BYOD Led to Big Mobile Device Security Lapses in U.S. Army
While many end users are aware of the dangers of leaving a device unsecured, that doesn’t mean they secure it. Many ignore advice from IT professionals about locking their devices. We may expect this from end users, which is why managed services providers (MSPs) try to position themselves between businesses and end users, but what about the U.S. military? Shouldn’t it have higher standards for bring your own device (BYOD) and mobile device management (MDM)? Apparently not. Sophos Senior Threat Researcher Beth Jones recently highlighted, in her Naked Security blog, the alarming vulnerabilities left open in the U.S. military’s implementation of mobile devices. Here are the details.
Jones pulled the following facts from the Inspector General’s report (which appears to have been pulled from the government’s web site for a time but has since been reposted). They show how standard BYOD security procedures were neglected by the CIO of the U.S. Army, including:
- mobile devices and data were not protected with MDM software;
- the U.S. Department of Defense did not have the ability to remotely wipe devices;
- the Army CIO was unaware of 14,000 devices throughout the Army;
- users were not trained and did not sign user agreements; and
- users were allowed to save sensitive data on removable media.
Jones further said the findings from the report matter to the IT channel because they demonstrate that even the U.S. military is struggling with the security ramifications of BYOD. It’s not surprising that small to mid-sized businesses are, too. MSPs should take note.
Data loss matters
Jones cited the case of the U.S. Secret Service contractor who left two tapes of sensitive data on a DC Metro train as a prime example of what could happen to any employee at any level. Data is power, and criminals are always looking to get their hands on sensitive material.
Jones recommended that any CIO grappling with BYOD security issues consider Sophos CTO Gerhard Eschelbeck’s seven-step BYOD security plan:
- Identify the risk elements that BYOD introduces — measure how risk can impact a business and map the risk elements to regulations;
- Form a committee to embrace BYOD and understand the risks — include business stakeholders, IT stakeholders, and information security stakeholders;
- Decide how to enforce policies for any and all devices connecting to your network — include mobile devices, tablets and portable computers;
- Build a project plan — include remote device management, application control, policy compliance and audit report, data and device encryption, augmenting cloud storage security, wiping devices when they are retired, revoking access to devices when the end-user relationship changes from employee to guest and revoking access to devices when employees are terminated by the company;
- Evaluate solutions — consider the impact on your existing network and how to enhance existing technologies prior to the next step;
- Implement solutions — develop a pilot group from each of the stakeholders’ departments. Then expand the pilot group to departments based on your organizational criteria. Open BYOD program to all employees;
- Periodically reassess solutions — invite vendors and trusted advisors to review roadmaps entering your next assessment period.
BYOD certainly presents serious security risks. One way to manage these security challenges is to separate data and applications from the end user devices. Data and applications can be securely hosted on VDI virtual desktops or on Microsoft RDS (Terminal Server) while mobile employees access those applications and desktops using HTML5-compatible browsers.
That's the idea behind solutions like Ericom AccessNow, an HTML5 RDP client that enables access to Windows applications and desktops from a browser. Basing access on the browser allows employees to get to their applications and data from iPads, iPhones, Android tablets and phones and other devices.
Download this free white paper for some additional ideas on managing BYOD security issues:
http://www.ericom.com/WP-MobileAccessSecurity.asp?URL_ID=708
Please note that I work for Ericom.
Adam:
Thanks for the input.
How would Ericom have addressed the issues?
–CJ
An important distinction for the U.S. Army story related here, and any organization dealing with mobile devices, is whether those devices were *authorized* to be used in the workplace or not.
In fact, the entire driving force behind the entire BYOD discussion has been employees unilaterally injecting the use of devices into their employer's workplace, in most cases without advance consent.
Where the real security defect occurs is that such devices can get *access* to organizational resources (data, applications, etc.) in light of the fact that they're not part of the organizational technology infrastructure.
Wireless technologies, and the failure to properly configure them to restrict access to only authorized devices, are a significant culprit in this matter. In most cases, wireless technologies are secured by password, which ensures that only authorized *users* get access, but without any real control over what device they use for that access.
An effective BYOD strategy, in addition to implementing MDM and Remote Wipe capabilities, also needs to implement the appropriate access security mechanisms to ensure unauthorized devices do not have access.
The whitepaper Managing the BYOD Chaos http://content.solarwinds.com/creative/pdf/Whitepapers/Managing_the_BYOD_Chaos_Whitepaper.pdf provides some additional thoughts on how to better manage device access to the organizational network.
Note: I am an employee of SolarWinds.
Lawrence:
Thank you for your insight.
As an employee of SolarWinds, do you believe your solution could do a better job of managing devices for the U.S. military?
Would a COPE strategy be more effective?
–CJ
Seema:
You're right, but what about the other issues? What if an authorized device is lost and can't be wiped?
–CJ
CJ:
In response to your question, Ericom’s approach to BYOD is to leverage HTML5 technology in such a way that no data is on the employee’s mobile devices. The data and applications stay in the data center, and they are accessed using the mobile device’s browser. Since there’s no data on the devices, nothing is exposed if the device is lost or stolen.
Adam
These are some interesting findings. I say this because when it comes to BYOD, Mobile Device Management (MDM) has little if any role to play.
MDM does not equal Mobile Device Security
MDM does not equal Mobile Data Security
MDM only lets you control and manage devices, to the extent a device manufacturer allows you to.
For BYOD, device security has less relevance, as it is a device not owned by the organisation.
What should matter though, and be the focus, is data security.
If I could bold and underline that last sentence I would 🙂
So when it comes to the plan recommended by Sophos, I don’t think they have it right.
Policies and Procedures are definitely relevant and need to be thought through, and will be ever evolving. But device management, wiping devices, revoking access to a BYOD device – I don’t see how you could do that to a device you do not own – legally or morally. Yes you can do it technically.
No disrespect to Ericom, but I don’t believe the approach mentioned above is the answer either. Remote access/VDI is giving a user a Windows Desktop on their mobile device (eg iPad). The user experience is arguably sub optimal (try and drive a Windows desktop on your iPad), it also means they can only access systems when they’re online – presenting another productivity challenge. I will say though, as long as the connection is encrypted adequately, this is a very secure approach.
Many of the problems that arise from BYOD stem from the lack of security around business data, and from a misperception that Mobile Device Management (MDM), is the appropriate technology for BYOD. It is not.
There are three principles you need to adhere to from a data security perspective.
1. Protect your corporate data at rest and in transit. BYOD means employees are accessing, and potentially storing, corporate data, on their personally owned devices. To ensure your corporate data is secured, you need to ensure it is encrypted at all times. That means data must be encrypted whilst stored on a BYOD device, and it needs to be encrypted in transit, between the mobile device and your corporate systems. Two common ways for achieving this are application level encryption, and Virtual Private Networks (VPN).
2. Prevent business data leakage. This means stopping your corporate data from leaking to personal applications, including those applications residing on the device and in the cloud that you don’t control or have not secured. By separating corporate data from personal data, the business data can be controlled and prevented from being moved purposefully or inadvertently to non-corporate applications. This includes preventing the ability to copy and paste from business applications to personal applications, as well as preventing the ability to use “open in” to open business data in a personal application – yet allowing this to work for business data being opened in a business application. This is critical for both data security and privacy requirements. The two best approaches for this capability today are containerisation and virtualisation.
3. Enforce strongly authenticated access to business applications. Encrypting data and preventing data leakage will only protect your data if adversaries cannot easily access the information by logging in. Many attacks happen today by way of social engineering, and the reliance on passwords has left many companies and individuals vulnerable (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/). The best way to prevent these attacks from being successful today is via multi-factor authentication.
So, to summarise the above, if you are looking at implementing a successful BYOD program, you will need to choose a technology, or technologies, that can encrypt your data at rest and in transit, prevent any corporate data being moved to any unsecured non-business application or system, and require multi factor authentication to access your business applications and data.
And I’d say this will be the easiest part of your BYOD program. This technology exists today. It’s the policies etc that are quite difficult to sometimes work out.
Note: I am an employee of Good Technology. These comments are solely my own, and not necessarily the views of my employer.
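The third principle in the comment above (strongly authenticated access) in runnable form. This is an added example written for this page; it is neither Gary's code nor a Good Technology product. It shows a server-side login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, the scheme most authenticator apps implement), with the three details a practitioner usually gets asked about: clock-drift tolerance, constant-time comparison, and rejection of a replayed code. The user record, password and `make_user`/`authenticate` helpers are constructed for the example; the shared secret is the RFC test value `12345678901234567890` so the generated codes can be checked against the published vectors.

```python
"""Constructed example: password + TOTP second factor, checked server-side."""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the shared
    TOTP secret.  In a real deployment the secret is provisioned once to the
    user's authenticator app (usually as a base32 string in a QR code)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest TOTP counter already accepted
    }


def authenticate(user: dict, password: str, code: str, now: int,
                 step: int = 30, window: int = 1) -> bool:
    """Both factors must pass.  The TOTP check tolerates +/- `window` steps
    of clock drift, compares in constant time, and refuses any counter value
    at or below the last accepted one, so a captured code cannot be replayed
    and an older code from the drift window cannot be reused either."""
    # Always evaluate the password, even if the code is wrong, so timing
    # does not reveal which factor failed.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    user["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])

    counter = now // step
    matched = None
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= user["last_counter"]:
            continue  # already consumed
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            matched = c
            break

    if not (password_ok and matched is not None):
        return False
    user["last_counter"] = matched  # consume the counter only on full success
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed demo
    user = make_user("correct horse battery", secret)
    now = int(time.time())
    code = totp(secret, now)  # what the user's authenticator app would show
    print("first login :", authenticate(user, "correct horse battery", code, now))
    print("replayed    :", authenticate(user, "correct horse battery", code, now))
```

The `last_counter` field is the part most home-grown implementations forget: without it, a code observed over the shoulder or through a phishing page stays valid for the whole drift window, which defeats much of the point of the second factor.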
Gary: Thanks for taking the time to stop by and offer the detailed notes. We look forward to staying in touch with Good, especially amid the CEO announcement a few weeks back.
Best,
-jp
CJ: I don’t think a COPE strategy would be appropriate here. As I understand COPE, that methodology is more targeted to whether a product should be introduced into a market, and that’s going to be driven by the market’s interest in the product.
In the instant case, we’ve already determined that the market (the employees) is interested in the product (devices), so I think it’s less of a question about introduction than it is about retention and supportability.
If the organization were introducing something *new* to the organization, then a COPE strategy would be appropriate.
SolarWinds does have products that can assist in this endeavor. User Device Tracker (http://www.solarwinds.com/user-device-tracker.aspx) allows an organization to identify the devices and authentication accounts being used on the network, and other products can be used to monitor what those devices are actually doing while connected to the network.
Lawrence:
Thanks, again, for your comment.
I’m not choosing either model, but I do enjoy playing devil’s advocate.
Wouldn’t it be easier to support models if a business limited its choice of devices?
–CJ