BYOD Policy, Risks & Strategies

The defining characteristic of any technological artefact is its utility. For an information network, utility is close to synonymous with flexibility and, to a large extent, in tension with security. Bring Your Own Device (BYOD) sharpens that tension into a push-pull: a push towards utility, by admitting any device, and a pull towards policy constraints in the name of security. Opening a network to any device, which is essentially what BYOD means, is only workable if we deliberately redefine where our trust boundaries [1] lie and then adopt an adaptive posture that can tighten or relax as circumstances demand.

To ground this examination, let's consider two very different BYOD use cases: the classroom and the office. In the classroom, BYOD democratises access and enhances inclusivity; in the office, it amplifies productivity and facilitates agility. Each use case settles at a different point in the trade-off between people, policy and technology, the PPT model set out by Schlarman [3] and applied to BYOD compliance by Palanisamy et al. [2].

Looking first at the classroom: the threat calculus there is shaped by the socio-technical factors in play, namely the ages, capabilities and outlook of the people, the rigour of the overarching process and the limits of the available technology. It should also be noted that the worst credible outcome is reasonably limited in scope in this environment. It is therefore reasonable to conclude that the desire to give students a level and inclusive playing field, in terms of the gains BYOD brings to their education, moves the needle towards less rigour and more openness.

Conversely, in a corporate environment the demands of policy, education and process are likely to be significantly more restrictive. Indeed, as Belanger and Crossler [4] describe, those demands tend to dissuade users from enjoying the additional facility BYOD can provide, because of concerns about their own self-efficacy [5]. Their ability to bring a device that meets the narrower definition of acceptable hardware and software presents a further hurdle. In this setting the stakes are higher and the worst credible outcome more forbidding, whilst the people are likely to be more compliant with policy and receptive to education, and the technology more tightly constrained.

Turning to the technical challenges of BYOD, we must first recognise the temporal nature of an attack surface. Keeping devices updated is fundamental to a coherent and effective security policy, and a failure to do so exposes resources in two ways. First, timely and regular patching of all software in use on our devices is essential to attain and retain a protected attack surface. Vulnerabilities are discovered all the time, and unless software is patched as fixes are developed and released, simply standing still subjects a device to an ever-growing pool of exploits to which it is vulnerable. Indeed, exposure becomes more acute once a vulnerability has been disclosed and a patch published: the fix itself tells attackers what to look for, and the devices that have not applied it become the obvious targets. Second, the generational nature of hardware means that step-changes in hardware are typically accompanied by step-changes in the software that runs on it. In practice this means that devices of a given obsolete hardware generation are simply incapable of being patched with software that is being kept up to date, and no amount of policy will make them compliant.

In addition, the sheer number of new device models in common use has grown rapidly and continues to grow. Palanisamy et al. [2] state that, “Today, employees and their mobile devices are inseparable and very much part of their daily lives”. The proliferation of devices and use cases makes it harder to negotiate a policy space in which processes cover the maximum, if not all, of the devices that may appear on site. Most BYOD devices are wireless, but not all, and this too adds complexity.

Looking next at password management: governing it by stringent policies that force users into restrictive renewal and complexity regimes is superficially sound, but Zhang, Monrose and Reiter [6] show that the argument is far more nuanced than most discourse reflects. They call into question the continued use of expiration and complexity as metrics, showing that a user's new password is frequently a predictable transform of the old one, and, in the longer term, provide evidence in favour of moving away from passwords altogether. Given, however, that passwords will be a component of our defence in depth for some time yet, the need to reconcile policy requirements with the likely weaker behaviours of users managing their own devices becomes stark.
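To make the expiration argument concrete, here is an added example (not from the original article and not the authors' code) of the kind of transform search Zhang, Monrose and Reiter describe: given a user's previous password, it enumerates the successors people typically produce when forced to change (bumping a trailing number, appending a digit or symbol, toggling case) and reports how many guesses it would take to reach the new one. The transform set, its ordering and the old/new pairs in `SAMPLE_PAIRS` are this example's own constructions, not data from the paper.

```python
"""Transform-based guessing of a successor password from its predecessor.

Added example: a toy version of the transform search used to show that many
'new' passwords are predictable from the old one. The transform set, the
ordering and the sample pairs are this example's own choices.
"""
import string

SYMBOLS = "!@#$%&*?"
TRAILING_DELTAS = (1, 2, 3, -1, 10, 100)   # common "bump the number" edits

# Constructed old/new pairs for demonstration; not real credentials.
SAMPLE_PAIRS = [
    ("Summer2021!", "Summer2022!"),   # increment the year, keep the suffix
    ("tarheels#1", "tarheels#11"),    # append a digit
    ("Password1", "password2"),       # lowercase and increment
    ("Blue!Sky7", "Blue!Sky8"),       # increment the trailing digit
]


def split_password(pw):
    """Split pw into (stem, trailing digits, trailing symbols)."""
    j = len(pw)
    while j > 0 and not pw[j - 1].isalnum():
        j -= 1
    core, suffix = pw[:j], pw[j:]
    i = len(core)
    while i > 0 and core[i - 1].isdigit():
        i -= 1
    return core[:i], core[i:], suffix


def _case_variants(pw):
    return (pw, pw.lower(), pw.upper(), pw.capitalize(), pw[:1].swapcase() + pw[1:])


def _digit_variants(pw):
    stem, digits, suffix = split_password(pw)
    out = []
    if digits:
        n = int(digits)
        for d in TRAILING_DELTAS:            # 2021 -> 2022, 1 -> 11, ...
            if n + d >= 0:
                out.append(stem + str(n + d).zfill(len(digits)) + suffix)
        for c in string.digits:              # replace the last digit
            out.append(stem + digits[:-1] + c + suffix)
    for c in string.digits:                  # append a digit before any symbols
        out.append(stem + digits + c + suffix)
    return out


def _symbol_variants(pw):
    out = [pw + s for s in SYMBOLS]          # append a symbol
    if pw and pw[-1] in SYMBOLS:             # swap the trailing symbol
        out += [pw[:-1] + s for s in SYMBOLS if s != pw[-1]]
    return out


def candidates(old):
    """Ordered, de-duplicated list of the successors an attacker tries first."""
    ordered, seen = [], {old}

    def add(c):
        if c not in seen:
            seen.add(c)
            ordered.append(c)

    for base in _case_variants(old):
        add(base)
        for c in _digit_variants(base):
            add(c)
        for c in _symbol_variants(base):
            add(c)
    return ordered


def guess_rank(old, new):
    """1-based number of guesses needed to reach `new` from `old`, or None."""
    try:
        return candidates(old).index(new) + 1
    except ValueError:
        return None


def guessable_fraction(pairs, budget):
    """Share of (old, new) pairs cracked within `budget` guesses."""
    hits = sum(1 for old, new in pairs
               if (r := guess_rank(old, new)) is not None and r <= budget)
    return hits / len(pairs)


if __name__ == "__main__":
    for old, new in SAMPLE_PAIRS:
        print(f"{old!r:16} -> {new!r:16} rank={guess_rank(old, new)}")
    print("cracked within 100 guesses:", guessable_fraction(SAMPLE_PAIRS, 100))
```

All four constructed pairs fall within a budget of a hundred guesses, which is the point: an attacker who already holds the expired password is barely inconvenienced, so expiration buys little unless the new password is unrelated to the old one.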

Logging, described in [7] as an integral piece of the defence-in-depth jigsaw, is likely to be barely used on BYOD devices and so warrants consideration. On a network of corporate hosts under comprehensive management, logging events to a central repository is strongly recommended; achieving a comparable level of accountability for personally owned devices is a significant challenge. Fortunately, off-the-shelf solutions exist for mobile device management (MDM) and mobile application management (MAM). Such services, for example Microsoft Intune [8], provide an overarching technological and policy framework that applies rigour to a BYOD network without a piecemeal approach. Specifically, with regard to the considerations above, they make network access contingent on a device running an approved combination of hardware and software, and they ensure that password policy is applied without exception. Furthermore, by maintaining a record of enrolled devices and enhanced logging of many aspects of their activity, they address the lack of logging in a way that ties activity tightly to the host. Such a system is, however, at the mercy of its own patch currency and can, if allowed to lapse, itself introduce new vulnerabilities.
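As an added illustration (not Intune's own code, configuration or API, and not part of the original article), the following Python models the compliance gate that an MDM/MAM service applies to BYOD devices, pulling together the points made above: the minimum OS version and patch age from the discussion of patching, the hardware generations that can no longer be updated, the screen-lock and passcode rule, and enrolment so that activity can be logged against a specific device. The policy values, device names, model identifiers and dates in `POLICY` and `FLEET` are constructed for the example.

```python
"""Compliance gate for BYOD devices, modelled on MDM conditional access.

Added example, not Intune's code or API. A device that fails a fixable check
is quarantined with the reasons; a device that cannot be fixed (end-of-life
hardware, unsupported platform) is denied outright.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    min_os: dict                    # platform -> lowest acceptable OS version
    max_patch_age_days: int         # oldest acceptable security-patch level
    eol_models: frozenset           # hardware that can no longer be patched
    min_passcode_len: int
    require_enrolment: bool = True  # enrolment gives per-device logging


@dataclass(frozen=True)
class Device:
    name: str
    platform: str
    os_version: str
    model: str
    last_security_patch: date
    screen_lock: bool
    passcode_len: int
    enrolled: bool


# Constructed policy and fleet; names, models and dates are illustrative.
POLICY = Policy(
    min_os={"ios": "16.7", "android": "13"},
    max_patch_age_days=30,
    eol_models=frozenset({"iPad4,1", "iPhone8,1"}),
    min_passcode_len=6,
)
TODAY = date(2024, 4, 20)
FLEET = [
    Device("alice-iphone", "ios", "17.4.1", "iPhone14,5", date(2024, 4, 1), True, 6, True),
    Device("bob-android", "android", "11", "SM-G960F", date(2023, 9, 1), True, 4, True),
    Device("carol-ipad", "ios", "12.5.7", "iPad4,1", date(2023, 1, 23), True, 6, True),
    Device("dave-laptop", "windows", "10.0.19045", "Latitude", date(2024, 4, 9), True, 12, True),
    Device("erin-pixel", "android", "14", "Pixel 8", date(2024, 4, 5), True, 6, False),
]


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def version_at_least(actual, minimum):
    """Numeric, component-wise compare: '17.4.1' >= '16.7' but '9.1' < '13'."""
    a, m = parse_version(actual), parse_version(minimum)
    n = max(len(a), len(m))
    return a + (0,) * (n - len(a)) >= m + (0,) * (n - len(m))


def evaluate(device, policy=POLICY, today=TODAY):
    """Return (decision, reasons): 'allow', 'quarantine' (fixable) or 'deny'."""
    if device.model in policy.eol_models:
        # No update path exists for this hardware, so no remediation either.
        return "deny", [f"{device.model} is end-of-life and cannot be patched"]
    minimum = policy.min_os.get(device.platform)
    if minimum is None:
        return "deny", [f"platform {device.platform!r} is not permitted"]
    reasons = []
    if not version_at_least(device.os_version, minimum):
        reasons.append(f"OS {device.os_version} below minimum {minimum}")
    age = (today - device.last_security_patch).days
    if age > policy.max_patch_age_days:
        reasons.append(f"security patch is {age} days old (limit {policy.max_patch_age_days})")
    if not device.screen_lock or device.passcode_len < policy.min_passcode_len:
        reasons.append(f"screen lock missing or passcode shorter than {policy.min_passcode_len}")
    if policy.require_enrolment and not device.enrolled:
        reasons.append("not enrolled: activity cannot be logged against this device")
    return ("allow", []) if not reasons else ("quarantine", reasons)


def gate_fleet(devices=FLEET, policy=POLICY, today=TODAY):
    """Map each device name to its (decision, reasons)."""
    return {d.name: evaluate(d, policy, today) for d in devices}


if __name__ == "__main__":
    for name, (decision, reasons) in gate_fleet().items():
        print(f"{name:13} {decision:10} {'; '.join(reasons)}")
```

The split between quarantine and deny matters in practice: a user can patch, lengthen a passcode or enrol, so those failures deserve a remediation path, whereas end-of-life hardware has no update to apply and the only honest answer is to keep it off the network. Note that the version check is numeric and component-wise; comparing version strings lexically would wrongly accept "9.1" as newer than "13".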

REFERENCES

  1. Shostack, A. (2014) Threat modeling. 1st ed. Indianapolis: Wiley.
  2. Palanisamy, R., Norman, A.A. and Mat Kiah, M.L. (2020) ‘BYOD Policy Compliance: Risks and Strategies in Organizations’, The Journal of computer information systems, pp. 1–12. doi:10.1080/08874417.2019.1703225.
  3. Schlarman, S. (2001) ‘The People, Policy, Technology (PPT) Model: Core Elements of the Security Process’, Information systems security, 10(5), pp. 1–6. doi:10.1201/1086/43315.10.5.20011101/31719.6.
  4. Belanger, F. and Crossler, R.E. (2018) ‘Dealing with digital traces: understanding protective behaviors on mobile devices’, The Journal of Strategic Information Systems, 28(1), pp. 34–49. doi:10.1016/j.jsis.2018.11.002.
  5. Bandura, A. (1995) Self-efficacy in changing societies. Cambridge: Cambridge University Press.
  6. Zhang, Y., Monrose, F. and Reiter, M. (2010) ‘The security of modern password expiration’, in Proceedings of the 17th ACM conference on computer and communications security. ACM, pp. 176–186. doi:10.1145/1866307.1866328.
  7. Gilbert, J., Diogenes, Y. and Mazzoli, R. (2016) Enterprise Mobility with App Management, Office 365, and Threat Mitigation: Beyond BYOD. Pearson Education.
  8. Microsoft (2021) Microsoft Intune is an MDM and MAM provider for your devices. Available at: https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune (Accessed: 02 December 2021).
