White Paper on Consumerisation and BYOD

Transcription

1 White Paper on Consumerisation and BYOD What is meant by Consumerisation and BYOD? The border between enterprise and private IT use vanishes increasingly. Many systems, programmes and services are now used both in enterprise and private environments. This development is referred to as consumerisation. Examples of this include: Staff members wish to use their private smartphones and tablets for work-related s, appointments and other work-related activities. Staff members are used to programmes such as the GNU Image Manipulation Program (GIMP) in private life and also wish to use them at work. Staff members privately use Internet services such as Dropbox to store data in the cloud or tools such as Doodle to coordinate appointments and also wish to use these services professionally. Under the generic term "consumerisation", the mixture of private and enterprise use of devices, programmes and services is discussed. This white paper focuses on the consumerisation of mobile devices such as smartphones and tablets. The topic which has become known under the abbreviation "BYOD" (Bring Your Own Device) is very closely related to consumerisation of the end-user devices. This term refers to strategies pursued by institutions to encourage their staff members to use their private devices for enterprise purposes or to even create financial incentives to do so. The particular feature of BYOD is that the consumer devices are under certain circumstances subsidised by the institution, but are the property of the staff members. Consumerisation and BYOD are thus closely related topics. This white paper focuses on consumerisation and provides an outlook for BYOD at the end. This document is intended for IT-Grundschutz users with the aim to sensitise and provide information about a current topic. The question as to which solutions can be implemented in a specific institution can only be solved on site taking all aspects into consideration. This document wishes to enrich the required discussion in this respect.

2 Which positive effects does the consumerisation of end devices have for an institution? There are different methods how consumer devices can be used in institutions. Some public agencies and companies, for example, increasingly include consumer devices in the range of products out of which the staff members can choose the required IT systems. Some companies grant their staff members each year an fixed amount for purchases, allow them to choose their devices freely and to use them for private purposes under certain conditions. The advantages of the different methods include for example: The satisfaction of the staff members increases when they can use current consumer devices, for example, because they are more user-friendly or are regarded as status symbols. The motivation of the staff members increases when they can participate in the selection of the devices and when their preferences for certain products are taken into account. It is easier to contact the staff members when they can also privately use their attractive and user-friendly professional consumer device, for instance. Staff members find it convenient to carry along only a single smartphone for enterprise and private purposes instead of several devices. Several institutions also consider it to be an incentive for consumerisation that the IT purchase costs are reduced at first glance when the consumer devices are purchased privately by the staff members and are subsidised by the institution. An economic efficiency analysis, however, must also comprise the generally higher costs for additional administration and security safeguards. Challenges for information security The increasing trend towards Consumerisation presents the information security management in companies and public agencies with great challenges which can be attributed to different areas. Consumerisation removes the border between private and enterprise use of IT systems. Thus, a number of problem areas must be clarified, for example, by whom and how are the devices maintained, administered and secured, which costs and liability risks are borne by the staff members and which by the institution, and who may use the devices for what purposes. The mixture of private and enterprise use results in specific threats to information security (see below). Using devices both privately and professionally result in different legal questions which need to be clarified. This includes, for instance, data protection. As there is, of course, private personal data on consumer devices which are used privately and professionally, central administration of the consumer device by the institution might be problematic and in conflict with data protection laws. Another area which must be clarified from a legal point of view is the one of software licensing. It may be possible that the license agreements of privately purchased software do not allow any enterprise use and vice versa. This barly scratches the surface of the different legal challenges. In any case, a comprehensive legal assessment must be carried out by the institution itself. Threats to information security In addition to possible advantages, consumerisation also involves several threats to information security which need to be dealt with by the institution and must not to be neglected. A basic problem with many consumer devices is that these devices are rather optimised regarding an attractive design and easy operation. In many cases, the configuration options and the existing security functions do not correspond to the state of the art of other devices used in an enterprise environment such as laptops. Thus, the institution's security policies such as the separation of users and central administration capabilities can often not be implemented or can only be partially implemented. Version 1.2 of 27/08/2013 Page 2 of 9

