A Secure BYOD Environment

Published: February 19, 2013

Author: Jay Paloma, Enterprise Security MVP

In this day and age, a significant percentage of the working population is using some form of personal handheld or portable technology for communications, information, and entertainment. Sooner or later these technologies are used in the workplace, connecting to the corporate network and accessing corporate data. If the organization does not have any way of ensuring that network services are only available to authorized devices, or alternatively, detecting rogue devices that are connecting to the corporate network, then there is a risk that corporate data may be compromised.

This is why some organizations are seriously considering a “Bring Your Own Device,” or BYOD policy. With BYOD, users who prefer using their own computers or devices to do their work can do so, especially if these users tend to be more productive when they use technology that they are familiar with. In addition, organizations enjoy the obvious cost savings because the usage of these additional devices does not incur any additional capital expenditure for the company.

The BYOD policy also comes with an obligation to IT to ensure that corporate data remains secure in spite of the introduction of these unmanaged devices into the corporate network.

Bring Your Own Device

Many people think that a BYOD corporate initiative simply means that the organization is becoming more flexible because the applications and data are now accessed in more ways and in a wider variation of devices than before. In the context of corporate security, the letters “YO” in BYOD need to be emphasized: “Your Own.” This means that the company now has to work with devices that are not company assets and would most likely not conform to corporate security measures. These devices should be able to access any required applications while maintaining security from two fronts: securing corporate data from the user, and securing the user’s personal data on the device.

Microsoft offers two options to bring about a secure BYOD environment:

• Virtual Desktop Infrastructure (VDI) allows users to access a rich Windows desktop running in a datacenter through Hyper-V and accessed through Remote Desktop Services (RDS). VDI works best in a stable Internet connection. You can read more about Microsoft’s VDI strategy here: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/virtualization/vdi.aspx.
• Windows To Go allows users to start up Windows 8 Enterprise from an external USB device. This option is best when network latency makes it no longer possible for the VDI solution to work, or where the application that accesses a backend infrastructure like a database does not require continuous network coverage. You can see a video of Windows To Go here: http://technet.microsoft.com/en-us/windows/jj737992.aspx.

The best way to visualize an organization’s BYOD security is through a “ Defense in Depth” strategy. As you can see, what we are securing is the data, and all other security measures are intended to protect it. The same is true for a secure BYOD implementation.

Securing the Data, Application, and Host

The major security concern of the BYOD initiative is the proliferation of devices with a variety of unmanaged operating systems. This in turn leads to issues on application compatibility with the OS, or the web-based application to the browser running on the device.

To ensure a common and managed host, a VDI or a Windows To Go environment is highly recommended. Running the application that accesses the data directly from the device is not encouraged. The benefits of this are:

• In a VDI or Windows To Go environment, the application is running on a managed host operating system, which complies with the corporate security standards and ensures timely security updates. Host and application security are covered.
• Because the host operating system is the one currently in use by the organization, application compatibility is no longer an issue. In addition, the organization enjoys the flexibility of having multiple types of devices and device operating systems without the effort required to develop the applications for those device operating systems.
• Data is accessed from an application running on a managed operating system, making data access more secure.

Securing the Internal and Perimeter Network

A good network strategy of the BYOD initiative is to treat the BYOD devices as external, meaning they should be able to connect only to the needed resources through the external network, and be subject to the security checks available in the perimeter network.

In the VDI option, it is recommended that the devices do not connect to the internal network similar to VPN; rather these devices connect directly to the VDI infrastructure.

In a Windows To Go option, the devices should have access to additional infrastructure services like Active Directory domain controllers so that security settings like Group Policy Object settings can be enforced.

Physical Device Security

The organization has to be protected from the device being physically compromised by ensuring that:

• Screen lock with passcode is enforced, and repeated failed attempts would result in the device being wiped off.
• Application data cannot be copied over to the physical device.
• In case of loss or theft of the device, any information pertaining to the VDI environment should be wiped off from the device remotely by the corporate IT.
• In the Windows To Go environment, the USB device can be encrypted through BitLocker Drive Encryption. As long as the password is secure, the Windows instance and the data in the USB drive are secure.

Policies, Procedures, and Awareness

The organization should have education programs on the benefits and accompanying responsibilities of the BYOD program, and implementing certain security measures on the devices like installing antivirus and ensuring that the definitions are current, and so on.

What About Personal Data?

Phones and tablets, let’s face it, have more personal data than ever: pictures and media, text messages, personal emails, messenger, as well as social networking credentials. An employee who elects his/her device participate in the corporate BYOD program would appreciate the fact that personal data remains secure as well.

• Personal data should not be accessible to the organization
• Personal data should not be affected if the organization wipes off corporate data from the device.

In both VDI and Windows To Go options, personal data is isolated from corporate usage. In VDI, because the device is only a Remote Desktop Services client, and in Windows To Go where it is running another operating system instance independent of the device OS.

Conclusion

If your organization is considering a BYOD policy, it is now time to review the different options and technologies available to implement a secure BYOD environment. Remember that BYOD is not just users being allowed to connect their personal devices on to the corporate network. BYOD is about giving your users the ability to use technology they are familiar with, while ensuring that corporate data remains safe.