A key part of getting bring-your-own-device (BYOD) policies right has been to ensure that organisations have the correct policies in place — but many businesses don't know the key ingredients that need to go into these policies.
Speaking at the Gartner Security and Risk Management Summit earlier this week, the vice president of Gartner's Information Security and Privacy Research Centre, John Girard, outlined the different ways in which businesses should respond to varied device use, and what considerations are needed when developing a BYOD policy.
Identifying device use
He said that access to information can be purely online, where no data is stored on the device, or alternatively offline, where data is required to reside on the device.
Similarly, he said that devices themselves can either be trusted by the company or untrusted.
Taken together, they represent four different scenarios in which businesses can choose to implement a BYOD policy. Girard said that these scenarios aren't mutually exclusive, and that businesses might find that they have devices that don't fit into just one of the four different scenarios, but they need to be aware of each in order to know what strategy to take.
In an online/no-trust scenario, Girard said that businesses can set up a simple web portal that allows them to filter the information that goes though, and prevent users from downloading information to their devices.
"It might be the case where I offer you Outlook web app ... without downloading attachments," he said, picking a simple example.
An online/trusted scenario takes the web portal another step forward, to restrict access to a set of known devices, and places some trust in the security features present on those devices.
"I may actually push down health checks on the device to say, 'Are you really the device we expected you to be? Are you the version of the device we expected you to be?'."
Girard said that this is important because older, outdated devices are typically worse in terms of the level of trust that can be relied upon, and these checks provide the business with a way of weeding them out.
However, not all applications will work purely online, so in an offline/no-trust case, Girard said that businesses should at least start thinking about the use of certificates to invite people to services such as VPN, corporate email and specific applications. He said that this is where mobile device-management (MDM) tools can play a valuable role, even though they are not popular among businesses. Frost and Sullivan's recent "Enterprise Mobility Report" showed that only 25 per cent of organisations are able to confirm that they have an MDM tool in place.
"If you're using a mobile device-management tool even at a basic level, you get a very simple console that allows you to ... specify use patterns, specify drop patterns for people that are getting access to resources by certificate."
But this implies that the device is trusted, and that its built-in features are able to provide a level of security. Girard said that the ideal solution is an offline/no-trust situation, where every service gets a signature and a certificate, and all applications on the device are secured by the use of data containers.
"What this means is that I don't even care if the operating system or the extra features I've got on the mobile device can provide encryption. I trust it at all, I do it myself. You can take that and drop that on a very untrustworthy device," he said.
"Try and move ... into situations where you don't have to trust the device, you don't really have to trust the user [and] minimise the data on the device. [People] want online access to the freshest possible data, the freshest possible view of applications. I minimise the data on the device, and I know every time you want to access it. I know when you accessed it, why you accessed it and what you accessed. It sounds like compliance, doesn't it?"
Once a business has identified how it will support devices, it's then that it can start to put together a mobile policy, he said.
Ingredients for a policy
Girard said that policies should not be built from scratch; instead, businesses should look at establishing a baseline by looking at what it has done for PCs in the past. This also means that businesses that have made mistakes or have issues that need fixing for their PC policies need to address those first, or, at the very least, at the same time that a mobile policy is being developed.
"You can't finish this job today by doing a word replacement for PC to mobile. You have to change the policies, but that's the start. [In your PC policy,] do you encrypt emails today? Do you encrypt your workstations today? Are you actually taking efforts to manage privacy for data and email? These are the important questions."
With a baseline to work from, Girard said that businesses should look at implementing three separate sets of controls for company devices, personal devices and contractors and visitors, stating that the latter category has its own challenges that warrant its own policy.
"[Contractors are] going to say, 'Hey, I work for another company. I have my own mobile device agent", or they might say, 'I work for six companies. Where am I putting yours?' You could always give them one of your devices, but that's not really the right answer, is it?"
For each of these policies, Girard said that businesses should start to define risks and the functions that are going to be allowed on mobile devices, and then make the decision on whether the business can afford to allow them.
Similarly, Girard said that a decision needs to be made about how the business will distribute applications and data, including how much data and where it will be distributed. Once that decision has been made, businesses should look at how the information will be tracked.
Girard also stressed the importance of specifying controls on user authentication and exceptions to the policies.
"Users don't even want passcodes on these devices. They complain about four numbers. Four numbers is [about] 10,000 combinations. I can break that in less than a second using an off-the-shelf tool for $79. Very simple to get into some of these devices."
He said that some C-level executives would want exceptions, joking that many are unwilling to even remember a two-digit passcode, but advised against accepting such risks.
"You really can't necessarily live with this kind of situation. If you are going to have [an] exception like that, someone has to take responsibility for it."
With that in mind, Girard said that policies need to clearly state the boundaries of liability to ensure that someone is always accountable for a breach or loss of device.
"Who's going to go to jail or who's going to get in trouble; who's going to pay for the clean-up in the event that something goes wrong? Employees and supervisors should sign the compliance policy when an employee brings a new device in. You can't hold the supervisor individually responsible for the employee, but the fact that the employee knows that the supervisor signed with them makes it a lot more real."
Lastly, he said that businesses should develop a section that outlines requirements that need to be applied to all BYOD policies.
This section should include an opt-in for some kind of MDM tool, minimum password strength and retry requirements, and a zero-tolerance statement against users to hacking, even if it's their own device.
"No jailbreaking; no rooting on devices that connect to the company."
When it comes to getting users on-board with policies, Girard said that businesses need to be as clear and concise as possible, or risk having a policy that simply won't be followed.
"I have to be able to read the first page of a device policy and have a very clear idea of what my responsibilities are, and what the company's responsibilities are," he said.
"If you lecture or preach or give tutorial information and you don't get to the point, then your policies won't work."
But simply having a policy in place doesn't mean that the job is done. Girard said that IT should be involved in keeping an eye on what is working and what isn't, in order to fine tune policies and gain insight into problems that might occur. According to him, the best way to do so is for the business to encourage communication through a self-help Wiki.
"IT can't anticipate everything that will go wrong ... so the best idea is to get them talking. They're going to talk anyway ... so get it out of the email and get them all into a Wiki. Make it real friendly, make it helpful. Put some of the key IT staff in charge of monitoring it in the Wiki. As a result, you're going to know what problem is coming next."