To be BYOD or not to be BYOD: Is a “Bring Your Own Device” Policy Right for Your Organization?

November 12, 2013 2:00 pm

Online

Attorney Tatiana Melnik and Senior Product Architect Steve Aiello discuss how to securely implement an effective BYOD (Bring Your Own Device) strategy in your workplace.

Title: To be BYOD or not to be BYOD: Is a “Bring Your Own Device” Policy Right for Your Organization?
Who: Attorney Tatiana Melnik and Online Tech's Senior Product Architect Steve Aiello
Description: Mobile devices are becoming ubiquitous in all companies, including those in the healthcare, finance, and information technology sectors. Companies are adopting Bring Your Own Device (BYOD) policies permitting employees to use mobile devices in a variety of work settings. Doctors, for example, are remotely accessing EHRs through iPads and smartphones, thereby improving their workflow and patient care. Patients are similarly using mobile technologies to access and monitor their health on the go.

This presentation will provide an overview of the legal and regulatory framework for mobile devices and will discuss drafting a BYOD policy, best technical practices for implementation, and enforcement.


April Sage: Hi, everyone. Welcome back to our Tuesday at Two webinar. I’m very pleased to welcome back Tatiana Melnik and Steve Aiello. Today, they’re going to talk to us about bring your own device policies and trying to determine if it’s the right thing for your organization or not. For those of you who don’t know Tatiana, Tatiana is an attorney who specializes in information technology, data privacy, and security and regulatory compliance. She’s worked extensively in the healthcare industry and knows a ton about cloud computing, mobile device policies, and telemedicine just to name a few.

We also have joining us Steven Aiello. He is our senior product architect at Online Tech. Steven has his master's degree in information assurance and he is a Certified Information Systems Security Professional. The area of information policies and bridging the gap between technology and people is near and dear to both of their hearts. With no further ado, welcome back, Tatiana and Steven. What are we going to learn today about BYOD?

Tatiana Melnik: Thank you very much for having us.

Steven Aiello: We have a couple of things that we’re going to be covering between Tatiana and myself. It was quite an interesting learning experience going through this with her with her legal expertise. We’re going to go over an overview of BYOD and why people or businesses are moving in that direction. Tatiana had some very good insights on legal concerns and why you should or shouldn’t consider bringing your own device to work and how that can impact the company, and then I’ll be covering some of the technical issues and considerations around delivery of BYOD. We’ll both be discussing some of the policies and how to develop policies based on legal requirements and the technical maturity of your organization, and then hopefully we will have some time for questions.

April: Great. Tatiana? Do you want to give us any additional information here?

Tatiana: No, I think we should go ahead and get started. Will you go ahead and skip to slide number six?

April: I will.

Steven: We’re seeing a very large percentage of people who have cell phones. It’s very, very rare that people don’t have a cell phone today. Statistically, 88% of adults are cell phone owners. I’m sure we’ve all seen that commercial: get your free government cell phone. I know for a lot of families that just replaced the home phone line. I don’t even have a home phone anymore. Of those 88%, 46% of those adults do have some sort of smart phone, which for all intents and purposes nowadays is just a small computer. There’s more computing power in our phones today than there was in a full-blown desktop just a handful of years ago.

When we look at computing devices, and when we look at smart phones, and when we look at tablets, everything that could be encompassed in bring your own device, the main driver is that people want to be able to be more productive. Businesses want to be more productive. They want to have more work getting done, and slowly but surely the lines of work and life are being blurred. They want to have access to their device and their information and their customers and their clients almost 24 hours a day, and they want it to be convenient. It was very common just a few years ago to see people carrying a Blackberry for work, and then maybe they had their snazzy little flip phone for their personal use, but people don’t want to have to carry around these different devices.

We’re seeing lots of different technology converge into the mobile phone. You have cameras and MP3 players. As everything’s becoming smaller, it becomes more convenient. In addition, with the advent of mail clients for phones, you don’t have to be tethered to your laptop. A lot of business takes place over email, and so people just want that freedom and the ability to work and move throughout their day and be able to get work done wherever they are and have a great user experience. That is one of the main real drivers for BYOD, at least from my perspective.

Tatiana: Next slide. As we’ve seen in the market, and as you’ve just described, there’s been a huge shift from single-use devices to dual use, where you’re using one device for everything that’s going on in your life. It’s because we’re seeing this growing integration of work and personal life. One of the biggest long-term and short-term benefits of moving to a bring-your-own-device environment is cost saving. Next slide, please.

