byod: implementation and security issues


Upload: harsh-kishore-mishra

Post on 13-May-2015


Page 1: BYOD: Implementation and Security Issues

Registration number: CUPB/MTECH-CS/SET/CST/2013-2014/01 CBS.504

BYOD: Implementation and Security Issues

Harsh Kishore Mishra M.Tech. Cyber Security

Centre for Computer Science & Technology Central University of Punjab, Bathinda (Punjab)


Abstract— Bring your own device (BYOD) (also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)) refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. BYOD has the economic advantage of the employee providing his or her own equipment, which normally results in a happier user base. The bring-your-own-device movement has enticed organizations that pursue BYOD to increase productivity, improve morale and possibly even reduce capital costs. The disadvantages are the security risks of allowing an unknown system onto the corporate network, data security, ownership and customer protection. Creating a policy to address BYOD will affect the company in several areas because all policies require review, approval, updating and awareness. Policies are auditable items to which a company has to demonstrate adherence.

Keywords— BYOD, Business Privacy Issues, BYOT, BYOD Policy, Information Security

I. WHAT IS BYOD: AN INTRODUCTION

The term BYOD was mentioned in a paper by Ballagas et al. at UBICOMP 2005. BYOD first entered use in 2009, courtesy of Intel, when it recognized an increasing tendency among its employees to bring their own devices to work and connect them to the corporate network. Most people associate smartphones with the term BYOD, but in reality BYOD comprises not only smartphones but also employee-owned computing devices. The term is also used to describe the same practice applied to students using personally owned devices in education settings. However, it took until early 2011 before the term achieved any real prominence, when IT services provider Unisys and software vendors VMware and Citrix Systems started to share their perceptions of this emergent trend. The Bring Your Own Device model/paradigm, a side effect of consumerization, is now widely adopted to refer to mobile workers bringing their own mobile devices, with their data and applications, into their workspace for both working and personal use. Some believe that BYOD may help employees be more productive. Others say it increases employee morale and convenience by using their own devices and makes the company look like a flexible and attractive employer.[11]

II. BYOD TRENDS

A company can also see improved productivity from an employee with BYOD, as it allows the employee to easily take the device home and work. In most cases, businesses simply can't block the trend. The concept of BYOD is one that businesses are embracing for its flexibility and cost savings.

BYOD is making significant inroads in the business world, with about 75% of employees in high growth markets such as Brazil and Russia and 44% in developed markets already using their own technology at work.[10] Many feel that BYOD can even be a means to attract new hires, pointing to a survey that indicates 44% of job seekers view an organization more positively if it supports their device. Many industries are adopting BYOD quicker than others. A recent study by Cisco partners of BYOD practices stated that the education industry has the highest percentage of people using BYOD for work at 95.25.

A study[9] by IBM says that 82% of employees think that smart phones play a critical role in business. The study also shows benefits of BYOD include increased productivity, employee satisfaction and cost savings for the company. Furthermore, 88% of IT leaders see BYOD growth and 76% consider it extremely positive.[6] What is also evident is that BYOD is related to some trends that make it desirable: cloud computing and work-shifting. The improvement of bandwidth availability, mainly in nomadic environments, and the growth of cloud computing services make it possible to move the work where it is desired. However, BYOD is built on devices that the company explicitly does not own. In 2011, 57 percent of North American, Asian, and European workers reported they selected and paid for their own smartphones; 51 percent did so with a laptop, 48 percent with a tablet, and only 16 percent procured their own desktop computer.[1]

The reason many companies are embracing the BYOD phenomenon instead of discouraging it is simple, and always the same: it improves their productivity and reduces costs. Why? Basically because employees have more opportunities to collaborate, and using preferred devices means greater job satisfaction and more effective utilization. Accordingly, BYOD can become the “silver bullet” in terms of productivity improvement, especially for some roles and activities where mobility is a strong enabler for the adoption of new business models.


III. BYOD ADVANTAGES

A. Increased Productivity

The use of technology at work has increased significantly over the past few years as the use of paper and manual processes continues to decrease. Increased productivity comes from a user being more comfortable with their personal device; being an expert user makes navigating the device easier. Employee satisfaction, or job satisfaction, occurs with BYOD by allowing the user to use the device they have selected as their own rather than one selected by the IT team. It also allows them to carry one device as opposed to one for work and one for personal use.

A company can also see improved productivity from an employee with BYOD as it allows for the ability to easily take the device home and work. Though technology increases overall productivity, research also shows that employees are even more productive if the device they use is their own.

In education, for example, schools have increasingly taken to using technology in the classroom by providing students with tablets and computers. Recent research has shown that this type of learning allows students to be more interactive and engaged in the learning process.

B. Lower Cost to the Company

Though the use of technology is a benefit to employers as it without a doubt makes employees more productive, the cost to companies that purchase a large number of computers or tablets is a tremendous financial commitment. Most of the technology used by organizations is only current and up to date for a certain, limited period of time and then becomes obsolete and in need of replacement. By allowing employees to bring, and use, their own devices, they can always have up-to-date technology without the company constantly incurring the costs for new models. For many, this practice has been extremely beneficial as many budgets are being cut and organizations are forced to trim spending.

BYOD shifts costs from the company to the user and allows employees to use their own devices. BYOD policies also allow employees to use the technology that they are comfortable with and that they prefer, rather than what the company dictates to them. Users also may upgrade their devices to the newest features more frequently than what the company can afford to budget for on an ongoing basis.[5]

C. New Cutting-Edge Technology

The companies with BYOD models are requiring employees to cover all costs -- and they are happy to do so. That brings us to the second significant benefit: worker satisfaction. Users have the laptops and smartphones they have for a reason -- those are the devices they prefer, and they like them so much they invested their hard-earned money in them. Of course they’d rather use the devices they love than be stuck with laptops and mobile devices that are selected and issued by the IT department. There are two corollary advantages that come with BYOD as well. First, personal devices are often more cutting edge, as company technology refreshes don’t happen as often, so the organization gets the benefit of the latest features and capabilities. Additionally, users upgrade to the latest hardware more frequently than the painfully slow refresh cycles at most organizations.[3]

D. Attract and Retain Talent

In a 2012 survey of government employees by Forrester, 52 percent said that using their own devices for work increased job satisfaction. And 44 percent indicated they would be more likely to work for an employer that allowed them to bring their own device to work.

IV. ISSUES IN BYOD

BYOD isn’t all wine and roses, though. There are some issues to consider as well. Clearly, people today are in love with their mobile devices—and many of them want their workplace training delivered on those devices. But while BYOD (Bring Your Own Device) training is tempting, the risks can be high. By embracing BYOD, organizations lose much of the control over the IT hardware and how it is used.[3]

Fig 1: Poll results about BYOD Source: www.techweekeurope.uk

A. Security Issues

When an employee attaches a personal smartphone or tablet to an organizational network or machine (be it wired or wireless), it makes sense to worry about overall security. First, as soon as external (personal) devices are attached, malware could migrate from the personal device into the company’s machines and over the company’s networks.

In the other direction, sensitive data is likely to make its way onto the personal devices. This data could include customer information that should be kept private and company information that should be kept proprietary. When that kind of information walks out the door on a daily basis, bad things can happen, especially if the device is subsequently lost or stolen. Furthermore, the number of personal devices has gone far beyond the number of laptops or net-books that were brought into and out of the office. [1]


There’s another, less physical aspect that makes personal devices typically less secure than laptops. In particular, when the company owned the laptops, it usually enforced its security policies on those machines, requiring passwords and encrypting sensitive data. However, BYOD is built on devices that the company explicitly does not own.

When employees use their own devices without constraint, however, they are susceptible to unsecure networks, application downloads and data. They are also more likely to visit dubious websites and sometimes forget the devices in places such as on a train or at a bar, creating more BYOD security concerns. With employee-owned devices, the hardware itself may be lost or stolen, leaving company data and networks vulnerable.[2]

BYOD increases the risk of having a security breach of important data. When an employee leaves the company, they do not have to give back the device, so company applications and other data may still be present on their device. This can lead to some company data being unsecure.

Fig. 2: Security is crucial BYOD Challenge

In May 2012, IBM banned its 400,000 employees from using two popular consumer applications over concerns about data security. The company banned cloud storage service Dropbox, as well as Apple’s personal assistant for the iPhone, Siri. Siri listens to spoken requests and sends the queries to Apple’s servers where they are deciphered into text.[8] There are also certain compliance regulations that businesses have to follow, such as HIPAA or GLBA, which are difficult to enforce when a device is not owned by the company. The U.S. government addressed these and other challenges in 2012, issuing a BYOD "toolkit" for federal agencies.[2]

B. Privacy Issues

Although security seems to be the major concern when discussing BYOD and BYOT, the issue of privacy seems overlooked and potentially the more important. Mobile devices contain a wealth of data that a user might deem private, and if personal data is co-mingled with the employer data on the same device, how are the barriers implemented between personal and employer data?

Currently, little attention has been paid to this issue, but that’s a problem that will need to be addressed if BYOD and BYOT become adopted widely, particularly if companies begin to mine the data available on their employees’ personal devices. Likewise, a government-maintained registry of all smartphones and tablets incurs potential and significant privacy implications should it become breached or overtaken without warrant.[1]

Organizations have an obligation to safeguard their sensitive data, but they have to be careful not to violate employee privacy when doing so. Employee behavior on corporate-owned devices and networks can be monitored, but the same measures may raise privacy and security concerns if employees are using their own devices. Similarly, remote wiping of lost or stolen personal devices "becomes complicated from a legal and cultural point of view," Gartner researchers noted in a 2012 study. If a user hasn't authorized personal data to be wiped, the organization could face liability. Selective wiping may create less of a privacy red flag, but Gartner found that it "is proving to be difficult in ensuring that all business data, and only business data, has been deleted from the device." When users are given the option of participating in a BYOD program, Gartner recommends that they be required to give explicit, written consent to data deletion in the case of a lost, stolen or compromised device.

C. Implementation Issues

1) Infrastructure Issues: Different types of devices operate at different speeds and with different operating systems. This can make it difficult for an IT department to set up and maintain infrastructure to support different device needs. Also, if employees are able to bring their own devices, there will be many more devices in use than there would be if the company were providing them. Employees might bring all of their phones, tablets and computers to work, meaning there will be much more strain on the company’s Wi-Fi and network.[5]

2) No control over what is on device: Organizations have no control over what types of applications are put on the device, which makes it very difficult to enforce security. Though employees probably would not download games or other entertainment applications on their work computer, in the case of BYOD, since the device is their own and also used for pleasure, they will certainly download numerous types of personal applications on the device.

3) Support of many different devices: Since it is not one standard device that everyone is using, the IT department will need to support many different types of devices and operating systems. This makes it very difficult to mitigate an issue with a device when the user needs assistance.[5]

V. BYOD SECURITY POLICY

In BYOD environments, the network needs the intelligence to:

• Automate enforcement of access policy, based on the context, including who is making the request, when, how they are accessing the network (wired, wireless, or VPN), and with what device.


• Automatically detect and mitigate web-based threats, which can lead to security breaches or degrade wireless network performance.

• Make sure that private information, such as grades, tests, and salary information, is not compromised if a personal device is lost or stolen.

• Minimize management overhead by unifying policy definition on all networks, and providing ready visibility into the activity of all devices currently connected to the campus network.

• Protect the IT infrastructure, whether it’s physical, virtualized or in the cloud.[4]

Fig 3: BYOD Trends (source: www.tuinnovates.com)

The first and best defense in securing BYODs begins with the same requirements you apply to devices that are already on your network. These security measures include:

• Enforcing strong passcodes on all devices

• Antivirus protection and data loss prevention (DLP)

• Full-disk encryption for disk, removable media and cloud storage

• Mobile device management (MDM) to wipe sensitive data when devices are lost or stolen

One should always extend encryption to both data in transit and data at rest. Protecting your devices with strong passwords means you make it incredibly difficult for someone to break in and steal data. But if somehow your device-level password is compromised, encrypting the data stored on the device provides a second level of security a hacker must get through in order to steal your data.

One should encourage users to think of the extra layers of security as helpful tools that give them the ability to use their own devices within the workplace. By password protecting devices, a user acknowledges accountability and responsibility for protecting their data.

In addition to applying passcodes and antivirus prevention to your devices, you should apply a custom level of application control to BYODs. If applications are available to employees on the internal network, they should be able to access them offsite through VPN or email software.

Your company’s security and BYOD can co-exist. And it starts with planning. Here’s how [7]:

1. Identify the risk elements that BYOD introduces
   • Measure how the risk can impact your business
   • Map the risk elements to regulations, where applicable.

2. Form a committee to embrace BYOD and understand the risks, including:
   • Business stakeholders
   • IT stakeholders
   • Information Security stakeholder

3. Decide how to enforce policies for devices connecting to your network
   • Mobile devices (smartphones)
   • Tablets (e.g., iPad)
   • Portable computers (laptops, netbooks, ultrabooks)

4. Build a project plan to include these capabilities:
   • Remote device management
   • Application control
   • Policy compliance and audit reports
   • Data and device encryption
   • Augmenting cloud storage security
   • Wiping devices when retired
   • Revoking access to devices when end-user relationship changes from employee to guest
   • Revoking access to devices when employees are terminated by the company

5. Evaluate solutions
   • Consider the impact on your existing network
   • Consider how to enhance existing technologies prior to next step

6. Implement solutions
   • Begin with a pilot group from each of the stakeholders' departments
   • Expand pilot to departments based on your organizational criteria
   • Open BYOD program to all employees.

7. Periodically reassess solutions
   • Include vendors and trusted advisors
   • Look at roadmaps entering your next assessment period
   • Consider cost-saving group plans if practical.
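The context-based access decision and baseline device requirements described in this section, together with the revocation cases in step 4 of the plan, can be expressed as one policy function. This is an added example, not code from the paper or from any product; the tier names, the on-site hours window, and the rule that a missing passcode, encryption or MDM enrolment drops a device to guest access are assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Access tiers, lowest to highest (names are assumptions for this example).
DENY, GUEST, LIMITED, FULL = "deny", "guest-internet", "limited", "full"
METHODS = {"wired", "wireless", "vpn"}
ON_SITE_HOURS = (time(7, 0), time(20, 0))  # assumed window for on-site access


@dataclass(frozen=True)
class Device:
    passcode_set: bool
    storage_encrypted: bool
    antivirus_current: bool
    mdm_enrolled: bool  # needed so data can be wiped if lost or stolen


@dataclass(frozen=True)
class Request:
    user: str
    relationship: str  # "employee", "guest" or "terminated"
    method: str        # "wired", "wireless" or "vpn"
    at: time
    device: Device


def posture_gaps(device: Device) -> list[str]:
    """Return the baseline requirements the device fails."""
    checks = {
        "passcode": device.passcode_set,
        "encryption": device.storage_encrypted,
        "antivirus": device.antivirus_current,
        "mdm": device.mdm_enrolled,
    }
    return [name for name, ok in checks.items() if not ok]


def decide(req: Request) -> tuple[str, list[str]]:
    """Return (tier, reasons); reasons feed the compliance/audit report."""
    # Who: a changed relationship overrides everything else.
    if req.relationship == "terminated":
        return DENY, ["relationship=terminated"]
    if req.relationship == "guest":
        return GUEST, ["relationship=guest"]
    if req.relationship != "employee" or req.method not in METHODS:
        return DENY, ["unrecognised relationship or access method"]

    # With what device: data-protection gaps keep corporate data off it.
    gaps = posture_gaps(req.device)
    if {"passcode", "encryption", "mdm"} & set(gaps):
        return GUEST, [f"missing={g}" for g in gaps]

    reasons = [f"missing={g}" for g in gaps]
    # When and how: on-site access outside the window is reduced; VPN is not.
    start, end = ON_SITE_HOURS
    if req.method != "vpn" and not (start <= req.at <= end):
        reasons.append("on-site access outside hours")
    return (LIMITED if reasons else FULL), reasons
```

Evaluating the relationship first means a termination or a change to guest status takes effect on the next request, regardless of how well the device itself is configured.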


VI. CONCLUSION

The concept of BYOD is one that businesses are embracing for its flexibility and cost savings. Delivering a corporate BYOD policy will be the foundation for further BYOD initiatives and allow the company to remain competitive. The reason many companies are embracing the BYOD phenomenon instead of discouraging it is simple, and always the same: it improves their productivity and reduces costs. The BYOD policy initiative was a small project that produced a deliverable that the company will use to spawn other projects. Projects should be temporary endeavors with a defined start and end date, along with an objective.

A successful BYOD program allows your users to be productive outside of their scheduled work hours while also giving them the flexibility to do the things they like to do when they’re not working—like update their status or enjoy playing an interactive game. Whatever decision you make for your BYOD policy, be sure that it’s enforceable and enables IT to deploy software remotely.[7]

REFERENCES

[1] K. W. Miller, J. Voas, G. F. Hurlburt, BYOD: Security and Privacy Concerns, 2013

[2] L. Phifer, Contributor in http://searchsecurity.techtarget.com, BYOD security strategies: Balancing BYOD risks and rewards, Jan 28, 2013

[3] T. Bradley, Pros and cons of bringing you own devices to work, PCWorld, Dec. 20, 2011, Accessed on Nov 28 2013.

[4] White paper, BYOD Security Challenges in Education: Protect the Network, Information, and Student, Cisco, 2012

[5] D. Wiech, The Benefits And Risks Of BYOD, Jan 28, 2013.

[6] A. Scarfò, New security perspectives around BYOD, IEEE 978-0-7695-4842-5/12, 2012

[7] G. Eschelbeck, BYOD Risks and Rewards, A Sophos Whitepaper, 2013

[8] "IBM: Sorry, Siri. You're Not Welcome Here", http://www.informationweek.com/news/security/mobile/240000882, InformationWeek, Accessed on Nov 27, 2013

[9] IBM BYOD -- Bring Your Own Device -- United States http://www.ibm.com/mobilefirst/us/en/bring-your-own-device/byod.html, Accessed on Nov 28, 2013

[10] 10 myths of BYOD in the enterprise. http://www.techrepublic.com/blog/10-things/10-myths-of-byod-in-the-enterprise/, TechRepublic, Accessed on Nov 28, 2013

[11] Happiness Is ... Bringing Your Own Computer Devices to Work. <http://www.retailwire.com/discussion/16188/happiness-is-bringing-your-own-computer-devices-to-work> Retailwire, Accessed on Nov. 27, 2013

[12] SearchCompliance.com's IT Compliance FAQ series, Oct 25 2013, Accessed on Nov 27, 2013.