BYOD Policy Essentials: Trust But Verify

Posted in BYOD, Mobile IAM, NetFlow Security, Security on September 17th, 2012 by Adam Powers

The IT Consumerization or “Bring Your Own Device” (BYOD) movement is already well underway and the iPhone5 launch will see even more employee-sourced devices hitting the enterprise network. Even if you’re lucky enough to work for a company that provides iPhones to its employees, you probably don’t want to wait for IT to upgrade your iPhone, now do you? You’ll want to BYOD.

So in support of iPhone5 users everywhere, here are three essential components of a BYOD-ready company: Policy, Education, Technology. Let’s discuss…

UPDATE: Just noticed this bit of rather enjoyable irony regarding Melissa Mayer, new CEO at Yahoo! Mrs. Mayer is taking BYOD to the far extreme. Not only can you have any smartphone you want but you explicitly can’t have a Blackberry. How the mighty have fallen. From the article:

“As of today, Yahoo is moving off of blackberries as our corporate phones and on to smartphones in 22 countries. A few weeks ago, we said that we would look into smartphone penetration rates globally and take those rates into account when deciding on corporate phones. Ideally, we’d like our employees to have devices similar to our users, so we can think and work as the majority of our users do.”

Policy: Lay Down the Law

The written BYOD corporate policy is the foundation on which everything else hinges. It sets the guidelines for both employees and the employer on how devices will be handled and who will do what. This policy will include a variety of components such as:

  • A BYOD Acceptable Use Policy (BYOD AUP) that is reviewed and signed by the user.
  • Assurance that a remote wipe facility exists and is enabled on the device, especially if company confidential information will be stored on the device.
  • Creation and maintenance of an “authorized BYOD device list”. Employees wishing to bring new devices should submit a request for addition.
  • Policies regarding MiFi access while at the office. Users should not use a MiFi to bypass corporate access control such as proxies, IPS, and firewalls.
  • Verification that the user’s device is set to auto-lock and data stored on the device is encrypted (if possible).

Education: What They Don’t Know Will Hurt Them

Once we’ve created our BYOD AUP, process documentation, and other materials, we absolutely must let the user community know about it…

  • Set up classes to review BYOD acceptable use policy. A “certificate of completion” for BYOD Policy Education is always nice. This helps reinforce that “you have been warned”. Make this a requirement prior to device authorization.
  • Your device is subject to search. Let the users know what their responsibilities are and where the line between privacy and business need is drawn. Most employees assume that because it’s their device it’s somehow “off limits” to the enterprise. This is not the case. Once they begin storing company confidential information on the device, it, and everything on it, becomes accessible to the business.
  • Beware of children’s use. If you’re like most of us, your kids will often play games and make use of your phone or tablet. Ask employees to educate their children on safe browsing and reiterate that “this is mommy/daddy’s work phone, be careful!”
  • Continued education against weak lock codes such as “1111” or “1234”.

Technology: Trust But Verify

Once we have our BYOD policy drawn up and have educated the user community, we’ve got to verify that employees are following the rules and that BYOD devices are behaving. This involves actual technology and it revolves around the internal network, in particular monitoring the “access layer”.

  • VDI (Virtual Desktop Infrastructure). Now that the iPhone has 4G LTE this might be a realistic solution for many organizations. VDI allows the company to display email, documents, and other information via a virtual desktop on the user’s phone. This prevents any actual company confidential data from being stored on the phone. Very cool if properly implemented. Citrix VDI is one example and is quite popular.
  • From a technology design perspective it’s important to understand that the BYOD network is “untrusted”. John Kindervag’s Zero Trust Model is the way to go here. The idea is that just because the user is “internal” doesn’t mean they are trusted. Is network segmentation a “technology”? Well, no, not really. It’s more of a design philosophy. But you need tech to make it happen.
  • Take a look at “NAC 2.0” technologies. Early NAC was often quite proprietary and simply lacked a purpose in the enterprise. The rise of BYOD has given new life to Network Access Control, and infrastructure vendors have stepped up to deliver technology that is interoperable and (surprise!) actually works. Examples include the Cisco Identity Services Engine and Enterasys Mobile IAM.
  • NetFlow or IPFIX-based network security monitoring is an excellent addition to a NAC 2.0 deployment. Cisco calls this NetFlow Data Export (NDE) and it’s available on a wide variety of switches and routers ranging from the Internet edge all the way down to the individual access-layer switch ports where the BYOD devices live. Check out this example showing Enterasys IAM working in conjunction with Plixer’s Scrutinizer NetFlow and IPFIX Analyzer.

So there it is. BYOD essentials include a written policy, education process, and technology to verify it all. If you want more information about Enterasys IAM, Scrutinizer, or NetFlow network monitoring in general, contact us. Or download Scrutinizer for free to try it out for yourself.
