A recent survey conducted by ISACA on proliferation of the BYOD (Bring your own device) culture at the Indian workplace, raised serious concerns regarding the implications for security. The survey establishes that a majority of security incidents arise from employee use of IT assets, be it using personal devices on the company network or using company IT assets for personal use. The rising affordability of these feature-packed devices is opening up a Pandora’s box of security problems, industry experts believe.
Each industry vertical in India has its own set of BYOD related demons to contend with. While organizations in the BFSI and IT/ITES sectors are more concerned with client privacy, other sectors have their hands full with protecting proprietary data. However, issues such as data theft, network breaches and financial damages from this new vector are at the top of the agenda for every security leader.
The BYOD security nightmare
Each vertical is dealing with BYOD security in its own way. While integration is allowed based on the organization's specific risk profile, experts across the industry agree that while these devices can be great enablers of productivity, securing them can be a nightmare.
Raja Vijay Kumar, vice president & global information security leader at Genpact, is no exception. As the person in charge of security for this BPO of 40,000 employees — with a majority in the age bracket of 25-30 — BYOD security has definitely been a challenge. Issues range from legal liability to a need to secure sensitive environments.
Genpact is also evaluating the business case for employees working from anywhere using their own devices. One of Kumar’s unique challenges is to bring clients on board for such initiatives, given the sensitive nature of Genpact’s business and compliance frameworks.
For Satish Das, chief security officer and VP (ERM - Enterprise Risk Management) at Cognizant Technologies, a leading global player in IT and managed services, it is not so much a question of how, as of when. That said, Das feels that the fact that the devices are not owned by the organization brings in legal liabilities and other privacy issues into the equation. Employees have also become more demanding, and are well aware of their rights.
According to Deepak Rout, CISO Uninor, the productivity that these devices bring to the table is undeniable. But the organization has to be wary of what data they allow onto these devices. He states that it boils down to the kind of device and its usage.
Most organizations need to have email available on the go, with some providing ERP/CRM applications for smart devices. With every application, as long as no sensitive data can be accessed from the device — or such sensitive data can be controlled — it becomes simply a question of integrating another entry point on the network.
Emerging technologies today are allowing for fine, granular control for BYOD security, says Rout. For instance, Microsoft Exchange Server 10 SP2 now provides for read-only attachments, a feature that even the BlackBerry platform has yet to implement. In case a compromised device becomes an entry-point for staging an attack against the organization, as long as there is a hardened, well-defined perimeter in place, such attacks can be easily thwarted.
So what are the top dogs doing to keeps BYOD security threats in check? Answers range from a blanket ban to more forward looking philosophies.
Says Kumar of Genpact, “Other than smart-phones, Genpact doesn’t currently allow other devices to be used for business purposes.” While Genpact has brought smart-phones into the fold, adequate controls to minimize exposure have been put in place, he says.
Kumar says that the “work with own device” initiative cannot go forward without the clients’ consent, and complete transparency is required, wherein Kumar and his team share the design and the controls for BYOD security to gain the complete confidence of clients. With thin client and VDI technology, he expects it may one day even be possible for employees to work completely from home, without compromising organizational security. He however says that he will wait for the technology and BYOD security to mature before attempting to extend it to cover production work from home.
Cognizant's Das is much more cautious, since he believes that the level of security required for such devices is not fully in place presently. Like others, Das also agrees that the decision to go ahead with BYOD is determined by the organization's risk profile. The more the risk, the less likely management will be to authorize technologies that might expose the organization to attack.
Essar Group CISO Manish Dave says that smart devices in his organization are not permitted access to the corporate network, to ensure BYOD security. Aside side from a protected platform such as BlackBerry, where regulation is possible, Dave does not believe that it would be a smart move to let these devices into the corporate network, since there is no way to ensure complete compliance to the organization’s security policies.
Hence, presently at Essar, only BlackBerry devices are allowed. To ensure robust BYOD security, the organization exerts granular control on these devices by disabling features such as saving of attachments. Other personal devices such as laptops are not allowed into the corporate networks unless they adhere to the information security policy.
Dave says that while newer devices such as the iPad 2 or iPhone 4 come with stricter control mechanisms, there is still a long way to go before BYOD security is seamlessly integrated into the rest of the IT infrastructure. According to Dave, Essar is presently considering Sybase’s Afaria solution for comprehensive mobile device management.
As part of Uninor’s BYOD security strategy, Rout does not allow sensitive access when a remote access request comes in. “As a best practice, all employees should not be allowed to have remote access. Full access must remain only with company installed and maintained hardware, where the environment can be controlled and accounted for,” says Rout.