3 One of the greatest challenges for information security posed by consumer devices is the perforation and/or removal of the borders of the institution's information system. It begins with the fact that data of the institution worthy of protection is processed on consumer devices which, in most cases, cannot be secured as good as workstation computers. In addition to this, mobile devices are often used outside the institution's protected environment. For consumer devices, communication interfaces such as WLAN or UMTS can be switched off when they are not used. However, it is generally not possible without further ado to force that only secure network connections, i.e. by means of an encrypted VPN tunnel, for instance, are used. Moreover, users are not always informed when the VPN tunnel has been terminated unintentionally or due to an attack. VPN clients in the desktop area, however, are typically configured in such a way that a warning is displayed in such a case and the VPN tunnel is re-established automatically. Vulnerabilities in the operating system or the installed applications are a particular threat to consumer devices, since vulnerabilities on these devices are eliminated by the manufacturer with varying impetus or sometimes even not at all. There are several reasons for this: On the one hand, an update must usually be initiated by the user and does not take place automatically in the background. On the other hand, the significantly shorter innovation cycle of the consumer devices of approximately six months at the moment leads to a situation where the manufacturers' focus is rather on the introduction of new consumerdevices than on the long-term support for older devices. In addition to this, different versions of an operating system are often installed on the devices from different manufacturers used. In the case of Android, the operating system widely used for smartphones and tablets, each device manufacturer, for example, produces its own operating system version for the respective device types. Therefore, each device manufacturer must provide an accordingly adjusted patch for the respective operating system version. This can lead to the situation that consumer devices with operating systems with known vulnerabilities are used without a patch over a longer period of time. If no other security safeguard takes effect, the in-house IT operation may, in case of doubt, only lock out such devices from the institution's internal network. If many different consumer devices with different operating systems are used within an information system, it is usually not possible to implement all security requirements, as they are specified in the security policy, for instance, on all devices in the same manner. Not all consumer devices support, for example, a complete device encryption or allow the differentiated assignment of rights. Thus, there might be different security levels on devices which are actually to be used for comparable tasks. Security safeguards Security safeguards for consumerisation can be roughly separated in die aspects of organisation, technical safeguards on the device and connection to the institution's network. Organisational safeguards The level of consumerisation to be permitted in an institution is a strategic decision which must be accompanied by the Security Management in order to be able to control the risks. Important organisational safeguards include: The integration of consumer devices into the institution's information domain demands for a comprehensive strategy. As part of this strategy, the following questions must be answered: Which device types may generally be used and/or excluded from being used? Which operating systems should be used and which operating system should not be used? Which staff members may use consumer devices for what purposes? What information with what protection requirements may be processed using these devices? What information may be communicated by means of which channels? Based on these strategic decisions, concepts ensuring the secure operation of the consumer devices within the institution must be developed. When it has turned out that the protection requirements of the information to be processed cannot be secured by means of the achievable security level of the consumer devices used, the use of consumer devices must be restricted or prohibited. Version 1.2 of 27/08/2013 Page 3 of 9

4 It is necessary to specify how consumer devices are administered within the institution. Consumer devices are characterised by a high level of mobility and a wide variety of device types and operating systems. The devices should be administered centrally as far as possible. For this purpose, it is useful to use a programme for central administration, i.e. for Mobile Device Management (MDM), by means of which it is also possible to separate the private and enterprise areas of these devices from each other. When selecting a MDM system, it must be checked if the consumer devices used can be controlled by the respective MDM systems in an adequate manner and if the specified security policies can thus be enforced. Whether or not this is indeed possible depends heavily on the device and the operating system used on it. For ios, each MDM system uses, for example, the so-called "Configuration Utility". Therefore, a MDM system cannot adjust more settings than provided by this interface. For Android, an app of the MDM system is installed on the device. By means of the rights granted for this app, it is defined which specifications can be made by the MDM for this consumer device. Additional security is not ensured by the central MDM system itself, but by additional applications operating together with the MDM system. Many MDM systems offer an app which provides an encrypted container into which a separate browser, the enterprise phone directory and a separate client for enterprise s have been integrated. By selecting the specific consumer devices and the specific MDM system, it is defined which security level can be achieved using the managed devices. Theoretically, additional safeguards could