BYOD: Bring Your Own Devil

By Oleh Sannikov, R&D Team, SoftServe, Inc.

 

Cloud-enabled, with multiple email accounts, a mobile device dealing with corporate internal information is a Pandora’s Box. Obviously, this means that businesses should reconsider their data security policies and choose a specific scenario of BYOD adoption and Mobile Device Management.

Preface

The story of “Bring Your Own Device”, or BYOD, begins in 2007, when the first iPhone was introduced by Apple. The market paradigm changed: customers no longer wanted corporate phones for their work. The option of remote work and a flexible schedule was a serious benefit. Young talented workers, a perfect target group for employers, led the initiative, and it spread worldwide like a tsunami.

“With a year-on-year growth rate of more than 250%, 850,000 new Android devices are activated each day, jetting the total number of Android devices around the world past 300 million.” - Andy Rubin, SVP, Mobile and Digital Content, Google, MWC 2012

“365 million iOS devices have been sold through March 30, 2012” - Tim Cook, CEO, Apple, WWDC 2012

BYOD now covers about 9 of 10 US companies. It obviously means reconsidering security policies and enforcing data security. The benefits are reduced corporate hardware purchase and maintenance costs.

Factors of employees’ motivation and the benefits achieved by companies are listed below.

Drivers for BYOD (employee motivation):

Ease of working outside the office

Keeping equipment relevant

Improved work satisfaction

Improved productivity

Drivers from BYOD (company benefits):

Better work time flexibility and mobility

Possibility to hire part-time/freelance workers

Attraction of talented people

Improved employee satisfaction

Improved employee productivity

Improved business continuity

Reduced maintenance

Reduced training and on-boarding costs

More details on these factors can be found in the research conducted by Citrix.

 

 

Q: So, where is the Devil?

In the phone! Cloud-enabled, with multiple email accounts, a device dealing with corporate internal information is a Pandora’s Box. The mix of private and work data can create a mess in synchronization, where the user is not even aware which part of the data is regularly replicated to his home computer. With independent access to 3G internet, a device can act as an intruder, bridging the company’s network to the outside.

Another issue is compatibility. Phones brought by workers can run different versions, conflict with each other, be wrongly configured, have inadequate access rights or not support the safe protocols the company has adopted. That is the reason the word “devil” is used here as a synonym for “device”.

Trapping devils and mitigating security risks, along with the configuration overhead, are the subjects of Mobile Devil Management.

Mobile Devil Management

Limitations, rules and restrictions are the standard tools of Mobile Device (or Devil) Management. It should be scalable, to set up and support many devices in a reasonable time. MDM should be integrated into the enterprise environment and be able to change a device’s function as its corporate role changes, seamlessly and without user interaction. It should also protect sensitive data in the case of device theft or employee departure, by locking the device and remotely wiping the data.

Apple’s MDM toolset, covered in this article, is an example of a flexible and reasonably reliable management layer on top of the platform’s own security, for controlling mobile devices that access corporate networks.

iOS Devil Management

It’s about:

Enrollment and Configuration

Management

Queries

MDM is applied to an iOS device once it has accepted a special Configuration Profile, installed over USB by the iPhone Configuration Utility (CU) or over the air. Basic features can therefore be achieved with the CU alone (provided free of charge by Apple).

Full-featured MDM requires a server:

Microsoft Exchange ActiveSync (Exchange 2003, 2007 or 2010), which covers only the subset of policies ActiveSync knows about, such as passcode requirements and remote wipe

Or one of the many third-party MDM solutions on the market (e.g. AirWatch), covering not only iOS but other platforms within a supported scope

Configuration profiles are XML property list files (.mobileconfig), optionally signed and encrypted with certificates issued by the enterprise CA, so that they are protected from tampering and cannot be reused on devices other than the intended one. Once a profile is installed, the device becomes manageable and can be dynamically configured with settings, queried for information or remotely wiped.

Supported configuration settings include:

Accounts: Exchange ActiveSync, IMAP/POP, Wi-Fi, VPN, LDAP, CardDAV, CalDAV, subscribed calendars

Passcode policies: require passcode, complexity settings, maximum age, auto-lock time, number of failed attempts before wipe

Security and privacy: allow sending of diagnostic data, accepting untrusted certificates; force encryption of backups

Functionality: installing apps; allowing Siri, camera, screen capture, auto-sync while roaming, voice dialing, in-app purchase; requiring the store password for all purchases

iCloud: allow backup, document and key-value sync
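As an added example (not from this article and not Apple’s code), the following Python builds such a profile with a passcode policy and a restrictions payload using plistlib, and then audits any profile for the weak settings a reviewer would look for. The payload types and keys are the ones documented in Apple’s Configuration Profile Reference; the organisation prefix, display names and UUIDs are assumptions made for illustration.

```python
"""Build and audit an iOS configuration profile (.mobileconfig).

Added example, not from the original article and not Apple's code.
Payload types and keys are those documented in Apple's Configuration
Profile Reference; the organisation prefix, display names and UUIDs
are assumptions made for illustration.
"""
import plistlib
import uuid

ORG = "com.example"  # assumption: the enterprise's reverse-DNS prefix


def _payload(payload_type, ident, name, **settings):
    """Envelope keys every payload dictionary must carry, plus settings."""
    p = {"PayloadType": payload_type, "PayloadVersion": 1,
         "PayloadIdentifier": f"{ORG}.{ident}",
         "PayloadUUID": str(uuid.uuid4()).upper(),
         "PayloadDisplayName": name}
    p.update(settings)
    return p


def build_profile(min_length=6, allow_simple=False, max_failed=10,
                  force_encrypted_backup=True, removable=False):
    """Return an unsigned profile as plist XML bytes."""
    passcode = _payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy",
        forcePIN=True,                 # a passcode is required
        allowSimple=allow_simple,      # repeating/sequential digits
        requireAlphanumeric=True,
        minLength=min_length,
        maxInactivity=5,               # minutes before auto-lock
        maxPINAgeInDays=90,
        maxFailedAttempts=max_failed)  # device wipes itself after this many
    restrictions = _payload(
        "com.apple.applicationaccess", "restrictions", "Restrictions",
        allowCamera=True,
        allowScreenShot=False,
        allowAssistant=False,                     # Siri
        allowDiagnosticSubmission=False,
        allowUntrustedTLSPrompt=False,            # no "accept certificate?" prompt
        forceEncryptedBackup=force_encrypted_backup,
        allowCloudBackup=False,
        allowCloudDocumentSync=False,
        allowGlobalBackgroundFetchWhenRoaming=False)
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": f"{ORG}.byod",
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "BYOD baseline",
               "PayloadOrganization": "Example Corp",       # assumption
               "PayloadRemovalDisallowed": not removable,   # user can't remove it
               "PayloadContent": [passcode, restrictions]}
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Parse a profile and list the weak settings a reviewer would flag."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}

    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if not pw.get("forcePIN"):
            findings.append("passcode not required")
        if pw.get("allowSimple", True):          # Apple's default is true
            findings.append("simple passcodes allowed")
        if pw.get("minLength", 0) < 6:
            findings.append("minLength below 6")
        if "maxFailedAttempts" not in pw:
            findings.append("no wipe after failed attempts")

    r = by_type.get("com.apple.applicationaccess")
    if r is None:
        findings.append("no restrictions payload")
    else:
        if not r.get("forceEncryptedBackup"):
            findings.append("unencrypted backups allowed")
        if r.get("allowUntrustedTLSPrompt", True):   # default is true
            findings.append("untrusted TLS certificates can be accepted")

    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("user can remove the profile")
    return findings


if __name__ == "__main__":
    print(audit_profile(build_profile()))
    print(audit_profile(build_profile(min_length=4, allow_simple=True,
                                      removable=True)))
```

The profile produced here is unsigned. Before distribution it would be signed as CMS/PKCS#7 (for example with `openssl smime -sign ... -outform der -nodetach`) using a certificate the devices trust, so that the device shows it as verified and a tampered copy is rejected. The audit checks the defaults deliberately: a missing allowSimple or allowUntrustedTLSPrompt key means Apple’s permissive default applies, which is why absence is treated as a finding.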

In addition to configuration, a device can be queried for information in real time:

Device: UDID, name, model name, iOS version, serial no., IMEI, modem firmware, battery level, capacity, free space and network information

Security: applied restrictions, configuration profiles and certificates installed, passcode and hardware encryption status

Applications: a detailed list

MDM can also manage:

Profiles: configuration and provisioning profiles (install and remove)

Applications: install and remove (managed apps only)

Passcode: wipe the device, lock it or clear the passcode

Interaction uses the Apple Push Notification service (APNs), which is built into the core of the OS and optimized for low traffic consumption.

 

The workflow diagram in the already mentioned Apple MDM toolset description (not reproduced here) illustrates the exchange:

The server sends a push notification prompting the device to check in for tasks or queries.

The device connects directly to the server over HTTPS. The server sends commands or requests information.
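Here is the exchange described above, as an added example that is not part of the original article or of Apple’s tools: a minimal MDM server and a managed device, written in Python, trading the plist messages the protocol actually uses (Status “Idle”/“Acknowledged”, CommandUUID, RequestType, Queries/QueryResponses, SecurityInfo). The push token, UDIDs and device state are constructed, and the APNs and HTTPS legs are replaced by direct function calls so it runs offline. It also shows the step the diagram leaves implicit: what the server does with a query result, here locking a device whose passcode does not satisfy the profile.

```python
"""Simulated Apple MDM exchange: push, check-in, queries, response, lock.

Added example, not from the original article and not Apple's code. Message
shapes follow Apple's MDM protocol; UDIDs, PushMagic and device state are
constructed, and APNs/HTTPS are replaced by direct calls.
"""
import plistlib
import uuid

PUSH_MAGIC = "9C5F8A2B-0A3E-4E7B-9B2F-1F2D3C4B5A69"  # constructed token


class MdmServer:
    def __init__(self):
        self.queue = {}    # UDID -> pending command dicts
        self.issued = {}   # CommandUUID -> RequestType, to correlate replies
        self.report = {}   # UDID -> facts learned from the device

    def enqueue(self, udid, request_type, **args):
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": {"RequestType": request_type, **args}}
        self.issued[cmd["CommandUUID"]] = request_type
        self.queue.setdefault(udid, []).append(cmd)

    def push(self):
        """APNs payload: it carries no command, only 'check in now'."""
        return {"mdm": PUSH_MAGIC}

    def handle(self, body):
        """Device PUT to the ServerURL over HTTPS. Returns the next queued
        command as plist bytes, or b"" when there is nothing left to do."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if msg["Status"] == "Acknowledged":
            self._learn(udid, msg)
            self._react(udid)
        pending = self.queue.get(udid, [])
        return plistlib.dumps(pending.pop(0)) if pending else b""

    def _learn(self, udid, msg):
        rep = self.report.setdefault(udid, {})
        rep.update(msg.get("QueryResponses", {}))
        if "SecurityInfo" in msg:
            si = msg["SecurityInfo"]
            rep["PasscodeOK"] = bool(si.get("PasscodeCompliantWithProfiles"))
            # HardwareEncryptionCaps: 1 block-level, 2 file-level, 3 both
            rep["HwEncryption"] = si.get("HardwareEncryptionCaps", 0) == 3
        if self.issued.get(msg["CommandUUID"]) == "DeviceLock":
            rep["Locked"] = True

    def _react(self, udid):
        """Policy (assumption): a non-compliant passcode locks the device."""
        rep = self.report[udid]
        if rep.get("PasscodeOK") is False and not rep.get("LockIssued"):
            rep["LockIssued"] = True
            self.enqueue(udid, "DeviceLock")


class Device:
    def __init__(self, udid, info, security):
        self.udid, self.info, self.security = udid, info, security
        self.locked = False

    def on_push(self, server, payload):
        """Ignore a push whose PushMagic is not the one registered at
        enrollment; otherwise PUT Idle and run commands until told to stop."""
        if payload.get("mdm") != PUSH_MAGIC:
            return []
        body, done = {"UDID": self.udid, "Status": "Idle"}, []
        while True:
            reply = server.handle(plistlib.dumps(body))
            if not reply:
                return done            # empty body: back to idle
            cmd = plistlib.loads(reply)
            done.append(cmd["Command"]["RequestType"])
            body = self._run(cmd)

    def _run(self, cmd):
        c = cmd["Command"]
        resp = {"UDID": self.udid, "CommandUUID": cmd["CommandUUID"],
                "Status": "Acknowledged"}
        if c["RequestType"] == "DeviceInformation":
            resp["QueryResponses"] = {k: v for k, v in self.info.items()
                                      if k in c.get("Queries", [])}
        elif c["RequestType"] == "SecurityInfo":
            resp["SecurityInfo"] = dict(self.security)
        elif c["RequestType"] == "DeviceLock":
            self.locked = True
        else:
            resp["Status"] = "Error"
            resp["ErrorChain"] = [{"LocalizedDescription": "unsupported"}]
        return resp


def sample_devices():
    """Two constructed devices: one compliant, one with no passcode."""
    base = {"OSVersion": "5.1.1", "SerialNumber": "C0NSTRUCTED1",
            "IMEI": "00 000000 000000 0"}
    ok = Device("A" * 40, dict(base, UDID="A" * 40),
                {"PasscodePresent": True, "PasscodeCompliant": True,
                 "PasscodeCompliantWithProfiles": True, "HardwareEncryptionCaps": 3})
    bad = Device("B" * 40, dict(base, UDID="B" * 40),
                 {"PasscodePresent": False, "PasscodeCompliant": False,
                  "PasscodeCompliantWithProfiles": False, "HardwareEncryptionCaps": 3})
    return ok, bad


def audit(server, device):
    """One management round: queue the queries, push, let the device check in."""
    server.enqueue(device.udid, "DeviceInformation",
                   Queries=["UDID", "OSVersion", "SerialNumber", "IMEI"])
    server.enqueue(device.udid, "SecurityInfo")
    return device.on_push(server, server.push())


if __name__ == "__main__":
    srv = MdmServer()
    for dev in sample_devices():
        print(dev.udid[:4], audit(srv, dev), "locked" if dev.locked else "ok")
```

Two points worth noticing. The push itself never carries a command or any data, only the PushMagic, so someone who could forge pushes would gain nothing beyond making the device check in. And this toy server authenticates nothing; a real one must tie the HTTPS session to the device’s identity certificate obtained during enrollment before it trusts the UDID in the request body, otherwise any client could drain another device’s command queue.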

Android, Blackberry, Windows Phone…

(Are all MDM-capable)

BlackBerry and Microsoft originally targeted enterprise markets, with legacy security model implementations. But they are currently out of BYOD focus: less expensive, and some might say not as “cool” as Apple products.

Android runs on a huge variety of devices in all market segments. An open platform by design, with diverse stores, no mandatory app review and a common practice of being “rooted”, it has weak and fragile security walls. MDM agents run at the same privilege level as ordinary applications, accessible to other processes, which prevents the enforcement of proper restrictions. Therefore, IT departments strive to keep Android devices out, for safety reasons.

Conclusion

(What can we do here?)

Each company will have its own scenario of BYOD adoption.

Mature IT companies and service providers have already adjusted their environments to keep the “devil” trapped. The corporate network has an isolated layer for guest access; each project is configured to live in a sandbox and has access to its own resources only. Employees sign NDA documents and take responsibility for their actions.

As Mobile Device Management is one of BYOD’s hearts, either an existing solution (like AirWatch) or a proprietary one can be used.

In all cases, the reasons to use one approach or another should be determined by analyzing the company’s information flows and measuring the security risks of data leakage.

About the Author

Oleh Sannikov is a Technology Consultant at SoftServe, Inc., a leading global provider of software development, testing and consulting services. Oleh has more than 9 years of experience in software creation for Apple iOS and Mac OS X environments. He specializes in consulting and architecture assessments of mobile solutions developed at the Company.

 

 

This article was originally published by Executive Brief
