CMSGu2014-01
Mauritian Computer Emergency Response Team (CERT-MU)
SECURITY GUIDELINE 2011-02
Enhancing Cyber Security in Mauritius

Guideline on Safe BYOD Management

National Computer Board Mauritius
Version 1.0
June March 2011 2014
Issue No. 41
Table of Contents

1.0 Introduction ... 4
1.1 Purpose and Scope ... 4
1.2 Audience ... 4
1.3 Document Structure ... 4
2.0 Background ... 5
3.0 The Risks of Bring Your Own Device (BYOD) ... 6
3.1 An Alternate Way for Malware to Penetrate the Corporate Network ... 6
3.2 Hacker Threats ... 7
3.3 BYOD Brings More Complexity to IT Management ... 7
3.4 Corporate and Personal Data Mix on One Device ... 7
3.5 Loss of Mobile Device ... 7
3.6 Risks from Other Devices ... 8
4.0 Mobile Device Management (MDM) ... 9
4.1 What is MDM? ... 9
4.2 Components of MDM ... 9
4.3 Mobile Device Lifecycle Management ... 10
4.4 When is MDM Required? ... 11
4.5 Guidance for Selecting a MDM Solution ... 12
4.6 MDM Solutions ... 13
4.7 Deploying a MDM Solution ... 13
4.8 Sample Mobile Device Security Policy ... 17
5.0 Conclusion ... 19
6.0 References ... 20
Appendix A ... 21
List of Acronyms ... 21

Guideline on Safe BYOD Management Page 2
DISCLAIMER: This guideline is provided as is for informational purposes only. Information in this guideline, including references, is subject to change without notice. The products mentioned herein are the trademarks of their respective owners.
1.0 Introduction

1.1 Purpose and Scope

The purpose of this guideline is to give organisations an insight into the risks associated with Bring Your Own Device (BYOD) and how the adoption of a Mobile Device Management (MDM) solution could help in mitigating some of those risks.

1.2 Audience

The target audience for this document includes CIOs, CISOs, information security staff, system administrators and all other relevant parties involved in the maintenance of the IT infrastructure or the safeguarding of information in an organisation.

1.3 Document Structure

This document is organised into the following sections:

Section 1 provides an overview of the document's content, the targeted audience and the document's structure.
Section 2 gives background on Bring Your Own Device (BYOD).
Section 3 presents the risks of Bring Your Own Device in an organisation.
Section 4 gives a description of Mobile Device Management (MDM), recommendations for choosing one, a step-by-step deployment of an MDM solution and a sample Mobile Device Security Policy.
Section 5 concludes the document.
Section 6 consists of a list of references that have been used in this document.
Appendix A provides a list of acronyms that have been used in the document.
2.0 Background

Nowadays the business environment is fast moving, and companies that are able to provide their employees with rapid and convenient ways to access corporate data and systems through mobile devices have the potential to boost efficiency and business agility. However, even with the significant benefits of enterprise mobility, there are security issues such as leakage of corporate data, malware infection and hacker threats that need to be addressed, so that the business mobile access initiative does not compromise corporate systems and data and still abides by the company's policy.

Since there is a growing interest in BYOD (Bring Your Own Device), whereby employees are allowed to use their own mobile devices such as tablets, smartphones and laptops, there has been a lot of focus on the additional benefits that BYOD can bring to both employers and employees. The benefits of using personally owned devices for mobile access include:

- There is an increase in productivity and innovation, since employees are more comfortable with their personal device and become expert in using it.
- Personal devices tend to be more cutting-edge, so the enterprise benefits from the latest features. Users also upgrade to the latest hardware more frequently.
- BYOD shifts the cost towards the user: employees pay for the mobile devices and data services, resulting in reduced hardware cost for the organisation.
- Better employee satisfaction through the freedom of choosing their own device; allowing them to do so also helps them avoid carrying multiple devices.
3.0 The Risks of Bring Your Own Device (BYOD)

Usually businesses will not run their IT infrastructure without the proper security technologies in place. Unfortunately, businesses and their employees are less aware of the security risks and issues associated with corporate use of mobile devices. People often get the impression that the only inconvenience of losing a mobile phone is the loss of a list of contact details, and that in no case will it affect the security of their employer. With today's fast-changing technology landscape this is no longer the case, as mobile devices have become small and powerful computing devices with network connectivity. The list below describes the hardware and software features of a mobile device:

- Mobile phones have at least one wireless network interface for Internet access. The technology normally used for this interface includes Wi-Fi, cellular networking such as General Packet Radio Service (GPRS), 3G and 4G, or other technologies that connect the mobile device to network infrastructures with Internet connectivity.
- High-capacity built-in and removable data storage.
- An operating system that is not a full-fledged PC operating system but still offers a lot of functionality.
- Applications which are available through multiple methods, such as from app stores or third parties.
- Features for synchronising local data with a remote location (desktop or laptop computer, organisation servers, telecommunications provider servers, other third-party servers, etc.).
- One or more digital cameras.
- Microphone.

3.1 An Alternate Way for Malware to Penetrate the Corporate Network

Businesses are likely to have implemented security that protects all endpoints within their corporate network, including firewalls that prevent unauthorised external access to corporate systems. Allowing smartphones and other mobile devices to access business systems and data means that these devices will bypass the firewall. If those devices are infected with viruses or Trojans, this will introduce security issues within the corporate network.
3.2 Hacker Threats

Hackers are always on the lookout to exploit unpatched vulnerabilities within operating systems and commonly used applications, in order to gain control of mobile devices and steal sensitive data such as passwords or corporate proprietary data. When employees connect their mobile devices to their corporate desktops or laptops, there is a risk that data might be stolen.

3.3 BYOD Brings More Complexity to IT Management

Nowadays, an employee may be using two or three mobile devices for accessing the corporate network. The challenge for the IT and security departments is to implement strategies to manage mobile security across a wide range of devices and operating systems, such as:

- Android
- iOS
- Windows Phone
- BlackBerry
- Symbian

3.4 Corporate and Personal Data Mix on One Device

There is always a possibility of security risks when personal data and corporate data are stored on the same mobile device. For example, a user may download an infected game app for personal use, and this could infect corporate data found on the mobile device. Another example is when an employee leaves the company: it can be difficult for the business to remove corporate data from the device without affecting the employee's personal data.

3.5 Loss of Mobile Device

The greatest strength of mobile devices is also one of their major weaknesses. Since smartphones and tablets are so small and lightweight, they are convenient to carry around for easy access to corporate data. However, their size and weight also mean the devices can easily be lost or fall into the hands of criminals or thieves.
3.6 Risks from Other Devices

Another risk in a company operating a BYOD scheme is that some employees will sync their mobile devices with their home PCs or Macs. This can introduce an additional risk of data leakage. Even though the employee is only interested in backing up his/her personal files and photos, they could also be downloading corporate data and passwords from their mobile device onto their computer as part of the sync process. If the employee's home computer has already been infected by Trojans or spyware, this could compromise the security of corporate data. Moreover, if the computer is not properly protected and patched, cybercriminals could easily access the mobile data stored on the computer, regardless of the security software running on the mobile device.
4.0 Mobile Device Management (MDM)

As previously mentioned in section 3, the loss or theft of a device is a major risk factor, given the relatively weak control that an organisation may have over a device that is owned by an employee. Therefore, for the successful deployment of BYOD, steps should be taken in advance to ensure some form of data management on employees' personal devices. The proliferation of different mobile platforms brings more complexity, and using software known as Mobile Device Management (MDM) can give some assurance about the confidentiality of data stored on the device and provide monitoring features. This section considers different aspects of MDM by first explaining what MDM is and how an MDM operates, then giving recommendations on choosing an MDM solution, a step-by-step implementation of an MDM and, lastly, a sample Mobile Device Security Policy.

4.1 What is MDM?

According to Gartner, Mobile Device Management (MDM) includes software that provides the following functions: software distribution, policy management, inventory management, security management and service management for smartphones and media tablets. MDM functionality is similar to that of PC configuration life cycle management (PCCLM) tools; however, mobile-platform-specific requirements are often part of MDM suites.

4.2 Components of MDM

There are currently two basic approaches to Mobile Device Management: the first is to use a messaging server's management capabilities (usually from the same vendor that makes a particular brand of phone); the second is to use a product from a third party. With the latter approach it is possible to have a single product that can manage multiple brands of phones for use within an enterprise. However, an MDM product provided by a phone manufacturer may have more features or more robust support for its mobile devices than third-party products.

The architecture of both Mobile Device Management approaches is quite similar, and the typical solution has a client/server architecture. The organisation will have one or more servers that provide the centralised management capabilities, and usually one client application is installed on each mobile device and configured to run in the background at all times. If the device is issued by the organisation, the client application manages the configuration and security of the whole device. If the device is BYOD, the client application manages only the configuration and security of itself and its data, and not the entire device. Typically, the client application and its data are sandboxed from the rest of the device's applications and data; this helps protect the organisation from a compromised device.

4.3 Mobile Device Lifecycle Management

A six-phase lifecycle model is generally used to help organisations in setting up an MDM solution. The phases of the life cycle are as follows:

Phase 1: Configure. In this phase, the mobile device, application settings and restrictions are configured according to the security policy of the organisation.
Phase 2: Provision. In this phase, provisioning facilitates automated and over-the-air (OTA) user device registration, distribution and checking of configurations, and software package distribution.
Phase 3: Security. At this stage the device, apps and data are secured by enforcing security measures: authentication and access policies, enabling or disabling device functionalities, and blacklisting and whitelisting apps.
Phase 4: Support. The support phase helps users by remotely locating any device and also provides troubleshooting services.
Phase 5: Monitor. The monitor phase keeps track of device, app and data usage, checks for unauthorised user access and abnormal device behaviour, and includes the ability to remotely lock, wipe and selectively wipe devices.
Phase 6: De-activate. In this phase, lost or stolen devices are decommissioned, user access is blocked and data is wiped from compromised devices.

The figure below shows a typical Mobile Device Management (MDM) architecture.
Figure 1: MDM Architecture

4.4 When is MDM Required?

Whether to adopt an MDM solution depends on many factors. Firstly, there is a need to determine the types of devices and apps that are being used in the organisation, and also the kind of data that is being accessed through them. An MDM solution may not be necessary if employees are provided only with BlackBerry or iOS devices, or if the devices do not access critical data. But in a BYOD environment, where employees bring devices with different types of OS such as Android, iOS, Windows, BlackBerry, etc., an MDM solution becomes a necessity to manage those devices and to protect the data from being compromised.
Figure 2: MDM Requirement Quadrant

4.5 Guidance for Selecting a MDM Solution

Selecting the right MDM platform is critical because of the security implications and the high cost involved. Below is a list of points to consider when choosing an MDM platform:

- Mobile Policy: The MDM platform should best cater for the organisation's mobile policy, i.e. it must have sufficient functionality to cater for the level of security that the organisation needs.
- Security Mechanisms: Making sure that the MDM platform supports advanced data security measures and follows best practices is very important.
- Compliance: The MDM platform should be able to help in fulfilling compliance and regulatory obligations related to data security, customer privacy, etc.
- Remote configuration & control: The MDM platform should allow remote configuration and updating of the OS and apps. Furthermore, it should enable remote control features such as locking and wiping of mobile devices in case of loss or theft.
- Scalability: The types of platforms and devices that the MDM platform can support are key considerations, as is the ability to cater for more devices and platforms in the future.
- Analytics: The MDM platform must have the capability of providing real-time, comprehensive analytics on registered devices and apps.

4.6 MDM Solutions

There are several MDM solutions currently available on the market; Figure 3 below shows the Gartner Magic Quadrant for Mobile Device Management Software, which classifies them into the categories of niche players, challengers, visionaries and leaders.

Figure 3: Gartner Magic Quadrant for Mobile Device Management Software

4.7 Deploying a MDM Solution

For the purpose of this document, Cisco Meraki was used to show the basics of deploying a cloud-based MDM solution. Cisco Meraki is an MDM solution that is free and has most of the core features that are usually required.
Cisco Meraki MDM Setup

To set up Cisco Meraki, an account has to be created on https://meraki.cisco.com/products/systems-manager, where you will be asked to fill out some basic information before you are redirected to the cloud GUI dashboard.

Figure 4: Cisco Meraki GUI Dashboard

Device Enrollment

Cisco Meraki MDM supports different platforms such as iOS, Windows, Android, OS X and Chrome for enrollment. For this demonstration an Android smartphone was used for enrollment. First, download the Systems Manager app from Google Play and install it on the smartphone, then enter the code specific to your deployment.

Figure 5: Downloading Android App
Figure 6: Enrolling Android Smartphone

Managing Devices

Figure 7 below shows the GUI dashboard of Cisco Meraki and that the smartphone has been correctly enrolled.

Figure 7: Cisco Meraki Client List Dashboard

Figure 8 shows the client details such as OS version, MAC address, IP address and the list of installed apps. It is also possible to execute commands such as performing selective or full wipes, or to enforce security by enabling password strength requirements and geofencing.
Figure 8: Client Details
4.8 Sample Mobile Device Security Policy

The sample policy provided below is intended to act as a guideline for organisations looking to implement or update their mobile device security policy.

IT requirements

1. Devices must use the following operating systems: Android 2.2 or later, iOS 4.x or higher. <add or remove as necessary>
2. Devices must store all user-saved passwords in an encrypted password store.
3. Devices must be configured with a secure password that complies with <Company X>'s password policy. This password must not be the same as any other credentials used within the organisation.
4. With the exception of those devices managed by IT, devices are not allowed to be connected directly to the internal corporate network.

User requirements

1. Users must only load data essential to their job onto their mobile device(s).
2. Users must report all lost or stolen devices to <Company X> IT immediately.
3. If a user suspects unauthorised access to company data via a mobile device, they must report the incident in alignment with <Company X>'s incident handling process.
4. Devices must not be jailbroken or rooted* or have any software/firmware installed that is designed to gain access to prohibited applications.
5. Users must not load pirated software or illegal content onto their devices.
6. Applications must only be installed from approved sources such as Google Play or the Apple App Store. Installation of apps from untrusted sources is forbidden. If you are unsure whether an application is from an approved source, contact <Company X> IT.
7. Devices must be kept up to date with manufacturer- or network-provided patches. As a minimum, patches should be checked for weekly and applied at least once a month.
8. Devices must not be connected to a PC that does not have up-to-date and enabled anti-malware protection or that does not comply with corporate policy.
9. Devices must be encrypted in line with <Company X>'s compliance standards.
10. Users must be cautious about the merging of personal and work email accounts on their devices. They must only send company data through the corporate email system. If a user suspects that company data has been sent from a personal email account, either in body text or as an attachment, they must notify <Company X> IT immediately.
11. (If applicable to your organisation) Users must not use corporate workstations to back up or synchronise device content such as media files, unless such content is required for legitimate business purposes.

* Jailbreaking (iOS) and rooting (Android) refer to removing restrictions imposed by the manufacturer. This gives a user access to the operating system to unlock features and install unauthorised software.
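Several of the clauses above (minimum OS version, device passcode, jailbreak or root status, approved app sources, patch age and encryption) can be evaluated mechanically from the inventory an MDM collects at the monitoring phase. The Python below is an added illustration of such a check; it is not code from the CERT-MU guideline or from any MDM product. It runs the checkable clauses over a constructed device inventory and maps the result to an MDM action, applying the distinction from section 4.2 between a full wipe for corporate-owned devices and a selective wipe of the managed container for BYOD devices. The device records, the app source labels (google_play, apple_app_store, sideload), the clause identifiers (IT-1, USER-4, etc.) and the reference date are all assumptions made for this example.

```python
"""Policy compliance check for a mobile fleet.

Added example, not code from the CERT-MU guideline or any MDM product.
The device records, app source labels and reference date are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# IT requirement 1: minimum OS versions (Android 2.2 or later, iOS 4.x or higher).
MIN_OS_VERSION = {"android": (2, 2), "ios": (4,)}
# User requirement 7: patches applied at least once a month.
MAX_PATCH_AGE_DAYS = 30
# User requirement 6: approved app sources (labels are assumptions for this example).
APPROVED_SOURCES = {"google_play", "apple_app_store"}


@dataclass
class Device:
    """One record as an MDM inventory export might present it (constructed)."""
    device_id: str
    platform: str                  # "android" or "ios"
    os_version: str                # e.g. "4.4.2"
    encrypted: bool                # user requirement 9
    passcode_set: bool             # IT requirement 3
    rooted: bool                   # jailbroken (iOS) or rooted (Android)
    last_patch: date               # date the device last applied updates
    corporate_owned: bool          # decides full vs selective wipe (section 4.2)
    app_sources: dict = field(default_factory=dict)  # app name -> install source


def parse_version(text):
    """'4.4.2' -> (4, 4, 2). Parsing stops at the first non-numeric part, so a
    floor written as '4.x' becomes (4,) and any 4.* version compares as meeting it."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def check_device(dev, today):
    """Return the policy clauses the device violates; an empty list means compliant."""
    findings = []
    floor = MIN_OS_VERSION.get(dev.platform.lower())
    if floor is None:
        findings.append("IT-1: platform not in the approved list")
    elif parse_version(dev.os_version) < floor:
        floor_text = ".".join(str(n) for n in floor)
        findings.append(f"IT-1: OS {dev.os_version} below minimum {floor_text}")
    if not dev.passcode_set:
        findings.append("IT-3: no device passcode configured")
    if dev.rooted:
        findings.append("USER-4: device is jailbroken or rooted")
    unapproved = sorted(app for app, src in dev.app_sources.items()
                        if src not in APPROVED_SOURCES)
    if unapproved:
        findings.append("USER-6: apps from unapproved sources: " + ", ".join(unapproved))
    patch_age = (today - dev.last_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"USER-7: last patch applied {patch_age} days ago")
    if not dev.encrypted:
        findings.append("USER-9: device storage not encrypted")
    return findings


def recommended_action(dev, findings):
    """Map findings to an MDM action. A rooted or unencrypted device cannot protect
    corporate data, so it is wiped: the whole device if corporate-owned, only the
    managed container if BYOD (section 4.2). Lesser findings block access until fixed."""
    if not findings:
        return "allow"
    if any(f.startswith(("USER-4", "USER-9")) for f in findings):
        return "full_wipe" if dev.corporate_owned else "selective_wipe"
    return "quarantine"


# Constructed sample inventory and reference date.
TODAY = date(2014, 6, 30)
SAMPLE_FLEET = [
    Device("byod-01", "android", "4.4.2", True, True, False, date(2014, 6, 10), False,
           {"Mail": "google_play"}),
    Device("byod-02", "android", "2.1", False, True, True, date(2014, 2, 1), False,
           {"Game": "sideload", "Mail": "google_play"}),
    Device("corp-03", "ios", "7.1", True, False, False, date(2014, 6, 25), True,
           {"Mail": "apple_app_store"}),
]


def fleet_report(fleet=SAMPLE_FLEET, today=TODAY):
    """device_id -> (findings, action) for every device in the inventory."""
    report = {}
    for dev in fleet:
        findings = check_device(dev, today)
        report[dev.device_id] = (findings, recommended_action(dev, findings))
    return report


if __name__ == "__main__":
    for device_id, (findings, action) in fleet_report().items():
        print(f"{device_id}: {action}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script lists each device with its action: the compliant BYOD device is allowed, the corporate iPhone without a passcode is quarantined until fixed, and the rooted, unencrypted, out-of-date Android device gets a selective wipe rather than a full one because it is employee-owned. Clauses that depend on human judgement (what data is essential to the job, whether content is pirated) are deliberately left to the policy text rather than to code.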
5.0 Conclusion

The massive adoption of the Bring Your Own Device (BYOD) culture in organisations is posing serious problems for IT departments in securing sensitive corporate data. Furthermore, with a huge array of different devices and platforms, it has become very difficult and resource-consuming to control devices, apps and their usage. This is why a Mobile Device Management (MDM) solution is becoming a necessity for organisations to mitigate business risks and to centrally control and monitor the mobile environment in real time.
6.0 References

NIST, Guidelines for Managing and Securing Mobile Devices in the Enterprise, csrc.nist.gov
Australian Signals Directorate, asd.gov.au/publications
Kaspersky, Security Technologies for Mobile and BYOD, kaspersky.com/business
Ernst & Young, Bring Your Own Device, ey.com
Gartner, Mobile Device Management, gartner.com/it-glossary
Sophos, Sample Mobile Device Security Policy, sophos.com
Xcubelabs, Mobile Device Management, xcubelabs.com
Appendix A

List of Acronyms

BYOD: Bring Your Own Device
MDM: Mobile Device Management
CIO: Chief Information Officer
CISO: Chief Information Security Officer
Wi-Fi: Wireless Fidelity
GPRS: General Packet Radio Service
3G: Third Generation of Mobile Telecommunications Technology Standard
4G: Fourth Generation of Mobile Telecommunications Technology Standard
OTA: Over-the-air
GUI: Graphical User Interface
OS: Operating System
MAC: Media Access Control
IP: Internet Protocol