Industry Whitepaper
10 Steps for BYOD Security
ForeScout Technologies, Inc. www.forescout.com
2013 ForeScout Technologies, Inc. All rights reserved. Call Toll-Free: 1.866.377.8771

Overview

Mobile devices such as smartphones and tablets have entered the workplace en masse, quickly becoming essential tools for employees. A recent market study found that 95% of organizations in the United States currently permit employee-owned devices, and many organizations are going a step further and actually requiring employees to purchase their own mobile devices. IT departments have been forced to respond to pressure from executives, business units and employees to provide widespread support for BYOD (bring your own device) environments.

While the benefits of BYOD are undeniable (increased productivity, faster decision making, greater job satisfaction and a more attractive and flexible work environment), there are inherent security risks associated with BYOD adoption that IT organizations must address and mitigate. Market research identifies the top three BYOD concerns of IT management today as network security, data security and device security. Consequently, while there are cost savings associated with reduced corporate device purchases, BYOD environments necessitate additional investments in IT infrastructure and management software, as well as the development of policies and procedures to effectively manage and secure personal devices.

Here, we outline the important steps that an organization should undertake when implementing a successful BYOD program: one that contains the appropriate policies, procedures and security measures to protect your data and your network.

1. Form a committee

A BYOD program must meet the needs of multiple constituencies for it to be successful. A team that includes members from different IT departments (e.g., security, network, endpoint and application) plus a representative sample of users from various business units is preferable. It is important to decide who is accountable for the overall success of the BYOD program. BYOD policies should be an agreement between the employee and business unit management, with input from HR. The role of IT should be to implement and enforce the IT controls that support these policies.

2. Gather data

Document the status quo. Review current policies and prevailing attitudes toward IT security and management. Identify which departments, groups and individuals have been most active and supportive in developing and embracing policies in the past. Gather data about:

- Device count by platform, OS version and ownership (company, personal, non-company personnel)
- An assessment of the data currently passing onto and through mobile devices
- Mobile device applications in use, app ownership and app security profiles
- All entry paths used by mobile devices, such as cellular, Wi-Fi, bridge to workstation or VPN
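The inventory gathered in this step is the same data that a network access control policy later acts on (see steps 6 and 8 below). The following Python example is added here for illustration; it is not part of the ForeScout whitepaper or of any ForeScout product. It builds the step 2 summary (counts by platform, OS version, ownership and entry path) from a constructed inventory and then applies an illustrative NAC-style access policy to each record: directory status first, then ownership, then posture checks. All field names, minimum OS versions, access tiers, MAC addresses and user names are assumptions made for the example.

```python
# Added example (not ForeScout code): build the step 2 device inventory
# summary and apply a NAC-style access policy of the kind step 6 describes,
# including the step 8 revocation rules. Field names, minimum OS versions,
# access tiers and the sample records are all constructed assumptions.
from collections import Counter
from dataclasses import dataclass

# Minimum supported OS version per platform; an organizational assumption.
MIN_OS_VERSION = {"ios": (7, 0), "android": (4, 2), "windows": (8, 0), "macos": (10, 8)}


@dataclass(frozen=True)
class Device:
    mac: str
    user: str
    user_status: str   # employee | guest | terminated, as reported by the directory
    ownership: str     # company | personal | non-company
    platform: str
    os_version: str
    encrypted: bool
    mdm_enrolled: bool
    jailbroken: bool
    entry_path: str    # wifi | wired | vpn | bridge


def parse_version(version: str) -> tuple:
    """'7.0.4' -> (7, 0, 4); tuples compare correctly where strings do not ('10.8' vs '9.0')."""
    return tuple(int(part) for part in version.split("."))


def inventory_summary(devices):
    """Step 2: counts by platform, platform plus OS version, ownership and entry path."""
    return {
        "by_platform": Counter(d.platform for d in devices),
        "by_os_version": Counter(f"{d.platform} {d.os_version}" for d in devices),
        "by_ownership": Counter(d.ownership for d in devices),
        "by_entry_path": Counter(d.entry_path for d in devices),
    }


def compliance_failures(d: Device) -> list:
    """Step 6 compliance and configuration checks; returns the reasons a device fails."""
    reasons = []
    if d.platform not in MIN_OS_VERSION:
        reasons.append("unsupported platform")
    elif parse_version(d.os_version) < MIN_OS_VERSION[d.platform]:
        reasons.append("os below minimum version")
    if not d.encrypted:
        reasons.append("storage not encrypted")
    if d.jailbroken:
        reasons.append("jailbroken or rooted")
    if d.ownership == "personal" and not d.mdm_enrolled:
        reasons.append("personal device not enrolled in MDM")
    return reasons


def access_decision(d: Device):
    """Granular, policy-based decision: identity first, then ownership, then posture.

    Returns (tier, reasons). Tiers are an assumed set: deny, guest, remediation,
    byod (compliant personal device) and corporate (compliant company device).
    """
    # Identity is evaluated before posture so that a terminated user's perfectly
    # compliant device is still denied (step 8: revoke access on termination).
    if d.user_status == "terminated":
        return "deny", ["user terminated"]
    # A former employee now flagged as guest, or any non-company device, gets
    # guest-network access only (step 8: relationship changes from employee to guest).
    if d.user_status == "guest" or d.ownership == "non-company":
        return "guest", []
    failures = compliance_failures(d)
    if failures:
        # Automated remediation: the device is isolated until the failures clear.
        return "remediation", failures
    return ("corporate" if d.ownership == "company" else "byod"), []


# Constructed sample inventory; MAC addresses and user names are made up.
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "alice", "employee", "company", "windows", "8.1", True, True, False, "wired"),
    Device("00:11:22:33:44:02", "bob", "employee", "personal", "ios", "7.0.4", True, True, False, "wifi"),
    Device("00:11:22:33:44:03", "carol", "employee", "personal", "android", "4.0.3", True, True, False, "wifi"),
    Device("00:11:22:33:44:04", "dave", "employee", "personal", "ios", "7.1", True, False, False, "vpn"),
    Device("00:11:22:33:44:05", "erin", "employee", "personal", "ios", "7.1", False, True, True, "wifi"),
    Device("00:11:22:33:44:06", "frank", "terminated", "company", "macos", "10.9", True, True, False, "wired"),
    Device("00:11:22:33:44:07", "visitor", "guest", "non-company", "android", "4.4", False, False, False, "wifi"),
]


def evaluate_inventory(devices=SAMPLE_DEVICES):
    """Map each device MAC to its (tier, reasons) decision, as a NAC policy engine would."""
    return {d.mac: access_decision(d) for d in devices}


if __name__ == "__main__":
    for name, counts in inventory_summary(SAMPLE_DEVICES).items():
        print(name, dict(counts))
    for mac, (tier, reasons) in evaluate_inventory().items():
        print(mac, tier, "; ".join(reasons))
```

Two design points are worth noting. The directory status is checked before any posture check, because a device that passes every compliance test must still lose access the moment its user is terminated or reclassified as a guest; a posture-first policy would wrongly admit it. Versions are compared as integer tuples rather than strings, since "10.8" sorts below "9.0" as text and would otherwise be flagged as out of date.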
3. Identify and prioritize use cases via workforce analysis

To be effective, mobile device policies must be contextual, matching the organization's various use cases. You need to plan out:

- How will mobile devices be used?
- Which mobile applications need to be usable offline, such as on airplanes and in elevators?
- What information will be accessible through mobile devices?
- What information will be stored on the mobile devices?

4. Create an economic model

Create a financial model that can be added to and adjusted in subsequent steps. BYOD programs may or may not lead to direct cost savings, but the ROI derived through increased productivity, greater job satisfaction, a flexible work environment and the ability to attract talent can't be overlooked. Factor in the following:

- Device costs (may increase or decrease depending on what the company covers)
- Data connectivity costs (will the organization cover data plans to achieve economies of scale?)
- Software license costs (and tracking software used/installed on personal devices)
- IT infrastructure costs (security, management, bandwidth, data protection)

5. Formulate policies

For any medium to large organization, a one-size-fits-all approach is unlikely to succeed. Different policies for different groups, departments and types of users must be considered. For example, for the majority of employees you may support simple applications such as email on the top five mobile platforms; for the sales organization you may wish to support a sales force automation package on only one or two mobile platforms; executives may receive best-effort support for all applications on their desired platform. Strike the appropriate balance between user experience and security based on your organization's desired risk profile. BYOD policies should be broad-based and protect both the wired and wireless networks. Use cases should address smartphones and tablets that need wireless access, as well as laptops (Mac and Windows) that need wired access.

6. Decide how to protect your network

Once you have decided which types of devices to allow, and what applications and data you are going to permit on each device, your next step is to determine how you are going to limit access and protect your network from unauthorized, non-compliant and rogue devices. While you may be tempted to manage the BYOD program manually by deploying 802.1X configurations and certificates to a pre-determined set of approved personal devices, this approach is likely to prove cumbersome, static in nature and non-scalable: a certificate issued to a device records that it was approved at enrollment time, not whether it is still compliant. Network access control (NAC) provides one of the most flexible and automated approaches to securing a BYOD environment. NAC offers device profiling, user authentication, guest onboarding, compliance and configuration checks, automated remediation and a granular policy-based approach to implement the managed diversity model across an enterprise.

7. Decide how to protect your data

In any BYOD project you need to determine how to secure your data. NAC protects data on your network from unauthorized and non-compliant devices, but you also need to protect data stored on the mobile device. A multi-platform mobile device management (MDM) system is the best approach for managing and securing the information on corporate and personal mobile devices. MDM systems often provide a set of mechanisms that enforce separation between corporate and personal footprints on a device. One such mechanism is the use of containers to house sensitive information and corporate apps (such as corporate email) on a mobile device, allowing employees to retain device control and application choice outside corporate containers. Containers prevent data movement between corporate apps and apps outside the container (for example, copy and paste or "open in" into a personal app), typically include encryption and data loss prevention controls, and provide the ability to delete corporate data without deleting the employee's personal information (partial, or selective, wipe).

8. Build a project plan

Create a plan for implementing IT controls to support your BYOD policies. Determine whether the controls will be implemented in a phased manner or all at once. Some common BYOD controls include:

- Remote device management
- Application controls
- Policy compliance and audit reports
- Data and device encryption
- Augmenting cloud storage security
- Wiping devices when retired
- Revoking access when the end-user relationship changes from employee to guest
- Revoking access when employees are terminated

9. Evaluate solutions

According to Gartner, NAC and MDM are key components of a broad BYOD security strategy. When evaluating solutions, make sure you consider the impact on your existing network and how well the solution integrates with existing IT systems such as directories, patch management, ticketing, endpoint protection, vulnerability assessment and SIEM systems. Strike the right balance between cost, security and user experience.

10. Implement solutions

Building and refining operational processes is key to scaling a BYOD project. Begin with a pilot project (select users from each department, or only IT staff) to test and refine BYOD policies. Broaden the program with a goal of supporting 500 to 1,000 employees in specific departments to refine and scale the operational processes. Then open the program to all employees, perhaps one business unit at a time, based on your organizational criteria.

About ForeScout

ForeScout enables organizations to accelerate productivity and connectivity by allowing users to access corporate network resources where, how and when needed without compromising security. ForeScout's real-time network security platform for access control, mobile security, endpoint compliance and threat prevention empowers IT agility while preempting risks and eliminating remediation costs. Because the ForeScout CounterACT solution is easy to deploy, unobtrusive, intelligent and scalable, it has been chosen by more than 1,400 of the world's most secure enterprises and military installations for global deployments spanning 37 countries. Headquartered in Cupertino, California, ForeScout delivers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

ForeScout Technologies, Inc.
10001 N. De Anza Boulevard
Cupertino, CA 95014, USA
Toll-free: 1.866.377.8771 (US)
Tel: 1.408.213.3191 (Intl.)
Fax: 1.408.213.2283
www.forescout.com

2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, CounterACT Edge and Active Response are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc 2013.0008