FEATURE
Best practices for
BYOD security
Hormazd Romer, Accellion
IT revolutions tend to be double-edged swords. There are always benefits –
increased computing power or mobility or ease-of-use or some exciting combi-
nation of features that might have seemed unimaginable just a few years earlier.
Inevitably however, these new features and benefits also bring new difficulties
and risks.
For IT security teams, the new risks
typically include security vulnerabilities.
Attackers are quick to exploit design
flaws or architectural weaknesses that
can be used to steal data, sabotage
networks or siphon funds. Over time,
vendors and customers discover these
flaws and weaknesses – usually the hard
way, by discovering that they have been
exploited – and fix them. Until the new
technology matures, security teams find
themselves racing to patch vulnerabili-
ties, educate users, fine-tune processes,
and deploy new security solutions tailor-
made for the post-revolutionary world.
For enterprise mobile computing,
the race to contain new threats is defi-
nitely on. The Bring Your Own Device
(BYOD) revolution has swept enterprises
of all kinds. In organisations as diverse
as law firms and manufacturers, employ-
ees are buying their own mobile devices
such as smartphones and tablets and
using them for work.
Employees are not just bringing a single
device to work, either. A recent survey by
iPass found that the average mobile worker
now carries 3.5 mobile devices, which
might include smartphones, laptops, and
tablets. Employees may have purchased
some or all of those devices themselves.
Recognising that employees love their
Android phones, iPhones and iPads, and
won’t leave them home, a majority of
organisations have formally adopted BYOD
policies. Employees can now store business
data and do work on their own mobile
January 2014
devices, rather than just on those officially
provisioned by their company. What does
this mean for the teams and administrators
responsible for network security?
New security risks
To assess the risks of BYOD computing,
we need to consider everything from
data contamination to user habits to the
activities of criminal syndicates. Let’s
start with the device itself.
Security as an afterthought:
Consumer devices such as iPads were not
designed with rigorous data security in
mind. Most mobile devices either lack
advanced security features or have them
disabled by default. Even basic features
such as screen locks are turned off, and
most users leave them that way.
Data contamination: Today, an
employee’s vacation photos are likely to
reside on a smartphone or tablet that an
employee also uses for work. The photos
and other content share storage space
along with confidential business data.
Never before has personal data mixed
so freely and casually with business
information. This combining of data
introduces new risks to the enterprise.
Through carelessly configured back-ups
or file copies, personal content might
accidentally end up on corporate file
servers. Worse, personal files that contain
malware might spread to business files
and from the mobile device to internal
file servers and other enterprise assets.
Hormazd Romer
New forms of malware: New forms
of malware targeting mobile devices are
on the rise. IBM predicts that mobile
malware will grow 15% annually for
the next few years. Hackers and crimi-
nal syndicates realise that most mobile
devices are less secure than more tra-
ditional devices such as laptops. They
have begun targeting mobile devices for
attacks ranging from mischievous pranks
to advanced persistent threats that
stealthily copy internal data over many
months, transmitting it to remote con-
trol centres around the world.
“Malware that would have
been caught by network
defences in the office on
Monday afternoon is able to
install itself on the mobile
device of an employee work-
ing remotely on Friday night”
Phishing attacks that slip past net-
work defences: Many employees rou-
tinely catch up on email and work dur-
ing evenings and weekends, and when
they do, they typically use smartphones
or tablets. Realising that most of these
devices lack AV software and that most
email and web traffic accessed remotely
bypasses inspection by firewalls and
gateways, attackers are now design-
ing phishing attacks and other email
exploits to be triggered during non-
business hours.
And the attacks are working. Malware
that would have been caught by net-
work defences in the office on Monday
afternoon is able to install itself on the
mobile device of an employee work-
ing remotely on Friday night. Once
installed, keyloggers and other malware
13
Computer Fraud & Security
 FEATURE
can feed attackers valuable information
for launching more damaging attacks
against file servers email servers, and
other internal assets.
Lost devices: On average, a cellphone
is lost in the US every 3.5 seconds.1 Even
if a lost smartphone or tablet does not
contain confidential data, it still might
include apps or cached credentials that
make it easier for criminals to infiltrate
an enterprise network. As workers begin
carrying more devices, the likelihood of
them losing devices only increases.
