IT Risk Introduced by Bring Your Own Device (BYOD)

vi
IT Risk Introduced by Bring Your Own Device (BYOD)
An Applied Research Project Presented in Partial Fulfillment of the Requirements
for the Master of Science in Digital Forensics and Cybersecurity
John Jay College of Criminal Justice
City University of New York
Robert Shullich
Spring: May 2013

vii
IT Risk introduced by Bring Your Own Device (BYOD)
Robert Shullich
This Applied Research Project has been presented to and accepted by the
Office of Graduate Studies of
the John Jay College of Criminal Justice of the City University of New York in
partial fulfillment of the requirements for the
Master of Science in Digital Forensics and Cybersecurity
Dr. Ping Ji
______________________________________________________________________
Applied Research Project Advisor Signature Date
Dr. Jin Woo Kim
______________________________________________________________________
Second Reader Signature Date
Dr. Richard Lovely
______________________________________________________________________
Director, Digital Forensics & Signature Date
Cybersecurity Program

viii
Abstract
The price point of consumer electronics continues to drop while the performance and
capacity of these devices increases. This is creating a market of personal electronic
devices that surpass the capabilities of similar devices that are used in the enterprise. In
the past there was a clear distinction between electronics used in the home vs. those
used in business, but now these two classes of devices are becoming indistinguishable.
As electronic devices become more mobile, users want to bring their own personal
devices into the enterprise to do their daily work. These are devices that are owned,
tailored and customized to that user’s personal preferences. Users are rebelling at
having to carry multiple mobile devices, where devices are dedicated individually for
personal and business use. Users are looking for one device to do everything. However,
the IT organizations in these enterprises are being challenged by the proliferation of
these personal devices. This is creating a new paradigm in controlling the privacy and
security of data within the enterprise. The new paradigm presents a risk issue where the
organization’s digital assets are comingled with the employee’s personal information,
and on an employee owned device. This paper will describe the risks and issues that an
organization may face in the implementation of a Bring Your Own Device (BYOD)
policy, and present policies and solutions that can be used to mitigate those risks.

ix
Table of Contents
Contents
1. Introduction................................................................................................................................................1
1.1 Early days of computers...............................................................................................................1
1.2 Computers in the 1980’s ..............................................................................................................2
1.3 Computers in the 1990’s ..............................................................................................................3
1.4 Consumer vs. Enterprise Devices..............................................................................................3
1.5 Convergence of Consumer & Enterprise Devices................................................................5
1.6 Scope of this Paper.........................................................................................................................7
2. BYOD Security Issues within the Enterprise..................................................................................8
2.1 Disruptive Technologies ..............................................................................................................8
2.2 Early Use of Personal Devices...................................................................................................9
2.3 Company Owned Portable Devices.......................................................................................12
2.4 Cloud Computing and Services...............................................................................................13
2.5 Bring Your Own Software (BYOS) ......................................................................................15
2.6 Device Standardization, Support and Management..........................................................16
2.7 Adapting the Enterprise to Issues of Mobile Devices and Cloud Services...............16
2.8 Ownership......................................................................................................................................17
2.9 Employee Privacy........................................................................................................................19
2.10 Personal Sharing of BYOD Devices .....................................................................................21
2.11 Application Cohabitation..........................................................................................................22

x
2.12 Regulatory Requirements..........................................................................................................23
2.13 Device Backup .............................................................................................................................23
2.14 e-Discovery & Forensics...........................................................................................................25
2.15 The Exit Strategy.........................................................................................................................26
2.16 Lost and Stolen Devices............................................................................................................27
2.17 Mobile Device Malware............................................................................................................28
2.18 Jailbreaking ...................................................................................................................................29
2.19 Insecure Application Coding and Configuration...............................................................30
3. Recommendations.................................................................................................................................31
3.1 Establish Policies for BYOD...................................................................................................32
3.2 Contracts and Agreements........................................................................................................34
3.3 Offer CYOD instead of BYOD...............................................................................................34
3.4 Secure Containers........................................................................................................................35
3.5 Remote Access Terminal Solutions.......................................................................................36
3.6 Mobile Application Management (MAM)..........................................................................37
3.7 Mobile Device Management (MDM) ...................................................................................37
3.8 Network Access Control (NAC).............................................................................................38
3.9 Data Self Protection....................................................................................................................39
3.10 Device Behavior ..........................................................................................................................39
4.0 Future Research........................................................................................................................................40
5.0 Summary ....................................................................................................................................................42
6.0 References..................................................................................................................................................45

