Navigating the Waters of BYOD

Part 1: Piloting the Perils

Drew Williams

©2013 Drew Williams

BYOD Defined

So, you have decided that you’ve read enough, heard enough and thought about it enough that you’re going to do something about the dramatic rise of mobile devices in your organization’s workplace. The idea that it is taboo to bring personal devices to work is being replaced by the search for an effective use policy that addresses the matter.

Good news: Gaining the upper hand on BYOD requires some practical thinking, basic administrative management, and some common sense.

This little document will give you some basic guidelines on what important matters to consider when navigating the waters of mobile computing, while still providing a safe harbor for your organization’s assets.

Let’s start with what we need to know about mobile computing in general, and how the BYOD phenomenon is creating a sea of risk management concerns throughout every industry that relies on technology to communicate or advance.

“Mobile Computing” includes everything from Android phones and iPhones to Kindles, iPads and laptop computers: anything that can be used to store AND transmit data.

Charting the Course: Statistics tell part of the story

Statistics can tell you anything to support any argument. The topic of BYOD is no different, and as a Value-added Services provider, Condition Zebra carries no bias toward any technology to support or prevent the case for BYOD in the workplace, although we do support the idea of implementing a good risk management policy to manage BYOD, and we think ours is the best.

Love-Hate Relationship

When talking about BYOD in relation to its impact on a business, it’s almost like Mom and Dad arguing at the dinner table about why the kids should and shouldn’t get the keys to the car. On the one hand, the CFO (aka “Dad”) likes the sense of freedom and independence BYOD brings to the organization, and how mobile computing actually improves overall productivity in the workplace, which converts into greater revenue potential.

“Mom” (the CIO), on the other hand, sees the risks of moving too quickly and of having too much independence and accessibility, which translate into inconsistencies in standard operating guidelines, poorly defined standards, complexities in supporting a constantly changing environment, and unpredictable security risks. Both are right!

Based on a poll of 1,000+ mid-sized companies throughout the U.S., Europe and Asia:

• 90% use personal devices;
• 100% noted accessing IP & PI via personal devices;
• More than 1 billion smartphones are in use worldwide;
• More than 100 million new Android devices were sold since Q3 ’12;
• 80% will budget to address “Risk” relating to managing the usage of personal devices.

There are considerable (but manageable) risk factors associated with BYOD-related activities, including probably the most relevant concern: data security compromise.

There are also statistics that show how, by working with staff, employers actually create a greater sense of organization-wide responsibility for protecting the assets of the group, recruiting every individual to take up the cause.

The results: BFFs can freely sail the same waters with FAQs and RFPs, without fear of course collisions.

Before we address how to navigate the seas of success with BYOD, however, let’s first address some of the risks you might face.

The Fog of Data Theft

In the days of the ancient mariners, one of the most dangerous problems they faced was fog. Not being able to see the stars at night, or landmarks along the waterways during the day, could mean delay or greater danger to the seafarer and his cargo.

Data theft, like the fog of old, can slip in and out of an organization, often undetected, unless it is monitored for and managed.

Laptop computers and tablets aside, even smartphones, all of which can transmit data between hosts, now carry between 8GB and 128+GB of storage, accept removable SD cards, and sync or exchange critical information automatically, without the organization even knowing it happened.

Beware of the Shifting Songs of the Sirens of Malware

The ancient Greek seafarers of the Mediterranean told stories of fair maidens who brought song and beauty to the weary crew, only to replace both with disorientation and death.

Malware is a constant problem in today’s distributed computing environments. Mobile phones, Android devices especially, are highly susceptible to problems introduced through cross-site scripting, which represents more than 80% of the root causes of hostile activity against application security.

Neglecting the old-school processes of checking system configurations, applying system patches, and even ensuring that the latest versions of applications are installed is only one of the reasons why this problem continues to sing tragedy for the unaware and misinformed.

“AVAST There!” Being Boarded by Wireless Exploits

While the open waterways might not sound like a place where unauthorized access is a risk, the pirates of old ran with impunity, threatening all trade routes, all ships and all waters.

The world has gotten a lot smaller in the Digital Age, and taking advantage of a wireless infrastructure is becoming more prevalent and more common.

The risks and insecurities of WEP, for example, are so well known that step-by-step “how-to” guides describing WEP’s vulnerabilities are published online.

Passive attacks on unencrypted wireless links include eavesdropping; more hostile threats, resulting from the exploitation of applications, can mean traffic floods and the all-evil Denial of Service.

Argh Matey!
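To make the WEP point concrete, the following is an added example written for this edition (it is not code from the eBook or from Condition Zebra) of the single weakness that the published how-tos build on: WEP encrypts every frame with RC4 seeded by a 24-bit IV, sent in the clear, concatenated with the shared key. Whenever an IV repeats under the same key, two frames share one keystream, and XORing their ciphertexts cancels the keystream, leaving the XOR of the two plaintexts; one guessable frame then exposes the other. The RC4 routine is the real algorithm; the shared key, IV values and frame payloads are constructed for the demonstration, and nothing here parses real 802.11 frames or handles WEP’s ICV.

```python
"""Toy model of WEP's IV-reuse weakness. Added example: real RC4, but a
constructed key, constructed IVs and constructed frame payloads; no 802.11
parsing, no ICV, no key recovery. Python 3 standard library only."""

SHARED_KEY = b"\x0b\xad\xc0\xff\xee"  # constructed 40-bit WEP key (assumption)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || ciphertext. WEP seeds RC4 with iv || key and sends the IV in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def find_iv_collisions(frames):
    """Group sniffed frames by their cleartext IV; an IV seen twice means keystream reuse."""
    by_iv = {}
    for frame in frames:
        by_iv.setdefault(frame[:3], []).append(frame[3:])
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}


def recover_other_plaintext(ct_known: bytes, ct_target: bytes, known_plaintext: bytes) -> bytes:
    """ct_known XOR ct_target = p_known XOR p_target because the shared keystream cancels;
    XORing in the known plaintext leaves the target plaintext (up to the shorter length)."""
    return xor_bytes(xor_bytes(ct_known, ct_target), known_plaintext)


def demo() -> bytes:
    """Eavesdropper scenario on constructed traffic: one frame's content is predictable
    (a probe the attacker can trigger or guess), the other carries something sensitive."""
    known = b"ARP request: who-has 10.0.0.1"     # constructed, guessable frame
    secret = b"Payroll export: wep-is-broken"    # constructed, same length
    reused_iv = b"\x01\x02\x03"
    sniffed = [
        wep_encrypt(SHARED_KEY, b"\x10\x20\x30", b"unrelated frame"),
        wep_encrypt(SHARED_KEY, reused_iv, known),
        # The 2^24 IV space repeats after a few thousand frames by the birthday bound,
        # and sooner on cards that reset the IV counter to zero on power-up.
        wep_encrypt(SHARED_KEY, reused_iv, secret),
    ]
    collisions = find_iv_collisions(sniffed)
    ct_known, ct_target = collisions[reused_iv]
    return recover_other_plaintext(ct_known, ct_target, known)


if __name__ == "__main__":
    print(demo())
```

Running it prints the recovered secret payload without ever learning the shared key. The fix is not a longer WEP key but a protocol without this structure: WPA2 with AES-CCMP (or WPA3), where the per-frame nonce comes from a 48-bit packet number that does not wrap in practice, and a network-side check that no SSID in the estate still advertises WEP or open authentication.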

Watch Out for the Rocks!

According to ancient Greek legend, the Cyanean Rocks, which stood at the mouth of the Bosporus, randomly clashed together to crush any unsuspecting sea-goers. The key, as fabled Jason and his Argonauts discovered, was to manage the timing between clashes, by constantly monitoring the trends in how the rocks interacted with the sea.

A top concern in BYOD security is the overall lack of monitoring and consistent management of access controls and privileges.

Perhaps one of the easiest preventive actions an organization can take is also the one most neglected: establishing a consistent policy for remote file access, authentication and remote privilege management.

Adrift and Lost At Sea: Data and the Loss of Contact

Those sailors who have suffered the unfortunate fate of being adrift on the open sea, and have lived to tell their tales, have said that the sheer loss of contact with the rest of the world drove some of their greatest fears.

Mobile devices are small and can easily be misplaced or lost. For many people, those devices contain everything from Grandma’s secret recipes to government secrets entrusted to the device owner for safekeeping. Many people (my five daughters included) have become so dependent on mobile devices for even minute-to-minute communications that they take them to bed with them!

The idea of encrypting mobile devices is still a fresh concept in the category of BYOD security, and as a result, proprietary data loss is still the chief concern regarding mobile computing environments.

Steering Toward Friendlier Shores

Desktop virtualization is a fast-growing, floodgate-level trend for edge businesses. In fact, fewer security issues have actually been reported (internally) with personal mobile devices than with corporate devices. The fact is, people take better care of their own property.

With the interest in BYOD on the rise, often led from the top of the corporate food chain (namely, the C-levels themselves), the trend that is “BYOD” also often translates into innovation, enhanced “quality of work” for employees, a rise in productivity, and the chance for organizations to achieve faster rates of expansion and a higher level of achievement in goals and business objectives.

As the tempest of technology continues to rage on the digital horizon, organizations worldwide continue to pursue faster, higher, stronger methods of doing more with less.

Part 2: Sailing the Seven “C’s”

To avoid sinking in the maelstrom, perhaps the following seven points of action can keep the tides even for those who are advancing toward uncharted waters:

• Collaborative Staff Effort;

• Configuration Policies;

• Continuous System Monitoring;

• Compartmentalized Virtualization;

• Coordinated Carrier Support;

• Control Systems (VPNs, Tokens);

• Clarification of Roles & Ownership.

See you next month with Part 2!

Navigating the Waters of BYOD, Part 2: Sailing the Seven “C’s”

Available mid-September at www.conzebra.com

About Condition Zebra

Blended from the Information Security, Defense, IT, and Software Engineering industries, the Condition Zebra team has a combined skill set of more than 100 years’ experience, with success histories that span decades of work. Our security architects, engineers and critical infrastructure analysts have participated in establishing critical infrastructure security and policy for the United States, as well as having served on advisory boards and critical infrastructure committees and consulting groups for foreign governments and organizations ranging from Fortune 500 entities to even the smallest of businesses. Contact Condition Zebra today to learn how our team of risk management experts can help your business.

About the Author

Drew Williams is the founder and CEO of international risk management consulting services firm Condition Zebra, which has operating offices in the United States and Southeast Asia.

During the 1990s and into the 2000s, Drew was involved in early development of IT infrastructure frameworks and security standards, including work with the IETF on the organization of the Common Vulnerabilities and Exposures (CVE) format, the HIPAA security standard and development of some of the industry’s pioneer host-based intrusion detection technologies.

Drew has produced more than 40 short documentaries on educational and economic advancement in developing nations, and he authored one of the multi-million best-selling "Complete Idiot’s Guides."