I have a case study example of the kind of cost savings that an organization can experience. This study comes from the White House as part of its bring-your-own-device toolkit, which was designed to support Federal agencies who were seeking to implement BYOD programs in their own departments and in their own divisions. In addition to this case study from the EEOC, the toolkit also includes case studies from the Alcohol and Tobacco Tax and Trade Bureau as well as one from the state of Delaware. There’s a perspective both from a state entity and a Federal entity. One of the biggest benefits of this toolkit is that it includes a few sample policies. Keep in mind, if you take a look at the toolkit, the policies were drafted specifically for the Federal government, so you want to make sure that you have your internal compliance team and your legal team double-check before you adopt any of those policies wholesale for your own organization, because that won’t really work too well.

In the case study from the EEOC, the primary driver for this agency to move to BYOD was cost. As we’ve seen with a lot of companies now, there’s a huge pressure to do more with less money. Their question was, we have this budget constraint, how do we reduce expenses? The EEOC took a two-pronged approach. Next slide, please.

They looked to negotiating with their wireless carrier, and as part of the negotiations they also implemented a BYOD program. Next slide, please.

When they took this approach, as any company would, first they did an internal review of how their devices were currently being used. Because before you force a different policy on yourself and your employees, you want to figure out what they’re actually doing with the existing technology. When they looked at their devices, the EEOC had about 550 company-issued or organization-issued Blackberrys. When they did their internal analysis, they found that there was a large number of zero-use devices. That’s a little problematic, because if you’re looking at how to save money, what a colossal waste of money to have devices that are issued, that you’re paying for, that no one is ever using. That’s definitely not something you want.

The first thing they did was say, “Wireless carrier, we’re not paying for these devices, so take these off the plan.” The remaining devices they moved to a bundled rate plan. Through that move, they were able to lower their cost by 20% to 30% because they were able to optimize the rate plan. That’s just a really easy way. If you’re looking for an immediate way to save money, that’s a really great way to do it, because 20% to 30% is a huge, huge cost saving that’s almost immediately visible on your bottom line. Basically, it comes down to being able to use the resources you already have in a more efficient manner. Next slide, please.

April: I love that they actually asked their users first. What a concept.

Tatiana: Isn’t that great?

Steven: A large part of why these devices weren’t used may be that employees, especially people who are working around the clock (obviously in an IT organization, and I’m sure Tatiana has pretty demanding schedules with her clients), like their own devices for various different reasons. As Tatiana and I were talking about this, I just took a guess. I said, I bet you’re an Apple person. Me being an IT guy, I really happen to like Android. I like Android because of its open-source ecosystem. I like Google, for better or for worse, and there’s no vendor lock-in.

It’s part of my nature as an IT guy to like the newest gadgets and be able to fiddle with them and customize them and things like that, but not everybody really wants to, I don’t want to say struggle, but have to keep up and maintain their devices. Why do you prefer the iOS platform, Tatiana?

Tatiana: I like it probably for the exact opposite reasons that you prefer Android. It’s really funny, because I have a background in IT. I actually have an IT degree, and the last thing I want to do is spend all my days trying to figure out how to operate my phone. To me, the biggest seller of my iPhone was that it’s a closed ecosystem, so there are fewer interoperability concerns, there are fewer security concerns, at least subjectively there are fewer security concerns. Next slide, please.

I wanted to include this next slide to show you what I actually mean when I say subjectively. These are two recent graphics. One is from McAfee, the other is from Symantec, about actual statistics. If you take a look at the numbers by platform, you’ll see that a lot of the mobile malware is created for the Android system, and it’s because it’s an open platform, so you can put a whole bunch of stuff on there. Whereas for iOS it’s more difficult to get your apps into the app store if there’s a problem with them.

On the other hand, if you look at the other graphic, you’ll see their list of vulnerabilities by platform. When I say that with my iOS device I subjectively have fewer security concerns, if you look at the numbers it’s actually not correct. I probably should be a little bit more worried about that device if I’m looking at it in that way. But because there aren’t as many malware applications written for it, there are, in fact, fewer concerns from that perspective.

Steven: Yeah, I would agree. Apple does a much better job controlling its app store than Google does with its market. That’s definitely a point in Apple’s favor.

April: So what exactly is the difference between malware and a vulnerability?

Steven: That’s a really good question. The difference between malware and a vulnerability: you can think of a vulnerability as a flaw in a knight’s armor. He has this very nice sterling piece of chain mail on, and there’s just a small chink in the armor where it’s not perfectly interlocked. The malware you can think of as some heroine riding up on a horse with a bow and arrow who shoots that arrow right through that flaw in the armor. You need a vulnerability, which is the weakness in the defense system, and then the piece of malware is the force that will basically exploit that vulnerability.

As Tatiana pointed out, there are documented vulnerabilities, quite a significant number of them, actually more than I thought there would be, in Apple’s iOS. But the delivery method for the malware is very, very tightly controlled by Apple, whereas Google’s Play Store is really quite open. You hear a lot about people rooting their Android phones and being able to put whatever they want on them. That’s just much less frequent with Apple iOS devices.

April: I like the metaphor. Thank you, Steve.

Steven: No problem.

