Harpreet is an experienced IT consultant with strong strategic, analytic, architectural and leadership skills. He has broad experience in IT management and architecture and has led teams in various projects. He specializes in IT architecture, program governance, IT roadmaps and strategy.
He is a positive, results-driven and innovative individual with proven success in balancing operational synergies and business growth with client satisfaction, offering over 13 years’ experience in management and architecture positions in world-class organisations within the IT industry.
He is presently working as Program Architect for the Department of Attorney General & Justice. He has been involved in the architecture road map for the overall design and is working to establish synergy between the various programs to be hosted in a cloud environment.
Harpreet has a passion for IT strategy and architecture, adventure sports and travelling. He can be contacted at firstname.lastname@example.org
Estimates suggest that by 2020 the number of mobile devices will be about 10 billion — 1.5 for every man, woman and child on the planet. With mobile devices increasingly embedded into all parts of our personal lives, organizations are finding that their employees increasingly want to use their own personal mobile devices to conduct work (often alongside corporate-provided devices), and many are reaching out to corporate IT to support this. Employers have concluded that they can’t physically stop the use of mobile devices for both work and personal agendas, but they need to know how to control it.
An employee IT ownership model, typically called bring your own device (BYOD), presents an attractive option to organizations. BYOD significantly impacts the traditional security model of protecting the perimeter of the IT organization by blurring the definition of that perimeter, both in terms of physical location and in asset ownership.
With personal devices now being used to access corporate email, calendars, applications and data, many organizations are struggling with how to fully define the impact to their security posture and establish acceptable procedures and support models that balance both their employees’ needs and their security concerns.
How we got here – The BYOD boom
The ability to get—and share—information anywhere and at anytime has become ensconced in 21st century life, both personal and professional. This didn’t happen overnight, and it represents a confluence of multiple technological trends: miniaturization of components, wireless technology, social networking, and cloud computing, among others. Perhaps the most important of these trends: ease of use.
Over the last 20 years, technology has evolved from the command-line interface to drop-down menus to applications that look simple on the surface but mask a lot of complexity. The upshot is more people have a higher level of comfort in using technology than ever before. For corporate IT, this means addressing new demands from employees who want corporate applications to reflect the same kind of simplicity as Facebook and Flickr—also known as the consumerization of IT. It also means addressing their demands for accessing corporate data without forcing them to carry two different mobile devices, one for work and one for personal use.
The BYOD boom can be traced to two converging trends: the desire for employees to be responsive to customers and colleagues in a global, always-connected world still wrestling with time zones; and the desire to save money by not replicating a device an employee may already own. Mobility brings a significant advantage to productivity, but as with many advantages, there are tradeoffs.
Issues to consider in your BYOD deployment
The risk landscape of a BYOD mobile device deployment is largely dependent on these key factors for any organisation:
• The organization’s risk profile – As for all information security risks, how the organization defines and treats risk plays a key role in choosing the type of security controls the organization should employ.
• Current (and future) mobile use cases – Organizations should take into consideration the types of data and functionality that are exposed through the deployment.
• The geographic deployment of the devices – International deployments increase risk levels not only because of the geographic distribution of the devices, but also as a function of unclear and regionally applicable legislation in certain geographic areas. Considering these factors at an early stage in the BYOD planning process is key for a secure and successful rollout.
Defining the BYOD Risk
With the issues of risk profile, usage and geography to consider, an organization can begin to define the BYOD risks and what impact they would have. The risk introduced by BYOD tends to be an expansion of the current risk profile rather than a set of completely new risks; it has the potential to amplify and increase certain existing risks.
• Securing mobile devices – BYOD fundamentally changes the traditional device security architecture as users bring in their own devices of various makes and models. These devices are often designed to exist in their own “walled gardens” with little seamless interaction with an enterprise environment and management utilities. In addition, end users often have more than one device and would like to connect multiple devices to the organization’s infrastructure, which increases the net number of devices that must be secured. As a result, basic security controls may not be consistently and effectively implemented across the collection of devices. Risks relating to securing mobile devices are categorized into five basic concerns:
a. Lost and stolen devices.
b. Physical access to corporate data.
c. The role of end user device ownership.
d. Always on with increased data access.
e. Lack of user security awareness.
• Addressing application risk – Applications (apps) have accelerated the integration of mobile devices within our daily lives. From mapping apps, to social networking, to productivity tools, to games — apps have largely driven the smart phone revolution and have made it as significant and as far-reaching as it is today. As the organization enables employees to bring their own, the need for using the same devices to access work-related data inevitably presents itself.
This presents mainly two security risks:
a. Malicious apps (malware): the increase in the number of apps on the device increases the likelihood that some may contain malicious code or security holes.
b. App vulnerabilities: apps developed or deployed by the organization to enable access to corporate data may contain security weaknesses.
• Managing the mobile environment – BYOD increases the organization’s management effort, both for maintaining an accurate inventory of the mobile devices, keeping mobile operating systems’ software up-to-date and supporting the increasing number of device types. Due to the accelerated device turnover and high rate of new user adoption, organizations often struggle with maintaining an accurate inventory of enrolled mobile devices. Additionally, within the hardware life cycle, there are often multiple upgrades to the operating system, which can be customized by individual cellular carriers at their own discretion and pace, and initiated by the end users. While not a direct security risk, unmanaged devices form a hidden security problem as they may lack corporate security controls and patch management.
Another hidden cost is related to reimbursement of data plans — organizations see a significant spike in data usage, especially when rolling out tablets. Setting tiered data caps and providing secure and cheap connectivity options for mobile workers are effective means to control this cost. This is especially important for global firms with employees that frequently travel internationally.
So how do we mitigate BYOD risk?
• Secure your employee’s devices
1. Evaluate device usage scenarios and investigate leading practices to mitigate each risk scenario.
2. Invest in a mobile device management (MDM) solution to enforce policies and monitor usage and access.
3. Enforce industry standard security policies as a minimum: whole-device encryption, PIN code, failed login attempt actions, remote wipe, etc.
4. Set a security baseline: certify hardware/operating systems for enterprise use using this baseline.
5. Differentiate trusted and untrusted device access: layer infrastructure accordingly.
6. Introduce more stringent authentication and access controls for critical business apps.
7. Add mobile device risk to the organization’s awareness program.
• Ways to counter application risk
1. Use mobile anti-virus programs to protect company-issued and BYOD devices running malware-prone mobile operating systems.
2. Ensure security processes cover mobile app development, and leverage tools and vendors to bridge assessment skill gaps.
3. Manage apps through an in-house app store and a mobile app management product.
4. Introduce services that enable data sharing between BYOD devices.
5. To increase productivity and security, continually assess the need for new apps.
• Managing support for BYOD devices
1. Create and enforce an appropriate BYOD support and usage policy.
2. Revamp existing support processes to include secure provisioning and de-provisioning (wipe) of devices, and an increased level of self-help.
3. Create a patch education process to encourage users to update their mobile devices.
4. Introduce a social support mechanism to augment the existing IT support team.
5. Implement a wiki/knowledge base employee self-service support solution.
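As an added example (not code from the original article), the minimum baseline, the certified-OS check, the stale-inventory concern and the trusted/untrusted layering from the “Secure your employee’s devices” and “Managing support” lists above, expressed as a check over MDM inventory records; the baseline values, field names and sample records are assumptions.

```python
# Added example, not code from the original article: check MDM inventory records against
# a minimum baseline and derive an access tier. Values, fields and records are assumptions.
from dataclasses import dataclass

CERTIFIED_OS = {"ios": (15, 0), "android": (12, 0)}  # assumed certified minimums
MIN_PIN_LENGTH, MAX_FAILED_ATTEMPTS, STALE_AFTER_DAYS = 6, 10, 30

@dataclass
class Device:
    device_id: str
    platform: str              # "ios" or "android"
    os_version: tuple          # (major, minor) as reported by the MDM agent
    encrypted: bool            # whole-device encryption on
    pin_length: int            # 0 = no PIN set
    wipe_after_failures: int   # 0 = no failed-attempt action configured
    remote_wipe_enrolled: bool
    last_checkin_days: int     # days since the MDM agent last reported in

def baseline_violations(d: Device) -> list:
    """Return the baseline controls this device fails (empty list = compliant)."""
    cert = CERTIFIED_OS.get(d.platform)
    checks = [
        (cert is None, "uncertified platform"),
        (cert is not None and d.os_version < cert, "os below certified version"),
        (not d.encrypted, "no whole-device encryption"),
        (d.pin_length < MIN_PIN_LENGTH, "pin too short or unset"),
        (not 0 < d.wipe_after_failures <= MAX_FAILED_ATTEMPTS, "no failed-login action"),
        (not d.remote_wipe_enrolled, "remote wipe not enabled"),
        (d.last_checkin_days > STALE_AFTER_DAYS, "stale inventory record"),  # unmanaged
    ]
    return [msg for failed, msg in checks if failed]

# Without these controls corporate data on the device cannot be protected at all.
HARD_FAILURES = {"uncertified platform", "no whole-device encryption",
                 "remote wipe not enabled", "stale inventory record"}

def access_tier(d: Device) -> str:
    """'trusted' = all corporate apps, 'untrusted' = mail/web only, 'blocked' = none."""
    v = set(baseline_violations(d))
    if not v:
        return "trusted"
    return "blocked" if v & HARD_FAILURES else "untrusted"

# Constructed sample inventory: compliant, degraded (old OS, short PIN), unmanaged.
INVENTORY = [
    Device("d1", "ios", (16, 2), True, 6, 10, True, 2),
    Device("d2", "android", (11, 0), True, 4, 10, True, 5),
    Device("d3", "android", (13, 0), False, 6, 0, False, 45),
]
```

A device that drops to “untrusted” keeps only the lower-risk services, while a “blocked” device stays out until it is re-enrolled and reports in again.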
What are the options for the Chief Information Officer (CIO)?
The CIO is usually responsible for the formation of a formal BYOD strategy and is likely to face pressure to deliver from both the workforce and C-level executives. Today most organizations are implementing BYOD either through a structured strategy or an ad-hoc rollout. As a result, rationalization of existing pilots and makeshift BYOD practices is often one of the first tasks for those formulating a prescribed approach.
• Tolerate unmanaged BYOD growth
Some organizations may consider that the risks of an unmanaged BYOD environment are acceptable. However, it is likely that small to medium size enterprises are unhappy with the way a BYOD footprint has been established in the organization. The solution to this problem is to undertake a comprehensive risk assessment and make an informed decision. In this way the organization can mitigate the risk in a managed way rather than being caught out by data loss, privacy issues and the like.
• Attempt to clamp down
Some organizations, such as government departments, may conclude that any BYOD program would pose an unacceptable risk to security. Restricting BYOD creates an opportunity for an underground BYOD program that represents a greater risk to the organization and introduces a far greater level of uncertainty.
• Provide a managed BYOD program
A managed BYOD program can offer a reasonable compromise between user experience and security. Such a solution helps an enterprise achieve its broader business objectives, like boosting productivity, enhancing employee satisfaction and improving customer understanding through familiarity with customer devices and the ways they are used. The challenges an organization faces are supporting a heterogeneous device environment, adapting the IT environment and educating employees on acceptable usage.
Governance and Compliance for BYOD
As the usage scenarios of mobile devices evolve and mature, guidance around what an organization needs to do to remain compliant is often inconsistent. Additional compliance complexity is introduced in a BYOD environment when employees own the device and use it for personal data.
• Privacy governance
As organizations design BYOD security controls, these may interfere with personal expectations of privacy. In order to stay ahead of this concern, organizations are currently addressing privacy concerns in a BYOD policy. A well-formed BYOD policy should include defined, clear expectations on privacy-impacting procedures. In certain geographical regions, organizations may also be forced to provide employees with a non-BYOD alternative, potentially decreasing the savings potential of the overall BYOD program.
• Data protection
The organization also must assess the risks associated with the processing of data. If data is processed by a third party, it is important that the data be protected by a data processing agreement with the third party. With the transfer of data, the responsibility of protecting that data also should be transferred and compliance verified.
• Monitoring (privacy at work)
There is a wider variety of laws and requirements around monitoring, wiping and data protection in Europe and certain other countries. Labor laws vary by country and restrict an organization from viewing personal employee information. This may limit a company’s ability to monitor and control the content delivered to mobile devices for security purposes. These monitoring requirements are further complicated when, for instance, an employee hands their device to a child to watch a movie. In order to avoid these privacy pitfalls of monitoring controls, a product should be selected that allows monitoring to be limited exclusively to work-related mobile activities.
• Breach investigation and notification
As digital investigations on personal devices in the wake of breaches may be regarded as a privacy invasion, it is important for the organization to retain the right to examine employee devices when an incident occurs. If no such right is reserved in the agreed-upon BYOD usage policy, the organization may face legal challenges and delays when investigation of data on personal devices is needed.
The current trend for new and future legislation is beginning to address data breach notification, with exceptions around notification if certain data protection criteria are met. The organization should prepare for this legislation by keeping an active inventory of the devices, the data on them, and the security controls in place to protect that data.
• Data ownership and recovery
The shift from corporate laptop to personal devices has repercussions for data recovery when a device is damaged or lost/stolen. To mitigate unclear responsibilities for data recovery in a BYOD scenario, the organization should have a clear policy stating who owns what data, and whose responsibility it is to maintain backups of data, corporate as well as private. The policy should also cover liability for loss, state whose responsibility it is to carry out data recovery when it is needed, and the privacy implications of such recovery operations.
How to secure and improve the BYOD environment
1. Create a business and IT strategy with a business case and a goal statement
2. Involve stakeholders early through the formation of a mobile solution group
3. Create a support and operations BYOD model
4. Perform a risk analysis for BYOD engagement in the organisation
5. Create and regularly maintain a BYOD policy
6. Secure device and applications that close IT loopholes
7. Test and verify the security of the implementation
8. Regularly audit the BYOD policy and measure success.
One of the ways CIOs can best master the BYOD phenomenon is to be proactive. Users are going to bring mobile devices into the organization and are going to demand connectivity and support. Contrary to how they may seem to IT, they want to be more productive in their work. It’s incumbent upon IT then to be ready when those requests start to stack up. When users see IT understanding and accommodating their technology needs—especially now, when they also see the value that mobility provides— it can go a long way to improving relations between the business units and IT.
By leveraging industry leading practices, integrating a thoughtful BYOD policy and adopting strategies that are flexible and scalable, organizations will be better equipped to deal with incoming (sometimes unforeseen) challenges to their security infrastructure posed by the use of employees’ own devices. The introduction of appropriate procedures and regular testing will help organizations become smarter and make their employees more aware of the challenges that the use of personal devices poses for the entire enterprise.