be implemented directly an den individual devices, but this increases the administrative effort to a significant extent and it cannot be ensured without further ado that these settings are not changed again by the users. Since mobile devices get lost more often than stationary systems, both preventive and reactive organisational precautions must be taken on how losses and thefts are to be prevented and/or dealt with if the worst comes to the worst. For this purpose, clear policies must be defined by the institution. On the preventive side, typical safeguards such as "full encryption" and "good password choice" and/or "lock in the event of inactivity" within an adequately short period of time have already been mentioned in the White Paper on Smartphones and/or in the IT-Grundschutz Modules Mobile Telephones and PDA. Typical reactive safeguards are remote deletion, remote locking and locating of a lost device. In general, these functions are implemented by third-party-provider applications which usually include additional security functionalities such as virus protection, secure browsing environment and firewall. When planning these safeguards, it must be ensured that these services in general require that the device is switched on and that the SIM card was not removed. If a thief has removed the SIM card, the device can only be located by means of special services using the International Mobile Equipment Identity Number (IMEI Number), but can no longer be deleted. For this reason, additional technical anti-theft safeguards should be taken on the device (see below). For each loss, the deleting, locking and locating functions should be initiated by a service centre of the institution, as this requires usually a computer with an Internet connection and browser which might not necessarily be available to the staff members. It must be decided at what times this service centre is to provide its services (for example 24/7 or 8/7) and it must be ensured that all staff members with mobile devices know the contact details of this centre. For any times at which the central service centre is not available, staff members should be able to initiate appropriate safeguards themselves, e.g. by means of a web service. In addition to this, the access of lost or stolen devices to the network of the institution should be locked. Moreover, it must be specified how recovered devices are to be dealt with. It is recommended to use special programmes to delete any data on these devices, to reset them subsequently to the factory settings, re-install them completely and to re-configure them afterwards. However, they should at least be checked thoroughly for malware. If necessary, these devices should also be examined for manipulations to the hardware. Staff members must be specially trained and sensitised for the information security for consumer devices, as the threat scenario of consumer devices such as smartphones differs from the threat scenario of business devices such as laptops. In particular, the staff members must understand why the various security safeguards are necessary so that they do not circumvent them, when they consider them to be to restrictive. The staff members must also know which types of information may be processed using these devices and what protection requirements of this information are. Furthermore, staff members must know what they have to do when the devices are lost or stolen and how the existing services by means of which a device can be locked, deleted and located, if any, are operated. Version 1.2 of 27/08/2013 Page 4 of 9

5 Technical safeguards on the device On the consumer device, private and enterprise data and applications must be strictly separated from each other. Enterprise data such as phone directories or files may not be transferred to privately used synchronisation or cloud storage services. On the other hand, the institution may not read any private information such as private phone directories, s, authentication data for web services or images of the camera without authorisation. Based on the selected strategy and protection requirements of the data to be processed with the device, a suitable MDM system (see also the publication (in German only) on cyber security on the MDM topic at and, thus, the adequate technology for the separation of private and enterprise areas must be selected. There are different options to separate private and enterprise areas which each have different advantages and disadvantages: In the simplest case, an application managing a data container with all enterprise data and accesses is installed on the devices. This application must be designed for all enterprise activities. This means that it must contain enterprise groupware ( , appointments, contacts, tasks) and a separate browser and automatically establish an encrypted connection to the institution. The separation of different applications, however, is made exclusively by the operating system. Therefore, the effectiveness of this separation depends on the operating system used and its access control options (Mandatory Access Control, MAC) and, thus, differs from system to system. For this version, it is generally not necessary to intervene in the operating system itself and it is available for different operating systems. Irrespective of the manufacturer of an application used to separate private and enterprise data, the application should encrypt the enterprise data in the container and to prevent the from being accessed by other malicious applications, if any, when using the mobile device for private purposes. It may be useful that, together with the Security Management, the IT operation prepares an exclusion list (blacklist) of applications having functions or rights which might be a threat to the information security of enterprise applications. A good starting point might be to include in this exclusion list all applications requiring certain rights which are classified as critical by the Security Management. In addition