Tatiana: As Steve noted at the beginning, there are a very, very large number of people who have cell phones and who have smart phones. Companies and the government are recognizing this and taking advantage of it in an effort to increase the level of communication. One of the best examples of these efforts is the Department of Health and Human Services, which strongly advocates people designing technologies to educate others about health and to manage chronic diseases, because your phone is always with you. You basically have a constant reminder of good behaviors. Your phone can beep and say, “Don’t forget to take this drug. Don’t forget to do this. Maybe you should do this tonight. Don’t forget to exercise.” It’s a way to reach a large number of people.

For example, if you have people out in rural areas who are traditionally more difficult to reach than someone living in the city, you can reach them through their mobile device. It’s a really, really, really easy way to do that. Next slide, please.

One of the best examples of this is the Text4Baby program, which was developed as a community partnership. As part of this program, pregnant women and women who have babies less than a year old get text messages reminding them to engage in good behaviors. Don’t forget to read to your baby tonight. Don’t forget to do this. The government has used this program to educate expectant mothers and new mothers on the best ways to take care of their babies. It’s been really, really successful and really well accepted. Next slide, please.

Steven: With a lot of these technologies, some of us may find them creepy. I don’t know if I’d want the government texting me about my baby. With the proliferation of these devices, we see a lot of security concerns and security challenges. There is some very sensitive data that is flowing back and forth, whether it’s trying to reach out into rural areas, doctors communicating, any sort of thing like that.

For businesses, a lot of the challenges that they have with mobile laptops directly carry over to cell phones or tablets. The only caveat is that almost everyone has their cell phone with them all the time, so it amplifies the problem, whereas you may not always carry your laptop with you. I just remembered, I was reading an article that cell phone theft is one of the fastest-increasing crimes, because these devices are so expensive if you buy them off contract, $700, $800, $900. Almost everyone has them. It makes them a very rich target for thieves.

One of the things that a lot of companies struggle with is that these devices are almost all charged via a USB port, except for Apple, which uses its own proprietary plug. They can be connected to corporate WiFi networks. How do you control access to your network with these massive amounts of devices that people are bringing? They want to use their phone for Internet. They want to stream Pandora or Spotify or Netflix to their phone, whatever it is that they want to do, and how do you keep those things off of the company network?

There are a couple of things that you can do; we’ve been dealing with these sorts of issues very similarly with other types of technologies. For example, consider what was really big a year or two ago: USB drives, thumb drives and external hard disks that people were just coming in and plugging into their computer workstations at work. It’s very easy through Group Policy and Active Directory to disable these types of hardware devices. We can apply that same methodology to cell phones. We don’t mount them as a media device, or the USB ports are simply not going to allow removable media, things like that. That’s something that you can do for free through Active Directory.

Then, more on the WiFi corporate network side, you can use something like network access control, which is a combination of MAC filtering. For every single network device, you could essentially think of its MAC address as a phone number that’s tied to the device. If you’re the network admin and you are enrolling approved devices, you can definitely collect those MAC addresses, and then filter on your WiFi access points to keep these phones and these mobile devices that may be unapproved, that your employees are bringing in, off of your wireless network. It’s a very cost-effective and low-tech way to keep these mobile devices off your network if you’re really worried about that.

Then, another thing which I actually always recommend: if you do have an open WiFi hotspot on your network, require all users, not just people that you may think are bringing miscellaneous devices from home, but all users, to VPN through WiFi networks. There are some good WiFi encryption technologies out there, depending on how deep you want to go with it; you might need to replace older hardware and things like that. If you enforce the VPN, you are adding that additional layer of security for all devices. That way, if you want to have a public WiFi network for your mobile device users, they can do that, they can get out to the Internet, and then only your approved network devices can get onto the VPN.

The one big thing that I really worry about with BYOD and mobile devices is data exfiltration and data theft. Again, just like we see in the news very, very frequently, someone left a laptop in the back of their car. It was from a medical organization, someone breaks in and steals it, and then they have to report that there were hundreds of thousands of patients’ records on that laptop. Mobile phones are, again, with us all the time, and it is fairly easy to lose your mobile phone.

If you look at a lot of the email clients, and if you look at how the file systems on mobile phones work, when you sync your mobile phone to your corporate email, a lot of times those emails are downloaded right to your phone. If that phone were to get lost or stolen, or let’s say you were using Dropbox or something like that, and there’s a Dropbox app on your phone, that could open the company up to a massive amount of data loss. It’s just so easy to lose one of these things, or so easy to have one stolen. There are some things that you can do to help remedy that situation and to try to make it more secure. We’ll talk about that a few slides forward.

