Hidden Costs – compliance, ownership and the strategic mismanagement of BYOD

By Jamal Elmellas, Technical Director, Auriga.

Monday, 31st March 2014. Posted by Phil Alsop.

Mobile working has transformed the way we work, allowing the user to access the corporate network and sensitive data while on the move. But keeping pace with advances in handset design and processing power has always been a challenge for the enterprise. Bring your own device (BYOD) and, more recently, choose your own device (CYOD) seem to have addressed this problem, and mobile computing has continued to flourish. No longer tied to long replenishment cycles, organisations are able to reap the benefits of advances in communications while reducing ownership and maintenance costs.

Yet BYOD has brought with it other problems, chief among them the thorny issue of how to secure corporate data on a device the organisation does not own. Efforts to date have focused on channelling access and protecting data, and many have sought purely technological solutions to these problems. Scant regard has been given, however, to how BYOD is integrated strategically, or to the legal and regulatory repercussions of riding the airwaves.


Game-changer
BYOD is a game-changer that takes the mobility strategy to the next stage. Shifting the IT landscape in such a monumental way can be hugely detrimental if you get it wrong. Security - specifically availability and confidentiality - must be at the forefront of the IT manager's mind, closely followed by integration, but there are additional aspects that are often overlooked as the organisation makes the transition to a mobility solution. From regulatory and legal ramifications to the value of the data being shared over these platforms and the impact on the user, mobility is more than just an additional mode of access and requires careful management.
Of course, technology has to be a prime consideration. Managing devices in the field and securing the data that traverses those systems and their underlying technologies is paramount. An effective way of managing BYOD deployments is with integrated security mechanisms, which simplify and reduce the cost of security and service management while reducing the margin for error that comes with a patchwork of disparate controls. By ensuring that the security mechanisms, and not only service management, are integrated with the mobile service or provider, organisations reduce the risk of introducing new vulnerabilities and additional security overheads. One seamless authentication scheme is safer and easier to manage than two disparate systems: there is one set of credentials to protect, one place to enforce policy and one place to revoke access when a device is lost or an employee leaves.


Technology versus strategy
However, BYOD is more than just a technological problem, even though it is often seen as only that by the IT professionals who tend to dominate the discussion. Governance and compliance are also essential aspects, and they are frequently overlooked. BYOD is fundamentally a business-driven project: ultimately the aim is to harness a technology to enhance the business, so it's important to address it as a form of change. The right people need to be involved from day one, so as well as IT you need representatives from the legal department and those who deal with policy. The prime initial concerns should be how to secure business data, who owns the device, and the legal aspects of both. Only then does it become feasible to find a technological fit and begin to address other concerns, such as geographical location, connectivity mechanisms and intended use.


Even then, there are strategic decisions to be made in order to determine the right technology for the job. Take separation of data, for instance. The majority of products on the market offer assured separation that allows users to use their own equipment while keeping critical business assets apart from private use. But how far should you go with separation? Are you content with a degree of sandboxing, where your files are allowed to go off-site and reside on that particular device under some form of device management? Or is the asset too sensitive for that, in which case you may opt for a solution that sanitises the device, removing the corporate data, before it is allowed to go off-site?


There are many devices, software vendors and hosting partners to choose from. Picking the right one based on where you are today and what you want to achieve is the key consideration. If it's BYOD an organisation is pursuing, there are big-name solutions but also agile alternatives, and all claim to do things differently. For example, some are agentless, some are cloud-based and some are on-premise server-based. Some favour secure cloud-based DaaS or SaaS services accessed via a centrally managed 'sandboxed' mobile device in combination with joined-up security mechanisms.


It's also advisable to pursue commercially astute contractual negotiations with both staff and suppliers. Managing the devices via an MDM solution, while minimising the impact of data loss and system outage through the use of highly available, geographically agnostic cloud hosting, also works well. This must be done while considering how to maintain any IDS/IPS capability, the need to federate authentication and authorisation, and the integration of service and incident management.


Policy equals prevention
One of the most common areas organisations fail to address is compliance, including adherence to licensing terms. Stay legal. Consider your existing ISMS and policy stack and tie those policies into the BYOD project. For example, data retention and deletion should be considered as part of data loss prevention (DLP): copies of information assets held on personal devices, particularly those containing personal information, may outlive the retention periods set by policy. It's not just a technological project, and data retention is an example of that. Similarly, users installing apps from an app store for business use may be in breach of licensing conditions, so that needs to be tied into the organisation's licensing structure.


When it comes down to it, in any legal dispute device ownership will be at the heart of the matter. Who has ownership and rights over the device in the event of an investigation or litigation? Incident Management (IM) is invaluable in this regard, but is again often overlooked. It plays a key part because the device acts as an extension of your environment, so you need to make sure your IM policies and procedures cover devices that don't necessarily belong to the organisation. We recently developed a co-connection (or usage) policy and spent two to three weeks with the project team discussing a single paragraph: the one telling the user that the organisation had rights over that device if it suspected the device had been used for malicious purposes or if it formed part of an ongoing investigation. Our advice is to make sure the user understands, and is told explicitly from the word go, what will happen if the device is required for an investigation. This has to be made clear prior to use and should feed into the forensic readiness aspect.


Another top issue that is often sidelined is whether posture validation will interfere with the device's native use. If it is selected as a control, the project team often asks: what do we do if posture validation finds a piece of software on the device we don't agree with? Removing that software from the device, or asking the user to do so, may prevent the user from using the device as they wish, potentially causing disruption. The organisation should assess this within the context of its risk appetite and stick to the decision. Deviating from it could see inherently insecure software permitted and brought onto the information estate, potentially compromising other data assets or even the organisation itself.


Get it in writing
Dotting the i's and crossing the t's is vital. Have you covered all aspects of how data is treated at rest and in transit? We recently conducted a review of a CRM supplier which included a contractual assessment covering both Human Resources and the organisation's suppliers. Although they had considered the integrated security mechanisms protecting data at rest and in transit for both mobile devices and hosted applications, they had missed two critical elements. They had neglected to state in the BYOD strategy that the device must be made available for sanitisation once employment is terminated, and we also discovered that the file-sharing platform in use gave the supplier the right to use the data as it wished. This proves that while IT is a very important wheel in the mobile machine, mobility must remain a business strategy, not an IT strategy.


Consider also the type of data you are allowing users to travel with. Is it permitted in the country of destination? Even if the data itself is permitted, you may find that the software or encryption methods you are using are not legal elsewhere, since a number of countries restrict the import or use of cryptography. Is it in the interests of your organisation to let that data travel abroad? If it's not essential, restrict access to, and the movement of, that data. And protect your back legally: it is often worth widening your policies to include these considerations to avoid litigation.

BYOD empowers users and the organisation, but to avoid being crippled by compliance, end-user confusion or mismanagement, it requires balanced and business-led governance. This must include central device management; business-wide policy development involving HR, ICT, Legal and other teams; clear and comprehensive cradle-to-grave usage policies; effective, non-intrusive endpoint security (not so restrictive that users become frustrated and the BYOD project stalls); and a better understanding of the sensitivity of data through the data classification policy. BYOD is more than the sum of its parts, and anyone treating it as a purely technological issue risks encountering these and other hidden costs.

Jamal Elmellas can be contacted at jamal.elmellas@aurigaconsulting.com.