BYOD: multi-faceted security needed

Bring Your Own Device (BYOD) is a reference to the use of mobile devices in the workplace (Olalere, Taufik, Ramlan, & Azizol, 2015). BYOD is a popular technology option because it reduces corporate expenditures on Information Technology (IT) and improves employee accessibility. From a security perspective, BYOD is a challenge to comprehensive control of corporate information assets given inconsistent device-level security standards. BYOD is also a legal challenge to the individual privacy and maintaining compliance with employment laws (Mavretich, 2012). Ideally, BYOD standards address a range of issues such that organizations can leverage a framework to achieve business objectives supported by more granular security-specific objectives.

The key to successful BYOD security and governance begins with moving beyond BYOD as a device-level issues. Mobile technology encompasses a collection of technologies that work collaboratively to offer a range of services in a single device. Mobile-related technologies include mobile device technology, web application technology, and cloud-related technology. Security for this distributed information ecosystem is as important as security for a single device. For BYOD, securing the ecosystem also reduces risk for businesses since there are more checks-and-balances across the systems where data is stored, processed and transmitted (Jansen, Gavrila, Korolev, Haute, & Séveillac, 2012).

Mobile Device Security. Mobile devices may serve as a comprehensive singular source of information regarding an individual, and this may include information assets belonging to an employer workplace (Olalere, Taufik, Ramlan, & Azizol, 2015). Security practices for individuals vary greatly and reliance on an individual to maintain security best practices is a moderate security challenge for organizations. This includes security, compliance, privacy and legal issues (Mavretich, 2012).

Web Application Security (Foundational Technology Adoption). Mobile devices rely upon the Internet to provide information services. Without the Internet, a mobile device is akin to a traditional laptop computer. Internet technology has significant insecurity and the delivery of strong security is dependent on the application of many technologies such as Secure Socket Layer (SSL) transmission of data to an Internet browser. BYOD security risks include Internet-related threats and vulnerabilities.

Cloud Security. Cloud security is part traditional web-application security and newer data center and Web 2.0 security. Cloud infrastructure and services empower mobile devices with powerful computing services so that mobile devices can nimbly store a plethora of applications for different services such as maps, restaurant ordering and music while not carrying the weight large software files or the related computing demands. Cloud-security covers a broad range of infrastructure options, and the challenge for mobile device security is enusuring the interfaces between mobile devices and cloud service providers are secure Probst, Sasse, Pieters, Dimkov, Luysterborg, & Arnaud. (2012). Assurance of privacy protections for sensitive information (e.g., credit card data) is also an important element shared by cloud and mobile technologies.

BYOD Security Standards

The best security standards will be a complementary set of standards that address the mobile technology ecosystem.

  • For mobile devices, security standards should address the device and device uses such as cloud-account authentication. This enables a point of origin for user activities and creates a correlation between a user and activities across a diversity of cloud-based accounts and services  Reducing the number of channels between an individual, a device and user activities streamlines controls, investigations and remediations.
  • Mobile device security should address access controls and information storage protection (Jansen, Gavrila, Korolev, Haute, & Séveillac, 2012). Access controls include the use of password and biometric authentication. Access controls also include encryption for storage. Encryption should employ layers of protection to protect data and users.
  • Web-application security should utilize traditional best practices that are adapted for mobile device technology. This includes penetration-testing standards as well as secure software coding standards (Davis, 2006). Penetration testing and vulnerability assessment should be incorporated into the software development lifecycle. For example, data should be sent over SSL for secure transmission. Mobile device application testing should account for the use of SSL. The Open Web Application Security Project (OWASP) standards provide an extensive foundation for web-application security testing and software coding best practices (OWASP, 2016).
  • The risks associated with cloud technology overlap with mobile device technology with respect the transmission of data and sharing sets of related information. As mobile devices and software are analyzed for security risks, connectivity to the cloud services and data storages should be reviewed and tested at the mobile device level to ensure reasonable security measure are acceptable and functional. Mobile device data that is stored in the cloud should be validated for confidentiality, availability and integrity of information (Probst, Sasse, Pieters, Dimkov, Luysterborg, & Arnaud 2012). Since information is shared, information storage practices should be consistent.

References:

Davis. (2006). Secure software development life cycle processes. Carnegie Mellon University. Retrieved from https://buildsecurityin.us-cert.gov/articles/knowledge/sdlc-process/secure-software-development-life…

Jansen, Gavrila, Korolev, Haute, & Séveillac. (2012). Unified framework for mobile device security. National Institute of Standards and Technology (NIST). Retrieved from http://csrc.nist.gov/groups/SNS/mobile_security/documents/mobile_devices/PP-UNIsecFramework-fin.pdf

Mavretich. (2012). Legal issues within corporate “bring your own device” programs. Retrieved from https://www.sans.org/reading-room/whitepapers/legal/legal-issues-corporate-bring-device-programs-34060

Olalere, M., Taufik, M., Ramlan, A., & Azizol Abdullah, M. (2015). A review of bring your own device on security issues. Retrieved from http://sgo.sagepub.com/content/5/2/2158244015580372

Open Web Application Security Project (OWASP). (2016). OWASP testing project. Retrieved from https://www.owasp.org/index.php/Category:OWASP_Testing_Project

Probst, Sasse, Pieters, Dimkov, Luysterborg, & Arnaud. (2012). Privacy penetration testing: How to establish trust in your cloud provider. In European data protection: In good health? (pp. 251-265). Springer. Retrieved from http://www.springer.com/us/book/9789400729025