Again, this goes through and just reiterates that point, some of the security challenges. Thirty-two percent of the security challenges that people are facing is stealing information. We have traditional threats. People are tracking users and seeing where they’re going, maybe sending content that they’re not supposed to, reconfiguring their devices. A lot of companies nowadays will disable cameras. If you enroll a device, there’s adware that’s placed on the devices. There’s a statistic that a fairly high percentage of Android-based phones actually end up being shipped with malware, just because of the applications that a lot of these mobile phone vendors put on them. These are some of the statistics around mobile phones and BYOD devices that are out there. This is from the Symantec Internet Security Threat Report.

Tatiana: Now we’re going to go ahead and move on to talk briefly about some of the legal concerns and some of the things you should consider when you are drafting a BYOD policy.

Primarily, I think one of the biggest issues when we’re looking at BYOD is really compliance, particularly if you’re operating in a highly regulated market such as health care or the financial services industry. This is compliance not only with your internal controls, but also compliance with external laws such as data breach notification requirements, data destruction laws, and litigation holds. I bring those up in particular because your internal controls are generally impacted by BYOD, because a lot of companies don’t have the requisite data protection controls on the phones, so they don’t even know what kind of information is stored on the phone.

If someone loses their iPhone or their Android device, they lose the phone someplace, and now you have to do a breach notification. How do you know who to notify? You’re not even sure what’s on that phone. Maybe there was an Excel spreadsheet on there with social security numbers, or with email addresses, which are now included as identifying information under some of the state laws. Now you’re required to do notification of these individuals, and you have to figure out how to find out what’s on the phone.

One of the best ways to deal with that is obviously to not allow that kind of storage, segregate the data, and enable remote wipe, so that you can try and control some of those things if the device is lost. Another concern, and this goes back to the integration of work and personal lives, is wage and hour laws. A lot of people don’t realize that it’s a huge benefit for companies for employees to work 24/7. They’re super productive. They’re always available, but if those employees are hourly employees, you’re probably supposed to be paying them overtime. That’s not good for them to be working 24/7, because now you owe them all of these extra hours of overtime. It’s really important for employers to really evaluate those issues to make sure that those laws are not being violated. Of course, for doctors and attorneys and some other practice areas, we have malpractice concerns. Next slide, please.

On the privacy and security side, the biggest concern is data breaches that result from lost and stolen laptops and USB drives. As Steven mentioned earlier, this happens a lot. When we look at some of the penalties and fines that have come down from the Office for Civil Rights, which is in charge of enforcing HIPAA, and we’ll talk about one of these later on in the presentation, it’s because someone’s laptop was stolen, or because a USB drive was lost and it wasn’t encrypted. There have been numerous incidents where people have bought used cell phones and used devices from eBay or Craigslist, and they do a forensic analysis of that device, and it belongs to some executive of some Fortune 500 company. That’s a really big problem, because you could imagine that that person probably has highly sensitive information on that device. If it’s not properly wiped, now it’s available to whoever purchased that device and whoever that person decides to share that information with. That’s definitely problematic. Next slide, please.

When we’re looking at privacy and security issues, I’m using health care as an example because this is one area that’s getting a particularly focused look right now, because of all of the data breaches going on with people’s medical records. There are a ton of different bodies that have an interest in this space. If you’re operating here, whether you’re a health care provider, or a business associate, or a subcontractor of a business associate, and you have access to protected health information, it’s really important that you’re paying attention to what’s going on in the market, because you can see all of these different agencies are playing a role. In terms of other spaces, the Federal Communications Commission, the FCC, is really, really active in this space, because they’re very concerned that there are not enough wireless and bandwidth resources to fill the demand from consumers.

You see all of these commercials from AT&T, from Verizon, from all these companies about how they’re upgrading their networks. That’s what the FCC wants to know, how are you really upgrading your networks to make sure that you can fulfill all of this demand that people are having on their mobile devices. Next slide, please.

Steven: One thing that I found especially interesting as I was talking to Tatiana, and as somebody who’s interested in policy, is that the companies are the ones that are stipulating what they need to do. I’ve worked with compliance a lot, but it was really insightful to talk to you, Tatiana. The Office for Civil Rights is generally the office, from what I’ve learned, that will be enforcing governmental fines and penalties. As we were looking at some of these case studies, down at the bottom, a small company may pay $100,000, versus a larger company that may pay a million and a half per incident per year. The goal of those fines is to send a message. It’s not to put the company out of business. It’s not to make them shutter their doors and things like that.

Tatiana also brought up some really valid points: maybe for a billion-dollar company a million-and-a-half-dollar fine doesn’t seem like very much, but there’s also the litigation that may go along with these types of breaches, which is really expensive. Lawyers aren’t cheap. There are class action lawsuits. You’ve heard of companies that have had breaches and have to pay for credit report monitoring and all of these sorts of things. I think that one of the most important things to know is that you need to define your policy, which we’ll look at on the next slide.

