BYOD Led to Big Mobile Device Security Lapses in U.S. Army

  • Written by CJ Arlotta
  • April 3, 2013

While many end users are aware of potential dangers associated with not securing a device properly, that doesn’t mean they secure it. Many choose to ignore advice from IT professionals about locking their devices. Sure, we may expect this from the end user, which is why managed services providers (MSPs) try to place themselves between businesses and end users, but what about the U.S. military? Shouldn’t it have higher standards for bring your own device (BYOD) and mobile device management (MDM)? Apparently it does not. Sophos Senior Threat Researcher Beth Jones recently highlighted the alarming vulnerabilities left open in the U.S. military's implementation of mobile devices in her Naked Security blog. Here are the details.

Jones pulled the following facts from the Inspector General's report (which appears to have been pulled from, but has since been reposted to, the government’s website). They show how the CIO of the U.S. Army neglected standard BYOD security procedures, including:

  • mobile devices and data were not protected with MDM software;
  • the U.S. Department of Defense did not have the ability to remotely wipe devices;
  • the Army CIO was unaware of 14,000 devices throughout the Army;
  • users were not trained and did not sign user agreements; and
  • users were allowed to save sensitive data on removable media.

Jones further said the findings from the report matter to the IT channel because they demonstrate that even the U.S. military is struggling with the security ramifications of BYOD. It’s not surprising that small to mid-sized businesses are, too. MSPs should take note.

Data loss matters

Jones cited the case of the U.S. Secret Service contractor who left two tapes of sensitive data on a DC Metro train as a prime example of what could happen to any employee at any level. Data is power and criminals are always looking to get their hands on sensitive material.

Jones recommended that any CIO grappling with BYOD security issues consider Sophos CTO Gerhard Eschelbeck’s seven-step BYOD security plan:

  1. Identify the risk elements that BYOD introduces — measure how risk can impact a business and map the risk elements to regulations;
  2. Form a committee to embrace BYOD and understand the risks — include business stakeholders, IT stakeholders, and information security stakeholders;
  3. Decide how to enforce policies for any and all devices connecting to your network — include mobile devices, tablets and portable computers;
  4. Build a project plan — include remote device management, application control, policy compliance and audit report, data and device encryption, augmenting cloud storage security, wiping devices when they are retired, revoking access to devices when the end-user relationship changes from employee to guest and revoking access to devices when employees are terminated by the company;
  5. Evaluate solutions — consider the impact on your existing network and how to enhance existing technologies prior to next step;
  6. Implement solutions — develop a pilot group from each of the stakeholders’ departments. Then expand the pilot group to departments based on your organizational criteria. Open BYOD program to all employees;
  7. Periodically reassess solutions — invite vendors and trusted advisors to review roadmaps entering your next assessment period.

11 comments

  1. Adam April 4, 2013 @ 4:20 pm

    BYOD certainly presents serious security risks. One way to manage these security challenges is to separate data and applications from the end user devices. Data and applications can be securely hosted on VDI virtual desktops or on Microsoft RDS (Terminal Server) while mobile employees access those applications and desktops using HTML5-compatible browsers.

    That's the idea behind solutions like Ericom AccessNow, an HTML5 RDP client that enables access to Windows applications and desktops from a browser. Basing access on the browser allows employees to get to their applications and data from iPads, iPhones, Android tablets and phones and other devices.

    Download this free white paper for some additional ideas on managing BYOD security issues:
    http://www.ericom.com/WP-MobileAccessSecurity.asp?URL_ID=708

    Please note that I work for Ericom

  2. CJ Arlotta April 4, 2013 @ 7:42 pm

    Adam:

    Thanks for the input.

    How would Ericom have addressed the issues?

    –CJ

  3. Lawrence Garvin April 4, 2013 @ 8:08 pm

    An important distinction for the U.S. Army story related here, and any organization dealing with mobile devices, is whether those devices were *authorized* to be used in the workplace or not.

    In fact, the entire driving force behind the entire BYOD discussion has been employees unilaterally injecting the use of devices into their employer's workplace, in most cases without advance consent.

    Where the real security defect occurs is that such devices can get *access* to organizational resources (data, applications, etc.) in light of the fact that they're not part of the organizational technology infrastructure.

    Wireless technologies are a significant culprit in this matter, and the failure to properly configure wireless technologies to restrict access to only authorized devices. In most cases, wireless technologies are secured by password, which ensures that only authorized *users* get access, but without any real control over what device they use for that access.

    An effective BYOD strategy, in addition to implementing MDM and Remote Wipe capabilities, also needs to implement the appropriate access security mechanisms to ensure unauthorized devices do not have access.

    The whitepaper Managing the BYOD Chaos http://content.solarwinds.com/creative/pdf/Whitepapers/Managing_the_BYOD_Chaos_Whitepaper.pdf provides some additional thoughts on how to better manage device access to the organizational network.

    Note: I am an employee of SolarWinds.

  4. CJ Arlotta April 4, 2013 @ 10:28 pm

    Lawrence:

    Thank you for your insight.

    As an employee of SolarWinds, do you believe your solution could do a better job of managing devices for the U.S. military?

    Would a COPE strategy be more effective?

