Living in the Bay Area and working at innovative technology companies may have jaded my perception of Bring Your Own Device (BYOD) and the value it can provide to an organization if implemented properly.
Over my short career, I have watched the migration of macOS into the workplace and the evolution of mobile devices as core business tools. Both of these were traditionally focused on consumers but have spread into the corporate arena. They have helped employee productivity and allowed for greater flexibility.
This flexibility can be seen in new hire onboarding, where employees are given the option to select the PCs that best meet their needs rather than being issued one-size-fits-all laptops. At the far end, some companies provide a technology allowance so employees can purchase whatever PC they prefer. Regardless of where your company stands on the spectrum, the winds of BYOD change are upon us.
As a security practitioner, this can be a little anxiety-inducing, to say the least. The controls, both technical and policy-driven, that your organization relies on to manage and enforce your technology assets might not be available in the BYOD world. In addition, you are introducing new variables into the environment that will require new risk modeling. This new model will inevitably change the way a security team approaches cybersecurity risk management and the tools they leverage to mitigate those risks.
First Steps: Gaining BYOD Visibility & Establishing Security Policies
Visibility into how your employees are accessing their business applications is challenging. Each user is different and the applications they need to get their job done can be unique and specialized.
I recently had a conversation with a friend, and she was telling me about how they stumbled across a personal laptop that a member of their marketing team had been using for years. It was not part of their asset inventory, it had no security controls around it, and they had no clue how or what it was accessing. It was concerning, but even more eye-opening to her. She quickly realized that this was probably the norm and not the exception. After discussing the first steps toward a solution, we arrived at an agreement that embedding security policies into company culture was a must. This ensures that employees are aware of their company's acceptable use of personal devices.
For BYOD specifically, the policy should spell out the organization's right to monitor, the baseline security requirements (up-to-date software, disk encryption, etc.) and what support the company will and will not provide for personal devices. This policy is the guiding principle of your BYOD program. NIST SP 800-114, User’s Guide to Telework and Bring Your Own Device (BYOD) Security, can help you build your framework and policy.
The Approach: Technical Enforcement of BYOD Security Policies
Now that you have a BYOD policy in place and your employees are aware of what is expected of them, you can start leveraging technology to help enforce your policy. There are countless ways to approach this and I will highlight my personal preference in the following steps:
- Establish a technical way to get visibility into the devices that are accessing your corporate applications. This tells you which devices meet your policy and which do not.
- Once you understand the device landscape, start building technical enforcement frameworks. For example, you may want only corporate-issued, managed devices to have access to your critical applications.
- Build these frameworks so they can first run in a passive, monitor-only state that records which devices would have been denied without actually blocking anyone. Use that data to gauge the user impact and any productivity issues that enforcement would cause.
- Work with the business to agree on a timeframe for enforcement. Share your data on the expected impact and communicate the upcoming change to your employees.
- Enforce the framework via technical controls. Give employees a way to report any problems they run into, and tell the user why access was denied and what to do about it. Being transparent helps everyone.
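As an added example, not code from this post or from Duo, the following Python sketch shows the two-phase rollout described in the steps above: a device-posture policy that is evaluated per application, first in a "monitor" mode that records who would be blocked and why, then in "enforce" mode that denies access with a user-facing reason. The device records, application names, policy thresholds and the `managed` flag are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from collections import Counter

# Rollout modes from the steps above: "monitor" records would-be denials without
# blocking anyone; "enforce" actually denies and tells the user why.
MONITOR, ENFORCE = "monitor", "enforce"


def parse_version(text):
    """'10.15.7' -> (10, 15, 7) so versions compare correctly as tuples."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    managed: bool        # enrolled in corporate device management (assumed flag)
    encrypted: bool      # full-disk encryption enabled
    os_version: tuple    # from parse_version()


@dataclass(frozen=True)
class AppPolicy:
    app: str
    require_managed: bool      # "corporate-issued and managed" devices only
    require_encryption: bool
    min_os: tuple              # oldest acceptable OS version


def violations(device, policy):
    """Human-readable reasons a device fails the app's policy (empty list = compliant)."""
    reasons = []
    if policy.require_managed and not device.managed:
        reasons.append("device is not corporate-managed")
    if policy.require_encryption and not device.encrypted:
        reasons.append("disk encryption is not enabled")
    if device.os_version < policy.min_os:
        have = ".".join(map(str, device.os_version))
        need = ".".join(map(str, policy.min_os))
        reasons.append(f"OS {have} is older than required {need}")
    return reasons


def decide(device, policy, mode):
    """Access decision for one request. In monitor mode a non-compliant device is
    still allowed but its violations are recorded; in enforce mode it is denied
    with an explanation the user can act on."""
    reasons = violations(device, policy)
    allowed = not reasons or mode == MONITOR
    message = None
    if not allowed:
        message = (f"Access to {policy.app} from {device.device_id} was blocked: "
                   + "; ".join(reasons) + ". Fix these and retry, or contact IT support.")
    return {"allowed": allowed, "reasons": reasons, "message": message}


def impact_report(requests, policies, mode=MONITOR):
    """Run a batch of (device, app) requests through policy and summarize the impact.
    Run this in monitor mode first to size the user impact before switching to enforce."""
    by_app, by_reason, affected_users, denied = Counter(), Counter(), set(), 0
    for device, app in requests:
        result = decide(device, policies[app], mode)
        if result["reasons"]:
            by_app[app] += 1
            by_reason.update(result["reasons"])
            affected_users.add(device.user)
        if not result["allowed"]:
            denied += 1
    return {
        "mode": mode,
        "requests": len(requests),
        "noncompliant": sum(by_app.values()),
        "denied": denied,
        "affected_users": sorted(affected_users),
        "by_app": dict(by_app),
        "by_reason": dict(by_reason),
    }


# Constructed sample data: three devices and two applications with different policies.
POLICIES = {
    "finance-ledger": AppPolicy("finance-ledger", True, True, parse_version("13.0")),
    "wiki": AppPolicy("wiki", False, True, parse_version("12.0")),
}
DEVICES = [
    Device("corp-001", "alice", True, True, parse_version("13.4")),
    Device("byod-mkt", "bob", False, True, parse_version("13.2")),    # personal, encrypted
    Device("byod-old", "carol", False, False, parse_version("11.6")),  # personal, unencrypted, stale OS
]
REQUESTS = [
    (DEVICES[0], "finance-ledger"), (DEVICES[1], "finance-ledger"),
    (DEVICES[1], "wiki"), (DEVICES[2], "wiki"),
]

if __name__ == "__main__":
    print(impact_report(REQUESTS, POLICIES, MONITOR))   # denied == 0, noncompliant == 2
    print(impact_report(REQUESTS, POLICIES, ENFORCE))   # denied == 2
    print(decide(DEVICES[2], POLICIES["wiki"], ENFORCE)["message"])
```

The same `violations` function drives both modes, so the monitor-mode report is an exact preview of what enforcement will do; the only thing that changes at cutover is the `mode` argument. The denial message lists every failed check rather than the first one, so a user on an unencrypted, out-of-date personal laptop learns both problems in a single attempt.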
Duo Helps: Device Visibility, Access Policies & Mobile Support
Being in the path of access provides Duo a unique opportunity to help your organization get visibility into the devices that are connecting to your applications.
With Device Insight, you can fully understand what your device inventory looks like and the security health of those devices prior to allowing them access to your applications. For example, you can see if the device’s operating system, browser or plugins are out of date, which can put them at risk of known vulnerabilities and exploits.
Secure your environment and distinguish corporate-owned from BYOD devices with Duo’s Trusted Endpoints feature. Mark corporate devices as ‘trusted’ to get visibility, then enforce device access policies based on which type of device is requesting access.
New Duo Feature: Trusted Endpoints for Mobile
Now you can identify corporate-owned vs. personal devices and enforce policies for both iOS and Android mobile devices with Duo’s Trusted Endpoints for mobile. This gives you the ability to control access to your applications from mobile devices and to apply granular security policies to them.
To complement your existing mobile management technology, we’ve also added an integration with Enterprise Mobility Management (EMM) solutions (AirWatch and MobileIron). This lets you ensure that your users’ mobile devices are enrolled in these tools before they are granted access to your applications.
With Duo’s Endpoint Remediation, you can also enforce granular access policies on a per-application basis across laptops, desktops and mobile devices. This gives your organization a technical framework to ensure that access to applications is granted only to devices you trust and that meet the requirements of your BYOD policy.
Our Duo Beyond offering provides your organization with all the necessary tools needed in order to build a successful BYOD program. We are eager to explore these options with you and welcome the opportunity to help.