We need to have policies in place, and policies are actually very, very important. One, they protect clients. I’ve seen examples of companies where they don’t have a policy on something. An employee may do something dumb, and it just may be a simple mistake on the part of an employee. The importance of policy is that it will protect your customers. It will protect you as an organization. If you’re a healthcare organization, it’ll protect your patients’ rights. Also, by instilling policies it really does give a level of professionalism to the company, because things should be done in a consistent manner. Whenever there’s not a hard and fast rule about a process, you can look back to the policy and say, “What is the guiding light on this policy?” It can protect, again, employees from liability if they just do something silly. Maybe they opened some sort of patient data that they shouldn’t have. Again, it can protect the company from a lawsuit because of a simple mistake.

Tatiana: As we already mentioned, there are a number of players who are focusing on mobile devices. Some of the other regulations that we didn’t mention are the Gramm-Leach-Bliley laws, and that’s particularly for people who handle financial data. Then, you have the FTC Safeguards Rule. PCI DSS, again, credit card information. This has been around for a really long time. Certainly, you should revisit those requirements at least once in a while to make sure that you’re in compliance with what you’re required to do, because if you do have a breach, that can be used as a standard under which to say you weren’t compliant, this is an industry standard, so you were negligent. Next slide, please.

When you’re looking at drafting your BYOD policy, this may be a time for you to carefully evaluate your existing policies, because you may not actually need to draft a new policy specifically to address bring your own device. You may have, as you can see here, a number of policies that already impact using those devices on site. You want to take a look and make sure, and maybe all you need to do is say at the bottom that this also includes anybody who’s bringing their own device on premises.

You will generally, though, want to have some policy in there that talks about authorizations: that if you’re going to bring your device, you’re going to do X, Y, and Z. You’re going to enroll your device into our device management program. You’re going to give us the authorization to remotely wipe your device, and things of that nature.

If you are having specific problems with employees who are not following policies, or maybe you’re having employees who are using their devices at work in a way that is impacting their productivity, then you may want to address that by specifically drafting a policy addressing that kind of activity. Then, of course, once that policy is put in place, you have to educate your workforce, and then appropriately discipline the people who are violating that policy, which means you need to have management that is aware of that policy and can discipline people accordingly. There are also some technical controls that you can put into place to deal with how people use their mobile devices at work. Steven will talk a little bit about that later. Before you put those technical controls in place, you need to enroll those devices into your program, which means you have to have a program and you have to have policies in place. Next slide, please.

Steven: I’m going to pick on SANS, although I am an avid SANS fan. I do their certifications and all. This was one sample policy that’s available online. If you go through and open up this link and you look at some of the suggestions here in this policy, as I was reading through it I thought about how I would feel if I was the user on the receiving end of this policy. There is some verbiage in it: you will not install any applications on this phone without corporate authorization, and we have the ability to do this and do that. I chuckled, and it didn’t really sound like my device anymore. It says bring my device to work, but it’s not really my device. It’s something that maybe I purchased, and now the corporation that I’m working for is just in control of it. That really didn’t sit very well with me.

Another part of it is that sometimes these controls are just very, very difficult to enforce, or not difficult, but they can be expensive to enforce for a smaller company. We happen to be an IT company, and we have a lot of technology around here. If you’re a 50- or 100-person organization and your bread and butter is not technology, there could be a significant lack of organizational knowledge, and there could be a significant gap in the technical maturity that you have in your organization, in order to implement these sorts of things.

As I look at it, I think the first thing is that you need to draft a plan that is reasonable. There are lots of companies, and I remember an organization where I worked, that had these content filtering devices, and they didn’t want us to go to Facebook. It’s not really that hard to get around these things. You set up a VPN proxy outside of your work, and then you VPN over an SSL port, and then you can go wherever you want. Sometimes these policies can be a little bit counterproductive. Determined employees are almost impossible to stop, especially if they know what they’re doing.

What I took away from this is that you have to write a policy that’s applicable. You have to write a policy that is appropriate for your business. What might be an appropriate policy for, let’s say, a not-for-profit organization may be very different from a policy for some sort of government or military organization, and you need to have the technical knowledge and the technical staffing in house to actually implement this policy, or you can get into trouble if you’re not living up to your policies. Don’t just go out and get a great policy from the SANS Reading Room and then say this is what we’re going to do, if your organization does not have that mindset and cannot enforce it. Next slide.

When drafting a policy, there are a couple of things that you’re going to need. You’re going to need support from senior management. This goes back to what type of company you are. Maybe as an organization you believe in that kind of freedom of information, you believe in that freedom of access, and so the appropriate stance for your organization is that we don’t do content filtering. We don’t have certain things that we find inappropriate to share. That could be the case for some organizations, not many. From an IT perspective, what is the strategy, what is the direction that the company wants to go? It really is up to the chief IT officer, or the CIO, or the CTO, or whoever it is, to set that vision and set that goal and define those policies.

