology). For the purposes of this paper all three are similar in nature and will be referred to by the one term, BYOD.

1.1 Early days of computers

Up through the 1970's and into the 1980's, computers used in business by large corporations were primarily mainframes. These computers evolved from stand-alone "one job at a time" systems into batch multiprogramming systems that could handle multiple simultaneous users and jobs executing concurrently within a single system. Mainframes were expensive, costing from hundreds of thousands of dollars into the millions. They could also be physically large: a computer system and its peripherals might require one or more large computer rooms.

In the same period, smaller systems known as minicomputers and microcomputers also existed. Digital Equipment Corporation (DEC) manufactured a line of minicomputers known as the PDP line, which was later succeeded by the VAX line. These systems were smaller yet powerful, and in many cases were used for specialized applications such as process control. They were cheaper than mainframes, yet still expensive to purchase and operate.

1.2 Computers in the 1980's

Prior to the 1980's, microcomputers were already in use. Computers such as the Atari 400 and 800, the Commodore PET, the TRS-80 and the Apple II existed and were being marketed (Computer History, 2013). These microcomputer systems were used mostly for games and by hobbyists.

A significant change in the 1980's, starting in 1981, was the introduction of the IBM Personal Computer (PC) line. It was widely accepted and became very successful. IBM's competitors copied IBM and produced PC clones that would run the same operating system as the IBM PC and provide physical connections to the same external devices, such as printers and modems.

During the evolution of computers in the 1980's, a significant enhancement for the personal computer was interconnectivity. Modems, which were in use before the introduction of the PC to connect dumb terminals to mainframes, were used to connect the PC to other computer systems, including mainframes and even other PCs.

Another form of connectivity was the creation of Local Area Networks (LANs), which allowed PCs to communicate with each other, to use shared resources such as printers and file servers, and even to provide a local connection between the PC and the mainframe. IBM mainframes used terminals such as the IBM 3270, a block-mode display terminal whose screen fields were addressable by row and column coordinates. This was the common terminal in use for IBM mainframes at the time, and through PC software the PC could emulate the IBM 3270, using either a software emulator or sometimes an emulator card.

1.3 Computers in the 1990's

A major change in the use of communications began in 1995: the commercialization of the Internet. Through the remainder of the 1990's and into the 2000's the Internet grew, and the number of computer systems connected to it grew as well.

PCs continued to improve in speed and capability. This included software improvements; larger and faster processors, memory and disks; and greater communications bandwidth with improved transmission quality. LAN speeds using Ethernet increased from 10 Mbps to 100 Mbps, and today we have gigabit Ethernet and faster. Cable modems and FiOS also provide high-speed Internet connectivity in the 20 Mbps and higher range.

1.4 Consumer vs. Enterprise Devices

Computer components such as memory, CPU and disk storage, which are used to build computers, were expensive. The overall processing power and configuration of a system might need to be increased in order to handle business workloads, but a home user might not require as much computing power or functionality as the business applications demanded. Extra functionality and features were required for systems used in a business setting, and the "enterprise features" missing from consumer systems usually included security controls.

In order to satisfy both business and home users, "one size fits all" did not work as a sales approach and had to be balanced with a "price performance" approach. This created dual markets: a market targeted at the business and a market targeted at the consumer. Systems, and in some cases software, would be advertised for the business or for the home. One example was the Microsoft Windows XP operating system, which came in an XP Professional version for business and an XP Home Edition for use in the home. XP Home had fewer features and was sold at a lower price.

When targeting the consumer, one of the marketing objectives is "quick to market", i.e. to be first and reach the market before a competitor. In doing so, enterprise features (e.g. the security of the product) are usually not initially considered (except in some cases for product safety), so consumer computer products and services don't always get security "baked into" the product. An example is the Apple iPhone, which is explained in the next section.

Bifurcation of the target market is not a new concept. Having a business model or version of an item, and selling it for more or restricting the audience, is done for different reasons. In some cases it is price. What a business is willing to pay for a computer may be more than the average household can afford, but if the computer manufacturer wants to penetrate the average household it needs a way to make the computer affordable. Training and knowledge is another factor. The cleaning supplies that a janitor may purchase for professional cleaning may be stronger and more toxic than cleaning supplies sold to the average consumer. A professional janitor is usually knowledgeable in the handling of professional cleaning supplies and tools that are not normally made available to the general public, although with stores like Lowes and Home Depot the availability aspect has changed. However, janitors probably won't be shopping for their professional cleaning supplies in the local supermarket, which targets the average consumer.

So, grades can be divided into non-consumer grades, which would include professional, business or commercial grades, and consumer grades.

1.5 Convergence of Consumer & Enterprise Devices

The BlackBerry smartphone is still popular within the enterprise, but RIM (Research In Motion) has also penetrated the consumer market. Although there are different models produced by RIM, any consumer can purchase the same model BlackBerry as is used in the enterprise environment.

Apple's initial market penetration with the iPhone was consumer based. Many organizations panned the iPhone because the early versions did not have the security features that corporate IT (Information Technology) expected in order to secure the device. RIM provided encrypted communications, and the entire device storage could be encrypted, the equivalent of laptop full disk encryption. Encrypting the storage of earlier iOS devices required a third-party vendor solution to be purchased and installed. In answer to claims that Apple was being lax with security, Apple provided its "Data Protection" feature, which provides APIs for encryption on devices that offer hardware encryption (Apple Inc., 2011). This feature is available on the iPhone 3GS and later, all iPads, and the third-generation and later iPod touch; the Data Protection APIs are provided in iOS 4.0 and later. Organizations are adopting iPhones and iPads in the business using either the native encryption or third-party software add-ons.

Laptop computers that can be purchased by the consumer are as powerful as those purchased by enterprises. Convergence is the point at which consumer devices and enterprise devices can no longer be distinguished. BlackBerry has reached that point, where consumers and enterprises can purchase and use the same devices. Apple does not market separate consumer and enterprise versions of its iOS devices. Originally the iOS devices were consumer based, and now the push is to get enterprise IT to adopt consumer-based technology for use in a non-consumer environment.

Enterprise IT usually has limited budgets, and IT equipment is expected to last for a set lifetime. These lifetimes are determined by the organization and are part of the hardware standardization process. "According to a recent survey that research firm Gartner conducted with 177 large businesses, the average life span of a desktop PC is 43 months, and only 36 months for mobile PCs" (Dunn, 2005). When the owner is paying for a personal device, the time between devices may be much shorter. With service contracts requiring signed one- or two-year commitments, it is possible that personal devices coming into the enterprise may be newer and more powerful than the devices being provisioned by the company. This creates a situation in which personal devices are not only more adaptable to the user than a company-provided device, but may be superior and more powerful as well. Before, the enterprise had the better, newer and more powerful tools; now, with little or no differentiation between what consumers can buy and what the business procures, the employee may be bringing in the newer and more powerful tools.

1.6 Scope of this Paper

Implementing a policy that allows BYOD within the enterprise, if not handled properly, may lead to operational and security problems. This paper focuses on the potential security issues and on addressing the risk posed by BYOD.

BYOD can produce both risks and rewards. The objective is to reap those rewards while minimizing risk to the organization. Addressing risk begins with the inherent risk, i.e. the risk without controls, and through an iterative process of applying controls and reassessing, it hopefully leads to a residual risk that is acceptable to the enterprise. Five sets of processes are defined in risk management: Avoidance, Acceptance, Transfer, Sharing and Mitigation (NIST, 2001). The business may drive a low residual risk by avoidance, i.e. by banning the use of personal devices in the enterprise. This may work for a while, but it might only be delaying the inevitable. A Forrester study shows that 53% of employees are already using personal devices at work, and that within the next three years the use of personal devices at work will be both a standard and a requirement (King, 2012).

It is assumed in this paper that the organization will move towards the adoption of BYOD. The objective here is not to encourage or promote the use of BYOD, but to help the organization make its adoption of BYOD safer, i.e. with less risk.


2. BYOD Security Issues within the Enterprise

2.1 Disruptive Technologies

"Disruptive technology is a term coined by Harvard Business School professor Clayton M. Christensen to describe a new technology that unexpectedly displaces an established technology" (TechTarget, 2013). Four related disruptive technologies faced by the enterprise are Social Media, Cloud Computing, Mobile Technology and BYOD. These are not new problems, but businesses are still struggling to address these technologies and to make them secure. Two of them, Social Media and Cloud Computing, were identified by Gartner in 2008 as being among the 10 most disruptive technologies for 2008-2012 (Gartner, 2008). Williams (Williams, 2012) identifies the technology trends for 2013 as including BYOD, Consumerization of IT, Mobility, Social Collaboration and Cloud. Each technology in its own right is powerful and creates challenges within the organization, but combining them creates a perfect storm that some businesses are not able to handle. Williams calls this interaction "The Hyper Convergence Effect". KPMG predicts that these disruptive technologies, together with Big Data, will drive technology spending in 2013 (KPMG, 2013).

For example, BYOD is related to mobility in that many of the devices an employee would bring to work are mobile devices such as phones and tablets, but they also include laptops. The enterprise already has a full plate of issues just addressing the mobile devices that are owned by the business. Integrating non-business-owned devices, software and services into the environment increases the risk and complexity of protecting business assets, and if not handled properly could expose the organization to more risk and liability.

2.2 Early Use of Personal Devices

One of the early uses of personal devices for processing enterprise data was the work-at-home arrangement, in which an employee could take work home and use a personal home computer to get it done. A more common scenario was remote computing, where the employee would dial in on a modem and connect to the company's computer system or to timeshare services. This was being done even before the PC era, using dumb terminals connected to mainframes to perform remote work. Today, with the Internet and high-speed connections, remote computing is usually performed over the Internet using a VPN (Virtual Private Network) connection.

Personal services were sometimes used by workers so that they could work at home. Without a remote computing connection, users would send documents and data to a personal e-mail service such as Hotmail. This left sensitive data in a minimally protected environment, and the organization would not even be aware of these unauthorized copies of company data floating around. With cloud storage and services, data can be moved to file lockers (e.g. Dropbox, Megaupload, RapidShare, SkyDrive, etc.) and stored in the cloud, or to a cloud collaboration service such as Google Apps, again leaving copies of the data in the cloud. Personal USB flash drives have been used to copy and transport corporate data between the office and home, creating a risk should the flash drive be lost while it contained sensitive corporate data. Prior to USB flash drives, the same risk was presented by floppy disks and CD-ROM media.
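The leakage channels just described (personal e-mail, file lockers and cloud collaboration services used as an intermediary for corporate data, which section 2.4 returns to) are ones an organization can at least detect at its outbound web proxy, which is the control point the text says organizations lacked. The following is an added example and not code from this paper: it scans constructed proxy log lines for large POST/PUT request bodies sent to consumer services and reports who sent what. The log layout, the domain-to-category list and the sample lines are all assumptions made for the example; a real deployment would read the proxy's own log format and tune the list and the size threshold.

```python
"""Flag large uploads to personal e-mail and consumer cloud storage in
outbound proxy logs.

Added example for this page, not code from the paper.  The log layout,
the domain list and the sample log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Consumer services of the kind named in the text.  Assumption: a real
# list would be tuned per organization and kept in configuration.
PERSONAL_SERVICE_DOMAINS = {
    "hotmail.com": "personal e-mail",
    "live.com": "personal e-mail",
    "gmail.com": "personal e-mail",
    "dropbox.com": "file locker",
    "rapidshare.com": "file locker",
    "megaupload.com": "file locker",
    "skydrive.live.com": "file locker",
    "docs.google.com": "cloud collaboration",
}

# Assumed proxy log layout (one request per line):
#   <time> <user> <src_ip> <method> <url> <status> <bytes_sent_by_client>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def match_domain(host):
    """Return the category for host, matching the host itself or any
    parent domain, most specific first (skydrive.live.com before live.com)."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        category = PERSONAL_SERVICE_DOMAINS.get(".".join(parts[i:]))
        if category is not None:
            return category
    return None


def find_personal_uploads(lines, min_bytes=100_000):
    """Return one finding per POST/PUT of at least min_bytes to a listed
    service.  GETs and small bodies are ignored so that merely browsing a
    file-locker site is not reported; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None or m["method"] not in ("POST", "PUT"):
            continue
        sent = int(m["bytes"])
        if sent < min_bytes:
            continue
        host = urlsplit(m["url"]).hostname or ""
        category = match_domain(host)
        if category is None:
            continue
        findings.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                         "host": host, "category": category, "bytes": sent})
    return findings


def bytes_per_user(findings):
    """Total bytes sent to personal services, keyed by user, for triage."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["user"]] += f["bytes"]
    return dict(totals)


# Constructed sample log: one browse, two uploads, one internal POST, one
# small upload under the threshold, and one malformed line.
SAMPLE_LOG = [
    "2013-04-02T09:14:03 jdoe 10.1.2.33 GET https://www.dropbox.com/home 200 512",
    "2013-04-02T09:15:41 jdoe 10.1.2.33 POST https://www.dropbox.com/upload 200 4718592",
    "2013-04-02T09:20:10 asmith 10.1.2.40 POST https://mail.live.com/mail/SendMessage 200 2200000",
    "2013-04-02T09:21:00 asmith 10.1.2.40 POST https://intranet.example.com/timesheet 200 350000",
    "2013-04-02T09:25:17 bchan 10.1.2.51 PUT https://docs.google.com/upload/doc 200 80000",
    "this line is malformed",
]

if __name__ == "__main__":
    hits = find_personal_uploads(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['user']} sent {h['bytes']} bytes to {h['host']} ({h['category']})")
    print("per user:", bytes_per_user(hits))
```

Only request bodies above the threshold count, so simply visiting a file-locker site is not flagged; the threshold is the knob that trades missed small uploads against false positives, and the per-user total is what an analyst would pivot on. This only sees traffic that passes through the proxy: a personal device on the corporate Wi-Fi that is not forced through the proxy, or one on a cellular connection, is exactly the BYOD gap the rest of the paper is about.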

Companies realized the security risks that remote computing created. Use of personal equipment took enterprise data outside the organization's hardened perimeter, and once outside, control of that data was lost. Control of that data might not have been a priority long ago, but in 2002 California started to raise the bar for data protection with its breach notification law (Calif Office of Privacy Protection, 2012). Prior to the notification laws, organizations were expected to protect personal information, but if they failed (i.e. the information was breached) they would quietly fix the problem and keep it secret. A data breach would not normally be publicized and, if it could be avoided, not even reported to law enforcement. If news of a breach got out, there could be negative effects including loss of business revenue, a hit to the stock price and damage to the brand's reputation.

In the United States, forty-six states, the District of Columbia and some of the territories have enacted breach notification laws (NCSL, 2012). Other laws impose additional requirements on the privacy and integrity of business and personal data, including the Sarbanes-Oxley Act of 2002 (SOX), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act of 1999 (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). An industry standard for the cardholder data of credit cards (PCI DSS) is maintained by the Payment Card Industry (PCI) Security Standards Council. Banking and other finance organizations in the USA may be subject to the regulations of the Financial Industry Regulatory Authority (FINRA). In addition to breach notification laws, there are data protection laws which set minimum requirements on how certain types of data must be protected.

Another security issue caused by remote computing is the opening of an attack vector. In information security, the old-school approach was perimeter protection. This meant putting a wall around the data center using firewalls and intrusion detection, and hardening the perimeter to keep the bad guys out. But at least two security technologies break the perimeter: security technologies that break security. The first is the remote access method itself, such as modems and VPNs. Remote access punches a hole in the perimeter and, by bypassing them, almost negates many of the protections provided by the firewall. Then encryption was added. Encryption provides confidentiality: it protects the data stream so that unauthorized parties can't see the data. But, in a proverbial case of shooting oneself in the foot, it also prevents firewalls and intrusion detection systems from evaluating the payloads. When the bad guys use encryption against the organization, data can be exfiltrated without being seen, and malware can be introduced and attacks carried out without detection. In providing a way for employees to reach the corporate network so that they can work remotely, a door was also opened for the bad guys to come in.

The risk mitigations for remote computing included controls such as multi-factor authentication, endpoint protection and, in some extreme cases, allowing only company-owned devices to connect remotely to the organization's network. In this extreme case, if a user was to work remotely, including telecommuting, a company-owned and company-configured device would be assigned for the employee to take home and use. Another mitigation approach was the use of thin clients, such as Terminal Services and Citrix, where home access provided only a window onto the corporate data: the data itself was neither stored nor processed on the personal device. In this scenario corporate data never really leaves the perimeter and is not stored on the remote device.

2.3 Company Owned Portable Devices

The early portable devices were laptop computers. They provided information on the go and could also be used for remote computing. To keep overall costs down, an employee might be assigned a laptop to use in the office instead of a desktop, and port replicators and docking stations allowed the laptop to fit in easily as a desktop. Being company-owned, these devices were also supported and managed by the IT department, with standardized company-owned software and the configuration locked down to provide security. Some larger companies might in some cases have issued both a desktop and a laptop to a single employee.

The portability of a laptop, being a mobile device, does have drawbacks. They get lost. Besides the cost of the lost hardware (and in some cases the loss of the software licenses that were on the device), there is the cost of the data that was stored on the device. If the data on the lost device was Intellectual Property (IP) that was a trade secret, the loss could result in millions of dollars of lost competitive advantage or R&D expenditure. If it was personal data, such as customer data subject to data breach laws, the loss could also result in millions of dollars spent fixing the problem.


In a 2010 USA study, Ponemon studied 45 data breaches, with the most expensive to resolve being $31 million and the lowest $750,000, and the average cost per customer record lost exceeding $200 (Ponemon, 2010). In a 2008 Ponemon study (Ponemon, 2008), one of the key findings was that “Business travelers lose more than 12,000 laptops per week in U.S. airports.” In an InfoGraphic provided by Kensington (Kensington, 2011), “1 Laptop is stolen every 53 seconds, 70 million Smartphones are lost each year with only 7% being recovered, and 57% of those lost Smartphones were not protected with enabling security features”. These statistics cover mobile devices in general, i.e. there is no breakdown or analysis of business owned vs. personal devices. However, Kensington in the InfoGraphic did indicate that “4.3% of Smartphones issued to employees are lost or stolen each year.”

When addressing the mobile device issue alone – even before factoring in BYOD – data is leaving the enterprise on portable devices and many of those devices are disappearing with the data. The problem is going to get worse as more enterprises deploy mobile devices. By the end of 2013, 78% of enterprises are expected to have deployed tablets (Kensington, 2011).

2.4 Cloud Computing and Services

Cloud storage creates many challenges for the business. These include data security and privacy, regulatory compliance, data integrity and availability, and forensics. When corporate data is moved onto a cloud provider that has not been vetted by the enterprise, the data may be at risk.

Examples of cloud storage include file lockers such as Dropbox, Rapidshare, Megaupload, iCloud, and Skydrive. Users will use cloud storage for data backup, but may also use these facilities as an intermediary for transferring corporate data either to another corporation or for home access. If inadequate security controls are implemented, cloud services may be breached by hackers and data stolen. If an employee leaves the organization, the existence of these extra copies may be unknown to the organization, which then lacks knowledge and control of rogue copies of its data. The ex-employee would still have access to this data, and the breach can be harmful to the business. It is common for these services to be used by an employee who wishes to work with the data at home and uses these services to bypass the security controls the organization put in place to prevent the data from leaving. The employee had good intentions and just wanted to get their work done, but they found the security restrictions inhibiting and so found a way to circumvent the controls.

Another use of cloud services is in the Social Media space. Although Social Networking is part of Social Media, Social Media also includes tools such as instant messenger, chat, streaming presentations (e.g. WebEx) and collaboration tools (e.g. Google Docs, Office 365). These tools provide a method of exfiltrating corporate data. For example, a user may wish to use Google Docs for creating and editing documents because they prefer that tool over the current corporate standard or are more technically familiar with it.

2.5 Bring Your Own Software (BYOS)

Microsoft Windows has approximately a 90% share of the desktop market (NetMarketShare, 2013). The remainder includes Mac OS and Linux. There are many other choices in Information Technology (IT) such as browsers (e.g. Internet Explorer, Firefox, and Chrome), search engines (Google, Bing), computer languages (C, C++, C#, Basic, COBOL), and e-mail clients (Outlook, Lotus Notes).

BYOS is about a choice by the user to use what they may already know and what they are most comfortable with. Instead of learning new tools (the corporate standard), they use and implement the tools with which they are most familiar.

Then there is the choice of using software or tools to which the organization may have blocked access. This may include cloud service tools, as mentioned above. However, the user may also wish to use social networking software or sites such as Twitter, Facebook, and YouTube. These sites may be part of the employee’s personal life, and there is no current business requirement for the software or services.

If a user has a personal device, then these services and tools may already be installed on the personal device. An organization can block installation and access on corporate owned devices, but how will personal devices be handled and managed? BYOD devices and services – which occur on personal devices – will require a policy and management strategy to address how these devices and services will be used (or not used) with corporate data and applications.

2.6 Device Standardization, Support and Management

Large enterprises that purchase equipment try to standardize on a limited number of suppliers, vendors, models, software and configurations. This minimizes the variables that need to be evaluated in performing root cause analysis when resolving hardware and software failures. If a support issue arises, the probability of the current help desk staff successfully resolving the problem is higher. If the organization standardizes on Microsoft Windows and does not provide support for Mac OS, then a user with a Mac may receive limited support from inside the organization due to a lack of expertise. In a BYOD scenario, the support center (help desk) could be faced with resolving user problems on a variety of hardware and software, because without standards – anything could show up. Some organizations that allow BYOD provide limited help desk support for personal devices, in other words: “you are on your own”. In a Corner study, “For each type of device, over 40 percent of companies that allow employees to supply their own devices require the employees to contact the vendor directly.” (Rains, 2012). A possible solution for the organization may be to outsource the help desk function for support of personal devices.

2.7 Adapting the Enterprise to Issues of Mobile Devices and Cloud Services

The enterprise is most likely faced with addressing mobile and cloud technologies in their own right. BYOD only adds another layer of complexity to the overall problem. Regardless of whether a mobile device is company owned or personally owned, these devices are prone to being lost or stolen.

2.8 Ownership

BYOD devices may have hardware and software comingled. As an example, suppose an employee brings in a personal device to be used for business. As a piece of hardware, ownership of the personal device may be simple: the hardware belongs to the employee because the device is personally owned. What happens if the personal device is not adequate and requires an upgrade? Common examples are increases in memory, increases in storage, and increases in processing power (e.g. adding an additional CPU). If the employee pays for the upgrade out of pocket, then the device is still most likely a “personal” device. What happens when the organization pays for the upgrades? Now there is a comingling of company owned parts embedded in the employee’s personal device. If the organization reimburses the employee for upgrading the device (i.e. allows the employee to expense the cost), who owns the upgrade, since it is company paid? What if the cost of the entire device is reimbursed?

Software may be a more common example. If the personal device requires additional software for the employee to perform their job, who will buy and pay for the software? If the organization pays for the license, will the organization be able to reclaim the license when the personal device is no longer used (e.g. the employee is terminated)?

Comingling business assets with an employee’s personal assets may make it difficult to determine who owns the assets. Some enterprises have strict policies that forbid personal use of business assets. Other organizations may allow reasonable personal use of business assets. An example is the telephone, where the employee may be allowed to make limited personal phone calls during business hours. Surfing the Internet and making online purchases at work may be allowed by some organizations as long as productivity is not affected (e.g. during the lunch hour) and the activity does not affect other users. Employees may use their business e-mail to conduct personal business. This is actually not rare: in the early days of e-mail, many employees did not have personal e-mail accounts and relied on being able to use their business e-mail addresses. This comingling of business and personal e-mail can create issues for the organization.

Sometimes separation between business and personal use must be maintained, and in the case of mobile devices there are users that carry two or three cell phones to maintain that separation (Rice, 2012). There would be personal phones with personal phone numbers and business phones with business phone numbers. What happens in a BYOD environment where a single personal mobile device (e.g. cell phone) is used for both personal and business usage? Who owns the phone number? With the current technology, phone numbers for personal devices are carried from job to job, and now even from home to home – we take the number with us. If a salesperson uses a personal mobile device to manage clients, and that salesperson moves on to another job (different company), how does the business prevent its customers from calling the salesperson at the salesperson’s new job? The customers know the salesperson’s phone number, and that may be the phone number they call, not knowing that the salesperson is now working for someone else. This issue has already occurred in social media, specifically with AOL Instant Messenger (AIM). Salespersons from one company were communicating with their clients over AIM; one of the salespersons became employed by a competitor, and by taking the AIM account with him, the salesman effectively took his client base with him. The bottom line is that “phone number transfer and ownership” creates issues, and an organization needs to determine up front how it wants to address phone number ownership; otherwise a sales rep could walk off with sales leads (Harris, 2012).

2.9 Employee Privacy

If an organization becomes involved in litigation, the contents of personal devices used for business may be subject to discovery (Garlati, 2012). Because personal data may be comingled with the company’s data, personal data such as browser history, chat logs, personal e-mails, photos, financial account numbers, and private documents stored on the phone may be exposed. Personal data and privacy become collateral damage to a discovery request. There has been recent legal activity regarding an employee’s “expectation of privacy” when using company issued devices for personal reasons (Navetta, The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device), 2012). Switching it around (company data on personal devices) will be just as complicated, if not worse.

If an organization provides for the backup of the personal device, there are three likely scenarios that may occur: 1) only the company’s data is backed up, 2) the company’s data and some of the personal data is backed up, and 3) the entire device is backed up. In the latter two scenarios personal data is being stored somewhere, and a copy of that data is taken out of the possession and control of the owner. Is that data being protected? Can other employees, who may have a need to know for the business data that was on that personal device, also have the ability to see and view the employee’s personal data? Is privacy maintained for personal data that is on the device when the device is brought to the IT department for support?

Mobile devices such as phones and tablets may have GPS capabilities, and can be used as personal trackers. Can the organization track the employee’s location, where they are and where they were? What are the consequences for the employee if this information is voluntarily handed over to law enforcement?

One of the data protection controls used to mitigate the exposure of lost devices is a wipe capability. In a remote wipe, a signal is sent to the device, and the device erases itself and destroys all of the data on the device. A device wipe can also be initiated locally by actions on the device itself, such as entering the wrong password into the device a successive number of times. In some devices this number is fixed; in other devices this number can be configured. In an Apple device that runs current releases of iOS (e.g. iPhone, iPad and iPod Touch), the device can be configured to automatically wipe itself after 10 successive failed passcode attempts (Apple Inc., 2012). Wiping a device can backfire on the organization and result in legal issues (Lui, 2012) (Narisi, 2012). A software company wiped a former employee’s personal device and was successfully sued by the employee for damages. “In Germany it is illegal for companies to wipe personal data from an employee-owned device.” (Guerra, 2012). Wiping a device destroys the data and in a discovery case could result in spoliation (McAfee, 2011).

2.10 Personal Sharing of BYOD Devices

Sharing of personal devices could potentially expose corporate data to unauthorized persons. When a device is a business issued device, the boundaries are usually clear as to who may use the device. In a situation where personal information and corporate information are comingled, the boundaries may not be as clear, and could be very vague. A cross exposure of confidential information may occur, exposure in either direction. For example, confidential business information, which may include personal data of customers, could be exposed to other family members who do not have a “need to know” of that data. What if the data on the personal device is customer medical or financial data? Does access by a family member represent a breach of that data? It is definitely unauthorized disclosure.

Exposure in the other direction may occur as well. Suppose personal family data was stored on a personal device that is used in BYOD, but also shared by family members. If the device is subject to a discovery proceeding then the personal data could be exposed. This is a reiteration of the employee privacy concern mentioned above. But now it is not just the employee’s privacy, it is the employee’s family’s privacy being exposed as well. If the employee’s spouse uses the device for their personal e-mails, and the device is handed over for discovery or forensics, then the employee’s spouse’s personal contents (e.g. e-mails) are exposed.

The sharing issue is not a new problem. Prior to BYOD, the use of personal devices for remote tele-working access produced some of the same risks. Usually those personal devices were the family computer system that was shared by the other family members.

2.11 Application Cohabitation

Mobile devices such as Smartphones and tablets use applications that are acquired and installed differently than software installs for desktop systems. Apple created its iTunes store for app delivery, Blackberry has its App World for its applications, and Google Play is the app store for the Android market.

Apple in January 2013 had 775,000 applications and claimed 40 billion downloads, and an estimated growth of 641 new applications per day (Rowinski, 2013). Google Play, which distributes Android apps, is close to Apple’s figures, is growing at a faster rate, and will soon pass them. At 600+ applications per day, which exceeds 19,000 applications per month, is anyone going to evaluate and vet each application for bugs and malicious code? Apple supposedly does a good job at this, but some rogue applications still get through. In 2012 Google Play (the official app store for Android apps) introduced a service called Google Bouncer, which is an automatic scanning tool that scans submitted apps and tries to determine if they may be malicious. The scanning includes runtime behavior analysis to determine if the application is acting in a malicious manner (Hou, 2012). Security researchers have already analyzed the behavior of Bouncer and were able to get malicious applications past it.

Sensitive corporate data can be put at risk if unregulated third-party applications are stored on the mobile device (Phneah, 2013). The user of the device usually assumes that the application is safe to install and use, and does not realize the security implications inherent in these applications (Phneah, 2012). The malicious code in these applications makes many of them a completely packaged Trojan. Unless the enterprise can vet the software and control the installation of applications, a bad application can breach the entire contents of the device, including the corporate data stored and processed on that device.

To complicate matters, Websense predicts for 2013 that the problem will get worse. In their 2013 Predictions, “Legitimate mobile app Stores will host more malware in 2013”, and they predict “Malicious apps will increasingly slip through validation processes. They will continue to pose risks to organizations enabling bring your own device (BYOD) policies. We will see an increased volume of malware hosted in legitimate mobile app stores. In addition, jail-broken/rooted devices and non-sanctioned app stores will pose significant risk to enterprises as more allow BYOD” (Websense, 2012).

2.12 Regulatory Requirements

Most regulatory requirements, including government (e.g. HIPAA, GLBA, FCRA) and industry (e.g. PCI) requirements, address the privacy of the data. Privacy involves data access (who, when, where, why and how) and the controls put in place to control access. One of those controls is data encryption, which may include full disk encryption technologies.

In the case of mobile devices, either the device or the container holding the data may need to be encrypted. Protection of the data may be required for both “at rest” and “in motion” states.

2.13 Device Backup

If the mobile device is wiped out, the data may need to be recovered. It is in the best interest of the business to back up the data to prevent permanent data loss, but it is also in the best interests of the owner of the personal device to perform backups. The wipe operation is a security feature that must be enabled and configured manually, and when activated the entire contents of the mobile device are made unreadable. Activation is usually initiated by a remote command to the device (remote wipe) but can be triggered in other ways. One of those other methods is when multiple successive invalid passcode attempts are made. For example, an Apple iPad can be configured to have a passcode, and if there are 10 invalid attempts to enter the passcode, the device can be configured to self-wipe. In BYOD, this is a personal device, and if one of the employee’s young children takes the device because they want to play Angry Birds and can’t figure out the passcode, they could end up causing the device to self-wipe. In any case, a wipe destroys all the data, and then what do the employee and business do – since they both have data on that device that may be needed?

The loss of that data can be minimized by backups. But who is responsible for taking the backup? What about the backup image itself? iTunes can be used for Apple devices to take a backup of the device during synchronization, and the backup can be stored on the workstation or in the cloud (iCloud). If the entire device is backed up, then both personal and corporate data will be stored in the backup file. In these scenarios additional copies of corporate data are created outside of the mobile device. If these backups are not encrypted, then the backup file is vulnerable to data loss if it is compromised. The backups are probably not within the scope of a remote wipe that may be initiated at employee termination. If an employee is terminated, the organization may decide that continued possession of the data by the (now ex-) employee is a major risk and issue the remote wipe command to destroy the data. If the employee has backups of the device data, including the company’s data, then the remote wipe would not be completely effective.

2.14 e-Discovery & Forensics

If an employee is arrested, the mobile device in that employee’s possession may be subject to search (Rasch, 2011). In United States 4th Amendment case law, this exception to the warrant requirement is called a “search incidental to an arrest”. If this occurs with a device that contains business data, then there is a potential that the data may be disclosed. This is not just a BYOD issue; it is also a risk even with corporate owned devices.

As previously mentioned, information on the devices can be discoverable, and a business may be required to provide the contents of the device as part of a discovery request. This could cause the personal information of the employee to be disclosed, depending on the degree of separation on the device of business vs. personal data. If the discovery request is not complied with due to lost, damaged or destroyed data (spoliation), the failing party could be sanctioned for not providing the requested data. The judge can assume that the destruction was intentional.

An organization may need to establish a “right to seize” personal devices if those personal devices may contain corporate data and those devices need to be imaged and analyzed for a corporate investigation. Failing to establish this right in advance could inhibit acquiring the device from the employee: the employee could simply refuse to turn over the device, and the organization may have limited recourse.

2.15 The Exit Strategy

Organizations may sometimes enter into business arrangements without considering the steps to be taken when that relationship terminates. This also includes contingency planning for when the service is unavailable. Evaluation of these arrangements may lack due diligence before the execution of a contract. But an exit strategy should be designed and put into place before the engagement begins, and should provide for an orderly departure should termination of the contract occur.

As an example, couples will get married but most don’t plan on a divorce because they expect the marriage to work out and last forever. Yet there are a few who plan, just in case a divorce does happen, and one exit strategy may include a prenuptial agreement.

When the employee’s relationship with the company is terminated, there is usually a standard set of requirements that make up the exit strategy for the company. These include the return of corporate assets and reaffirmation of confidentiality and non-competition agreements. However, in the case of BYOD, the device is the employee’s and does not belong to the corporation. Some of the data on that device does belong to the corporation, and may even include software purchased and owned by the corporation and installed on the personal device. A Forrester study states: “Thirty percent thought there wasn’t enough separation between consumer and corporate data on mobile devices” (PC World, 2010).

This information and software is comingled on the personal device and leaves the employer with two options. The first is to divest the data and software, i.e. figure out which is corporate data and corporate assets (e.g. software) and remove it – leaving the personal data intact. The other option, one that may be easier for the company, is to completely wipe the device of all data. These options assume that the data and assets are comingled; if the data is distinctly separated via some method of partitioning, then wiping corporate data may be easier. Part of the exit strategy will be solving the problem of how to keep corporate data separate from personal data on the personal device, allowing an automatic selective wipe of corporate data.

2.16 Lost and Stolen Devices

Losing a mobile device can be a nightmare for an enterprise. If sensitive corporate data is on the device at the time the device is lost, the expense of addressing a data breach of the device’s contents will far outweigh the cost of the physical asset. A 2011 Ponemon Cost of a Data Breach Study found: “Nearly 40% of organizations in the study had a data breach resulting from a lost or stolen mobile device, including tablet computers, Smartphones and USB drives that contained confidential or sensitive data” (Walker, 2012). Mobile devices may be protected by remote wipe and self-destruct failsafe mechanisms, but that assumes proper configuration and handling. Yet the same study also found that 39% of data breaches in the U.S. involved employee negligence. This might indicate that proper configuration and handling was not occurring. Configuration of the device assumes that protection mechanisms are available, either from the manufacturer or from an add-on that provides security features for the device.

2.17 Mobile Device Malware

Security Endpoint Protection (e.g. antivirus, antimalware, and antispyware) is still in catch-up mode. Mobile device malware may be more profitable to the attacker than desktop infections when considering the number of mobile devices that are now online.

In the earlier days of Smartphone usage, enterprises used devices from Research in Motion (RIM) which carried the Blackberry brand. Blackberry devices came out in 2002 and were the first Smartphones optimized for wireless e-mail use (The National Cyber-Security Advisory Council (CNCCS), 2011). These devices were accepted by corporate IT departments and were considered secure, and RIM became the standard for corporate Smartphones. Even in a 2012 nCircle survey, when asked “Which mobile devices carry the greatest security risks?” the response was: 36% Android, 24% Apple iOS, 10% RIM, and 18% Windows (nCircle, 2012). This indicates that the IT security professionals responding to the survey still consider Blackberry to be a safer bet than Android or Apple, or even Windows phones. RIM also provided software for the security management of Blackberries, called Blackberry Enterprise Server (BES). With BES, device configurations for the Blackberries could be automatically pushed to the devices.

Although malware attacks on mobile devices were seen as early as 2004, endpoint protection focused on desktop systems. Endpoint protection, such as antivirus, was rarely seen for a Smartphone. With the proliferation of the iPhone, with its popularity and quick gain of market share in the Smartphone arena, attackers now have a new attack vector worth exploiting. The mobile device market continued to grow with the introduction of the iPad tablet and the introduction of Android Smartphones and tablets. “Gartner predicts that by 2014 Android will be the most popular platform and Smartphones will outsell PCs by 2013” (The National Cyber-Security Advisory Council (CNCCS), 2011). Malware protection for these devices now exists, although in some cases it is still considered immature, and is not in widespread use. This provides a ripe target for cybercriminals because the gates to the devices are wide open and no one is guarding these gates.

2.18 Jailbreaking

Jailbreaking an Apple iOS device (e.g. iPhone, iTouch, iPad) is a process of gaining root access to the underlying device operating system and removing controls and limitations of the device (Wikipedia, 2013). When an iOS device has been jailbroken it can be used to shop for non-sanctioned apps in non-sanctioned app stores (Websense, 2012). These unsanctioned “Mobile Marketplaces” are repositories for pirated applications that are infected with malware and pose a significant risk to the user and the organization if the infected app is installed and allowed access to corporate data.

Since jailbreaking provides the user total control over the device, i.e. root access, any application installed on the device can be compromised, including controls added to the device to protect data. Configuration applications such as MDM and MAM may be bypassed or overridden, and virtualization container solutions can be compromised. Any lockdown of the device would be difficult, if not impossible, if the user of the device held root access to the device (or, in the case of a Microsoft Windows device, administrative rights). In the case of a virtualization solution that sits on the device, root access to iOS provides control of the hypervisor, which provides almost unrestricted access to the virtual machine guests.
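The configuration gaps discussed in sections 2.12 (encryption at rest), 2.13 (self-wipe threshold and backups), 2.16 (proper configuration and handling) and 2.18 (jailbroken devices) are the kind of thing an IT department would want to check across its whole BYOD fleet rather than one device at a time. The following Python script is an added example, not code from the paper or from any MDM product it names: it parses a constructed inventory export and reports, per device, which of those gaps are present, and which devices holding corporate data should be cut off until fixed. The column names, the five sample devices, the severity labels and the "fewer than 5 attempts" threshold for flagging accidental self-wipe risk are all assumptions made for this example.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample export. The column set is an assumption for this
# example; a real MDM export will use different names and layout.
SAMPLE_INVENTORY = """\
device_id,owner,ownership,passcode,max_failed_attempts,encrypted,backup_encrypted,jailbroken,corporate_data
ipad-001,alice,personal,yes,10,yes,yes,no,yes
iphone-002,bob,personal,yes,,yes,no,no,yes
android-003,carol,personal,no,,no,no,yes,yes
iphone-004,dave,corporate,yes,10,yes,yes,no,yes
iphone-005,erin,personal,yes,3,yes,yes,no,no
"""


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str                      # "personal" (BYOD) or "corporate"
    passcode_enabled: bool
    max_failed_attempts: Optional[int]  # None: no self-wipe threshold set
    encrypted_at_rest: bool
    backup_encrypted: bool
    jailbroken: bool
    has_corporate_data: bool


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_inventory(text: str) -> List[Device]:
    """Turn the CSV export into Device records; blank attempt count means unset."""
    devices: List[Device] = []
    for row in csv.DictReader(io.StringIO(text)):
        attempts = row["max_failed_attempts"].strip()
        devices.append(Device(
            device_id=row["device_id"],
            owner=row["owner"],
            ownership=row["ownership"].strip().lower(),
            passcode_enabled=_yes(row["passcode"]),
            max_failed_attempts=int(attempts) if attempts else None,
            encrypted_at_rest=_yes(row["encrypted"]),
            backup_encrypted=_yes(row["backup_encrypted"]),
            jailbroken=_yes(row["jailbroken"]),
            has_corporate_data=_yes(row["corporate_data"]),
        ))
    return devices


Finding = Tuple[str, str]  # (severity, description)


def assess(device: Device) -> List[Finding]:
    """Apply the posture checks from sections 2.12, 2.13, 2.16 and 2.18."""
    findings: List[Finding] = []
    if device.jailbroken:
        findings.append(("high", "jailbroken/rooted: MDM, MAM and container controls can be bypassed"))
    if not device.passcode_enabled:
        findings.append(("high", "no passcode: a lost device exposes everything on it"))
    elif device.max_failed_attempts is None:
        findings.append(("medium", "no wipe-after-failed-passcode threshold configured"))
    elif device.ownership == "personal" and device.max_failed_attempts < 5:
        # Threshold is an assumption: a shared family device with a very low
        # limit is likely to self-wipe by accident (section 2.13).
        findings.append(("low", "low failed-attempt threshold on a shared personal device risks accidental self-wipe"))
    if not device.encrypted_at_rest:
        findings.append(("high", "data at rest is not encrypted"))
    if not device.backup_encrypted:
        findings.append(("medium", "backups are unencrypted and sit outside remote-wipe scope"))
    return findings


def triage(devices: List[Device]) -> Dict[str, List[Finding]]:
    return {d.device_id: assess(d) for d in devices}


def must_quarantine(devices: List[Device]) -> List[str]:
    """Devices holding corporate data that have at least one high-severity gap."""
    return [d.device_id for d in devices
            if d.has_corporate_data and any(sev == "high" for sev, _ in assess(d))]


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for device_id, findings in triage(inventory).items():
        print(device_id, findings or "ok")
    print("quarantine:", must_quarantine(inventory))
```

The check deliberately treats a jailbroken device as a high finding on its own, regardless of its other settings: once the user holds root, the passcode and encryption fields reported by the agent cannot be trusted either, which is the point the paper makes about MDM, MAM and container solutions.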

2.19 Insecure Application Coding and Configuration

No one can code a bug-free application, and there are no testing tools that can detect all possible defects in program code. If there were such a testing tool, it would contradict Alan Turing’s “Halting Problem”. While these theories hold, there will always be a risk within an application that the code can be exploited and compromised, i.e. no application will ever be 100% secure. This is where risk management enters the mix: since we can’t be 100% secure, what would we consider “secure enough”, and is it realistic to achieve a residual risk which is “secure enough” and acceptable to the business?

Can a PC, workstation, server, or mobile device be configured securely? Organizations expend great amounts of resources to try to figure out what the optimum mix of security and operational settings should be. This is hard to achieve because “one size does not fit all”. If it did, then the manufacturer of the software would set the options at the factory and that would be it. But there is a triangle of three variables that organizations attempt to balance: security, performance and cost. It takes a lot to achieve the balance, and sometimes within a single organization this balance may vary depending on the usage and location of the equipment.

If an organization has to expend all these resources to figure out how a device should be configured, then an individual user will probably not get involved with setting security configurations; most users will just use the device out of the box, “as is”.

Obviously the industry has not learned from its prior mistakes. With the majority of Microsoft Windows XP workstations on the Internet in an always on/always connected mode, these machines became the choice of cyber criminals to attack, infect, and turn into zombies or bots. It was becoming so bad that Microsoft attempted to reduce the attack surface of Windows XP systems in Windows XP SP2 (Service Pack 2) by turning on the Windows built-in firewall by default. Since one size does not fit all, turning on this feature did break some applications, but it was considered an improvement that reduced many attacks that were being launched against those systems. Now with mobile devices, we are faced with these same issues again, as mobile devices are not configured securely out of the box; they are not “secure by default”.

A problem with so-called Secure Application Coding is education/training. Only recently have programming classes in the university and vendor training classes included application security. Students learned how to program (how to write code), but security was not usually taught as part of programming and, thus, was never considered, or it was expected that the student would pick that skill up somewhere else. In some curricula, application security is provided by separate security courses, which if not taken will still leave the student lacking security knowledge. This is a bolt-on approach, and not really integrated. The result will be application coders that continue to write insecure code because they lack the methodology of secure coding practices.

3. Recommendations

The recommendations made here are not meant to be complete, exhaustive, or mutually exclusive. They attempt to address some of the issues shown in Section Two of this paper. Keep in mind that BYOD is part of a much bigger issue, and even if BYOD is not addressed, the underlying problem of mobile devices will most likely need to be addressed. Many of the issues mentioned above exist in mobile devices that are owned by the enterprise. BYOD suffers from the same problems and issues as business-owned mobile devices. The “mobile device” problem itself requires a solution and is the bigger problem to be considered regardless of who owns and manages the device.

3.1 Establish Policies for BYOD

The content of actual policies is beyond the scope of this paper and is left for further research. But policies for mobile devices are required. BYOD policies need to be developed and put into place regardless of whether BYOD is adopted or banned by the organization. Even if BYOD is not adopted, policies are needed as a contingency for handling incidents where personal devices manage to slip in. Something as simple as a USB flash drive can cause havoc unless policies are in place.

Policies are usually administrative in nature, but can be enforced using the three main security control types: Administrative, Technical and Physical. Policies must be backed up with training to inform the users of the policies’ existence and contents. This is usually accomplished via security awareness training. In some organizations the employee is required to sign an acknowledgement form indicating that the employee has read and understands the policies.

Having a policy and putting it out there is not enough. In a survey of 547 IT professionals performed in the 2nd quarter of 2012, 71% answered “Yes” to the question: “Does your organization have a mobile device security policy?” (nCircle, 2012). This is an increase, since the survey showed that 58% answered “Yes” back in 2010. In the same survey a question was asked whether the organization enforced that policy, with 85% responding “Yes” in 2012 (up from 65% in 2010). 85% is a high number, but policies are not always effective unless they are enforced. Policies should be implemented and they should be enforced. Overall security policy enforcement, according to the survey, is lower: the question “Does your organization adequately enforce adherence to its internal security policy?” was answered “Yes” by 68% in 2012, down from 71% in 2010.

A properly written and enforced policy is an organization’s first line of defense. Policies must communicate how devices will be managed by the IT department, and the access required by the business to their devices in order to protect corporate data and assets (Apperian, 2011).

Citrix recommends these areas to be covered in a BYOD policy (Citrix, 2012):

• Eligibility
• Allowed Devices
• Service Availability
• Rollout
• Cost Sharing
• Security
• Acceptable Use
• Support and Maintenance


3.2 Contracts and Agreements

Contracts and agreements can be an extension of policies but may need to be individualized. Although an organization may do this through a policy, there may be advantages to having an employee explicitly agree to certain terms of mobile device usage, especially when the device is owned by the employee.

Two examples are seizure and wiping. In the case of seizure, if data belonging to the enterprise is stored on the employee’s device, the organization may need to retain the right to seize the device from the employee for eDiscovery and forensics investigation purposes. In the case of wiping, the organization may retain the right to wipe the device without liability for the loss of personal information on the device. Wiping may be required when the device is lost or stolen or at employee termination. “Employees must also understand the consequences of conditions that might dictate the need for a complete wipe of a device” (Apperian, 2011). Even in these two examples there may be global implications as to what may be allowed with and without an agreement, and the contents of agreements and policies should be worked out with legal counsel.

3.3 Offer CYOD instead of BYOD

An organization may retain better control of mobile devices with a “Choose Your Own Device” strategy instead of “Bring Your Own Device”. In CYOD, the organization will continue to purchase and own the device, but the employee chooses the device. If the employee prefers an Apple iPhone instead of a RIM Blackberry phone, the employee can pick the iPhone and the company will purchase, configure, and support the device. In this scenario the device is not completely forced onto the employee; there is some choice, creating a middle ground on device selection. When the employee relationship terminates, the equipment may either be returned, or some companies will provide a buyback program where the employee can buy the device from the company.

3.4 Secure Containers

“Containerization refers to a solution that creates an encrypted data store or container on a device” (Faas, 2012). This concept may also be called a “secure bubble”. The encryption and authentication to the container is independent of the device settings. The entire device might not be encrypted and the device might not have a passcode, but the container is a secure repository in itself. All the corporate data can be stored in one place and segregated from personal data. This dividing line can prevent or limit the comingling of corporate and personal data and should make it easier for the corporate data to be wiped at a later time without destruction of personal data.

At some point in time the data obtained from the container will need to be decrypted into clear text so that the application can use and process the data. The communications channel between the container and the application could be vulnerable to eavesdropping or man-in-the-middle attacks, so this channel needs to be secured. The application that processes the data in clear text form could be vulnerable to an attack, such as a man-in-the-middle application, where the clear text form of the data is extracted from the application’s working data store, such as stacks and registers. Modification of the executable could be made in a way that adds rogue program code to store or transfer corporate data off the device.

Storage of corporate data in a container may be safe while the data is stored, but the security of the application’s access to the data will depend on how well the application is protected. The segregation can make the exit strategy easier because it can reduce or solve the comingling problem.

Containerization may also be called sandboxing and virtualization. The hypervisor may exist within the firmware (bare metal) or run under the mobile device’s operating system, like VMware (Cocking, 2012). Apple provides sandboxing for third-party applications installed on iOS devices (Apple Inc., 2012). These third-party apps are isolated from the other apps and the operating system, and can only communicate via supplied APIs. Third-party iOS applications are those installed from the App Store, but Apple’s preloaded applications are stored in the root folder and are not subject to the same restrictions as a sandboxed application (Zdziarski, 2012). If the iOS device is jailbroken then pirated applications could be installed outside of the sandbox and into the root folder, allowing the application to run commands that would otherwise have been restricted.

3.5 Remote Access Terminal Solutions

Citrix’s approach is desktop virtualization, accessed via a secure SSL connection (Citrix, 2012). In this scenario, the applications and the data reside on a virtualized desktop, and the mobile device runs either an application or a web browser to remotely access the desktop. Remote access is accomplished via a “thin client” running on the mobile device, with the intent of keeping a small footprint on the device. This provides device independence because the customized application is not running on the device. The data is protected inside the corporate perimeter and never leaves the safe confines of the data center.

This concept could use any desktop virtualization solution, such as VDI (Virtual Desktop Infrastructure) as provided by VMware View. In a remote access solution the mobile device acts as a remote terminal and all the heavy lifting is done at the remote desktop. This solution assumes that the device is connected to a network and the remote desktop is available. Offline processing may be impossible if the remote connection is not operational.

Because all the data is in the data center, the risk of a lost device is minimized. No data is on the device. If the employment relationship is terminated, there is no data on the device. In either of these cases the employee’s credentials that access the remote desktop must be disabled to prevent remote access after device loss or employee termination, but once they are disabled the data should be safe.

3.6 Mobile Application Management (MAM)

“Mobile application management is the delivery and administration of enterprise software to end users’ corporate and personal smartphones and tablets” (TechTarget, 2013). MAM focuses on application delivery while MDM focuses on device provisioning.

3.7 Mobile Device Management (MDM)

In Gartner’s Magic Quadrant for Mobile Device Management Software, MDM is defined as: “Enterprise mobile device management (MDM) software is primarily a policy and configuration management tool for mobile handheld devices, such as smartphones and tablets based on smartphone OSs” (Basso, Girard, & Redman, 2012).

One of the objectives of MDM is to manage security settings over a heterogeneous span of mobile devices, making the settings device independent. Through security settings the IT department can distribute policy and configuration to the devices and enforce security policy. One set of configuration settings may force the activation of a password (or passcode) to be used on the mobile device, and set a minimum password length, with complexity and aging requirements for the password. The MDM should be able to set and modify any configuration setting on the device that a user can set, and the MDM may be able to prevent the user from disabling or changing that setting back. The jailbreaking process could interfere with the MDM’s processes and result in an insecure device in violation of the organization’s security policy.

The Blackberry Enterprise Server (BES) has the features of an MDM, but is mainly homogeneous and usually applies to RIM devices. However, RIM is moving forward with a commercially available MDM platform called Mobile Fusion.

3.8 Network Access Control (NAC)

Controlling and monitoring access to corporate networks will require access control. A report by Dell states that BYOD will drive the need for NAC to accomplish this (Dell Sonicwall, 2013). Mobile devices connected directly to the corporate network will usually connect via a Wi-Fi network (wireless LAN). The three A’s (AAA) of security (Authentication, Authorization and Accounting) are provided and enforced via access control to the wired or wireless network, and network access control is provided using NAC.

NAC can control who may, or may not, connect to a network and can be configured to force the device to comply with security standards before allowing access. For example, NAC can be configured to prevent connection of a device if the device has security vulnerabilities such as lack of patching or endpoint protection software.

3.9 Data Self Protection

Data may be protected by using a self-protection mechanism such as information rights management (IRM), sometimes called digital rights management (DRM). The data, usually in the form of a document, has built-in access control that works with encryption technology to control access to the document. This is also called MCM (Mobile Content Management), and the idea is to focus on protecting the data while disregarding perimeter protection (e.g. the philosophy of the Jericho Forum).

3.10 Device Behavior

Many of the mobile devices contain location awareness, especially devices that have built-in GPS capabilities. The behavior of the mobile device could be tied to the location of the device when the data is being accessed. This is called geo-fencing, where data access is restricted to a specific location, and the data may be removed or made inaccessible when the device leaves the location.
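The three mechanisms of Sections 3.7, 3.8 and 3.10 fit together in one added example (written for this edit, not code from the paper or any vendor's MDM product): a device's reported settings are checked against a policy, the violations drive an allow/quarantine/deny network admission decision, and corporate data is readable only on a compliant device within a fixed radius of a site. The policy thresholds, the remediable-violation rule, the dataclass names and the coordinates are all constructed assumptions.

```python
# Added example, not from the paper: a hypothetical MDM-style compliance check,
# a NAC admission decision derived from it, and a geo-fence for data access.
# Every name, threshold and coordinate below is a constructed assumption.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Policy:
    """Settings the organization requires on every enrolled device."""
    passcode_required: bool = True
    min_passcode_length: int = 6
    complexity_required: bool = True
    max_passcode_age_days: int = 90
    min_os_version: tuple = (6, 1, 0)
    endpoint_protection_required: bool = True
    # Geo-fence: corporate data is readable only within this radius of the site.
    site_lat: float = 40.7128       # constructed site coordinates
    site_lon: float = -74.0060
    fence_radius_m: float = 500.0


@dataclass(frozen=True)
class DeviceReport:
    """Effective settings as reported by the MDM agent on the device."""
    device_id: str
    passcode_enabled: bool
    min_length_setting: int         # length the device currently enforces
    complexity_enforced: bool
    passcode_age_days: int          # days since the passcode was last changed
    os_version: tuple
    endpoint_protection_installed: bool
    jailbroken: bool
    lat: float
    lon: float


def parse_version(text: str) -> tuple:
    """'6.1' -> (6, 1, 0): pad to three components so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def check_compliance(policy: Policy, report: DeviceReport) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if report.jailbroken:
        # A jailbreak can defeat the MDM agent itself, so nothing else the
        # agent reports can be trusted (Section 3.7).
        violations.append("jailbroken")
    if policy.passcode_required and not report.passcode_enabled:
        violations.append("passcode disabled")
    if report.min_length_setting < policy.min_passcode_length:
        violations.append("passcode length setting below minimum")
    if policy.complexity_required and not report.complexity_enforced:
        violations.append("passcode complexity not enforced")
    if report.passcode_age_days > policy.max_passcode_age_days:
        violations.append("passcode past maximum age")
    if report.os_version < policy.min_os_version:
        violations.append("OS below minimum version")
    if policy.endpoint_protection_required and not report.endpoint_protection_installed:
        violations.append("endpoint protection missing")
    return violations


# Violations a user can fix from a quarantine network (update, install agent).
REMEDIABLE = {"OS below minimum version", "endpoint protection missing"}


def nac_decision(violations: list) -> str:
    """Map violations to a network admission decision (Section 3.8)."""
    if not violations:
        return "allow"
    if all(v in REMEDIABLE for v in violations):
        return "quarantine"     # restricted VLAN: patch and AV servers only
    return "deny"


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    earth_radius_m = 6371000.0
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(a))


def geofence_allows_data(policy: Policy, report: DeviceReport) -> bool:
    """Corporate data opens only on a compliant device inside the fence (3.10)."""
    if check_compliance(policy, report):
        return False
    distance = haversine_m(policy.site_lat, policy.site_lon, report.lat, report.lon)
    return distance <= policy.fence_radius_m
```

A real MDM agent reports many more settings than this, but the structure is the same: the policy lists required minimums, the agent reports effective values, and drift in either direction is a violation rather than a setting to be silently reapplied.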


4.0 Future Research

The issues discussed in this paper are not exhaustive, nor does the paper go into depth on each issue. Each issue discussed can be researched further in a more detailed deep dive. The scope and focus has been on risk and security, but BYOD and mobile have implications in the areas of operational issues and return on investment (ROI). There are different opinions among the experts as to whether BYOD really saves the organization money.

Mobile device malware, and anti-malware solutions, are topics of future research. Endpoint protection may be required, but there is also some thought that an individual mobile device doesn’t hold that much data and the risk might not be that great. If the mobile device is connected to the corporate network, it becomes a threat, as it provides an attack vector past the perimeter. The connection of the device to the network requires an integrated suite of software providing MDM on the device working hand in hand with network access control (NAC), and the objective is to provide and enforce Authentication, Authorization and Accounting (AAA) protection.

Configuration of a mobile device is important, and can be automated via an MDM solution. But the question that needs to be answered is: what should the settings be? One size does not fit all, but a recommendation on what settings should be configurable, and the pros and cons of each setting, would be a separate piece of valuable research.

Support of mobile devices may require beefing up the wireless infrastructure, including bandwidth increases. 802.11ac is a standard in draft state that may provide Gigabit Wi-Fi in 2013 (Cox, 2013). Although cellular-enabled devices (e.g. 3G, 4G, 4G LTE) would connect through the Internet and come in via the firewalls, using the Wi-Fi features of the devices will allow the devices to connect to the corporate WLAN (Wireless LAN).

Near Field Communication (NFC) is a feature that can be enabled in the phone, and one of its uses is for wallet applications for electronic credit card payment. But research is in progress to use the NFC feature for a new kind of proximity access card, such as an employee ID badge used to open security doors. Today, employees in the enterprise may have an electronic ID card with either a magnetic stripe, a bar code, or a proximity radio signal. When the employee relationship terminates, the ID card is deactivated and usually collected from the employee. If the NFC of a personal phone is used as an ID badge, will de-provisioning of the device be handled differently? This feature and how it is used should be evaluated and considered.

Research can be done on the question of who pays for the device and other compensation. Some organizations have taken the position that the employee pays for the device and the services (telco charges). Some organizations will pick up the entire tab, while there are some that will split the cost. There are different reimbursement models and implications of each, which could be made part of the ROI examination.

File sharing presents an issue to be examined. The mobile devices are used for collaboration, and when an employee is using 3 or more devices they want the data to be up to date and in sync on each of those devices. This requires a way to share the files across different mobile and desktop devices and may require replication and synchronization services.

Legal and privacy laws were only touched on, and there is opportunity for research into the different legal and privacy regulations, especially on an international level. Regulatory compliance, with its international and cultural differences, needs to be examined.

5.0 Summary

BYOD is a current trend that is moving fast. In a business strategy survey of 1,000 TechRepublic and ZDNet members, 44% currently allow BYOD and another 18% expect to move to BYOD by the end of 2013 (TechRepublic, 2013). In 2012 Forrester published a report that showed 53% are using their own technology for work purposes (King, 2012). Organizations are faced with supporting BYOD, and it is a technology that continues to grow. Combining BYOD with other disruptive technologies such as Cloud Computing, Social Media and Mobile devices is creating a perfect storm that is sweeping the enterprise. Given that companies are challenged to support mobile by itself, BYOD just adds another layer of complexity on top of mobile device support.

A challenge with mobile devices, regardless of the owner of the device, is that a single user may have multiple devices and each device represents an endpoint with its own IP address. Originally the IT department had to support one endpoint per user, usually the user’s desktop. Then this expanded when a laptop was added for select employees. This may have been manageable in the past; however, today a single employee could easily be equipped with four or more devices when adding a phone and a tablet. Most of those devices would be capable of connecting to the corporate network infrastructure, with the potential to access sensitive corporate data. “With the rapid adoption of BYOD, the reality of multiple devices per user, and growth of cloud-based services, the era of managing security capabilities on each endpoint is over” (Cisco, 2013).

A driver for BYOD is the young, future workers. These “millennial” workers, who have grown up with the technology, come to work with their own personal devices, and expect the organization to accept and support those devices. Security is not their concern; they expect the company to enable using their devices without putting the enterprise at risk, and all they want is anytime/anywhere access in order to be able to get their work done (Cisco, 2011).

Organizations are embracing the BYO (Bring Your Own) phenomenon in hopes of reducing cost. It allows the organization to get out of the ownership game, and convert CapEx (Capital Expenditure) to OpEx (Operational Expenditure). Forrester discusses an approach scenario as “own nothing, control everything” by using a zero-trust model where all endpoints are treated as hostile (Jaquith, 2010). While there are claims of BYOD providing a good return, there are also claims that the “control” part consumes most of the cost savings. The ROI of using BYOD was not addressed in this paper and is left for future research.

BYO includes devices, software and services. It involves access to both corporate and personal assets that include hardware, software, and data. One major issue is caused by the comingling of corporate and personal assets, and presents challenges of how to provide protection to those assets. The “exit strategy” is required to determine how to recover corporate assets from a personal device when the employment relationship is terminated. The number of endpoints per user that require protection is increasing, the corporate perimeter is vanishing, and a holistic approach to data protection needs to focus on directly protecting the data. The concept of de-perimeterization was introduced by the Jericho Forum.

Before the BYOD issues can be resolved the enterprise must fix the mobile device problem. If it is a corporate-issued device, then the employee will probably put personal data on the device (e.g. use corporate e-mail for personal mail, perform personal web surfing on the mobile device). Many organizations allowed the employee to do this in the past with corporate desktops that were not locked down, when the risks were not well known. If a personal device is used, then the employee will probably put corporate data on that device. One of the largest risks in mobile device technology is the loss of a device that has sensitive corporate data on it. It doesn’t matter who owns the device; the issue is what is on the device.

The organization should come up with a strategy, and then develop policies for use of mobile and BYOD in the enterprise. This strategy may be dictated or affected by the corporate culture. The objective should be worker enablement while corporate assets are protected within the risk appetite of the enterprise. The strategy and policies should be planned as a complete lifecycle that includes provisioning of the device, software and services and carried through to the de-provisioning process. This includes having an exit strategy for asset recovery at the end of the relationship.

The use of mobile devices will impact other parts of the infrastructure. The use of mobile devices within the organization may require an expansion of the wireless network. How the organization saves money may also depend on how expenses are paid and who will be responsible for expenses.

6.0 References

Apperian. (2011). Protecting Corporate Data in the "BYOD" environment. Apperian.

Apple Inc. (2011, October 28). iOS: Understanding data protection. Retrieved from Apple Support: http://support.apple.com/kb/ht4175

Apple Inc. (2012, May). IOS Security. Retrieved from http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf

Basso, M., Girard, J., & Redman, P. (2012). Magic Quadrant for Mobile Device Management Software. Gartner.

Calif Office of Privacy Protection. (2012, January). Recommended Practices on Notice of Security Breach Involving Personal Information. Retrieved from http://www.privacy.ca.gov/business/recom_breach_prac.pdf

Cisco. (2011). 2011 Cisco Annual Security Report. San Jose: Cisco.

Cisco. (2013). 2013 Cisco Annual Security Report. San Jose: Cisco.

Citrix. (2012). Best practices to make BYOD simple and secure - A guide to selecting technologies and developing policies for BYOD programs. Citrix.

Cocking, L. (2012, May 11). Mobile Device Sandboxing 101. Retrieved from Fixmo: http://fixmo.com/blog/2012/05/11/mobile-device-sandboxing-101

Computer History. (2013, March 12). 1979 - Computers. Retrieved from Computer History Museum: http://www.computerhistory.org/timeline/?year=1979

Cox, J. (2013, January 2). Technologies to watch 2013: Gigabit Wi-Fi. Retrieved from Network World: http://www.networkworld.com/news/2013/010312-outlook-gigabit-wifi-265254.html

Dell Sonicwall. (2013). IT security trends in 2013. Dell.

Dunn, D. (2005, June 20). The PC Replacement Decision. Retrieved from InformationWeek: http://www.informationweek.com/the-pc-replacement-decision/164900387


Faas, R. (2012, November 7). New trend in BYOD security: contain the data, not the device. Retrieved from CITEWorld: http://www.citeworld.com/mobile/21036/mobileiron-and-good-break-new-ground-secure-enterprise-containers-mobile-devices?page=0

Garlati, C. (2012, January 31). The Dark Side of BYOD – Privacy, Personal Data Loss and Device Seizure. Retrieved from Trend Micro: http://consumerization.trendmicro.com/consumerization-byod-privacy-personal-data-loss-and-device-seizure/

Gartner. (2008, May 28). Gartner Newsroom. Retrieved from Gartner Newsroom: http://www.gartner.com/newsroom/id/681107

Guerra, D. (2012, December 3). Bring your own device, but who owns your data? Retrieved from Exact Trak: http://www.exacttrak.com/bring-your-own-device-but-who-owns-your-data/

Harris, R. L. (2012, February 27). Lessons Learned from a Bring Your Own Device Project. Retrieved from Avena: http://www.avema.com/mobile_device_management_blog/byod/lessons-learned-from-a-bring-your-own-device-project/

Hou, O. (2012, July 20). A Look at Google Bouncer. Retrieved from TrendLabs: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-google-bouncer/

Jaquith, A. (2010, January 22). Own nothing – control everything: five patterns for securing data on devices you don’t own. Retrieved from ComputerWeekly.com: http://www.computerweekly.com/feature/Own-nothing-control-everything-five-patterns-for-securing-data-on-devices-you-dont-own

Kensington. (2011). Cost of Stolen or Lost Laptops, Tablets & Smart Phones. Retrieved from http://blog.kensington.com/wp-content/ktg/docs/m1_iphone_theft_banner.pdf

King, R. (2012, June 13). Forrester: 53% of employees use their own devices for work. Retrieved from ZDNet: http://www.zdnet.com/blog/btl/forrester-53-of-employees-use-their-own-devices-for-work/79886

KPMG. (2013, February). Special Edition: 2013 IT Spending Predictions Consensus. Retrieved from KPMG: http://www.kpmg.com/TR/tr/Issues-And-Insights/ArticlesPublications/Documents/2013-IT-Predictions-Consensus.pdf

Lui, S. (2012, December 6). BYOD can put companies in legal bind: analyst. Retrieved from ZDNet: http://www.zdnet.com/au/byod-can-put-companies-in-legal-bind-analyst-7000008396/


McAfee. (2011). Employee Use of Personal Devices - Managing risk by balancing privacy and security. Retrieved from McAfee: http://www.mcafee.com/us/resources/solution-briefs/sb-employee-use-of-personal-devices.pdf

Narisi, S. (2012, July 18). 7 ways BYOD could get you sued. Retrieved from IT Manager Daily: http://www.itmanagerdaily.com/byod-policy-legal-issues/

Navetta, D. (2012, March 28). The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device). Retrieved from Information Law Group: http://www.infolawgroup.com/2012/03/articles/byod/the-security-privacy-and-legal-implications-of-byod-bring-your-own-device/

nCircle. (2012). nCircle 2012 BYOD Security Trend Survey. nCircle.

NCSL. (2012, August 20). State Security Breach Notification Laws. Retrieved from National Conference of State Legislatures: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

NetMarketShare. (2013, January 01). Desktop Operating System Market Share. Retrieved from NetMarketShare: http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0

NIST. (2001, September). SP800-30 Rev 1: Guide for Conducting Risk Assessments. Retrieved from NIST: http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf

PC World. (2010, May 27). Forrester report finds most data breaches are caused by employees. Retrieved from PC World: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html

Phneah, E. (2012, August 3). Mobile apps pose biggest threat. Retrieved from ZDNet: http://www.zdnet.com/mobile-apps-pose-biggest-threat-7000002093/

Phneah, E. (2013, February 04). Five security risks of moving data in BYOD era. Retrieved from ZDNet: http://www.zdnet.com/five-security-risks-of-moving-data-in-byod-era-7000010665/

Ponemon. (2010, January 25). Ponemon Study Shows the Cost of a Data Breach Continues to Increase. Retrieved from Ponemon Institute: http://www.ponemon.org/news-2/23

Ponemon, L. (2008, June 30). Airport Insecurity: The Case of Missing and Lost Laptops. Retrieved from Dell: http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf


Rains, J. (2012, March). Bring Your Own Device (BYOD): Hot or Not? Retrieved from HDI Research: https://news.citrixonline.com/wp-content/uploads/2012/04/BYOD-Hot-or-Not.pdf

Rasch, M. (2011, October 31). People vs. Diaz Fails to Consider Enterprise Data on Mobile Devices. Retrieved from CSC News: http://executiveviews.wordpress.com/2011/10/31/people-vs-diaz-fails-to-consider-enterprise-data-on-mobile-devices/

Rice, J. (2012, May 29). Bring Your Own Device to Work – The IT Dilemma. Retrieved from The Business Cloud Blog: http://blog.intermedia.net/2012/05/29/bring-your-own-device-to-work-the-it-dilemma/

Rowinski, D. (2013, January 8). Google Play Will Beat Apple App Store To 1,000,000 Apps. Retrieved from ReadWrite.com: http://readwrite.com/2013/01/08/google-play-to-hit-1-million-apps-before-apple-app-store

TechRepublic. (2013). The Executive’s Guide to BYOD and the Consumerization of IT. TechRepublic.

TechTarget. (2013, February 04). Definition: Disruptive Technology. Retrieved from What-is.com: http://whatis.techtarget.com/definition/disruptive-technology

TechTarget. (2013, February 21). Definition: Mobile Application Management (MAM). Retrieved from SearchConsumerization: http://searchconsumerization.techtarget.com/definition/mobile-application-management

The National Cyber-Security Advisory Council (CNCCS). (2011). SmartPhone Malware. Spain: Panda Security.

Walker, R. W. (2012, March 27). Negligent Employees Cause Most Data Breaches; Mobile Is Key Factor. Retrieved from AOL Government: http://gov.aol.com/2012/03/22/negligent-employees-cause-most-data-breaches-mobile-is-key-fact/

Websense. (2012). 2013 Security Predictions. Websense Security Labs.

Wikipedia. (2013, February 19). iOS Jailbreaking. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/IOS_jailbreaking

Williams, G. (2012, December 11). 2013 Tech Trends: The Hyper-Convergence Effect. Retrieved from Avanade Blog: http://www.avanade.com/blog/business-of-technology/2013-tech-trends-the-hyper-convergence-effect/

Zdziarski, J. (2012). Hacking and Securing iOS Applications. Sebastopol: O'Reilly Media Inc.