to this, users should have to authenticate themselves successfully before accessing the container. Any connections to the network of the institution must be secured cryptographically. Any solutions which do not support such security safeguards do not offer adequate protection and, thus, should not be used. Another option to protect the information of the institution is to also leave this information on the servers of the institution during processing. In this case, merely an user interface is provided on the client which serves the application to process the information on a server of the institution by means of a secured network connection. The corresponding programme on the consumer device must be configured in such a way that the data cannot be stored locally. These thin clients or server-based solutions have also been used in the desktop area for a long time. In order to ensure that a server-based solution works, however, an Internet connection with the required bandwidth must be available at each time of use. Moreover, the service must be adjusted to the general requirements of a smartphone or tablet (touch screen instead of mouse and keyboard). Pure groupware applications can also be provided without an own thin client application by means of a web service for the browser in the smartphone or tablet, which can only be accessed from the internal network via VPN. Another option to separate private and enterprise areas on consumer devices is to operate these areas as different virtual machines on a single device. Unlike the first solution, the private and enterprise area is not separated on the application level for the virtualisation, but on the level of the operating system. The interfaces which are made otherwise available by the operating system with its existing access control mechanisms between applications are removed by this method. Any data between the two virtual machines can only be exchanged by means of the underlying virtualisation layer in the form of the hypervisor (also referred to as Virtual Machine Monitor, VMM). In addition to this, own applications can be installed and operated separately in the individual virtual areas. Thus, the users' needs to install and use their own apps can also be taken into account. In this case, an exclusion list for applications is usually not required, as the applications only work in a virtual machine and, thus, applications in the private area cannot access data and applications in the enterprise area. Version 1.2 of 27/08/2013 Page 5 of 9

6 Which of the security solutions presented above is considered appropriate depends on the specific use case. In general, however, the following can be said regarding the presented solutions: A virtualisation solution provides given the appropriate quality of the hypervisor a higher level of security than a container solution. On the other hand, virtualisation solutions have the following advantages: The intervention in the operating system is very deep or it is even necessary to replace the operating system. This is prohibited by many device manufacturers or disabled by means of technical safeguards. As a general rule it can be said that for all device manufacturers, the warranty for the consumer device voids with such an intervention in the operating system. In general, a virtualisation solution increases the power consumption significantly in such a way that the rechargeable battery discharges considerably faster as compared to a device without virtualisation. A virtualisation solution cannot be realised on all consumer devices, since several device drivers are not available. A container solution offers a lower level of security than the virtualisation solution, but, in turn, the intervention in the operating system is less deep so that the warranty for the consumer device does not usually void. Both for the container and for the virtualisation solution, private data might be included unintentionally by the institution when performing data backups. For the virtualisation solution, this is less likely than for the container solution, as the separation between the private and enterprise area is implemented more strictly for the virtualisation solution. For the thin client solution, however, this is excluded, as no enterprise data is stored on the consumer device and, thus, do not have to be secured either. A thin client solution needs a permanently available Internet connection with the required bandwidth. This cannot be guaranteed throughout Germany and high costs usually arise abroad due to data roaming charges. Short-term connection failures might interfere with the applications on the server and data might be even destroyed. Furthermore, the permanent data connection increases the power consumption considerably reducing the service life to the next re-charging. In addition to the solutions above to separate private and enterprise data, other concepts are also being discussed at the moment. For example, a completely new operating system could be installed on the consumer device, which is equipped with a particularly hardened kernel and realises the separation between private and enterprise data by means of more restrictive and stronger access control mechanisms. Moreover, a dual-boot solution is being discussed, for which a second, specifically secured operating system is started from a separate memory card whenever needed. How good the actually provided security of the concepts referred to above is, however, cannot be estimated in advance and, in addition to the promising idea, depends on the specific implementation. Apart from these technical safeguards to securely control the consumer devices in the information system of an institution and to separate the private and enterprise area, there is still a whole range of other technical safeguards which have already been the listed in the IT-Grundschutz White Paper on Smartphones (in German only) and should be implemented. Depending on the public agency's or company's level of security requirements or other requirements, it might occur that there is too high risk for information security despite the safeguards taken. In this case, the use of consumer devices in the institution's information domain must be adequately restricted or prohibited. Safeguards for the secure connection to the institution's network In order to counteract the threats to information security when connecting consumer devices by means of insecure networks to the institution's network, the following safeguards should be taken: The connection between the consumer device and the institution must be encrypted, e.g. by means of an encrypted VPN tunnel. This is the only way to prevent that it is possible to eavesdrop on the information from the data connection. Version 1.2 of 27/08/2013 Page 6 of 9

