Bring your own device (BYOD) security challenges


BYOD is a business policy which encourages employees to bring their personal devices (laptops, tablets, mobile phones) to the corporate environment and perform business tasks with them.

The advantages for the business are attractive as it allows companies saving money on high priced devices and avoid the responsibility if they are damaged, broken, lost or stolen. Moreover, it allows users to work with the technology of their choice and they feel most comfortable with, which increases productivity and makes the working experience more pleasant.

However, system administrators, network architects and security officers are facing a scenario which was unthinkable just a little time ago: introducing alien untrusted devices in the network and allowing them to connect to business resources.

This is a major challenge.

Up until now IT managers tried to configure the internal systems in a controlled manner whereby a well defined perimeter enforced logical access control on the business resources. Moreover, only authorised devices were allowed to successfully authenticate and gain access to these resources.

Obviously there is no single best line of action to overcome this challenge, as networks, systems and trusting models are different in each company. However, there is one important rule of thumb: Treat the device as if it has been already compromised, with a key-logger and a network sniffer running at all times. After all, chances are that you are right in your assumption.

The decision on how much trust the business should grant to the device depends on the appetite for risk. I would personally be inclined to grant zero trust. However, as every single decision affecting corporate security, a risk assessment should be performed and a decision made.

There are a number of obstacles that need to be overcome in this kind of deployment:

There is no magic bullet which will solve all the issues explained above. However, there are a number of approaches which can limit a potential security breach started from the device. Every approach should focus on minimizing the fact that the BYOD device may be compromised and running malicious software.

There are known risks in BYOD initiatives.

All in all, security in BYOD projects requires detailed planning which may involve significant architecture changes in the way users access business resources. It is important to understand the risks and challenges, to perform a risk assessment, identify the amount of trust granted to the BYOD devices and deploy a solution which minimizes potential compromises.

You may also be interested in...

April 3, 2014

Reverse Engineer Router Firmware – Part 1

This series will follow the process of reverse engineering router firmware with the purpose of discovering any vulnerabilities that could be used either remotely or locally to compromise the router. In this section I will mainly be covering how to extract/download the firmware alongside a very b

See more
June 2, 2020

Server Side JavaScript Injection

With the appearance of NodeJS, JavaScript gained very significant popularity as a server-side, back-end powering language. This turned some client slide data injection vulnerabilities into server side vulnerabilities such as XSS into Server Side JavaScript Injection.

See more