Bring Your Own Device BYOD Security Risks And Mitigating Strategies


Volume 4, No. 4, April 2013
Journal of Global Research in Computer Science
RESEARCH PAPER
Available Online at www.jgrcs.info

BRING YOUR OWN DEVICE (BYOD): SECURITY RISKS AND MITIGATING STRATEGIES

1Prashant Kumar Gajar, 2*Arnab Ghosh and 3Shashikant Rai

1 Master of Science-Cyber Law & Information Security, Indian Institute of Information Technology-Allahabad, India, prashant.developer@gmail.com
2* Master of Science-Cyber Law & Information Security, Indian Institute of Information Technology-Allahabad, India, arnabghosh.ghosharnab@gmail.com
3 Master of Science-Cyber Law & Information Security, Indian Institute of Information Technology-Allahabad, India, shashikant@iiita.ac.in

Abstract: The growth of mobile technology, with regard to the availability of 3G/4G services and devices such as smartphones, has created a new phenomenon for communication, data processing and the ability to do business. One such phenomenon that has emerged in the business environment is BYOD (Bring Your Own Device), which means that employees use their personal devices to access company resources for work, inside or outside the organizational environment. This new phenomenon brings new opportunities but has many risks associated with it. Using mobile devices for personal as well as professional work carries risks that need to be mitigated. The aim of this work is to present the various mobility strategies, defences and measures, control aspects, and management and governance aspects to consider when implementing a BYOD strategy in an organization.

Keywords: Risk, Defences, Bring Your Own Device, Have Your Own Device, Choose Your Own Device, Here is Your Own Device, Mobile Device Management, Control Objective, Controls and Governance

INTRODUCTION

BYOD is a brand new concept emerging in the industry which facilitates employees in the organization to use their personal mobile devices to access the resources of the company for both work and personal use. Tasks may range from accessing corporate e-mails, documents, applications and the network. In 2009, the concept first entered the corporate scenario when Intel recognized the importance of employees using their own devices to access corporate resources and the network [6]. But it was only in 2011, when IT service providers like Unisys and software vendors like Citrix Systems shared their views and perceptions about this emerging trend, that organizations started considering it [7].

An employee seems highly dependent upon using any of their portable devices, be it a laptop, iPad, smartphone or even a USB stick, for their work, simply because they find their own devices much cooler than those provided at their cubicle or desk in the organization. From this we understand that, to be competitive in the market, organizations need to facilitate any kind of technological advancement at the end-user side, i.e. their employees, without compromising the security of corporate information and the privacy of the end user [15].

The popularity of mobile devices has increased in a way that was not possible without the enhancement of:

Connectivity: Mobile devices can now be well connected to the corporate network through Wi-Fi, so employees can always stay connected and access their resources.

Application access through the web: All the applications of the organization, such as business, sales, customer support, finance and technology, can be accessed through the web. This single point of information accessibility also reduces the technical requirements within a device.

Mobile device advancement: An increase in the growth and development of mobile devices with vivid features and functionality has raised the bar for what is an acceptable device within an organization. These devices are now more powerful and sophisticated and have performance very near to that of desktops. The increased security features within the devices have also helped their acceptability [16].

The BYOD concept is in itself bringing in the new ideas of Bring Your Own Technology (BYOT) and Bring Your Own Software (BYOS), in which employees use non-corporate software and technology on their device. This increases the scope altogether for an employee to use their own technology, but in turn creates many challenges for the organization [13].

JGRCS 2010, All Rights Reserved

Arnab Ghosh et al, Journal of Global Research in Computer Science, 4 (4), April 2013, 62-70

The figure below shows the statistics of the types of devices used by employees in a survey conducted by Forrester's Foresight's Workforce Employee Survey, Q4 2011 [8].

Figure 1: Devices used in a company. Source: Forrester's Foresight's Workforce Employee Survey, Q4 2011.

Figure 2: Organizations' policies on employees using their own personal computers or laptops for work purposes [3]

BENEFITS

Talking about benefits, the BYOD concept really enhances the employee's functionality, because with the implementation of BYOD the corporate information and the organization's data are readily available to them on their personal devices such as smartphones, PCs or laptops. The organization's spending on devices, procurement and training is reduced considerably. The productivity and efficiency of employees in the organization increase, as does their morale. Also, new devices generally owned by employees bring with them cutting-edge technology. Using their own devices helps employees handle the device efficiently, as they are more familiar and comfortable with its functionality, and gives employees the capability to work flexibly from home or on the road at their convenience. Also, using their own device means an employee will take extra care to safeguard it. Since corporate and personal information are on the same device, the ease of fetching information is also enhanced, so communication becomes faster and more efficient [14].

As per the Trust in Technology survey [3], 53% of the corporate world officially approves and accepts the BYOD concept and its practice. Of that 53%, 20% subsidize employees who have already started using their own smartphones, PCs or laptops for work purposes in the organization, which is less than what an organization traditionally spends to acquire the same resources required for work. The remaining 33% of organizations allow BYOD but do not subsidize it at all, so the savings are more significant [3].

CHALLENGES

The extra portability of mobile devices poses a great challenge to the security of the device, along with the information on it, as they can very easily be lost or stolen. Personal devices may not be sophisticated in terms of security such as anti-virus, patches, firmware updates and configuration settings. Any unauthorized or non-business-oriented application has the potential to affect the integrity of the device and the business data residing on it. Also, mobile devices use a variety of operating systems, there are constant changes with technical advancement, and they get outdated very quickly. The devices can be jailbroken. Controls are lacking with respect to device, security and data; due to the lack of enterprise-strength security controls, a range of mobile device platforms, such as BlackBerry, Symbian, iOS, Android and Windows Mobile, needs to be supported, and each platform brings with it a unique security model. The privacy of the employee is also an issue, as devices store numerous personal credentials and data.

When business and personal data coexist on the same device, it is very difficult to find a balance between the strict security control of the enterprise and the privacy of personal data, specifically when the device is no longer a corporate-issued asset. Incident detection, such as a lost device versus a breached device or an actual versus a suspected breach, is also a problem. Confidential information may be sent or received over an unsecure channel. Many mobile devices are always on and connected, so the vulnerability to malicious attacks increases through different communication channels. Connecting rogue devices and access points with the help of the device can also be problematic. Some human factors, like a disgruntled employee who stores confidential business data on personal removable media and gives this information to a competitor, may cause loss to the organization. Lastly, complying with contracts, laws and even the organization's own policies may be a challenge [12].

Figure 3: Challenges with mobile devices. Source: ESG research survey [1].

RISK AND THREATS

Risks:
a. Credential Information: User credentials like username and password, installed certificates, banking information, web accounts and e-mail accounts can be accessed if the device is compromised or lost/stolen.
b. Confidential Business Data: Confidential business data like e-mail, documents, reports, files, applications etc. is at risk if unauthorized access to the device takes place due to device compromise.
c. Phone and Data Services: There is a risk of eavesdropping on calls or sniffing of packets; the device can be accessed without authorization and can be rooted or jailbroken.
d. The Device Itself: The device being highly portable, there is a risk of it getting lost or stolen very easily.

Threats:
a. Malware: A compromise of the device by malware can lead to loss of confidential business data, or the malware can use additional services like calling in the background and sending text messages. It can disrupt the working of an application or the whole device and make it unusable.
b. Spam: Unsolicited messages and e-mails are received from known or unknown sources, causing wastage of resources such as bandwidth and memory space.
c. Phishing: Phishing is possible through e-mail or SMS phishing, tricking a user into accessing a fake website in order to access business accounts.
d. Bluetooth and Wi-Fi: Bluetooth and Wi-Fi can easily be used to infect mobile devices. A mobile device can be lured to accept a Bluetooth or Wi-Fi connection which can turn out to be malicious and can intercept all the data to or from the connected devices [18].

SECURITY STRATEGY FOR MITIGATING RISK IN BYOD ENVIRONMENT

Mobility strategy in an organization:

The following framework can be used by the organization for end-user mobile computing; it helps define the security strategy for implementing BYOD. The four concepts that come up are:

a. Here Is Your Own Device (HYOD): In this concept, the devices are provided by the organization. The enterprise has total control over the device. The enterprise provides complete support for the device, from installation to configuration and settings.
b. Choose Your Own Device (CYOD): In this type of strategy, the organization provides a number of devices from which an employee can choose the device to use. The policies are not as stringent as with Have Your Own Device, and the user has the authority to install some specific apps and software.
c. Bring Your Own Device (BYOD): The employee buys their device, or the organization helps financially to buy a device of their own from the consumer market on which they want to work. Here the policies are weaker and the organization has less control over the device. Users can do whatever they want, like installing the apps they want, provided they comply with the organization's policies. Some support with regard to configuring the device according to the organization's policies will be given.
d. On Your Own Device (OYOD): The end user, i.e. the employee, can bring in any device, on which no support will be provided by the organization. The user has the responsibility to manage the device. No policies need to be followed.

Figure 4: Enterprise Control vs. Employee Satisfaction map of various mobility strategies.

As per the above figure, the Here Is Your Own Device strategy gives maximum enterprise-strength security control, but as the device is provided to the employee directly, the employee has no power to choose a device of their liking, hence we see considerably low employee satisfaction. With Choose Your Own Device, with the enterprise giving the option to choose from a set of devices, employee satisfaction increases to a greater extent, but there are stringent controls of

the organization implemented. The Bring Your Own Device strategy allows users to buy devices of their own choice from the consumer market, increasing employee satisfaction, and then applies some policies and controls on the device. The strategy free from the organization's control is On Your Own Device, where users can buy the device of their wish and control and manage the device the way they want. It increases employee satisfaction to the maximum level.

With the terminologies explained above, BYOD and OYOD fall under the category where the devices are bought by the end user from the consumer market. But in all these situations the organization has to give the employee access to its applications and data, which creates altogether different risks at different levels. It is a very clear fact that, due to the lack of controls on end-user devices, security issues will definitely arise, as the organization has to deal with too many heterogeneous devices, mixing professional and personal work and adding complexity and risk into the system, whereas in a normal environment the organization deals with a small set of devices and operates in a standardized manner. So some control strategies need to be developed to address the issue of mitigating the risk, so that the ways of accessing the resources can be made secure.

Figure 5: Risk vs. Control map of various mobility strategies.

Decide Best Approach:

The decision on the approach to take for the mobility strategy will depend entirely upon the risk acceptance criteria, keeping in mind the various risks involved in each strategy. In the category where devices are bought from the consumer market, i.e. BYOD and OYOD, OYOD will be very dangerous for use in the organization. In the same way, HYOD will be a very controlled environment in which the employee will be least satisfied, so a balanced approach, where enterprise-level control exists on the device and there are also options to have a device of their own wish, has to be considered. These two strategies are CYOD and BYOD. An organization needs to decide, based on its objectives, which strategy to go ahead with [5].

Defenses and Measures

Defining the requirements for the secure mobile network:

a. Determining roles and responsibilities for managing and securing the device: There should be central administration of mobile devices which assigns roles and responsibilities for managing and securing the device. The responsibilities of the administration are deployment of the devices, add/delete devices, connect a device, device import, edit device properties, locate a device, lock a device, revoke a device, selectively wipe a device, unlock a device and wipe a device, and also to define the policies, define the types of files, i.e. public, private and protected, and define users and the end-user policy [9].
b. Registry and inventory of mobile devices: All new mobile devices go through a thorough procurement process registering details, i.e. model, serial number, operating system, device ID and applications installed.
c. Redistribution of the mobile devices: To secure the organization's data on a mobile device, the data is deleted by the admin when the user is no longer an employee of the organization. The device permanently deletes the data, i.e. deletion of only the business data from the device, which includes: e-mails, calendar entries, SMS, memos, contacts and accounts, browser cache, accessed and downloaded files, application and app data, and sensitive and credential information.
d. Testing of applications to be installed on the devices: Applications are installed on the device only after a proper testing procedure; the required tests are: check the trusted certificates embedded in the application and their expiry, identify threats to the application, perform a vulnerability assessment, calculate risk with a risk metric framework, and determine whether the risks can be mitigated through the use of controls.
e. Efficiently installing and configuring security settings on the devices according to user profiles.
f. Updating security settings, policies and patches: Update the patch releases of applications, the configuration settings of the device and the policies by pushing them onto the device from time to time according to requirement and applicability; anti-malware is to be updated on a daily basis, and firmware updates of the OS are to be pushed onto the device whenever they arrive [11].
g. Training to employees on securing mobile devices: Train employees to secure business data on mobile devices, i.e. presentations on risks to the device, live demos on how a device can be compromised, lectures on the importance of mobile security, and a questionnaire on a yearly basis on mobile security. Manuals showing basic guidelines should be given [11].

Control Objectives and Controls for BYOD

Controls: Controls are the safeguards or countermeasures to avoid, counteract or minimize the security risks to the organization's assets and data [4].

Control Objectives: A control objective provides a specific target against which to evaluate the effectiveness of controls [2].

So, for the BYOD concept, control objectives are defined in five major parts, which are given as follows:
a. Identification and access control
b. Data protection
c. Application security
d. Integrity control
e. Compliance

Table 1: Identification and access control

Enforce Strong Password
Objective: To protect from unauthorized access of the device.
Control: Restrict repeated characters. Restrict the user from using sequential or repeated characters in their password.
Control: Minimum password length. The password should be at least 9 characters long.
Control: Require alphanumeric value. Passwords must have at least one letter or number.
Control: Minimum special characters. The password must have at least 1 non-alphanumeric character (such as , & and !).
Control: Minimum password age (in days). Passwords shall be changed every 60 days.
Control: Password history. A history of a minimum of three previously used passwords should be maintained. A new password will not be accepted if it matches a previously used password.
Control: Auto lock (in minutes). Device auto lock should be set to 3 minutes. If the device is not used for the specified period of time, it automatically locks in 3 minutes.
Control: Grace period for device lock. The grace period for device lock should be 1 minute, i.e. how soon the device can be unlocked again after use without prompting again for the password. The time limit is a maximum of 1 minute. Setting this to "immediately" will require a password every time the device is unlocked.
Control: Maximum failed password attempts. The maximum number of failed attempts is 10; after the limit is crossed, all the data and settings are securely erased from the device.

Authentication
Objective: To verify the user and the device.
Control: Two-factor authentication. To prevent unauthentic users or unwanted access to the device, use two-factor authentication, which includes the following: 1. user name and password for user authentication; 2. digital certificate: exchange of a trusted certificate between the mobile device and enterprise services to authenticate the device using the Digital Signature Algorithm.

Network Segregation
Objective: To segregate network access of BYOD devices.
Control: Guest network for BYOD. Devices that are BYOD in nature can be connected only to the guest network, hence minimizing the risk of access to the internal network.

Table 2: Data Protection

Encrypt the data stored on the device
Objective: To protect the data or resources related to the organization which reside on mobile devices.
Control: Encrypt data on device. 1. Internal memory (phone memory): use encryption techniques like AES, DES, RSA or RC4 to protect the contact list, drafts, calendar, memos and credential information. 2. External memory (flash memory): to protect the data stored in flash memory on the device, use cryptographic keys generated by the system's random number generator (RNG) using an algorithm.

Wipe data locally, remotely and selectively
Objective: To protect critical information when the device is lost.
Control: Local wipe. Initiate an automatic local wipe of data after 10 failed attempts (all data and settings on the device will be erased).
Control: Remote wipe. Through MDM: as soon as any user reports a missing or lost device, the MDM administrator should initiate a remote wipe of the device.
Control: Selective wipe. The MDM can selectively wipe data on the device, which can be certain sensitive documents, logs or configuration files stored in a specific area, according to the organization's needs.

Backup
Objective: To maintain the availability of information when the lost device has been recovered or the device is formatted.
Control: Backup data regularly. Maintain a backup of the device personally, either using iTunes through a cable or through iTunes Wi-Fi Sync.

Locate or lock out the device remotely
Objective: To locate or lock out the device remotely when the device is lost, stolen or misplaced.
Control: Locate or lock out the device remotely. To locate/lock out the device remotely, use an application from the application store of the device.

Table 3: Application Security

Certified business applications
Objective: To avoid use of untrusted applications.
Control: Third-party applications. Run business applications which are duly signed by the application developer, i.e. code signing.
Control: In-house applications. In-house developed applications are certified by the application managers of the organization.
Control: Tested by security team. Tested by the security team of the organization and certified OK for use.
Control: Management approval. Approval from the management for its deployment.

Download business applications from a controlled location
Objective: To avoid download of malicious applications.
Control: Organization's application store. Applications are to be downloaded from the application store of the organization, where applications are tested and then placed on its server.

Blacklist and whitelist applications
Objective: To identify untrustworthy or malicious applications.
Control: Blacklisting. 1. Blacklist all applications by default, and then provision applications according to profiles and user groups. 2. Applications found to be malicious or untrustworthy are removed securely from the device, and a blacklist is maintained so that they can never be installed on the device.
Control: Whitelisting. Maintain a list of trustworthy applications on a centrally managed store such as the MDM, which is given access through user groups.

Table 4: Integrity Control

Anti-malware application
Objective: To protect the device from malware.
Control: Minimum functionality. It should provide runtime and static scanning on the device. It should protect against, detect and remove the latest viruses, worms, Trojan horses, spyware, adware and most rootkit signatures on the device.
Control: Tested and licensed. Run well-known, tested and licensed anti-malware applications on all mobile/handheld devices.
Control: Password protected. Protect the anti-malware with a password, with reference to the password policy of the organization, so that users cannot disable or uninstall the application.
Control: Update. Keep the anti-malware updated with the latest signatures.

Firewall application
Objective: To filter inbound and outbound traffic.
Control: Minimum functionality. 1. Restrict on the basis of network traffic like Wi-Fi and 3G. 2. Restrict on the basis of applications. 3. Restrict on the basis of network traffic like addresses, PIN and SMS.
Control: Tested and licensed firewall. Run well-known, tested and licensed firewall applications on all mobile/handheld devices as applicable.
Control: Rule set of firewall. Define the firewall rule set with reference to the requirements of profiles and user groups.

Establish VPN connection
Objective: To maintain the accuracy of data in transit.
Control: Minimum VPN settings. Use VPN controls and digital certificates for integrity control.

Table 5: Compliance [17]

Risk management
Objective: To incorporate mobile security into the company's overall risk management program.
Control: Including mobile security. Update the organization's security policy by including mobile security in its overall risk management.

Maintain logs
Objective: To monitor any unauthorized activities.
Control: Frequency of logs. Logs are to be maintained for every communication made between the device and the organization's resources.
Control: Duration of storage. Logs are to be maintained for at least one year.
Control: Storage location. Logs are to be stored at a centralized mobile device management server and at the VPN gateway.

Periodic audit
Objective: To provide an assessment of the system's internal control.
Control: Security audit of devices. A periodic security audit of mobile devices is to be done, a minimum of twice a year, to review that the controls in place are working accordingly.

Compliance with international laws
Objective: To comply with the law of the respective country with regard to mobile security.
Control: Compliance with respective country. The framework is to be modified according to the law of the respective country.

Privacy issues of an employee
Objective: To maintain the privacy of employee data.
Control: Segregate employee data from enterprise data on device. Disk partitioning is to be done, which would help selective wipe of data if the device is stolen or the employee leaves the organization.

Managing BYOD:

When talking about managing BYOD within the organization, there are two models which can be used to manage the mobile devices in an organization to bring in BYOD.

a. Mobile Device Management: What is MDM (Mobile Device Management)?

The mobile device management tool helps the organization fully control the devices, which are generally supported by the APIs of the smartphones used these days. With the help of this tool, organizations can lock down devices, enforce policies on the device, encrypt the data, or even wipe the data on the device locally or remotely. The MDM tool helps with the security and management of the device by monitoring, controlling and protecting it. It does so by enforcing security settings, managing passwords and installing digital certificates for authentication. It can monitor the applications installed on the device. It can even push the installation of applications onto the device and enforce policies for the usage of those applications. It can also uninstall applications. It can generate reports and can manage the inventory of devices and applications. It can create groups for the devices and classify the files. Whatever the platform of the mobile device, it acts as a single point for managing the devices. It also restricts users from downloading and installing certain applications. It also helps to back up data and provides recovery services. In addition, the MDM is a tool that controls the devices in a centralized manner and can do over-the-air configuration remotely for those devices that are connected to the network.
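The password and device-level controls of Tables 1, 2 and 4 are the kind of checks an MDM enrolment step evaluates before admitting a device to the guest network (the Network Segregation control). The following Python script is an added example written for this page, not code from the paper or from any MDM product: it encodes the stated thresholds (9-character minimum, one alphanumeric and one special character, three-deep history, 60-day age, 3-minute auto lock, 1-minute grace period, 10-attempt wipe, storage encryption, anti-malware and firewall present). The posture-report field names, the two sample devices and the reading of "sequential or repeated characters" as a run of three are assumptions made here.

```python
"""BYOD enrolment compliance check against the Table 1/2/4 controls.

Added example, not from the paper. Posture field names and sample
devices are constructed; the thresholds are the ones the tables state.
"""

# Thresholds exactly as stated in the tables
MIN_LENGTH = 9              # Minimum password length
MAX_PASSWORD_AGE_DAYS = 60  # "changed every 60 days"
HISTORY_DEPTH = 3           # Password history
AUTO_LOCK_MINUTES = 3       # Auto lock
GRACE_PERIOD_MINUTES = 1    # Grace period for device lock
MAX_FAILED_ATTEMPTS = 10    # Maximum failed password attempts, then wipe


def _has_run(password, length=3):
    """Assumed reading of 'sequential or repeated characters': a run of
    `length` identical characters ('aaa') or of consecutive ascending or
    descending code points ('abc', '321')."""
    for i in range(len(password) - length + 1):
        window = password[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def password_violations(password, history=(), password_age_days=None):
    """Return the names of the 'Enforce Strong Password' controls that fail.
    `history` holds the previous passwords (a real system would compare
    hashes, not plaintext); `password_age_days` is days since last change."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("minimum-length")
    if not any(c.isalnum() for c in password):
        failed.append("alphanumeric-value")
    if not any(not c.isalnum() for c in password):
        failed.append("special-character")
    if _has_run(password):
        failed.append("repeated-or-sequential")
    if password in tuple(history)[-HISTORY_DEPTH:]:
        failed.append("password-history")
    if password_age_days is not None and password_age_days > MAX_PASSWORD_AGE_DAYS:
        failed.append("password-age")
    return failed


def posture_violations(device):
    """Return the device-level controls (Tables 1, 2, 4) that fail for one
    posture report, given as a dict with the assumed field names below."""
    failed = []
    if device.get("jailbroken", False):
        failed.append("rooted-or-jailbroken")
    if device["auto_lock_minutes"] > AUTO_LOCK_MINUTES:
        failed.append("auto-lock")
    if device["grace_period_minutes"] > GRACE_PERIOD_MINUTES:
        failed.append("grace-period")
    if device["max_failed_attempts"] > MAX_FAILED_ATTEMPTS or not device["wipe_on_max_failed"]:
        failed.append("failed-attempt-wipe")
    if not device["storage_encrypted"]:
        failed.append("encrypt-data-on-device")
    am = device["anti_malware"]
    if not (am["installed"] and am["password_protected"] and am["signatures_current"]):
        failed.append("anti-malware")
    if not device["firewall_installed"]:
        failed.append("firewall")
    return failed


def enrolment_decision(device, password, **password_kwargs):
    """Apply the Network Segregation control: a compliant BYOD device is
    admitted to the guest network only; a non-compliant one is denied."""
    violations = posture_violations(device) + password_violations(password, **password_kwargs)
    return {"device_id": device["device_id"],
            "network": "guest" if not violations else "denied",
            "violations": violations}


# Constructed sample posture reports (not real devices)
COMPLIANT = {
    "device_id": "DEV-1001", "jailbroken": False,
    "auto_lock_minutes": 2, "grace_period_minutes": 1,
    "max_failed_attempts": 10, "wipe_on_max_failed": True,
    "storage_encrypted": True,
    "anti_malware": {"installed": True, "password_protected": True, "signatures_current": True},
    "firewall_installed": True,
}
NONCOMPLIANT = {
    "device_id": "DEV-2002", "jailbroken": True,
    "auto_lock_minutes": 10, "grace_period_minutes": 5,
    "max_failed_attempts": 10, "wipe_on_max_failed": False,
    "storage_encrypted": False,
    "anti_malware": {"installed": True, "password_protected": False, "signatures_current": True},
    "firewall_installed": False,
}

if __name__ == "__main__":
    print(enrolment_decision(COMPLIANT, "Tr0ub4dor&3"))
    print(enrolment_decision(NONCOMPLIANT, "abc123!!!"))
```

Each failed check is reported by the name of the control in the tables, so an administrator console can map a denial straight back to the policy row that caused it; the password history comparison is shown on plaintext only to keep the example short.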

Figure 6: An MDM architecture.

The mobile devices are connected to the corporate network via an encrypted channel. The device platform can be Android, Apple, Symbian or BlackBerry. The MDM is placed in the DMZ, which is public facing, so that devices trying to communicate from an external network can be enrolled and configured by the MDM. Policies can also be enforced and activity monitored, hence reports can be generated. The MDM authenticates devices by exchanging certificates with the organization's certificate server. With the help of the access server, the MDM can define access rights. The MDM can also continuously sync and store backups of the organization's data to and from devices through the sync server. An administrator console inside the corporate network can manage the MDM by performing various tasks and requests. Lastly, user client-side control on the devices, such as changing passwords, can be provided. All the communication is generally secured by SSL/TLS, to provide an encrypted channel.

The issues that MDM considers while managing the devices are as follows:

a) Device Management: The device manager manages the applications and software on the device. It is involved in the inventory of devices. Management of various licenses is also done by it. MDM manages the configuration of the devices according to the organization's policies. It remotely controls the device, e.g. locking and wiping. It also manages the sessions of devices communicating with the corporate network.
b) Security Management: MDM considers various aspects of security, like configuring the MDM itself and managing data security and applications. Finally, it can also manage and integrate the various patches available.
c) File Synchronization: MDM continuously stores backups, manages the session to synchronize file transfers and manages various documents.

In a nutshell, MDM can act as a comprehensive solution for an organization to manage employee-owned devices, though along with it some added policies and controls have to be established for the appropriate security of corporate data.

Cloud Service:

Figure 7: Cloud Architecture for Mobile Devices

According to the model, the client on the mobile device will access the service through an intermediary or broker, which controls the delivery to the end user. When a user/employee tries to access the data, he would undergo an authentication process which can be through certificates, tokens, smar
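The Maintain logs controls of Table 5 require a record of every communication between a device and an organization resource, stored at the MDM server and VPN gateway, so that unauthorized activity can be monitored; the Registry and inventory step earlier records each device's identity, and the MDM description above says it generates reports from that inventory. The Python script below is an added example for this page, not code from the paper or from any MDM product: it parses such log lines and correlates them with the registry to flag devices that are not registered, devices used by someone other than their registered owner, and devices accumulating authentication failures. The log format, the field names, the registry entries, every sample line and the alert threshold of three failures are constructed assumptions.

```python
"""Review of MDM / VPN gateway access logs against the device registry.

Added example, not from the paper. Log format, registry contents and
sample records are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Assumed line format: one record per device-to-resource communication.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

# Constructed registry, in the spirit of the procurement record
# (model, serial number, OS, device ID, owner).
REGISTRY = {
    "DEV-1001": {"owner": "aghosh", "model": "Phone A", "os": "OS A 6.1"},
    "DEV-1002": {"owner": "pgajar", "model": "Phone B", "os": "OS B 4.1"},
}

# Constructed sample log as the MDM server / VPN gateway might record it.
SAMPLE_LOG = """\
2013-04-02T09:14:05 device=DEV-1001 user=aghosh resource=mail result=ok
2013-04-02T09:15:11 device=DEV-1002 user=pgajar resource=crm result=ok
2013-04-02T09:20:42 device=DEV-1002 user=srai resource=fileshare result=ok
2013-04-02T11:02:00 device=DEV-9999 user=aghosh resource=mail result=ok
2013-04-02T23:40:01 device=DEV-1001 user=aghosh resource=vpn result=auth-failed
2013-04-02T23:40:09 device=DEV-1001 user=aghosh resource=vpn result=auth-failed
2013-04-02T23:40:15 device=DEV-1001 user=aghosh resource=vpn result=auth-failed
2013-04-02T23:40:22 device=DEV-1001 user=aghosh resource=vpn result=auth-failed
this line is malformed and must be reported rather than silently dropped
"""


def parse_log(text):
    """Return (entries, malformed): parsed records and the raw lines that
    did not match, so gaps in the log are visible to the reviewer."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
        else:
            malformed.append(line)
    return entries, malformed


def review(entries, registry, failed_threshold=3):
    """Flag the unauthorized activity the Table 5 logging exists to surface.

    failed_threshold is an assumption: the paper's local wipe fires at 10
    failed attempts, so the review alerts well before that point to give the
    administrator time to locate, lock or remote-wipe the device."""
    findings = defaultdict(list)
    failures = Counter()
    for entry in entries:
        device = entry["device"]
        record = registry.get(device)
        if record is None:
            findings["unregistered-device"].append(device)
        elif record["owner"] != entry["user"]:
            findings["owner-mismatch"].append((device, entry["user"]))
        if entry["result"] == "auth-failed":
            failures[device] += 1
    for device, count in failures.items():
        if count >= failed_threshold:
            findings["repeated-auth-failures"].append((device, count))
    # De-duplicate each finding list while keeping first-seen order.
    return {kind: list(dict.fromkeys(items)) for kind, items in findings.items()}


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} records parsed, {len(bad)} malformed")
    for kind, items in review(parsed, REGISTRY).items():
        print(kind, items)
```

Running the review over the sample flags the unregistered device, the registered device used by a different user, and the device with four consecutive VPN authentication failures; the one malformed line is counted separately so that a parser gap cannot hide activity.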