7 The consumer devices should be placed in their own network segment which is separated from the network segments of the other workstation computer. This separation should be designed in such a way that the consumer devices can only communicate with the necessary components in the network (for example, the groupware server). This is the only way to prevent that consumer devices, which are more insecure as a matter of principle, compromise the other workstation computers. All server services which must be included in the information domain of the institution due to the consumer devices should also be placed in their own network segment as far as possible. The data transmission to other servers and clients in the information domain and to the Internet should be restricted to the minimum necessary and monitored as far as it is possible in accordance with the data protection laws in order to ensure that information worthy of protection cannot leak to unauthorised parties. Only consumer devices permitted to be used for this purpose should be allowed to connect to the network of the institution. This is the only way to ensure that only approved devices have access to the institution's network and that access is denied for any lost or stolen consumer devices. It should be documented in an understandable manner at which time which consumer devices were connected to the network of the institution. For consumer devices, too, the devices must include an up-to-date virus protection (which is currently not possible for ios) and the approved operating system updates. It must be possible to check that the devices comply with these and all other security policies specified by the institution. Any devices which do not meet these policies, may not be granted access to the institution's network or must be placed in a separate quarantine network. As a general rule, there have already been possibilities for institutions to establish a connection to the institution's own network via VPN which can also be expanded to also integrate the new consumer systems to be connected taking the network segmentation into account. Special security instructions are included in the Module 4.4 VPN of the IT-Grundschutz Catalogues. In general, today's consumer devices are VPN-capable and, in most cases, even allow a certificate-based authentication for network access control. The other recommendations above can be implemented by means of network access control and the selected MDM system. In general, network access control consists, apart from the authenticator and authentication server, of another server service checking whether the consumer device complies with the safety policies. In addition to this, this server service can react to any violations and, for example, lock an unpatched consumer device in a specific quarantine network segment and, thus, keep the risk for other consumer devices in the institution's network at a minimum. In order to check whether a consumer device complies with the security policies specified by the institution, the consumer device must be either scanned from the outside or equipped with a so-called agent checking the device locally and providing the server with the required information. This agent is either a part of the MDM system or a part of the operating system and can configure the consumer device in the event of deviations in such a manner that it complies with all security policies. More detailed information on the topic of network access control can be found in the IT-Grundschutz white paper on network access control (in German only). Bring your own Device (BYOD) Bring your own Device refers to strategies for which staff members are allowed to bring and use their own IT devices in the institution. As compared to consumerisation, BYOD also permits the use of consumer devices in the information domain of the institution, which do not belong to the institution. All threats to information security referred to in this white paper are basically also relevant when a BYOD strategy is implemented in the institution, since IT devices from the private customer area are used in an enterprise environment both for consumerisation and BYOD. However, it is significantly more difficult to implement security safeguards for BYOD, since experience has shown that many users are not willing to accept any restrictions regarding the use of their own devices or to allow their employer to access the device. Especially security safeguards requiring any intervention in such a way that the warranty for the device expires can usually not be implemented. In addition to this, the heterogeneity of the consumer device park increases when a BYOD strategy is implemented. Version 1.2 of 27/08/2013 Page 7 of 9