Again, you need that staff that is technically trained to implement all of these types of controls that you’re trying to implement or put in place, not just around BYOD but, again, all devices. Many, many of the problems that we have with BYOD can be related directly back to general security concerns of computing. Then, you have the problems of legal enforcement and human resources. These are all sorts of things that you’ll need to consider when drafting your policies.

Tatiana: Steven’s right. You can definitely get in trouble if you have policies in place that you are not living up to. I’m going to give you some examples of those kinds of situations. The Federal Trade Commission is one of those bodies that people seem to forget about, but which has a very broad mandate to protect consumers. Anytime something really bad happens from a consumer standpoint, consumers go and complain to the Federal Trade Commission and say, “This company said they’re going to do X, Y, and Z, but they actually don’t do that at all, they completely lied about what’s going on.” The FTC will bring charges under Section 5 of the FTC Act which bars unfair and deceptive acts and practices.

They have a couple of other laws that they can enforce and they can bring action under, but a lot of these cases are brought under section 5. As of May 1, 2011, the FTC has brought 32 legal actions which really doesn’t seem like a lot at all. Next slide, please.

The consequences of those actions are pretty serious because if you are one of the unfortunate companies to be a target of the FTC you can be sure that you’re going to have either protracted litigation, because if they decide to sue you they’re not letting you go, or you’re going to agree to a 20-year third party audit consent agreement where you’re going to need to do an audit within the first 180 days after you sign the agreement, and then another audit every two years for the next 20 years.

Some of the companies, particularly the Internet companies that have been caught up by the FTC, they haven’t even been around for 20 years. The technology hasn’t even existed for 20 years, so now they have this compliance that could certainly outlive the existence of the company given how quickly we see that companies can fall apart.

I want to give you some examples of the kind of language and the kind of issues that come up that get companies into trouble. Compete, Inc. and CBR Systems are where this provision was taken from. That’s actually quoted language from the consent agreement. Compete, Inc. is a market research and web analytics firm. The FTC alleged that the company was using its web tracking software to collect personal data without adequately disclosing to consumers the extent of the information that was being collected. The company said something like, “We take reasonable measures. The data is going to be anonymized,” and all of the stuff you would generally read in a regular privacy policy was there, where we just look at your habits and we don’t look at you as an individual, where, in fact, the company was capturing credit card numbers, passwords, social security numbers and transmitting that information directly to the company and basically aggregating all the data together.

When, in fact, they were telling consumers one thing but doing something completely the opposite, that’s where the FTC said, “Wait a second. That is not reasonable. That is not okay.” When you’re looking at your own policies make sure that the policy that you have in place actually speaks honestly about what you’re doing, particularly where you are collecting consumer data and you’re promising that you’re going to use some form of security measures. Make sure that you’re accurately portraying what you do.

For example, if you don’t encrypt stuff don’t tell people that you encrypt stuff. On the other hand, if the industry expectation is that you’re supposed to encrypt that stuff and you don’t do it, that’s also very, very problematic. Next slide, please.

Steven: As we’re looking at these policies, even after they’re drafted, because technology changes so quickly, we need to review those policies and the procedures that back those policies on a very regular basis. It is best practice to have your senior executive sign off on them, preferably on a quarterly basis, and at the least they should be reviewed on an annual basis.

One of the things that I’ve spoken to people about is that there seems to be a lack of, I want to say, interest on the part of corporate officers. As you’re making this case it’s good, and that’s why I think it’s really great that Tatiana and I are talking together, because generally corporate officers don’t want to get into legal hot water and they don’t want to have to pay all these fines. Having this brain share and understanding how these things work from both the technical and the legal perspective can really give a different lens when presenting the importance of reviewing and signing off on these policies to the higher level management team. Next slide.

Again, a lot of these things that we’ve been struggling with with BYOD are, again, directly applicable to things that we’ve already seen with laptops, people bringing their own laptops from home. Again, it goes back to that concept. Is your company technically mature enough to enforce the policies that it’s writing? There's a really great article, there's a friend of mine that I had a conversation with. He told me the term, the security poverty line. Security can be very expensive. Again, if you're not an IT company and you don't have, let's say, IT people on staff, it's very, very possible if your company only has 10, a dozen, two dozen employees that you don't have a dedicated IT guy, much less an IT guy who's outsourced and knows security.

What do you do? There's a phenomenal article that I encourage everybody to read. One of the first things that you can do is, again, getting back to those policies, to make sure that you're not putting things in your policies that you can't live up to. There's a lot of free technology out there, so it's more on the technical tangent. If people have questions about it they can feel free to email after and I'll reply. There's a lot of free technologies out there that you can implement for logging so you can do forensic analysis on it, for locking systems down. It doesn't have to be some big expensive shiny device. I would fully recommend that you apply the resources that you have first versus going out and spending money on something because it just may be too cost prohibitive to do so. There are some things that you can do definitely to help mobile devices specifically; we'll talk about those on the next slide.