“To ensure all their devices
have the files they need,
employees often try out one
or more file-sharing services,
including free but risky file-
sharing apps”
Risky file sharing: A mobile device
without data is of limited use. To ensure
all their devices have the files they need,
employees often try out one or more
file-sharing services, including free but
risky file-sharing apps that run on public
clouds. Unfortunately, these services,
though popular, are usually not secure
enough to be trusted with enterprise
data. For example, the popular service
Dropbox accidentally disabled all pass-
word protection on all its customers’
accounts for four hours in 2012. Having
originally been designed for consumers,
these services usually lack the centralised
control and monitoring features that
large enterprises and government agen-
cies need for security and compliance.
In addition, many public cloud file-
sharing services also pose legal risks to a
company’s claim to own and control its
data. For example, the terms of use for
Google Drive, Google’s free file-sharing
service, begin by stating that users retain
the intellectual copyright for the ideas in
the content they store. But the terms of
service go on to say that by using the ser-
vice, customers grant Google and its part-
ners the right to reproduce and modify
any uploaded data in order to operate,
promote, or improve Google services:
14
Computer Fraud & Security
“When you upload or otherwise
submit content to our Services, you
give Google (and those we work with)
a worldwide license to use, host, store,
reproduce, modify, create derivative
works (such as those resulting from
translations, adaptations or other chang-
es we make so that your content works
better with our Services), communicate,
publish, publicly perform, publicly dis-
play and distribute such content. The
rights you grant in this license are for the
limited purpose of operating, promot-
ing, and improving our Services, and to
develop new ones. This license continues
even if you stop using our Services (for
example, for a business listing you have
added to Google Maps).”2
Understandably, most enterprises would
be reluctant to surrender control of their
data to Google under such sweeping
terms simply for the convenience of free
file-sharing and collaboration.
Best practices
Fortunately, new security solutions are
available to help organisations protect
their mobile content and networks. To
make the most of these solutions, it’s
important for security teams to focus
their attention on just what it is they
are securing. Ultimately, what is more
important for enterprise security: pro-
tecting an ever-changing collection of
mobile devices, or protecting enterprise
data itself, regardless of the device?
Mobile Device Management (MDM)
solutions focus on securing devices. They
help organisations provision mobile
devices and maintain Access Control
Lists (ACLs) of devices permitted to
access the network.
MDM solutions have two shortcom-
ings. First, they typically lack detailed
controls for securing individual files.
As their name implies, their focus is on
devices, rather than on individual files,
which might require access rights that
vary by user and even by device.
Second, the pool of devices being used
by employees is in constant flux. By focus-
ing on device security, IT organisations
depending on MDM platforms for secu-
rity often find themselves with an endless
to-do list of moves, adds and changes.
Taking a different approach to MDM,
Mobile Content Management (MCM)
is a new class of mobile security solu-
tion that focuses on securing content,
wherever it is located. To protect content
stored on or being transmitted to or
from mobile devices, MCM solutions
provide secure software ‘containers’.
These containers shield confidential
data from unauthorised access and
malware infection. Even if other files
on the device do become infected with
malware, the files within the container
remain safe. IT departments can config-
ure and control these secure containers
remotely, so if a device is lost or stolen,
administrators can quickly disable access
rights for all files in that container on
the device.
Leveraging a secure MCM solution,
here are six best practices for protecting
confidential data on mobile devices.
1. Choose a solution that
protects all confidential
files on all devices
Organisations should select an MCM
solution that works with whatever
mobile devices employees are carrying,
so that no device is unprotected, no
matter what OS it’s running. At a bare
minimum, the solution should support
Android, BlackBerry, iOS, and perhaps
Windows Phone.
2. Centralise access
control and monitoring
Centralised monitoring allows network
administrators and security officers to
monitor the distribution of files and to
detect anomalous behaviour before it
leads to data breaches. Centralised moni-
toring and logging are essential capabili-
ties for organisations that need to com-
ply with industry IT regulations such
as Sarbanes-Oxley (SOX) or the Health
January 2014

Insurance Portability and Availability Act
of 1996 (HIPAA).
