BYO[D] Doesn’t Have to Mean Bring Your Own [Vulnerability]

The Bring-Your-Own-Device (BYOD) model of operating has been a double-edged sword for IT professionals. On the one hand, it empowers and allows for business productivity. On the other hand, it continues to create a serious challenge for organizations as IT and security professionals find ways to enforce access control across a diverse ecosystem of mobile devices.

The challenge is not getting any easier with an increased focus on remote work. To solve it, security teams need to place device integrity and identity management at the forefront of efforts to police the ever-shifting perimeter of today’s enterprises.

Ensuring those systems are clean and adequately authenticated is a critical element of enterprise identity and access management (IAM) strategy, and requires an approach built around visibility and defense in depth.

Bring-Your-Own Vulnerability
Tell any security professional that productivity will involve expanding the attack surface, and they will reflexively cringe. Yet innovations often force the needs of productivity and security to clash. Such is the case with BYOD, which has improved business productivity for years by enabling employees to use whatever devices they want to do their work. In theory, it empowers the user whilst making the enterprise more agile.

With the proliferation of mobile devices and the distributed nature of today’s workforce, however, comes the reality of out-of-date systems, policy violations, and other challenges that may go unnoticed when the device is not connected to the network, or under corporate governance. Without control over a personal device, the enterprise may not immediately detect changes to the system that impact security. Malware infections can occur due to personal surfing habits or users connecting to rogue wireless access points. There is also the prospect of physical loss or theft of devices without adequate data protection, thus exposing corporate data.

Each device represents a potential point of failure, a point of attack. Unfortunately, many organizations may be failing to account for these increased risks. According to a 2019 survey by Bitglass taken at Cloud Expo Europe in London, 16% of respondents said their organization’s main priorities for security for the year included unmanaged device access, which came in second in the survey behind malware protection (26%). In addition, while 74% of respondents said their company allowed BYOD, 47% said that either their employer had no BYOD security policy or they did not know if it did.

The Importance of Visibility
With the growing number of mobile devices connecting to the network, organizations need to have visibility into their entire attack surface and the integrity of the devices connecting to their environment so that they can judge the risk of each access request. BYOD is not bad—in fact, coupling BYOD with proper visibility into the accessing device allows for a superior security approach. For businesses to make sound decisions about access, they need to be able to collect, correlate, and analyze data about user and device activity and posture.

To get the visibility they need, organizations should consider a few possibilities. The first is using Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions, which are effective at understanding the state of the mobile device and enforcing data separation and selected data deletion in case a device is lost or compromised. There is also Mobile App Management (MAM), which allows enterprises to provision and secure mobile applications approved by the organization.

Another solution for mobile devices that accomplishes the same goal is to use third-party services. Here, the device is not under active management, but device posture and risk are analyzed based on information in open source intelligence. By leveraging that information, the appropriate risk is ascertained, forming the basis to either allow or disallow access to certain information or the ability to perform certain tasks.

Regardless of what approach is chosen, the emphasis needs to be on assessing the health and behavior of the device before decisions are made to grant it and its user access to protected resources.

Zero Trust in the Mobile World
When it comes to authentication, both employee-owned and company-owned devices should be treated in the same manner. Neither should be trusted. It may be tempting to think the security challenges of BYOD can be solved by only supporting certain hardware, but this is only the beginning. Gathering and correlating details about user and device characteristics are a critical part of inching businesses closer to a more secure environment. Controlling user access to critical systems and data is mandatory in the age of BYOD, and concentrating on the identity-focused security outcomes recommended by the Identity Defined Security Alliance (IDSA) reduces the risk of access abuse and malicious behavior.

A Zero Trust approach to BYOD verifies the device while also enabling the dynamic re-attestation and revocation of user access based on the detection of anomalous behavior. Through the integration of multifactor authentication, session validation, device management, unified endpoint management, and other capabilities, organizations can make decisions based on intelligent risk analysis. As employees seek device autonomy in the name of ease of use and productivity, embracing a Zero Trust strategy built around deep visibility is critical to success. For a real world example, check out Adobe’s customer story.

About the Author: Baber Amin is Ping Identity CTO for West and a member of the Identity Defined Security Technical Working Group.  In addition to helping customers with their IAM strategy, Baber has been involved in M&A, ML/AI strategy, overseeing solutions in OpenBanking, GDPR, Privacy, and Consent and product and solution go-to market for Ping solutions in Employee, and Consumer centric Identity and Access Management. Prior to Ping Identity, he held leadership roles with Oracle, CA and Novell. Baber is also an author on several patents in software security, web caching and content distribution.



Let's work together to help everyone become more secure.