This is definitely a bonus for you iPhone users. After iPhone 4, encrypt your mobile device. If you have an iPhone it's done natively. On Android devices, it is a setting that you can enable. That way if your mobile device is lost or stolen and somebody tries to get that data off of the mobile device it will be scrambled. It will be unintelligible. Encryption is so powerful and so important for today's security measures. There's just no reason not to encrypt your data anymore.

The pass code requirement when you turn on your phone or when it goes to sleep, that lock timer where you have to enter in your pass code to actually unlock your phone, that way if you do lose it and somebody picks it up they don't just have unfettered access to your phone. There is this little PIN code that they have to know to get into your phone. That's a huge boost.

No jailbroken phones. This is more of an Android issue than an Apple issue. Sometimes people will jailbreak their phones to get around the tethering fees that their cellular phone providers want them to pay. There's a lot of things that can go wrong on a jailbroken phone. You can put apps on the phone and things can happen on the phone that you just don't want occurring in your corporate network.

One thing that can definitely be done if you have the means, if you maybe outsource your email, is to implement a remote wipe. That way if an employee reports that a phone or mobile device has been lost or stolen you can remotely wipe that device from a centralized location, and that way, if it's been encrypted and you have a password on it, you can be relatively sure that they've not been able to exfiltrate any data from that device.

Then, the last one, which is especially problematic with the Android phone, is enforcing the OS updates and application updates. Unfortunately, the fragmentation of the Android operating system and the lack of due diligence by cell phone carriers to update the code in the operating system on the Android phone is really what's made it quite vulnerable to these pieces of malware that Tatiana spoke about earlier. At least for your applications, educate your users within the organization on how important it is to update the phone and all the applications that run on it when the time is appropriate.

Next, we'll talk about some delivery systems and segmenting the data. Getting back to this expensive process of aggregating data and things like that, you have data on your phones, you have data on your servers, you have data that's flowing through your network. Correlation is very, very hard if you can't get data off of your phones and you can't track how those phones were connecting into your network. It could be very, very challenging to make sure that information was not where it shouldn't have been.

There're some technical solutions that you can apply on some logical solutions. In the next slide, one thing that I am huge advocate of is data classification and data isolation. Let's say you have a file server and people want access to certain types of data from their tablet from home. They're working from home and they want some access to that. It's very important that you classify within your organization what is sensitive and what is less sensitive. If you have data that is so important that it's critical to the organization then you should keep that data segmented, referenced by the red there.

That's the tiny quantity of data that's mission critical. Then, the rest of the stuff you could allow remote and BYOD access to. It is probably the easiest way to ensure that your organization does not data that it shouldn't is by data classification and data isolation. This is not something that's technical. This is a procedural process that you go through as an organization. You tag the data. You move it to different systems, and you maintain and control access through different methods. That is the first place, in my opinion, any organization should start.

As we move onto the next slide we're going to talk a little bit about data delivery. The first thing that we're going to talk about is terminal server services. Everybody knows Microsoft terminal services, or maybe some of the IT folks do. It was commonly referred to as remote desktop. It's a very mature technology. Essentially what it does is it sends a picture of the device to either your workstation, your tablet, or your phone. There're a lot of clients available. It does work especially well for tablets. In the next slide there's a very simple diagram of how the terminal services work.

You, as an end user on the leftmost side of the slide, maybe you have your phone. There are actually already RDP clients for phones if you need to gain access to a server. You would go through the Internet represented by the cloud. Hopefully, you have a firewall in place or you're VPNing in, which is even better. Then, you have a simple Microsoft server that is running this remote desktop services role. Let's say for the sake of this particular conversation we have some sort of Excel spreadsheet you need to manipulate and do some entry of data in there. There are applications on the backend that simply push forward, if you would, a picture of what's going on on your screen, and yet you're able to interact with it and manipulate the Excel spreadsheet.

The difference here is that if you were to email yourself this Excel spreadsheet, the spreadsheet now exists on your phone. If your phone is not encrypted, if it doesn't have a PIN code and you lose it this very sensitive Excel spreadsheet could be accessed by some nefarious person who stole or found your phone. By using this type of remote delivery service, A, it's not too expensive. Most companies do have at least one Windows server out there that they can add this role to, and B, it's been around for a long time and it's fairly easy to set up. If you are very concerned about this type of data being on phones this is a very, very simple way that you could manage this data delivery.

The next few things that you should be thinking of are, one, having pass keys; and two, like I mentioned, use a VPN. Most phones nowadays have a VPN client so that you can actually VPN into your network. Use two-factor authentication. There's a lot of companies out there that will literally give you free two-factor authentication up to 10 users. DuoSecurity is a great organization that will do that. It's free for small businesses up to 10 users. There's no excuse not to use it and it really boosts the protection.

