Bring your own device (BYOD) security challenges

BYOD is a business policy which encourages employees to bring their personal devices (laptops, tablets, mobile phones) to the corporate environment and perform business tasks with them.

The advantages for the business are attractive: it allows companies to save money on high-priced devices and to avoid responsibility if they are damaged, broken, lost or stolen. Moreover, it allows users to work with the technology of their choice, the one they feel most comfortable with, which increases productivity and makes the working experience more pleasant.

However, system administrators, network architects and security officers are facing a scenario which was unthinkable just a short time ago: introducing alien, untrusted devices into the network and allowing them to connect to business resources.

This is a major challenge.

Up until now, IT managers tried to configure the internal systems in a controlled manner, whereby a well-defined perimeter enforced logical access control on the business resources. Moreover, only authorised devices were allowed to successfully authenticate and gain access to these resources.

Obviously, there is no single best line of action to overcome this challenge, as networks, systems and trust models are different in each company. However, there is one important rule of thumb: treat the device as if it has already been compromised, with a key-logger and a network sniffer running at all times. After all, chances are that you are right in your assumption.

The decision on how much trust the business should grant to the device depends on its appetite for risk. I would personally be inclined to grant zero trust. However, as with every decision affecting corporate security, a risk assessment should be performed and a decision made.

There are a number of obstacles that need to be overcome in this kind of deployment:

There is no magic bullet which will solve all the issues explained above. However, there are a number of approaches which can limit a potential security breach originating from the device. Every approach should focus on minimizing the impact of the BYOD device being compromised and running malicious software.

There are known risks in BYOD initiatives.

All in all, security in BYOD projects requires detailed planning which may involve significant architecture changes in the way users access business resources. It is important to understand the risks and challenges, to perform a risk assessment, identify the amount of trust granted to the BYOD devices and deploy a solution which minimizes potential compromises.