To comply with HIPAA, for example,
healthcare organisations (HCOs) in the
US must be able to demonstrate that
they can monitor and control the dis-
tribution of all files containing Patient
Health Information (PHI) – healthcare
records that could be used to identify
specific patients. If files are distributed
over a public cloud service such as
Dropbox, the HCO’s IT and security
teams will lack any way to monitor the
distribution of files. On the contrary,
confidential patient data could be eas-
ily replicated or distributed broadly,
and the HCO would never know until
the data breach was exposed, probably
resulting in regulatory censure and
other penalties.
“When access proves diffi-
cult, employees sometimes
begin keeping local copies of
files and copying them from
device to device, thereby
undermining security and
version control”
By using an MCM rather than a
public cloud service, the HCO’s IT and
security teams can ensure that the dis-
tribution and storage of PHI adheres to
industry regulations and policies.
3. Connect to SharePoint
and other important
services
Most enterprises and government agen-
cies have invested in ECM systems such
as SharePoint. These systems provide
advanced role-based controls for file
storage and powerful search capabili-
ties to help employees find information
quickly.
Unfortunately, accessing these systems
remotely can be cumbersome or outright
impossible, depending on the configura-
tion of the mobile devices and the ECM
system. When access proves difficult,
employees sometimes begin keeping
January 2014
local copies of files and copying them
from device to device, thereby under-
mining the security and version control
features of the ECM system.
Organisations should select an MCM
solution that provides access to content
stored in these existing systems. This
way secure mobile file sharing becomes
a natural part of the workflow, and
workers in remote locations always have
access to the critical files they need.
4. Increase trust and
control with private
clouds
Private cloud solutions – cloud services
that enterprises run in internal datacen-
tres – can provide the scalability and
cost-effectiveness of cloud computing
without the security and availability risks
of public clouds.
Whenever possible, enterprises should
deploy their MCM solutions on private
clouds, giving their own IT organisa-
tions complete control over the location
and availability of data.
5. Block risky services
Even with an MCM solution in place,
employees may be tempted to try the
free services that their friends are using.
By blocking these services, enterprises
can ensure that mobile workers don’t
jeopardise the confidentiality and integ-
rity of the confidential data.
Educating users about the risks of
these public-cloud services is another
important way to ‘nudge’ them into fol-
lowing best practices for data security.
6. Choose proven
solutions
Organisations should select an MCM
solution that has been certified to meet
stringent security requirements, such
as the Federal Information Processing
Standard (FIPS) 140-2 requirements for
US federal agencies. The US National
Institute of Standards and Technology
FEATURE
(NIST) developed the FIPS specifica-
tion to ensure that government agencies
use sufficiently strong cryptographic
services, including authentication and
encryption, for protecting agency data.
If an MCM platform has received FIPS
140-2 certification, organisations can
be sure that the platform’s authentica-
tion and encryption technology has
passed inspection by the US Federal
Government and been approved for use
by government agencies. It also means
the software has been tested and proven
to securely protect data at rest and in
transit on mobile devices.
Conclusion
By following these six best practices,
enterprises can enjoy the benefits of the
BYOD revolution – increased productiv-
ity and collaboration – while avoiding
the security risks. A rigorously secure
MCM solution that supports a broad
range of mobile platforms gives network
administrators and security teams the
controls and monitoring features they
need to protect mobile devices and the
data they carry.
About the author
Hormazd Romer is Accellion’s senior direc-
tor of product marketing. He has over 12
years’ experience driving product marketing
and product management for enterprise
software solutions. Accellion provides
enterprise-class mobile file sharing solutions
that enable secure anytime, anywhere access
to information while ensuring enterprise
security and compliance.
References
1. Yu, Roger. ‘Lost cellphones add
up fast in 2011’. USA Today, 23
Mar 2012. Accessed Jan 2014.
http://usatoday30.usatoday.com/
tech/news/story/2012-03-22/lost-
phones/53707448/1.
2. ‘Google Terms of Service’. Google.
Updated 11 Nov 2013. Accessed 7
Jun 2013. www.google.com/intl/en/
policies/terms/.
15
Computer Fraud & Security