Use strong encryption if you're going to use remote desktop. Windows XP did not have very strong encryption. I would argue that if you're still using Windows XP you have other problems and you should probably get rid of it. They are completely ending support on April 8 of next year, so you won't be able to get any security patches or anything like that. These are some things that you can do on a pretty modest budget.

The next slide, if you want to go very fancy and high tech, VMware offers the Horizon suite. Again, we have a user on the left. You're going through the Internet, preferably through a firewall. Then, they recommend that you do load balancing. VMware has a whole suite of systems that sit in front of a traditional VMware stack. Then, this VMware stack is connected to storage. Again, at the end of the day, you're just delivering applications to the end user whether it be on their cell phone or their tablet.

The benefit of maybe the VMware, with its obviously more expensive price tag, is that you can do things much more effectively on the phone. Whereas the RDP solution really would be effective for a tablet, if you've ever tried to RDP into a server and your phone screen is not so big it can be a little bit challenging. If you have content like Excel spreadsheets or full blown applications and not just some simple spreadsheets or Word docs that you want to share with users, that's maybe where you'd be looking at this more expensive and more technical implementation. Next slide.

Tatiana: I think I'm going to go ahead and skip these slides. These next slides just give another example of an incident that happened and this was specific to health care. Folks that have a question about this particular incident are welcome to reach out to me and I can give you additional information on what the Office of Civil Rights found problematic. The reason I included it was because it was specific to bring your own devices and mobile devices. There was some guidance that the Office of Civil Rights gave for what kind of policies and procedures they expected.

The FTC has done some formal alerts, so if you're in another industry but you'd like to have some more feedback on what the regulators would expect from you, please reach out to me. This is the first time that Steve and I have given this presentation together, so both of us would really love your feedback to let us know what you thought about including both the legal stuff and the technical stuff, and then how that worked out. Without further ado, I'll turn it over to April to raise any questions.

April: Great. Thank you so much, Tatiana and Steve. I know we may not have time to answer all of the questions that were submitted in advance, but we have a couple minutes here so feel free to send in any questions you have. If you think of them after the fact we will definitely be happy to connect you with Steven and Tatiana.

One question for the two of you is where is the best place to start to look for a framework and try to organize thoughts about putting together a BYOD policy? Would it be information that they can find at SANS, or any good books or references out there, if the organizations are trying to figure out where to tackle this?

Steven: Do you want to go first, Tatiana?

Tatiana: You can go first if you have some ideas.

Steven: Sure. In my assessment, how I was always taught, whenever you start thinking about how you want to develop a policy you need to think of the posture of your organization. It sounds simple but that's really the best place. I remember when I was doing grad work over at Eastern we were helping the masters college in some problems that they were going through. On one side there were these security purists that I was working with. They were, "Everything needs to be locked down and everything needs to be encrypted and everything needs to be this," because that's the way they thought of it.

That's not what the posture of their organization was. The posture of their organization was, except for a couple of very specific student records that they had, a lot of their data was really public. When we actually sat down and we started drafting policy for them we did not have to put confidentiality controls around most of their data because it was just public data. We were again able to isolate. We were able to classify the data between confidential and nonconfidential. We were able to isolate the confidential data and then just spend money very, very wisely on that confidential data and monitor that. That same principle applies to BYOD.

The delivery method should always be based on the sensitivity of the data. If you start with your policies, thinking about the data and the loss of that data or the exposure of that data to people that should not have it that will start you on the right path conceptually. That's what you should be looking at before any sort of technical implementation.

April: That makes a lot of sense. Saves a lot of wasted time and money.

Steven: Absolutely.

April: Great. I know it's right here at 3:00, so with respect to everyone's time, Steven and Tatiana, thank you so much. Lovely to have you. We'll look forward to learning more from you in the future. Thanks again.

Tatiana: Thank you so much.

Steven: Thank you.


Tatiana Melnik, Attorney
Tatiana Melnik is an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance. Ms. Melnik regularly writes and speaks on IT legal issues, including HIPAA/HITECH, cloud computing, mobile device policies, telemedicine, and data breach reporting requirements, is a Managing Editor of the Nanotechnology Law and Business Journal, and a former council member of the Michigan Bar Information Technology Law Council.

Ms. Melnik holds a JD from the University of Michigan Law School, a BS in Information Systems and a BBA in International Business, both from the University of North Florida. www.melniklegal.com


Steven Aiello, Senior Product Architect, Online Tech


Steven Aiello is a Senior Product Architect with Online Tech, the Midwest’s premier managed data center operator. His certifications include CISSP (Certified Information System Security Professional), ISACA CISA, VMware VCP (VMware Certified Professional), Cisco CCNA (Cisco Certified Network Associate), CompTIA Security+, and Certified Incident Responder (New Mexico Tech).
