BYOD for Employees

IST 725 Final Paper – BYOD for Employees, May 1, 2012

Bring Your Own Device for Employees
Understanding the IT Security Architecture Impacts

Leo de Sousa – IST 725



Table of Contents

Abstract (p. 3)
Introduction (p. 4)
EA3 Cube Framework Overview (p. 8)
IT Security Architecture Overview (p. 10)
Current State - UWYT (p. 11)
Future State - BYOD (p. 15)
BYOD Management Plan (p. 22)
Conclusion (p. 24)
References (p. 26)


Abstract

This paper takes an enterprise architecture approach to describe the IT Security Architecture impacts of migrating from an employer supplied “use what you’re told” (UWYT) model to an employee purchased “bring your own device” (BYOD) model. More and more employees and executives demand the option to use their consumer IT devices to do their work. This blend of work and life, combined with flexible work hours, also contributes to an atmosphere where people want to be able to work with the tools of their choice. “Work is no longer a place you go to, and then leave, but an ongoing activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3) Organizations will have no choice but to address the demands of their employees. IT departments in particular play a key role in articulating the IT security impacts of BYOD programs on their organization. Blount explores the Consumerization of IT – Security Challenges by describing the challenges, the opportunities and the benefits. “This important trend is not just about new devices; it’s about the entire relationship between IT and its user population.” (Blount, 2011, p. 3) BYOD is not just a technology or device specific issue. To better understand the impacts of the BYOD trend on organizations, we need a model to describe the current state and the future state, and to develop a management plan to understand the changes required. Dr. Scott Bernard developed and published the EA3 Cube Framework as a “management program and a documentation method”. (Bernard S. A., 2005, p. 33) This paper follows the EA3 Cube framework to help understand the transformative impacts of BYOD on IT Security. Focusing specifically on IT Security Architecture, this paper will use the following layers from the Security Architecture Framework to understand and communicate the impacts of BYOD for organizations: (Bernard & Ho, 2007, p. 10)

1. Information Security Governance
2. Operations Security
3. Personnel Security
4. Information and Data Flow Security
5. Application Development Security
6. Systems Security
7. Infrastructure Security
8. Physical Security

After reading this paper, the reader will have an overview, based on an enterprise architecture framework, of the IT Security Architecture impacts that implementing an employee BYOD program has on organizations.

Keywords: BYOD, data, devices, enterprise architecture, IT security architecture, mobility, policy, risk management, security, UWYT


Introduction

More and more employees and executives demand the option to use their consumer IT devices to do their work – “bring your own device” (BYOD). This blend of work and life, combined with flexible work hours, also contributes to an atmosphere where people want to be able to work with the tools of their choice. “Work is no longer a place you go to, and then leave, but an ongoing activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3) Organizations will have no choice but to address the demands of their employees. IT departments in particular have a key role to play in articulating the IT security impacts of BYOD programs on their organization. The predominant endpoint model in organizations is employer supplied endpoint devices such as personal computers and phones (UWYT). This dominant model allows organizations to tightly control access to corporate digital assets, including systems and applications as well as corporate structured and unstructured information. In this paper, an endpoint is defined as any device that allows a user to interact with an organization’s digital assets over a network – “the device at the end of a transport layer of a network.” (Wikipedia, 2012) BYOD programs present some difficult questions that require changes to policies, business practices, information security, systems and IT infrastructure.

• What devices are acceptable for employees to use?
• How do employers ensure that the devices employees choose to use have appropriate security and encryption software?
• What happens if an employee device containing corporate data is lost?
• What amount of control will the employer demand vs. what an employee is willing to grant on personal devices?
• What risks do employers run when an employee owned device contains unlicensed or illegal software and content?
• What are the risks and impacts of these “gateways” to the corporate network as they travel with their owner to their homes, coffee shops and vacations?
• What role do identity management and application virtualization play in enabling and securing BYOD approaches?
• How should employer supplied applications be segregated from employee owned applications?

Ensuring that there is central management of the infrastructure running on corporate networks allows organizations to meet the audit requirements of privacy legislation like the Freedom of Information and Protection of Privacy Acts (FIPPA) and the Health Insurance Portability and Accountability Act (HIPAA). Further, organizations that accept payment for goods and services via payment cards are subject to compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Introduction of consumer based, employee owned devices into corporate networks increases the complexity of security management systems. There is also an increased risk of non-compliance with information security policies. There are costs that will be incurred to accommodate employees having the ability to choose their own endpoints, including potentially higher costs as pricing and contractual benefits are lost with individual purchases. (ProfitLine, 2011, p. 2)


Sen published a paper that explores the “Consumerization of Information Technology: Drivers, Benefits and Challenges for New Zealand Corporates”. Sen suggests the following corporate challenges need to be understood and addressed: (Sen, 2012, p. 14)

• Cost Constraints and Uncertain Cost Boundaries
• Security Challenges
• Challenges in Support and Control
• Challenges around Evolving Relations and Expectations
• Changing Policy Needs
• Regulatory Obligations

The “use what you’re told – UWYT” model delivers cost management, security management, centralized support and strong policy enforcement. The challenge with UWYT is that it fails to deliver on social engagement or to facilitate the blending of personal and work life, what Wallin calls “keep employees happy”. (Wallin, 2011, p. 1) Two key groups are driving BYOD initiatives – “senior managers at the board level asking IT to sync their personal devices with work and the number of younger employees … with high expectations of using their personal devices with work applications.” (Ranger, 2012) Wallin confirms this: “often, ‘bring your own’ starts on the executive floor”. (Wallin, 2011, p. 1) Employee recruitment and retention are positively impacted by implementing new working practices like BYOD. (6dg, 2012) Employee satisfaction and motivation are very relevant topics as organizations look to increase productivity in a globally competitive business environment by having a motivated workforce. Sen’s paper cites the following corporate benefits: (Sen, 2012, p. 13)

• Accelerates Business Growth
• Productivity through Employees bringing in New Technology
• Employee Productivity through Trust
• Cost Benefits

Employees expect to work with tools of equivalent capability to those they purchase for personal use. This is a significant challenge, especially in terms of cost, as most organizations cannot keep up with the rapid developments in consumer IT and fall behind. “Employees expect to be able to use all the innovative new devices and tools at their disposal, both to do their jobs and to maintain their always-connected lifestyles while being able to work whenever and wherever they need to.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 1) Leif-Olof Wallin from Gartner provides four conflicting goals that need to be considered when evaluating a move from UWYT to BYOD.

1. Social – keep employees happy
2. Business – keep processes running effectively
3. Financial – manage costs
4. Risk Management – stop bad things from happening (Wallin, 2011, p. 1)


A whitepaper presented by ProfitLine introduces the concept of liability to describe models of deploying services. The concept of liability helps categorize the risks that IT Security Architecture addresses. “Corporate Liable” is defined as “devices/services paid by employer and contracts are signed by enterprise representative.” (ProfitLine, 2011, p. 2) This describes the traditional approach of employer supplied and controlled endpoints (UWYT). The contrasting model is “Individual Liable”: “devices/services purchased by employee, who is then reimbursed via expense report or stipend for minutes spent on business calls or emails.” (ProfitLine, 2011, p. 2) Individual Liable describes the BYOD model for user endpoints in organizations. In practice, a hybrid of Corporate and Individual liability is the most practical approach for organizations. The whitepaper also suggests key risk factors that need consideration: (ProfitLine, 2011, p. 2)

• Sourcing and Contractual Issues – major pricing and contractual benefits are lost when moving to an Individual Liable model. For example, a 7000 user profile resulted in a significant cost increase due to individual purchases over bulk corporate purchases.

• IT Support and User Experience – hidden IT support costs and potential user experience issues. For example, employees will still call the central IT service desk, and the IT department will have significant difficulty keeping up with the variety of endpoints and their particular support needs. User experience can also suffer, as employees would have to go to the place they purchased their device for support.

• Security – increased security risks and policy ramifications. For example, security policies and safeguards must be put in place to protect corporate assets. Creating a policy that users sign off on, addressing issues like controls on personal devices, is critical.

Orans and Pescatore from Gartner present a model to help understand the risk and security pressures on the value to the business from BYOD. They describe four strategies organized in a two dimensional quadrant, with the horizontal axis being “Security Pressure”, referring to security demands from internal and external forces, and the vertical axis being “Value to Business”, referring to the value that the user delivers to the business through the use of consumer technology. They recommend that most organizations begin with the Contain strategy and use Network Access Control (NAC) to “isolate personally owned mobile devices in a limited access zone, where they may access a subset of applications and data.” (Orans & Pescatore, 2011, p. 1) Network Access Control in combination with Mobile Device Management (MDM) and Hosted Virtual Desktops (HVD) allows organizations to manage all four strategies of Block, Disregard, Contain and Embrace for BYOD in organizations. The quadrant diagram below maps the security responses to risk and business value.


[Figure: BYOD strategy quadrant. Horizontal axis: Security Pressure (Low to High); vertical axis: Value to Business (Low to High). Top row: Embrace, Contain; bottom row: Disregard, Block.] (Orans & Pescatore, 2011, p. 3)

Category Definitions (Orans & Pescatore, 2011, p. 7)

• Block – (or ban) the use of consumer-grade products or services by explicitly prohibiting their use in an appropriate policy; then enforce the policy by scanning for use or blocking port numbers of device drivers. Example: block peer to peer file sharing services.

• Contain – actively accepts and facilitates use in well-defined situations and in some cases implements controls to present the use of the consumer technology. Example: SSL VPN.

• Disregard – essentially means pretending that the consumerization trend doesn’t affect you, or at least not actively looking to see where consumer technologies are in use. Example: technology that has no business impact, like an mp3 player.

• Embrace – refers to the IT organization incorporating consumer-grade technology (or enterprise versions of consumer products/services) and promoting, delivering and supporting it just like any other IT-delivered product or service. Example: corporate use of iPads for employees.


EA3 Cube Framework Overview

The EA3 Cube Documentation Framework (Bernard S. A., 2005, p. 38) provides an excellent starting point to understand the risks and impacts of implementing an employee BYOD model. The documentation framework structures the layers of an organization so that we can map changes and their impacts to them. Enterprise Architecture (EA) is described by the formula (Bernard S. A., 2005, p. 32):

Enterprise Architecture = Strategy + Business + Technology

The EA3 Cube framework describes an Enterprise Architecture by documenting the current state of an enterprise and then documenting the future state with the changes implemented. The documentation approach has six basic elements. (Bernard S. A., 2005, p. 37)

1. EA documentation framework – levels, segments and artifacts
2. EA components
3. Current State view
4. Future State view
5. EA Management Plan
6. Planning Threads – IT security, IT standards and IT workforce

Here are images of the EA3 Cube Documentation Framework: (Bernard S. A., 2005, p. 38)


Implementing BYOD will touch all the components in the EA3 Cube framework, particularly the Security/Standards/Workforce planning thread. There will be changes required to the architecture layers of data and information, systems and applications, and networks and infrastructure. There should be a special focus on access to and protection of data and information, as digital information is growing exponentially in enterprises. Enabling access to digital information on personally owned devices like laptops, tablets and mobile phones requires added security measures to protect against data breaches. Meeting employee demands for personalization must be balanced with the organization’s need to comply with legislation. Looking at the EA3 Cube framework, we can see how each component interacts to enable secure sharing of data and information with BYOD devices. Enterprise Security Architecture (ESA) is one of the planning threads in the EA3 Cube framework. Enterprise Security Architecture helps identify the issues and the risks that could impact a company and its employees when implementing a BYOD program. ESA also provides a framework for planning and implementing secure business practices.


IT Security Architecture Overview

Enterprise Security Architecture is a vertical planning thread in the EA3 Cube framework as it touches all the layers in the model. Bernard and Ho present a Security Architecture Framework (SAF) that has eight layers: (Bernard & Ho, 2007, p. 10)

1. Information security governance
2. Operations security
3. Personnel security
4. Information and data flow security
5. Application development security
6. Systems security
7. Infrastructure security
8. Physical security

These eight layers are important to consider when shifting from employer supplied “use what you’re told” (UWYT) to an employee purchased “bring your own device” (BYOD) model. Here is an image that represents the Security Architecture Framework with the EA3 Cube layers on the right: (Bernard & Ho, 2007, p. 11)


Current State - UWYT

Current State (EA3 and SAF): Fully Managed Endpoints - UWYT

The predominant organizational model of IT managed endpoints is employer supplied endpoints. Think of this as the “use what you’re told – UWYT” model. (Lomas, 2011) This has been the predominant model for IT departments supplying endpoints to their businesses for decades. “UWYT treats the user as just another socket to be plugged into the network – a plug specifically selected to fit the needs of the IT department, not the socket.” (Lomas, 2011) The Block and/or Disregard models are used for UWYT environments. (Orans & Pescatore, 2011) This section characterizes the information security attributes of UWYT so that we can compare them to the future state implementing BYOD. One of the key aspects of the UWYT model is that it limits the scope and costs of implementing IT security practices and policies by restricting the choice of endpoints used by employees. This is a Corporate Liable model for risk.

Information Security Governance

“The purpose of the ‘IS Governance’ layer in the SAF is to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11) The centralized nature of this model relies on IT being the only source for endpoint technology. This is the Corporate Liable model for managing endpoints. IT departments have a mandate from their organization to protect the company by standardizing and implementing policies that enforce the Block and/or Disregard model. (Orans & Pescatore, 2011) Some companies employ the Contain model for email and calendar access on BYOD devices, but they have not created a formal BYOD policy. This introduces risks of data leakage, because lost or stolen devices cannot be managed. Most senior executives are unaware of this corporate risk. Many organizations do not have an information security policy and rely on human resources policies that align to a UWYT model. There is no question that the employer has all the control in this model. This layer focuses on policy, policy formation, evaluation, and standards (including legislative compliance – HIPAA and FIPPA).

Operations Security

“The purpose of the Operations Security Layer is to define the enterprise’s intra-organizational and operational needs as they interact with and require access to the enterprise IT services, in order to identify and address security needs at the enterprise’s organizational level.” (Bernard & Ho, 2007, p. 12) With the centralized UWYT model, organizations can limit the scope of operations security to the assets deployed for use by employees. This results in a lower ongoing cost for the following activities: risk assessment, vulnerability assessment, contingency planning, incident handling team, disaster recovery planning, business continuity planning and security operations center.


Personnel Security

“The purpose of the Personnel Security layer is to ensure that enterprise personnel are accessing and utilizing its information and technology services safely, securely and in accordance with their predefined roles and responsibilities of their job functions, through proper access control plans and detection of employee anomalous behavior.” (Bernard & Ho, 2007, p. 14) The UWYT model allows for security taps and monitoring into a known (centrally provisioned) IT architecture. Monitoring of endpoints requires installation of security software on the device. This security practice is much easier to implement when configuration and distribution of devices come from a central source. Two key activities in this security layer are “Due Diligence” practices and security awareness training. These two activities are easier for companies to implement with a Corporate Liable UWYT model. Limiting the device types allows for the creation of standard training materials and instructions for employees.

Information and Data Flow Security

“The purpose of the Information & Data Flow Security layer is to identify and classify information and data as it moves through the enterprise – in order to justify adequate security controls.” (Bernard & Ho, 2007, p. 16) The UWYT model facilitates information and data flow security by standardizing controls to manage the risks of data loss and data protection on endpoints. Using information classification techniques protects the confidentiality and sensitivity of corporate information. The appropriate access controls, authorization, encryption and backup techniques across all devices and users in the organization can be determined based on information classification methods. Key activities in this security layer are information classification, security models, risk controls, risk management and risk analysis. All of these activities require a commitment of resources and time.
The implementation and management costs are lower when the number of models/types of endpoints that access corporate data is limited.

Application Development Security

“The purpose of the Application Development Security layer is to design the authentication, authorization and accounting (AAA) components into the applications used in the enterprise; to enforce the application process follow throughout the enterprise; and to ingrain security in the SDLC.” (Bernard & Ho, 2007, p. 18) The UWYT model encompasses the entire infrastructure needed to run the enterprise applications employees use to do their work. There are typically limitations on the hardware (Intel PC), operating system (usually Windows) and browser (usually Internet Explorer) to allow for standard configurations of applications. By controlling the hardware (the workstation or laptop), central application security management is possible. One other attribute of this layer in the UWYT model is that the applications developed, purchased and installed are predetermined for employees. Key activities in this security layer are common application vulnerabilities, software development lifecycle and best practices. Standardizing the application development platforms reduces the number of vulnerabilities that require application security activities.

Systems Security

“The purpose of the Systems Security layer is to protect sensitive applications and provide granularity of access controls to sensitive resources.” (Bernard & Ho, 2007, p. 20) The key activities in this security layer are platform hardening, authentication and authorization, database security, PKI enabled applications, single sign-on and host based intrusion detection. The UWYT model facilitates these security activities because installation of system security occurs at hardware configuration and before end user provisioning. Many organizations use the Blackberry Enterprise Server (BES) to control access to email and calendars on Blackberry mobile devices. The BES server also enforces policies like device encryption and mandatory passwords. It also has the capability to “wipe” the device if it is stolen or lost. IT departments are recognizing the importance of Identity and Access Management (IAM) systems. These systems facilitate the provisioning of accounts, role management, and authentication and authorization to applications, systems and information. Many IAM systems rely on human resource business processes to update employee records in a timely manner so that the appropriate access is granted and removed as the person’s role changes.

Infrastructure Security

“The purpose of the Infrastructure Security layer is to develop a secure infrastructure that meets all the security requirements of the enterprise and can safeguard against future attacks against the enterprise.” (Bernard & Ho, 2007, p. 22) This security layer is critical in protecting organizations. The UWYT model provides layers of protection at the network level to limit threats from external attacks using network partitioning and firewall security. It also provides protection from internal attacks by using network partitioning, internal firewalls and virtual private networks (VPN).
Some of the key activities in this security layer are network partitioning, firewall security, network security testing, network-based intrusion detection systems (NIDS), broadband security, PKI risks, PKI issues and virtual private networks.

Physical Security

“The purpose of the Physical Security layer is to construct a secure perimeter physical defense system that safeguards the facility and physical resources for the enterprise.” (Bernard & Ho, 2007, p. 25) Most organizations that use the UWYT model rely on keeping computer endpoints behind the protection of physical security, including building and facility security and physical access controls. Taking UWYT devices out of the physical locations of organizations compromises any physical security practices that are in place.


Current State Summary

The predominant model of IT managed endpoints in most organizations is employer supplied endpoints – “use what you’re told” (UWYT). This method of endpoint management has many benefits, such as restricting complexity, managing enterprise risk due to data leakage, limiting costs and providing strong IT security. This model assumes a Corporate Liable approach, where “devices/services paid by employer, and contracts are signed by enterprise representative”. (ProfitLine, 2011, p. 2) The main attributes of this environment are centralized policies, standards, implementation and usage. IT departments have a mandate from their organization to protect the company by standardizing and implementing policies that enforce the Block and/or Disregard model. (Orans & Pescatore, 2011) The UWYT model limits employee choice and potentially runs the risk of being uncompetitive when seeking out talented employees. It is a “tightly coupled” model for managing endpoints for an organization.


Future State - BYOD

Future State (EA3 and SAF): Endpoint Independence - BYOD

Many organizations are struggling to develop an approach to meet their employees’ demands for using the devices of their choice. Employees expect to work with tools of equivalent capability to those they purchase for personal use. Most organizations cannot keep up with the rapid developments in consumer IT and fall behind, particularly with new functionality. “Employees expect to be able to use all the innovative new devices and tools at their disposal, both to do their jobs and to maintain their always-connected lifestyles while being able to work whenever and wherever they need to.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 1) Every organization is facing a conflict between the corporate and consumer IT spaces. This trend is driven by employees who want to use the consumer based technology that they are familiar with. With the market leadership of Apple consumer devices like the iPhone and iPad, companies are struggling to keep up with the functionality and features in their corporate fleet of technology endpoints. This is not just a staff level pressure but touches all levels of organizations, as board members bring tablets to their executive meetings. Some of the categories this trend impacts: mobile phones, storage, innovative services, dynamic content creation, update cycles, and style and customization. (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)

Corporate vs. Consumer IT (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)

Category | Corporate Space | Consumer Space
Mobile Phones | Devices with functionality limited to phone calls and email, typically Blackberry | Smart phones offering tens of thousands of useful apps, typically iPhone or Google Phone
Storage | Restricted storage for files and email | Providers such as Google and Yahoo offering virtually unlimited storage
Innovative Services | Static employee directories and cumbersome proprietary platforms | Social networks such as Facebook and LinkedIn used for both socializing and working
Dynamic Content Options | Outdated static content within corporate intranet – centralized maintenance and control | Blogging, wiki, social networking and content services allowing consumers to create, customize, and manage the content they want
Update Cycles | Long replacement cycles – up to four years for hardware and eight years for software | Very rapidly updated hardware – immediate download of new apps and services
Style and Customization | Highly standardized, inflexible and often restricted environment (“beige box”) | High variety of consumer devices, systems, applications and “skins”


Blount explores the “Consumerization of IT – Security Challenges” by describing the challenges, the opportunities and the benefits. “This important trend is not just about new devices; it’s about the entire relationship between IT and its user population.” (Blount, 2011, p. 3) BYOD is not just a technology issue. “In particular, enterprises can only leverage these benefits if they can effectively control access to their critical systems, applications and information, from both approved IT endpoints and from these new consumer devices.” (Blount, 2011, p. 3) The two main types of controls for BYOD will be: controls on the device, and controls relating to access and use of IT systems, applications and information. (Blount, 2011, p. 9) This section characterizes the information security attributes of BYOD so that we can compare them to the current state using UWYT. Using Orans and Pescatore’s model, the future state moves BYOD adoption from Block and Disregard to Contain and Embrace. BYOD impacts all levels of the Security Architecture Framework. Each of the following sections will compare the UWYT model to the BYOD model with a focus on the impacts on IT security practices and policies. This approach creates a hybrid liability model with some Corporate Liable and some Individual Liable components.

Information Security Governance

“The purpose of the ‘IS Governance’ layer in the SAF is to define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho, 2007, p. 11) The decentralized nature of the BYOD model relies on IT departments to protect the corporate network from unintended risks. This introduces Individual Liability into the Corporate Liability management of endpoints in an organization. (ProfitLine, 2011) IT departments must also retain responsibility for ensuring secure access to systems, applications and information. BYOD allows IT departments to reduce their focus on being the source for endpoints. To adapt to the BYOD demands from executives and employees, IT departments need to shift from their “tightly coupled” approach to a more “loosely coupled” approach. (Blount, 2011, p. 3) This means building a management plan to move from the Block and/or Disregard model to a Contain and/or Embrace model. (Orans & Pescatore, 2011) Some companies employ the Contain model for email and calendar access on BYOD devices, but they have not created a formal BYOD policy. This security layer focuses on policy, policy formation, evaluation, and standards (including legislative compliance – HIPAA and FIPPA). One of the first key action items is to develop a BYOD policy. “Developing formal BYOD policies is critical, because personally owned devices present risks to the network in the form of unintended denial of service and other threats to network stability, such as the spread of malware.” (Orans & Pescatore, 2011, p. 2) The policy will need to address the requirements of general IT security and, specifically, information security and endpoint usage. Employees will need to sign off on the BYOD policy, which specifies adherence to established security practices, including allowing the employer some level of access to their personal device. Clearly defining who has control of the various components of the endpoint is important for the policy to be effective.

“Some people believe that consumerization of IT means only supporting new, smarter consumer devices. But, although that was the first symptom, this trend is actually far more important and impactful than that. It’s not just about devices – it’s about control.” (Blount, 2011, p. 5)

Operations Security

“The purpose of the Operations Security Layer is to define the enterprise’s intra-organizational and operational needs as they interact with and require access to the enterprise IT services, in order to identify and address security needs at the enterprise’s organizational level.” (Bernard & Ho, 2007, p. 12) BYOD significantly expands the scope of the operations security practices that need to be in place. Expanding the number and types of endpoints will require additional investment in the following activities: risk assessment, vulnerability assessment, contingency planning, incident handling team, disaster recovery planning, business continuity planning and security operations center. Support costs will increase for helpdesk and technical staff who will need to support a multitude of endpoint devices. “Paradoxically, this trend is likely to both expand the scope and reduce the control of IT. The scope of responsibility for IT will be expanded because its role now doesn’t stop at the firewall – the corporate network now extends out to the user and their unique access devices.” (Blount, 2011, p. 7)

Personnel Security

“The purpose of the Personnel Security layer is to ensure that enterprise personnel are accessing and utilizing its information and technology services safely, securely and in accordance with their predefined roles and responsibilities of their job functions, through proper access control plans and detection of employee anomalous behavior.” (Bernard & Ho, 2007, p. 14) The BYOD model requires an investment in security training programs for employees.

Many users of consumer IT devices fail to keep their security software updated, implement device storage encryption or even set a device password. This poses a significant risk to organizations when personal devices contain corporate information and applications. Employers should establish an organizational change management program to educate employees who use personal devices to access IT systems, applications and information. Employees will be less inclined to implement security best practices on their devices unless they understand the risks of not complying. This is very much a culture issue and, if not addressed, introduces significant risk to organizations from leakage of sensitive corporate information. Monitoring of BYOD endpoints requires installation of security software on the device. Again, this will be a culture change issue for employees. The employee will need to allow the employer access to their personal device to protect corporate information. Employers will implement mobile device management software to secure and monitor endpoints accessing and storing corporate data.

Information and Data Flow Security

“The purpose of the Information & Data Flow Security layer is to identify and classify information and data as it moves through the enterprise – in order to justify adequate security controls.” (Bernard & Ho, 2007, p. 16) BYOD will be able to leverage the same information and data flow security as UWYT. Using information classification techniques protects the confidentiality and sensitivity of corporate information. Information use on personal devices is an important consideration in mitigating the risks of data leakage. “… many organizations believe that their own employees pose a more serious data security threat, via either inadvertent or malicious behavior, than do outsiders.” (Blount, 2011, p. 15) The appropriate access controls, authorization, encryption and backup techniques across all devices and users in the organization can be determined based on information classification methods. Key activities in this security layer are information classification, security models, risk controls, risk management and risk analysis. All of these activities require a commitment of resources and time. The implementation and management costs are lower when the number of models/types of endpoints that access corporate data is limited. Information control technologies are available to manage information protection and provide an additional layer of security. Technologies that limit the ability to copy, print or email data are known as “digital rights management”. IT departments need to assess whether the digital rights management protection will “travel” with the data as it moves from the corporate network to a BYOD device. The success or failure of this approach would be a guide to suggesting which endpoints should be purchased by employees. Another approach would be to adopt virtualization strategies that contain corporate information in the data center and only send screen changes to the BYOD endpoint. This is a more secure approach as the data never leaves the corporate data center, keeping it protected while allowing the employee to work.

Application Development Security

“The purpose of the Application Development Security layer is to design the authentication, authorization and accounting (AAA) components into the applications used in the enterprise; to enforce the application process follow throughout the enterprise; and to ingrain security in the SDLC.” (Bernard & Ho, 2007, p. 18) The UWYT model contains the entire infrastructure to run the enterprise applications needed by employees to do their work. Moving to a BYOD model introduces consumer based, personal endpoints and a multitude of personal applications. These environments are not the typical hardware (Intel PC), operating system (usually Windows) and browser (usually Internet Explorer) used in UWYT models. Application development needs to move to open web standards that can be deployed on any endpoint device. Consideration for the multitude of applications available from the various endpoint vendors’ “App Stores” is important. Employees will be downloading free and purchased applications onto their end devices. IT departments will have no way to vet these applications for security flaws. At this point, there are no simple ways to verify the security of employee purchased/downloaded applications. There are potential security risks if the downloaded applications access corporate data on the endpoint device and
propagate the data back out to the internet. Application and desktop virtualization strategies should be implemented to segregate personal applications from enterprise applications. BYOD introduces some challenges to organizations that use more of a “buy vs. build” approach. When procuring new software and applications, the ability to run on multiple platforms becomes a key requirement. In addition, consideration for the ability to virtualize the software application will help secure running it on BYOD endpoints. If the application can be deployed to any browser on any operating system and device, then risks and costs can be managed effectively. Control of the application would move from physical infrastructure to virtual applications and virtual desktop management. One other attribute of this layer in the UWYT model is that the applications developed, purchased and installed are predetermined for employees. Standardizing the application development platforms on open standards reduces the number of vulnerabilities that need application security activities.

Systems Security

“The purpose of the Systems Security layer is to protect sensitive applications and provide granularity of access controls to sensitive resources.” (Bernard & Ho, 2007, p. 20) The key activities in this security layer are platform hardening, authentication and authorization, database security, PKI enabled applications, single sign-on and host based intrusion detection. The BYOD model requires a proactive approach to system security because personal devices are not controlled and have the potential to introduce significant security risks. BYOD relies on identity management governance processes like role management, access requests, authentication and authorization. The reliance on human resource business processes to update employee records in a timely manner is more critical with BYOD than UWYT. If an employee leaves the organization, there needs to be a secure process to remove all corporate assets from their personal endpoint device. Privilege and access rights cleanup become a fundamental ongoing security practice in order to protect corporate data.

Infrastructure Security

“The purpose of the Infrastructure Security layer is to develop a secure infrastructure that meets all the security requirements of the enterprise and can safeguard against future attacks against the enterprise.” (Bernard & Ho, 2007, p. 22) This security layer is critical in protecting organizations from internal and external attacks. The BYOD model introduces a new security layer into the network for wired and wireless networks – the Limited Access Zone (LAZ). Network partitioning and firewall security combined with network access control (NAC) will manage the risk of personal devices connecting to the corporate network in the Contain strategy for BYOD. NAC can enforce endpoint protection policies. If the BYOD device does not have adequate malware protection or is not up to an established security patch level, it will be blocked from accessing the corporate network. Using the LAZ as a control boundary protects corporate systems, applications and information. The LAZ should be established on both the wireless and the wired networks as more employees choose to use
laptops over desktop PCs. Once the Contain strategy is established, it can be grown out to become the Embrace strategy where all endpoints are personal devices. “There is a huge operational and support gap between a Contain strategy (let some people BYOD for some things) and an Embrace strategy (allow everyone to BYOD for almost everything).” (Orans & Pescatore, 2011, p. 4)

Physical Security

“The purpose of the Physical Security layer is to construct a secure perimeter physical defense system that safeguards the facility and physical resources for the enterprise.” (Bernard & Ho, 2007, p. 25) Most organizations rely on keeping computer endpoints behind the protection of physical security, including building and facility security and physical access controls. As organizations deploy more laptops in favor of desktops and begin the Contain strategy of BYOD, they will rely more heavily on other security layer protections. Many employees will take their employer supplied laptops home to do work and even on vacation. BYOD devices bypass the physical security layer and rely on other security layers: information security governance, personnel security, information and data flow security, application development security, system security and infrastructure security.

Future State Summary

Blount cites four factors that are contributing to the push to adopt consumer technology into organizations. The first and most obvious factor is the “continued innovation in personal devices”. (Blount, 2011, p. 6) As pressure mounts from both executives and employees, IT departments will have no choice but to adopt some form of BYOD model. The second factor is “high growth in use of social media and related applications”. (Blount, 2011, p. 6) Employees are using social media as part of their everyday lives and now integrating social media tools as part of their work practices. The third factor is the “externalization of the business”. (Blount, 2011, p. 6) This is seen as a cost saving model, particularly to reduce IT costs by using cloud based services and outsourcing or off-shoring non-core functions. The last factor is “the blurring of the line between personal and work life.” (Blount, 2011, p. 6) Like social media making its way into the workplace, work is making its way into personal lives. In the early days of desktop computing, employees could leave their work at work. Now with lightweight laptops, tablets and smartphones, work is coming home. In some cases, this is part of a planned telecommuting strategy, but in most cases it is being enabled by highly functional consumer technology. The two main types of controls for BYOD will be: controls on the device and controls relating to access and use of IT systems, applications and information. (Blount, 2011, p. 9) BYOD strategies must be considered by organizations as their executives and employees demand the ability to use personal devices to access corporate information and systems. Organizations no longer have a choice and need to move from the Block/Disregard strategies to Contain/Embrace for BYOD. (Orans & Pescatore, 2011) This is a “loosely coupled” environment where the make and model of the personal endpoint device becomes irrelevant.
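The Infrastructure Security section above describes NAC as the control that decides which network a device may join: no working malware protection or an out-of-date patch level means the device is blocked, and personal devices that do pass are confined to the Limited Access Zone. The following is an added example of that decision logic, written for this paper rather than taken from it or from any NAC product. The posture fields, the 30-day patch and 7-day signature thresholds, the requirement that personal devices also have a device password and storage encryption (the two hygiene gaps the Personnel Security section calls out), and the zone names are all assumptions; the sample posture reports are constructed.

```python
"""Posture-based network admission for a BYOD Contain strategy (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30      # assumed baseline: OS security patches no older than 30 days
MAX_SIGNATURE_AGE_DAYS = 7   # assumed baseline: malware signatures no older than 7 days


@dataclass(frozen=True)
class Posture:
    """Posture report for one endpoint, as a NAC agent or MDM might supply it (assumed fields)."""
    device_id: str
    ownership: str            # "corporate" (UWYT) or "personal" (BYOD)
    os_patch_date: date       # date of the most recent applied OS security patch
    av_running: bool          # endpoint protection agent installed and running
    av_signature_date: date   # date of the malware signature set in use
    screen_lock: bool         # device password / screen lock configured
    storage_encrypted: bool   # device storage encryption enabled


def posture_failures(p: Posture, today: date) -> list[str]:
    """Return the policy checks the device fails (empty list means compliant)."""
    failures: list[str] = []
    if not p.av_running:
        failures.append("malware protection not running")
    elif (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("malware signatures out of date")
    if (today - p.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("below required patch level")
    if p.ownership == "personal":
        # Consumer devices often ship without these; the signed BYOD policy
        # requires them before the device may reach corporate data.
        if not p.screen_lock:
            failures.append("no device password")
        if not p.storage_encrypted:
            failures.append("storage not encrypted")
    return failures


def admission_zone(p: Posture, today: date) -> str:
    """Map a posture report to a zone: 'corporate', 'laz' (Limited Access Zone) or 'blocked'."""
    if posture_failures(p, today):
        return "blocked"
    return "corporate" if p.ownership == "corporate" else "laz"


def admit_all(reports: list[Posture], today: date) -> dict[str, str]:
    """Evaluate a batch of posture reports; returns device_id -> zone."""
    return {p.device_id: admission_zone(p, today) for p in reports}


# Constructed sample posture reports (not real devices).
TODAY = date(2012, 5, 1)
SAMPLE_REPORTS = [
    Posture("uwyt-laptop-01", "corporate", date(2012, 4, 20), True, date(2012, 4, 30), True, True),
    Posture("byod-tablet-02", "personal", date(2012, 4, 25), True, date(2012, 4, 28), True, True),
    Posture("byod-phone-03", "personal", date(2012, 4, 25), True, date(2012, 4, 28), False, True),
    Posture("byod-laptop-04", "personal", date(2012, 2, 1), False, date(2012, 1, 15), True, True),
]

if __name__ == "__main__":
    for device, zone in admit_all(SAMPLE_REPORTS, TODAY).items():
        reasons = posture_failures(next(r for r in SAMPLE_REPORTS if r.device_id == device), TODAY)
        print(f"{device}: {zone}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

Keeping `posture_failures` separate from `admission_zone` matters operationally: the helpdesk needs the list of failed checks to tell the employee what to remediate, while the network only needs the zone decision. Ownership is a policy input here, not something the device asserts about itself; in practice it would come from the MDM enrollment record.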

This method of endpoint management has many challenges, including new policies, culture change with the blend of personal and work lives, and information and system security. The main attributes of this environment are centralized policies, strong identity management practices, information categorization and access control, and network access control. The BYOD model expands employee choice and may be a success factor for recruiting employees. It also introduces new risks to the organization, particularly around data leakage, that must be planned for. This is a hybrid liability model mixing Corporate Liable and Individual Liable components into the organization’s enterprise architecture. “CIOs must get ahead of the consumerization curve by coming to terms with what is valuable and productive about the influence of consumer IT.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 4)


BYOD Management Plan Bernard describes the EA Management Plan as “a plan to move from the current to the future EA” and “a management program that provided a strategic, integrated approach to resource planning.” (Bernard S. A., 2005, p. 34) The following processes are components of the management plan:

• Resource Alignment: resource planning and standards determination
• Standardized Policy: resource governance and implementation
• Decision Support: financial control and configuration management
• Resource Oversight: lifecycle approach to development/management

Bernnat et al. suggest two approaches to accommodate the use of consumer IT by employees. The first option is the “Bring In” approach. This approach “involves opening the corporate IT environment to private use and letting employees’ digital lives freely enter their work environments.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6) The second option is the “Reach Out” approach. This approach “reaches out to employees, allowing them to use their personal devices – even PC’s – to do their work.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6) Each of these approaches has different resource, policy, support and oversight requirements.

BYOD Management Plan

Bring In Approach
Resource Alignment: Use existing resources for endpoint management because the endpoints are employer owned
Standardized Policy: Implement Information Security and BYOD Policy for private Web use on employer owned endpoints
Decision Support: Employees have a wide variety of employer supplied endpoints to choose from; enterprise apps are pre-installed and employees can add personal apps
Resource Oversight: Employees use company owned endpoints and there continues to be a high degree of employer control

Reach Out Approach
Resource Alignment: Increase support resources for endpoint management because of the mix of employer and employee owned endpoints
Standardized Policy: Implement Information Security and BYOD Policy for employee endpoints and private Web use
Decision Support: Employees bring their own endpoints for use at work; access to enterprise apps is controlled by virtualization technologies for apps and desktops
Resource Oversight: Employees need to ensure their endpoints comply with employer standards; employers need to establish standards and monitor security access

The management plan also addresses Risk Management issues for Employee BYOD programs. Key areas for risk management are: (Bernnat, Acker, Bieber, & Johnson, 2010, pp. 7-8)

• Security - specifically network security and data leakage
• Productivity - potential lost productivity with web surfing distractions
• Legal and Compliance - ensuring compliance with privacy and copyright laws
• Reputation - employees making poor judgements when interacting on social media
• Support and Maintenance Costs - heterogeneous endpoint environments increase support costs
• Risks - employees may not be able to do their work (in a timely manner) when their personal endpoint fails and requires replacement

All of these risks must be considered and planned for, both in the creation of policy and in the development of technology/security solutions.

Conclusion

Bernard describes four dimensions of security: physical, data, personnel and operations. (Bernard S. A., 2005, p. 329) These were expanded by Bernard and Ho into a Security Architecture Framework with eight security layers. (Bernard & Ho, 2007) This paper used the eight layers to describe the impacts on IT security architecture when organizations implement a BYOD model. This table summarizes the differences between UWYT endpoints and employee BYOD using Bernard and Ho’s model:

Information Security Governance
UWYT - Employer: Standardized endpoints with a Block or Disregard policy approach – “tightly coupled” control of all layers of architecture – focus on corporate control – this is a corporate liable model
BYOD - Employee: Move to a ‘loosely coupled’ approach to endpoint management. This is not an endpoint centric approach – focus on policy, culture change and controlling the applications, systems and information layers – requires a BYOD policy to be in place describing responsibilities of employer and employee – this is a blend of a corporate and individual liable model

Operations
UWYT - Employer: Centrally supported data and endpoint service, standard security, antivirus and data protection – requires an acceptable use policy but no mention of personal endpoints
BYOD - Employee: Expands the scope of support to a hybrid model – internal for data, external vendor for endpoint, distributed security, antivirus and data protection

Personnel
UWYT - Employer: Lesser level of employee technical ability due to central support, no tax implications as these endpoints are considered equipment, standard user experience and support. Lower costs to create and deliver training on standard endpoints
BYOD - Employee: Higher level of employee technical ability due to hybrid support, stipend model may result in income tax implications; potential confusion for users resulting in unsatisfactory service, a BYOD policy must be created. Higher costs to create and deliver training, especially about information security

Information and Data Flow
UWYT - Employer: Centrally provisioned and secured information to meet regulatory and compliance rules and audits. Access controls limit data leakage based on information classification methods
BYOD - Employee: Leverages centrally provisioned and distributed security, needs an ability to wipe enterprise data but not personal data, more controls required to meet regulatory and compliance rules and audit – digital rights management

Application
UWYT - Employer: Entire application infrastructure contained to corporate endpoints to limit vulnerabilities and data leakage. Provides employees with only the applications they need and typically with a lesser user experience
BYOD - Employee: Focus on open standards that will run on any endpoint; consideration for future applications (buy or build); strategies needed to separate personal apps from enterprise apps due to the possibility of inappropriate data access

System
UWYT - Employer: Centralized control of access to applications, systems and information using IAM and PKI security, IT controls the access process instead of relying on HR business processes
BYOD - Employee: Strong reliance on HR business processes to notify of changes in employee status in a timely manner; IAM is a critical technology and security strategy and needs investment to properly create role based access and remove access in a timely manner

Infrastructure
UWYT - Employer: Layered security approach to network access that restricts access to the wired network for accessing enterprise applications, systems and information. Blocks external endpoints from accessing the network
BYOD - Employee: Layered security approach for network access gets augmented by implementing a Limited Access Zone for BYOD devices; use Network Access Control to verify adequate malware and patch protections before allowing access

Physical
UWYT - Employer: This is a key security layer for UWYT as it restricts physical access to key applications, systems and information. This security layer is compromised as soon as an endpoint is taken out of the physical protection of the corporate workplace.
BYOD - Employee: Physical security is ineffective for BYOD as most of the endpoints are mobile; reliance on the other key security layers is mandatory to reduce risk

Some final overall considerations for moving from a Block/Disregard strategy to a Contain/Enable strategy for BYOD are (ProfitLine, 2011, p. 2):

• The major pricing and contractual benefits that are lost when moving to individual liable
• The hidden IT support costs and potential user experience issues
• The increased security risk and policy ramifications

Each organization needs to consider the impacts of the endpoints supported, the data on those endpoints, identity management, employee on-boarding and off-boarding, and providing an endpoint independent platform to deliver data and information.
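The Systems Security section and the off-boarding consideration above both point at the same control: when HR records a departure, the leaver's accounts must be disabled, their sessions revoked, and corporate data removed from a personal endpoint without touching the employee's own data, while an employer-owned endpoint is wiped for recovery. The following added example reconciles an HR roster against identity management accounts and MDM enrollments to produce that action list, and separately reports accounts left enabled past a one-day SLA after termination (the "timely manner" the summary table stresses). It is written for this paper and is not the paper's own code or any vendor's API; the record fields, action names, SLA and sample data are assumptions and the sample records are constructed.

```python
"""Off-boarding reconciliation between HR, identity management and MDM (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    """HR system-of-record entry (assumed fields)."""
    employee_id: str
    status: str                       # "active" or "terminated"
    terminated_on: Optional[date]     # set when status is "terminated"


@dataclass(frozen=True)
class Account:
    """Identity management account (assumed fields)."""
    user_id: str
    employee_id: str
    enabled: bool


@dataclass(frozen=True)
class Device:
    """MDM enrollment record (assumed fields)."""
    device_id: str
    employee_id: str
    ownership: str                    # "corporate" (UWYT) or "personal" (BYOD)
    enrolled: bool                    # still enrolled in mobile device management


def plan_offboarding(hr: list[Employee], accounts: list[Account],
                     devices: list[Device]) -> list[tuple[str, str]]:
    """Return (action, target) pairs that bring IAM and MDM in line with HR."""
    known = {e.employee_id for e in hr}
    gone = {e.employee_id for e in hr if e.status == "terminated"}
    actions: list[tuple[str, str]] = []
    for a in accounts:
        if a.employee_id not in known:
            # Orphan account: no HR record exists, so no HR event would ever trigger its removal.
            actions.append(("review_orphan_account", a.user_id))
        elif a.employee_id in gone and a.enabled:
            actions.append(("disable_account", a.user_id))
            actions.append(("revoke_sessions_and_tokens", a.user_id))
    for d in devices:
        if d.employee_id in gone and d.enrolled:
            if d.ownership == "personal":
                # Remove only the corporate container; the employee keeps their personal data.
                actions.append(("selective_wipe_corporate_data", d.device_id))
            else:
                actions.append(("full_wipe_and_recover", d.device_id))
            actions.append(("unenroll_from_mdm", d.device_id))
    return actions


def overdue_accounts(hr: list[Employee], accounts: list[Account],
                     today: date, max_lag_days: int = 1) -> list[str]:
    """Accounts still enabled more than max_lag_days after HR recorded the departure."""
    ended = {e.employee_id: e.terminated_on for e in hr
             if e.status == "terminated" and e.terminated_on is not None}
    return [a.user_id for a in accounts
            if a.enabled and a.employee_id in ended
            and (today - ended[a.employee_id]).days > max_lag_days]


# Constructed sample records (not real people or devices).
TODAY = date(2012, 5, 1)
HR = [
    Employee("E100", "active", None),
    Employee("E101", "terminated", date(2012, 4, 27)),
    Employee("E102", "terminated", date(2012, 4, 30)),
]
ACCOUNTS = [
    Account("alice", "E100", True),
    Account("bob", "E101", True),         # left four days ago, still enabled: SLA breach
    Account("carol", "E102", True),       # left yesterday, still inside the one-day SLA
    Account("svc-legacy", "E999", True),  # no HR record at all
]
DEVICES = [
    Device("byod-phone-bob", "E101", "personal", True),
    Device("uwyt-laptop-bob", "E101", "corporate", True),
    Device("byod-tablet-alice", "E100", "personal", True),
]

if __name__ == "__main__":
    for action, target in plan_offboarding(HR, ACCOUNTS, DEVICES):
        print(f"{action:32} {target}")
    print("overdue:", overdue_accounts(HR, ACCOUNTS, TODAY))
```

Two points the code makes that the prose leaves implicit: an account with no HR record is the one case a purely HR-driven process can never clean up, so it is surfaced for review rather than silently ignored, and the wipe action is chosen from the ownership recorded at enrollment, which is what lets the employer honour the "wipe enterprise data but not personal data" requirement on a BYOD endpoint.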

A Proposed Approach to Introduce BYOD for Employees

This proposed approach requires executive leadership and strong project management. The project plan should allow for conducting the policy and research activities in parallel. Implementing the Policy and Technology strategies requires budget and resources for successful deployment and ongoing support in a BYOD Contain/Embrace strategy.

UWYT Block/Disregard Strategy
• most organizations are here today
• there are risks as some employees are connecting to employer networks with no controls

Policy Development
• Contract Negotiations
• Remuneration Models
• BYOD Policy
• Information Security Policy

Technology Research
• Mobile Device Mgmt (MDM)
• Hosted Virtual Desktops (HVD)
• Virtual Applications (APPV)
• Network Access Control (NAC)

Implementation based on Policy and Research
• Pilot Contain Model with small group
• Grow out Contain Model
• Embrace Model requires all 4 technologies to be in production

BYOD Contain/Embrace Strategy
• most organizations will stay at Contain model for the next 3 to 5 years
• only a few organizations (mostly small ones) will go to Embrace model

References

6dg. (2012). Business Optimisation. Retrieved from 6dg: http://www.6dg.co.uk/solutions/business-optimisation/

Bernard, S. A. (2005). An Introduction to Enterprise Architecture, 2nd Edition. Bloomington, IL: AuthorHouse.

Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for Implementing Information Security and Data Privacy. Washington, DC, USA.

Bernnat, R., Acker, O., Bieber, N., & Johnson, M. (2010). Friendly Takeover: The Consumerization of Corporate IT. Retrieved from booz&co: http://www.booz.com/media/uploads/Friendly_Takeover.pdf

Blount, S. (2011, Aug). The Consumerization of IT: Security Challenges of the New World Order. Retrieved from Computer Associates: http://www.ca.com/us/~/media/Files/TechnologyBriefs/Consumerization-of-IT-Tech-Brief.pdf

Lomas, N. (2011, Oct 23). BYO - Bring Your Own Device: Cheat Sheet. Retrieved from TechRepublic: http://www.techrepublic.com/blog/cio-insights/byo-bring-your-own-device-cheat-sheet/39748120?tag=content;siu-container

Orans, L., & Pescatore, J. (2011, Dec 22). NAC Strategies for Supporting BYOD Environments. Retrieved from Gartner: http://www.gartner.com

ProfitLine. (2011). The Hidden Risks of a "Bring Your Own Device" (BYOD) Mobility Model. Retrieved from ZDNet: http://i.zdnet.com/whitepapers/Profitline_The_Hidden_Risks_of_a_Bring_your_own_Device_BYOD_Mobility_Model_1_19_2011.pdf

Ranger, S. (2012, Apr 19). How the BYOD Flood Is Sweeping Away the IT Department's Priorities. Retrieved from TechRepublic.

Sen, P. K. (2012, Feb 24). Consumerization of Information Technology: Drivers, Benefits and Challenges for New Zealand Corporates. Retrieved from Victoria University of Wellington: http://researcharchive.vuw.ac.nz/bitstream/handle/10063/2095/thesis.pdf?sequence=1

Wallin, L.-O. (2011, Oct 20). Gartner's View on 'Bring Your Own' in Client Computing. Retrieved from Gartner: http://www.gartner.com

Wikipedia. (2012, Jan 31). Endpoint. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Endpoint