Security Think Tank: MDM is no BYOD silver bullet

With BYOD and personal cloud at work, what measures can IT take to ensure security of enterprise data and does MDM really have a role?

Bring your own device (BYOD) is a subject that has been on many people's lips of late, and much has been written and presented on it: some of it helpful, some not, and some quite confused.

One thing is certain: BYOD is here to stay, and security professionals had better get used to the idea. That does not mean that every enterprise will embrace BYOD, and certainly many enterprises will adopt it only in a limited way.

BYOD also needs to be viewed in the light of other developments, such as mobile working, home working and have your own device (HYOD). Under HYOD an enterprise either gives an employee a sum of money, together with some guidance and/or standards, so they can buy their own device, or it gives the employee a choice of devices.

There are issues associated with BYOD, some arising from dual use – the same device being used for both personal and business purposes – and some arising from legal and regulatory requirements that apply to the enterprise.

These issues cannot be dismissed lightly and may, in some cases, be a deal breaker, where the legal and/or regulatory requirements placed on the enterprise prevent it from embracing BYOD at all.

Protecting sensitive data

Generally, one of the first forays into BYOD is allowing the use of personal smartphones to access corporate email, and most smartphones these days do a pretty good job of integrating with enterprise email systems.

Using this example, we can see that if the smartphone is a BYOD device, we have enterprise information stored on it (emails and potentially email attachments). Being a personally owned device, it is very unlikely that any enterprise information on it can be protected from the many applications that can run on a smartphone.

If enterprise information leaked from the device, would the enterprise itself become liable (because of its BYOD policies), or would the employee? That liability could arise legally from contracts held by the enterprise or from legislation such as the Data Protection Act.

Consider if a rogue application on a BYOD smartphone captured the log-in information used by the email process and then transmitted that information back to some third party with malicious or criminal intent.

The log-in information for many enterprise email systems is the same as that used to log onto the enterprise network. If such a third party were able to use the captured log-in information to gain access to an enterprise's network, would the employee be liable and, if so, to what extent?

The conditions for remote wiping

If a BYOD smartphone is lost, does the enterprise have the right to remotely wipe the device? And would an employee really want to use their own smartphone for work if doing so meant agreeing that the enterprise could remotely wipe the device?

When an employee leaves one enterprise for another, would they agree to their device being wiped and potentially lose all their personal data?

Again, consider if a BYOD device were lost and a remote wipe initiated but, due to human error, the wrong BYOD device were wiped. If, in the process, a lot of the device owner's personal data were lost, what is the liability on the enterprise? Would the terms of a contract allowing remote wipe actually hold up in law in this situation?

Mobile device management (MDM) in the context of BYOD and smartphones is pretty much limited to email use, remote wipe of the device, formal signed user procedures and a change to an employee’s contractual terms and conditions.

GPS device tracking is something that could also be included, but might be deemed too intrusive for an employee. Adding tablet devices to the mix opens the possibility for BYOD to do more than email, but it risks the enterprise requiring quite invasive access to the device in order to ensure controls are in place that adequately satisfy legal and regulatory requirements.

Putting in place context-sensitive security (whether on a BYOD or enterprise device, with internal or external access) and web- or terminal-services-style presentation to a BYOD tablet (or PC, for that matter) can help with legal and regulatory compliance, but will not let an enterprise off the hook.

The enterprise will still need to undertake a level of due diligence with an employee's BYOD, such as formal signed procedures, contract changes and the ability to initiate a remote wipe.

The bottom line is that a move to BYOD requires careful thought and a very good understanding of the legal and regulatory requirements placed on the enterprise.

While MDM can help address the legal and regulatory issues of BYOD, it cannot eliminate them.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.