BYOD is a business policy which encourages employees to bring their personal devices (laptops, tablets, mobile phones) to the corporate environment and perform business tasks with them.
The advantages for the business are attractive: it allows companies to save money on high-priced devices and to avoid responsibility if they are damaged, broken, lost or stolen. Moreover, it allows users to work with the technology of their choice, the one they feel most comfortable with, which increases productivity and makes the working experience more pleasant.
However, system administrators, network architects and security officers are facing a scenario which was unthinkable only a short time ago: introducing alien, untrusted devices into the network and allowing them to connect to business resources.
This is a major challenge.
Up until now, IT managers tried to configure the internal systems in a controlled manner, whereby a well-defined perimeter enforced logical access control on the business resources. Moreover, only authorised devices were allowed to successfully authenticate and gain access to these resources.
Obviously there is no single best line of action to overcome this challenge, as networks, systems and trust models are different in each company. However, there is one important rule of thumb: treat the device as if it has already been compromised, with a key-logger and a network sniffer running at all times. After all, chances are that you are right in your assumption.
The decision on how much trust the business should grant to the device depends on the appetite for risk. I would personally be inclined to grant zero trust. However, as with every decision affecting corporate security, a risk assessment should be performed and a decision made.
There are a number of obstacles that need to be overcome in this kind of deployment:
- The deployment of BYOD initiatives is especially challenging because businesses have no control over the device and very little means of knowing whether the integrity of the operating system has been compromised.
- Additionally, system administrators cannot enforce business security policies on the user’s devices, such as running applications under a low-privileged context, denying installation of potentially dangerous applications, preventing the device from interacting with other devices, etc.
- Another key challenge is that when the business requires an application to be installed on the user’s device, a number of rules should be followed to ensure that the privacy of the user is not compromised. After all, it is a personal device.
There is no magic bullet which will solve all the issues explained above. However, there are a number of approaches which can limit a potential security breach that starts from the device. Every approach should assume that the BYOD device may be compromised and running malicious software, and should focus on minimizing the consequences.
- Authentication mechanisms should be based on one-time passwords. If the device is running a key-logger, the attacker would only get a password which cannot be reused.
- Enforce strict network segregation on the device, where only an intended front-end is accessible and all other traffic is filtered. Limiting the network access from the device will in turn limit the attacker’s attack vectors to only one system.
- Don’t trust the device at any stage. Don’t store information on it or rely on it at any stage.
- Run a penetration test on the solution. Two approaches should be considered. The first one is from an uninformed perspective, where the attacker has no knowledge of the environment and has no valid credentials to log on to the network or front-end. The second is from an authorised perspective, emulating the scenario of a compromised device logged on to the environment or a malicious user.
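The one-time-password item above only holds if the server refuses a code it has already accepted; otherwise a key-logged code stays valid until its time window expires. The sketch below is an added example, not code from the original article. It assumes time-based codes (RFC 6238 over RFC 4226), and the `OtpVerifier` class, the user name and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value; RFC 6238 sets counter = unix_time // step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical server-side check: each time step is accepted once per user."""

    def __init__(self, step: int = 30, drift: int = 1):
        self.step = step
        self.drift = drift      # tolerated clock skew, in steps
        self.last_used = {}     # user -> highest counter already accepted

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        current = int(now) // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_used.get(user, -1):
                continue        # this step (or a later one) was already consumed
            if hmac.compare_digest(totp(secret, counter), code):
                self.last_used[user] = counter
                return True
        return False


def demo() -> list:
    secret = b"12345678901234567890"  # RFC test-vector secret, sample value only
    verifier = OtpVerifier()
    now = 59                          # constructed timestamp (time step 1)
    code = totp(secret, now // 30)    # what the user types on the BYOD device
    return [
        verifier.verify("alice", secret, code, now),        # legitimate login
        verifier.verify("alice", secret, code, now + 1),    # captured code replayed at once
        verifier.verify("alice", secret, code, now + 120),  # captured code replayed later
    ]


if __name__ == "__main__":
    print(demo())
```

Without the `last_used` check, the second call would succeed, because the drift allowance keeps the previous step valid for a further 30 seconds.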
There are known risks in BYOD initiatives.
- It is certainly possible that the attacker can set up a network tunnel using the device as a pivoting system. Depending on the level of trust from the network perspective, the attacker would be granted network connectivity to a number of systems, which could then be subject to potential attacks.
- Additionally, confidentiality is difficult to preserve, as an attacker could potentially hook the device’s browser or operating system, disclosing the information even if it was encrypted in transit.
All in all, security in BYOD projects requires detailed planning which may involve significant architecture changes in the way users access business resources. It is important to understand the risks and challenges, to perform a risk assessment, identify the amount of trust granted to the BYOD devices and deploy a solution which minimizes potential compromises.