8 Therefore, for BYOD considerations, it must be first clarified whether such a strategy is compatible with the security requirements of the institution and which general requirements would have to be complied with and whether the staff member still accept BYOD when these general requirement are to be complied with. When a BYOD strategy is not compatible with the security requirements of the company or of the public agency and/or the necessary general requirements are not accepted by the staff members, it is usually not possible to implement BYOD in this institution. From a security perspective, BYOD may neither mean that any desired consumer devices may be used without any restrictions. Typical and often implemented solutions include: Restriction to selected consumer device types: Only a few institutions will be able to administer unlimited numbers of different consumer device types, operating systems and applications and to keep an eye on their security. Therefore, the type of the approved consumer devices should also be restricted for a BYOD strategy, depending on the resources of the IT operation. Identification of user types: The different user types should also be identified. Not all staff members wish to use their own devices by all means and the motivation to wish to do so can also vary greatly. Therefore, it might be useful to create rules which are specifically adjusted to different groups of people. IT-affine people can, for example, also implement security safeguards requiring explanations and for which they have to become active themselves. Many staff members often wish to only check their appointments or to work on the Internet. For this purpose, solutions in accordance with the security policies can be easily found in most cases. Wishes to be able to execute administrative remote access using a smartphone are considerably more difficult to be satisfied from a security perspective. By means of a BYOD strategy, the staff members are assigned a high level of responsibility not only for the security of the consumer devices, but also for the overall security of the institution. This loss of control must be outweight with a valid confidence of the institution in the staff members' sense of responsibility. Grounded on this confidence, clear regulations must be agreed upon by the staff members and institution. Here, the staff members must assure that up-to-date virus protection programmes (where available) are used on the consumer devices, all security patches are installed promptly, each consumer device is only used by the respective staff member, the access to the consumer devices is protected adequately, e.g. by means of strong passwords, and all locally stored data are encrypted. Other aspects taken into account in this agreement should be as follows: The staff members must report immediately when consumer devices which were also used for enterprise purposes have become lost. Such a report should also be sent even if an consumer device cannot be found only for a certain period of time. The institution should find out whether staff members can be motivated by means of the institution's own provided service to delete, lock and locate consumer devices to report any losses quickly. It should be clarified which applications may be run on the consumer device and which are explicitly excluded. For this purpose, there could be a list in the Intranet, for instance. Many MDM solutions offer functions to allow and/or exclude special applications. Moreover, there should be a process adding and/or removing applications to and/or from these lists. It must be explicitly prohibited that the users root the consumer devices or execute a jail break or any other deeper intervention in the device. It must be specified which data the staff members may synchronise with other devices or services on the Internet. Here, a strict separation of private and enterprise data must be ensured. The institution should obtain the permission to carry out automated scans of the consumer devices as part of network access controls in order to be able to check that the consumer devices comply with the security policies. It must be specified how enterprise data is processed on the consumer devices when they are no longer used for enterprise purposes or when a staff member leaves the institution permanently. Version 1.2 of 27/08/2013 Page 8 of 9

9 In addition to this, the institution must define in such an agreement that it informs the staff members at regular intervals on current threats caused by mobile consumer devices as well as on any required security safeguards. Conclusion The increasing enterprise use of consumer devices from a private environment due to consumerisation and BYOD results in great challenges not only for information security, but also for data protection. This must be considered as a strategic challenge and organised by the administration/management level of each institution in a sensible way. As described in this white paper, technical safeguards alone are not sufficient, but must be accompanied by organisational safeguards complying with the overall strategy of the institution. In doing so, the responsibility for the information security increase due to consumerisation must be adequately taken into account for the staff member in this overall strategy. It should always be questioned whether or not the business processes and their protection requirements allow using consumer devices such that the associated information are processed securely, inconformity with the law, economically and in an easy-to-handle manner. Depending on the given general requirements, this may also mean that consumer devices cannot be used within the institution or can only be used in the information domain of the institution in a restricted manner. Further IT-Grundschutz publications on the topic White Paper on Smartphones (in German only) White Paper on Network Access Control (in German only) The BSI is often addressed regarding wishes for IT-Grundschutz Modules which cannot be realised promptly for several reasons. In most cases, specific security recommendations are required for current new approaches, technologies or applications, by means of which security concepts based on IT-Grundschutz can be expanded in a quick and flexible manner. These white papers intend to promptly present solutions on current topics. If you have any comments and suggestions, please contact: grundschutz@bsi.bund.de Version 1.2 of 27/08/2013 Page 9 of 9