BreachExchange mailing list archives

What You Need to Know about BYOD Security


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 2 Dec 2015 17:09:04 -0600

https://appdevelopermagazine.com/3397/2015/12/2/What-You-Need-to-Know-about-BYOD-Security/

As employees bring their own devices to work, IT teams face an assortment
of challenges, from managing mobile apps on a myriad of different devices
to backing up and restoring business data. But bar none, the greatest
burden for IT staff is securing business data on mobile devices.

*The Good, the Bad, and the Ugly (in Reverse Order)*

*The Ugly*

The BYOD phenomenon has spawned an array of new security risks. These risks
include data breaches caused by lost and stolen phones, data exfiltration
from insiders, wireless or man-in-the-middle attacks, and mobile malware.

While the insider threat might not seem daunting, a lack of oversight makes
it easy for employees to abuse trust. From their mobile device, employees
can easily open sensitive email attachments and then upload them to a
cloud-based storage site and then, poof, they are gone.

*The Bad*

Lost and stolen phones are the top mobile security risk for organizations.
Thieves steal a whopping 3.1 million smartphones every. Users can also
simply lose or misplace their phones. Unfortunately, both scenarios expose
organizations to data loss. An experiment by Symantec revealed that 96% of
people who find a lost phone will attempt to access sensitive information
such as an HR or password file stored on a recovered phone.

*The Good*

Malware, the cyber-attack of choice in the PC world, has only penetrated a
small percentage of mobile devices. But risks increase dramatically on
jailbroken phones.

*Mobile Device Management*

Mobile Device Management (MDM) can help reduce mobile security risks. With
MDM, IT administrators can remotely wipe lost devices, control which apps
can be installed on a device, and manage encryption settings. However, MDM
solutions cannot monitor app usage or prevent insider abuse.

Moreover, employees aren’t thrilled about corporate-mandated MDM solutions.
In a recent report by Webroot, 55 percent of respondents would be extremely
or very concerned if their employer could access personal data and 47
percent are concerned about personal data being wiped by an employer.

*The Rise of Mobile App Management and App Wrapping*

To satisfy privacy concerns and app auditing requirements, mobile security
vendors have introduced Mobile Application Management (MAM). MAM solutions
can manage, monitor, and secure individual apps. MAM relies on secure
containers or app wrapping to protect custom apps.

With app wrapping, MAM vendors provide customers with business apps developed
by the MAM vendor or by app partners with built-in security controls. These
apps typically include email programs, contact lists and secure browsers.

Alternatively, organizations can wrap their own apps by integrating code
from the MAM vendor’s software development kits (SDKs) into their app. SDK
integration is only available if organizations have developed their own
apps.

While application wrapping avoids the privacy concerns introduced with MDM,
it also imposes its own unique set of problems.

*Unwrapping App Wrapping*

While app wrapping provides greater control over mobile apps without
intruding on users’ personal data, it is not practical for most
organizations.

The drawbacks of app wrapping and MAM include:

*- MAM vendors that offer pre-wrapped apps only support a small number of
apps.* As of May 2015, Google Play featured 1.5 million apps while Apple
App Store hosted 1.4 million apps. MAM vendors support a minuscule fraction
of total apps, preventing organizations from supporting the business apps
they need.

*- Employees might dislike apps developed by MAM vendors.* Some MAM vendors
offer their own browser, email and calendaring apps. Unfortunately, your
employees may complain that these apps are not as feature rich as their
favorite browser, email client, or calendar app.

*- SDK integration can be costly.* Some MAM vendors offer SDKs that allow
organizations to wrap their own apps. Unfortunately, app development can be
costly for smaller businesses, especially if businesses need to support
multiple types and versions of mobile devices.

*- Lack of coverage for all types of mobile devices.* Employees with
Blackberry, CyanogenMod, Windows Phone, and Firefox OS devices may be
unable to access mobile resources if MAM vendors do not support these
platforms.

Even with app wrapping, sensitive data is still stored on devices. While
MAM security measures like strong authentication and data encryption
drastically reduce the risk of data loss, if phone owners choose weak
passwords, then phone thieves may still gain access to sensitive apps and
data.

As a result of these shortcomings, organizations may want to consider
alternative approaches to mobile security before plowing ahead with an
investment in MAM.

Alternative BYOD security solutions like virtual mobile infrastructure
(VMI) mitigate security risks by preventing data from being downloaded and
stored on mobile devices. Organizations can monitor app activity to prevent
insider abuse and data loss.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
