Solving BYOD with MDM solutions



By Paul Rummery, Securenet Consulting

Summary: In this article we aim to deliver a light ‘how to’ for management wanting to consider and plan a BYOD (Bring Your Own Device) and MDM (Mobile Device Management) solution. We look at some of the risks, considerations and key points to highlight before embarking on such a project, underlining that it is essential to implement controls that protect data using user-identity and device-based access control.


Back in 2000 I wrote my dissertation on the future development of mobile data communications and its impact on the workplace. It’s great to see these predictions coming true today, and to be in a position to work with companies of all sizes to realise the power and potential of technologies like wireless, BYOD (Bring Your Own Device) and MDM (Mobile Device Management), enabling centralised security and control.

Whilst at University, I did a work placement with Motorola as a network admin. I was taken with the utopia of the ‘mobile work force’ (reduction of commuting to centralised office hubs in the city, flexible working, hot desks and reduction of pollution... all made possible by secure remote network access and working using VPN client software). So when I got my first mobile phone, and I could communicate with friends and colleagues via text messaging without having to run to a computer lab to access my emails or ICQ account, it felt like an exciting time even back then.

Mobile data networks across the world were converging, bandwidths expanding, and devices from manufacturers were being developed and made available to the consumer market at a fast rate. Being a bit of a techie nerd and film geek, it was all about owning the Nokia 8110 from the 'Matrix' movie (not a pretty device by today’s standards, but nice and pocket sized compared to some of the later, more feature-rich devices that followed, e.g. the Nokia 9000, which looked like it had time warped back to the 80’s style bricks).
Then came the Palm PDA devices, on which you could organise your diary and send emails! But you were still left with two separate devices (a mobile phone and the PDA). It wasn’t long before battery and screen technology caught up and the combined smartphones and hand-held tablets we see and use today were born. In a way I guess people experiencing and getting to use these new devices today are just as excited to explore and utilise the potential of their new devices and the sea of mobile apps.

The point here being that technology rapidly develops and people are drawn to the path of least resistance to whatever makes their daily lives easier, faster… whilst looking good doing it (consumerisation). Trouble is, this all often happens faster than businesses can adapt and change to implement solutions and policies in order to protect corporate or personal data.

There is no sense pretending it isn’t happening or saying, “We don’t let our employees do that.” The truth is, they are doing it already and will continue to use noncompliant devices on your network, within the workplace with or without your permission.

Forrester’s study shows that a high percentage of employees are doing something with technology before formal permissions or policies are instituted.

You might have already seen the signs of what happens when this is ignored: data theft, data espionage, data loss, data leaking, companies fined for breaching compliance, existing wired and wireless network infrastructures slowing down, users complaining about application latency, increased workload and fire fighting for IT administration departments, and struggling network technologies not working or failing to deliver functionality for which they were never originally designed.

How will you support the workforce’s desire to use personal apps and devices while allowing them to be productive in a secure environment that protects corporate data?





Because Securenet Consulting’s core values lie in data protection and security, we look into and present a solution to simplify and secure a productive mobile environment.


First off, although we are excited and can see the productivity and efficiency benefits of BYOD, it is important to review and understand the business risk of adopting a Bring Your Own Device program in the organisation. Once understood, these risks can be mitigated.


The following is a list of reported security breach vectors arising from employee device access to the network (these risks are not forecast to go away, as the number of mobile operating systems and smart devices will only grow into the future):


Jail-broken devices: infected devices target other jail-broken devices connected to local networks. They do so by scanning for IP addresses, then logging in and installing the malware package on the target devices.


Adobe Flash Player: vulnerabilities that affect Adobe Flash Player in earlier Android OS versions can potentially allow a remote user to take full control of affected devices.



Trojanised apps: malicious code inserted into otherwise legitimate apps can infect devices.



SMS, social media, and email links: Links embedded in SMS, social media posts, and emails can potentially redirect users to websites that host malicious files.



Third-party app stores: Some third-party app stores may host malware that can potentially harm devices, systems, and networks.


The silver lining in this seemingly dark cloud is that MDM enables an organisation’s security team to see and control each and every device that accesses the corporate network and corporate data.

So, what next? Here are some steps and key points to consider when planning your BYOD / MDM project.

  1. Create Policy
  2. Planning
  3. Simplify enrolment for users
  4. Configure devices over-the-air
  5. User Self-Service
  6. Protect end-user data
  7. Separate corporate and private data
  8. Monitoring and reporting
  9. Manage data usage / costs

 
1.    CREATE YOUR BYOD POLICY

Before doing anything, the business needs to decide policies for mobile device usage and access to the network and data, in line with any industry compliance. The policies you draft affect more than just IT; they have implications for HR, legal, and security — in fact any part of the business that uses mobile devices in the name of productivity. Since all lines of business are affected by BYOD policy, it can’t be created in an IT vacuum. With the diverse needs of users, IT must ensure they are all part of policy creation.



One thing to consider is mapping information access to roles. Too many organisations have a sprawl of information resources, then wonder why data leaks. Don't give users access to sensitive information they don't need. Policy considerations should include:


Compliance: What regulations govern the data your organisation needs to protect? For instance, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) require native encryption on any device that holds data subject to them.



Security: What security measures are needed (passcode protection, detection of jail-broken/rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)?



Applications: What apps are forbidden? IP scanning, data sharing, Dropbox?



Agreements: Is there an acceptable usage agreement (AUA) for employee devices with corporate data?



Services: What kinds of resources can employees access — email? Certain wireless networks or VPNs? CRM?



Privacy: What data is collected from employees’ devices? What personal data is never collected?


Devices: What mobile devices will be supported? Only certain devices or whatever the employee wants?


2.    PLANNING

Understand the current scope of mobile devices presently within your environment. Detect all the devices connected to your corporate network. All mobile devices need to be incorporated into your mobile initiative, and their owners need to be notified that new security policies are swinging into action.

You will want to consider how you want to control devices and the processes involved in managing such a solution:

  • Remote device management
  • Application control
  • Policy compliance and audit reports
  • Data and device encryption
  • Augmenting cloud storage security
  • Wiping devices when retired
  • Revoking access to devices when end-user relationship changes from employee to guest
  • Revoking access to devices when employees are terminated by the company
  • Evaluate solutions - Consider the impact on your existing network and how to enhance existing technologies prior to the next step.


3.    SIMPLIFY ENROLMENT OF YOUR BYOD PROGRAM FOR USERS

Test, test, test….

Nothing breeds noncompliance faster than complexity. Once you identify devices to enrol, your BYOD program should leverage technology that allows for a simple, low touch way for users to enrol. The process should be simple, secure, and configure the device at the same time.

Begin with a pilot group from each of the stakeholder departments; when you are happy, expand the pilot across your departments.

Ideally, users should be able to follow an email link or text that leads to an MDM profile being created on their device — including accepting the ever-important AUA.


From an IT perspective, you want the ability to enrol existing devices in bulk or for users to self-enrol their devices. You also need to authenticate employees with a basic authentication process such as a one-time passcode or use existing corporate directories such as Active Directory/LDAP. Any new devices trying to access corporate resources should be quarantined and IT notified. This provides IT with flexibility to block or initiate a proper enrolment workflow if approved, ensuring compliance with corporate policies.


4.    CONFIGURE DEVICES

If there’s one thing your BYOD policy and MDM solution shouldn’t do, it’s bring more users to the help desk. All devices should be configured over-the-air to maximise efficiency for both IT and business users alike.

Once users have accepted the AUA, your platform should deliver all the profiles, credentials, and settings the employee needs access to, including:

  • Email, contacts, and calendar
  • VPN
  • Corporate documents and content
  • Internal and public apps

5.    USER SELF-SERVICE


You want to optimise help desk time. A robust self-service platform lets users directly:

  • Reset PINs and passwords in the event that the employee forgets the current one
  • Geo-locate a lost device from a Web portal, using mapping integration
  • Wipe a device remotely, removing all sensitive corporate data

Security, corporate data protection, and compliance are shared responsibilities. It may be a hard pill for employees to swallow, but there is no chance of mitigating risk without their cooperation. A self-service portal can help employees understand why they may be out of compliance.


6.    PROTECT END USER DATA


BYOD policy can’t just be about protecting corporate data; employee personal data needs to be considered too. Personally Identifiable Information (PII) can be used to identify, contact, or locate a person. Some privacy laws prevent businesses from even viewing this data. Helpfully, the UK Information Commissioner's Office (ICO) recently published BYOD guidance for employers on how to comply with the UK Data Protection Act 1998.

Communicate the privacy policy to employees and make it clear what data you cannot collect from their mobile devices. For instance, an MDM solution should be able to communicate what information it can access and what it cannot, such as:

  • Personal emails, contacts, and calendars
  • Application data and text messages
  • Call history and voicemails

Or let users know what you collect, how it will be used, and why it benefits them.

Using your MDM solution, you can utilise your privacy policy to effectively enforce a privacy setting to hide the location and software information on a device from IT administrators (e.g. people who are not on a ‘need to know basis’). This helps companies meet Data Protection and PII regulations, providing added comfort for employees by preventing the viewing of personal information on smartphones and tablets. For example:

  • Disabling app inventory reporting to restrict administrators from seeing personal applications
  • Deactivating location services to prevent access to location indicators such as physical address, geographical coordinates, IP address, and Wi-Fi SSID

Transparency and clarity are important watchwords. There’s much less resistance to BYOD policies when everyone knows the rules.


7.    SEPARATE CORPORATE AND PRIVATE DATA


Corporate apps, documents, and other materials must be protected by IT if the employee decides to leave the organisation, but personal email, apps, and photos should be untouched by corporate IT.

Not only will users appreciate the freedom of this approach, but so will IT, whose life will be infinitely easier as a result. With this approach, IT can selectively wipe corporate data when an employee leaves the company. Depending on the circumstances, if an employee loses the device, the entire device can be wiped. But only a true MDM solution can give you the choice.


8.    MONITORING AND REPORTING

Devices should be continuously monitored for certain scenarios, and automated policies should be in place. Is the user trying to disable management? Does the device comply with security policy? Do you need to make adjustments based on the data you are seeing? From here, you can start understanding any additional policies or rules to create. Periodically re-assess the solution, including vendors and trusted advisors.
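The compliance check an MDM platform runs against each device report, drawn together from the policy questions in sections 1, 3 and 6 and the monitoring questions above, as an added illustration that is not code from the article or from any MDM product. The policy values (the forbidden app list, the quarantine rule) and the report fields are assumptions; the one edge case it handles is a device whose app inventory reporting has been switched off for privacy, which is reported as unknown rather than as a failure.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical policy choice from the article's "Applications" question:
# apps the policy forbids, compared case-insensitively against the inventory.
FORBIDDEN_APPS = {"ip-scanner", "dropbox"}

@dataclass
class DeviceReport:
    device_id: str
    managed: bool                  # False when the user has disabled management
    passcode_set: bool
    encrypted: bool
    jailbroken: bool               # jail-broken or rooted
    installed_apps: Optional[List[str]] = None  # None: app inventory reporting disabled

def evaluate(report: DeviceReport) -> Dict[str, object]:
    """Check one device posture report against policy and pick an action.

    Any hard failure (management disabled, jail-broken, no passcode, storage
    not encrypted, forbidden app present) quarantines the device so IT can
    block it or start a proper enrolment workflow.  When app inventory
    reporting is switched off for privacy, the forbidden-app rule cannot be
    evaluated: it is reported as unknown rather than counted as a failure.
    """
    failures: List[str] = []
    unknown: List[str] = []
    if not report.managed:
        failures.append("management disabled by user")
    if report.jailbroken:
        failures.append("device is jail-broken/rooted")
    if not report.passcode_set:
        failures.append("no passcode set")
    if not report.encrypted:
        failures.append("storage not encrypted")
    if report.installed_apps is None:
        unknown.append("forbidden apps (app inventory reporting disabled)")
    else:
        present = sorted(FORBIDDEN_APPS & {app.lower() for app in report.installed_apps})
        if present:
            failures.append("forbidden apps installed: " + ", ".join(present))
    return {"device_id": report.device_id,
            "action": "quarantine" if failures else "allow",
            "failures": failures, "unknown": unknown}
```

The "unknown" list is what the self-service portal should surface to the user, since a privacy setting, not a policy violation, is what blocked the check.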


9.    MANAGE DATA USAGE / COSTS

Implemented properly, a BYOD program can reduce cost while increasing productivity and revenue.

Companies still need to help employees manage their data use in order to avoid excessive charges.

If you pay for the data plan, you may want a way to track this data. If you are not paying, you may want to help users track their current data usage. You should be able to track in-network and roaming data usage on devices and generate alerts if a user crosses a threshold of data usage.


You can set roaming and in-network megabit limits and customise the billing day to create notifications based on percentage used. We also recommend educating users on the benefits of using Wi-Fi when available. Automatic Wi-Fi configuration helps ensure devices automatically connect to Wi-Fi while in corporate locations.
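The usage tracking the two paragraphs above describe (per-device in-network and roaming totals over a billing cycle that starts on a customisable billing day, with alerts when a percentage threshold is crossed), as an added worked example that is not code from the article or from any MDM product. The record layout, the limits and the sample usage lines are constructed; the cycle logic also handles a billing day that does not exist in every month.

```python
import calendar
from datetime import date
from typing import Dict, List, Tuple

def cycle_start(today: date, billing_day: int) -> date:
    """Start of the billing cycle that contains `today`.

    If the billing day does not exist in a month (for example 31 in
    February) the cycle is taken to start on that month's last day.
    """
    def clamp(year: int, month: int) -> date:
        return date(year, month, min(billing_day, calendar.monthrange(year, month)[1]))
    start = clamp(today.year, today.month)
    if today < start:  # still inside the cycle that began last month
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        start = clamp(year, month)
    return start

def usage_alerts(records: List[Tuple[str, date, str, float]], today: date,
                 billing_day: int, limits_mb: Dict[str, float],
                 thresholds: Tuple[int, ...] = (80, 100)) -> List[Tuple[str, str, float, int]]:
    """Sum each device's usage since the cycle start and report crossed thresholds.

    records hold (device_id, day, category, megabytes) with category 'network'
    or 'roaming'; limits_mb maps each category to its per-cycle limit.  Returns a
    sorted list of (device_id, category, percent_used, highest_threshold_crossed).
    """
    start = cycle_start(today, billing_day)
    totals: Dict[Tuple[str, str], float] = {}
    for device, day, category, megabytes in records:
        if start <= day <= today:  # usage from earlier cycles is ignored
            totals[(device, category)] = totals.get((device, category), 0.0) + megabytes
    alerts = []
    for (device, category), used in totals.items():
        percent = 100.0 * used / limits_mb[category]
        crossed = [t for t in thresholds if percent >= t]
        if crossed:
            alerts.append((device, category, round(percent, 1), max(crossed)))
    return sorted(alerts)

# Constructed sample data: billing day 15, "today" is 2014-03-20, so the current
# cycle started on 2014-03-15 and the 2014-03-10 record belongs to the previous one.
SAMPLE_RECORDS = [
    ("alice-phone", date(2014, 3, 10), "network", 900),
    ("alice-phone", date(2014, 3, 16), "network", 850),
    ("alice-phone", date(2014, 3, 18), "roaming", 45),
    ("bob-tablet", date(2014, 3, 19), "roaming", 120),
]
SAMPLE_LIMITS_MB = {"network": 1000, "roaming": 100}
```

Calling `usage_alerts(SAMPLE_RECORDS, date(2014, 3, 20), 15, SAMPLE_LIMITS_MB)` flags alice-phone at 85% of its in-network limit and bob-tablet at 120% of its roaming limit.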

While BYOD shifts responsibility for purchasing devices to employees, it’s worth considering the big picture and long-term costs for your organisation. As you’re writing policy, consider how that policy will impact ROI. That includes comparing approaches, as shown in the following table:

Corporate-owned model:

  • How much you’d spend on each device
  • The cost of a fully subsidised data plan
  • The cost of recycling devices every few years
  • Warranty plans
  • IT time and labour in managing the program

BYOD:

  • The cost of a partially subsidised data plan
  • The eliminated cost of the device purchase
  • The cost of a mobile management platform

One size never fits all, but a carefully crafted BYOD policy arms you with the direction you need to manage mobile devices effectively and efficiently.

---------------------------------------------------------------------------------------------------------------

WANT TO LEARN MORE? Contact Securenet Consulting