    –CJ

  5. seema April 11, 2013 @ 8:17 am

    An important distinction for the U.S. Army story related here, and any organization dealing with mobile devices, is whether those devices were *authorized* to be used in the workplace or not.

  6. CJ Arlotta April 11, 2013 @ 11:49 am

    Seema:

    You're right, but what about the other issues? What if an authorized device is lost and can't be swiped?

    –CJ

  7. Adam April 15, 2013 @ 9:42 am

    CJ:

    In response to your question, Ericom’s approach to BYOD is to leverage HTML5 technology in such a way that no data is on the employee’s mobile devices. The data and applications stay in the data center, and they are accessed using the mobile device’s browser. Since there’s no data on the devices, nothing is exposed if the device is lost or stolen.

    Adam

  8. Gary Griffiths April 15, 2013 @ 10:06 am

    These are some interesting findings. I say this because when it comes to BYOD, Mobile Device Management (MDM) has little if any role to play.

    MDM does not equal Mobile Device Security

    MDM does not equal Mobile Data Security

    MDM only lets you control and manage devices, to the extent a device manufacturer allows you to.

    For BYOD, device security has less relevance, as it is a device not owned by the organisation.

    What should matter though, and be the focus, is data security.

    If I could bold and underline that last sentence I would 🙂

    So when it comes to the plan recommended by Sophos, I don’t think they have it right.

    Policies and Procedures are definitely relevant and need to be thought through, and will be ever evolving. But device management, wiping devices, revoking access to a BYOD device – I don’t see how you could do that to a device you do not own – legally or morally. Yes you can do it technically.

    No disrespect to Ericom, but I don’t believe the approach mentioned above is the answer either. Remote access/VDI is giving a user a Windows Desktop on their mobile device (eg iPad). The user experience is arguably sub optimal (try and drive a Windows desktop on your iPad), it also means they can only access systems when they’re online – presenting another productivity challenge. I will say though, as long as the connection is encrypted adequately, this is a very secure approach.

    Many of the problems that arise from BYOD stem from the lack of security around business data, and from a misperception that Mobile Device Management (MDM), is the appropriate technology for BYOD. It is not.

    There are three principles you need to adhere to from a data security perspective.

    1. Protect your corporate data at rest and in transit. BYOD means employees are accessing, and potentially storing, corporate data, on their personally owned devices. To ensure your corporate data is secured, you need to ensure it is encrypted at all times. That means data must be encrypted whilst stored on a BYOD device, and it needs to be encrypted in transit, between the mobile device and your corporate systems. Two common ways for achieving this are application level encryption, and Virtual Private Networks (VPN).

    2. Prevent business data leakage. Stopping your corporate data leaking to personal applications, includes those applications residing on the device and in the cloud that you don’t control or have secured. By separating corporate data from personal data, the business data can be controlled and prevented from being moved purposefully or inadvertently to non corporate applications. This includes preventing the ability to copy and paste from business applications to personal applications, as well as preventing the ability to use “open in” to open business data in a personal application – yet allowing this to work for business data being opened in a business application. This is critical for both data security and privacy requirements. The two best approaches for this capability today are containerisation, and virtualisation.

    3. Enforce strongly authenticated access to business applications. Encrypting data, and preventing data leakage will only protect your data if adversaries cannot easily access the information by logging in. Many attacks happen today by way of social engineering, and the reliance on passwords has left many companies and individuals vulnerable (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/). The best way to prevent these attacks from being successful today is via multi factor authentication.

    So, to summarise the above, if you are looking at implementing a successful BYOD program, you will need to choose a technology, or technologies, that can encrypt your data at rest and in transit, prevent any corporate data being moved to any unsecured non-business application or system, and require multi factor authentication to access your business applications and data.

    And I’d say this will be the easiest part of your BYOD program. This technology exists today. It’s the policies etc that are quite difficult to sometimes work out.

    Note: I am an employee of Good Technology. These comments are solely my own, and not necessarily the views of my employer.

  9. joepan April 18, 2013 @ 6:54 pm

    Gary: Thanks for taking the time to stop by and offer the detailed notes. We look forward to staying in touch with Good, especially amid the CEO announcement a few weeks back.

    Best,
    -jp

  10. Lawrence Garvin April 22, 2013 @ 3:10 pm

    CJ: I don’t think a COPE strategy would be appropriate here. As I understand COPE, that methodology is more targeted to whether a product should be introduced into a market, and that’s going to be driven by the market’s interest in the product.

    In the instant case, we’ve already determined that the market (the employees) are interested in the product (devices), so I think it's less of a question about introduction as it is retention and supportability.

    If the organization were introducing something *new* to the organization, then a COPE strategy would be appropriate.

    SolarWinds does have products that can assist in this endeavor. User Device Tracker (http://www.solarwinds.com/user-device-tracker.aspx) allows an organization to identify the devices and authentication accounts being used on the network, and other products can be used to monitor what those devices are actually doing while connected to the network.

  11. CJ Arlotta April 24, 2013 @ 11:28 am

    Lawrence:

    Thanks, again, for your comment.

    I’m not choosing either model, but I do enjoy playing devil’s advocate.

    Wouldn’t it be easier to support models if a business limited its choice of devices?

    –CJ