1
1. Introduction
BYOD (Bring Your Own Device) is a paradigm shift in the use of technology and
services in Information Technology (IT). A short review of the history leading up to
the use of consumer devices in IT is presented here to help the reader to understand this
shift and the subsequent consequences that it may create. Other names used in the
paradigm include BYOS (Bring Your Own Services) and BYOT (Bring Your Own
Technology). For the purposes of this paper, all three are similar in nature, and will just
be called by the one term: BYOD.
1.1 Early days of computers
Up through the 1970’s and into the 1980’s computers used in business by large
corporations were primarily mainframe computers. These computers evolved from
stand-a-lone “one job at a time systems” to batch multiprocessing systems, which could
handle multiple simultaneous users and jobs concurrently executing within a single
system. Mainframes were expensive and could cost from hundreds of thousands of
dollars into the millions of dollars. At that time they could also get physically large,
where the computer systems and their peripherals would require one or more large
computer rooms to hold these systems.
Also, in this time period, smaller systems known as minicomputers and
microcomputers also existed. Digital Electronic Corporation (DEC) manufactured a
line of minicomputers known as the PDP line, which later became the VAX line of
computers. These systems were smaller, yet powerful and in many cases were used for

2
specialized applications, such as process control. These systems were cheaper than
mainframes, yet still expensive to purchase and operate.
1.2 Computers in the 1980’s
Prior to the 1980’s, microcomputers were already in use. Computers such as Atari 400
& 800, Commodore PET, TRS-80 and the Apple II, had existed and were being
marketed (Computer History, 2013). These microcomputer systems were used more for
games and by hobbyists.
A significant change in the 1980’s, starting in 1981, was the introduction of the IBM
Personal Computer (PC) line. This was largely accepted and became very successful.
IBM competitors were copying IBM and producing PC clones that would run the IBM
operating system and provide physical connections to the same external devices, such
as printers and modems.
During the evolution of computers in the 1980’s a significant enhancement for the
personal computer was interconnectivity. Modems, which were in use before the
introduction of the PC and used to connect dumb terminals to mainframes, were used to
connect the PC to other computer systems. These systems included mainframes and
even other PC computers.
Another form of connectivity was the creation of Local Area Networks (LANs) which
allowed PCs to communicate with each other, to use shared resources such as printers
and file servers, and to even provide local connection between the PC and the
mainframe. IBM mainframes used terminals such as the IBM 3270 which was a

3
graphics terminal that had row and column coordinates addressability. This was a
common terminal in use for IBM mainframes at the time, and through the use of PC
software, the PC could emulate the IBM 3270 using a software emulator or sometimes
an emulator card.
1.3 Computers in the 1990’s
In 1995 began a major change in the use of communications: the commercialization of
the Internet. Through the remainder of the 1990’s and into the 2000’s the Internet grew
and computer systems that connected to the Internet grew as well.
PCs continued to improve in speed and capability. This included software
improvements, larger and faster computer processors, memory and disk, and
communications bandwidth also increased and transmission quality improved as well.
LAN speeds using Ethernet increased from 10 Mbps to 100Mbps, and today we have
gigabit Ethernet and faster. Cable modems for cable TV and FIOS also provide high
speeds for Internet connectivity in the 20 Mbps and higher range.
1.4 Consumer vs. Enterprise Devices
Computer components such as memory, CPU, and disk storage, which are used to build
computers, were expensive. The overall processing power and configurations of such
systems might need to be increased in order to handle business workloads. But use of a
computer system by a home user might not require as much computing power or
functionality as the business applications demanded. Extra functionality and features
were required for systems that were used in a business setting, and some of these

4
“enterprise features” that were missing from the consumer systems usually included
security controls.
In order to satisfy both the business and home users, “one size fits all” did not work as a
sales approach, and needed to be balanced with a “price performance” approach. This
created dual markets, a market targeted for the business and a market targeted for the
consumer. Systems, and in some cases software, would be advertised for the business
or home. One example was the Microsoft Windows XP operating system, which came
in an XP Professional version for business and an XP Home Edition for use in the
home. XP Home had less features, and was sold at a cheaper price.
When targeting the consumer, one of the marketing objectives is “quick to market” i.e.:
to be first and get to the market before a competitor. In doing so, enterprise features
(e.g. the security of the product) are usually not initially considered (except in some
cases for product safety) so consumer computer products and services don’t always get
security “baked into” the product. An example is the Apple iPhone which will be
explained in the next section.
Bifurcation of the target market is not a new concept. Having a business model or
version of an item, and selling it for more, or restricting the audience, is done for
different reasons. In some cases it is price. What a business is willing to pay for a
computer may be more than the average household can afford, but if the computer
manufacturer wants to penetrate the average household, it needs a way to make it
affordable. Training and knowledge is another factor. The cleaning supplies that a
janitor may purchase for professional cleaning may be stronger and more toxic than

5
cleaning supplies sold to the average consumer. A professional Janitor is usually
knowledgeable with the handling of professional cleaning supplies and tools that are
not normally made available to the general public, although with stores like Lowes and
Home Depot the availability aspect has changed. However, janitors probably won‘t be
shopping for their professional cleaning supplies in the local supermarket which targets
the average consumer.
So, grades can be divided into non-consumer and would include professional, business
or commercial grades and then there would be consumer grades.
1.5 Convergence of Consumer & Enterprise Devices
The Blackberry Smartphone is still popular within the enterprise. But RIM (Research in
Motion) has also penetrated the consumer market. Although there are different models
produced by RIM, any consumer can purchase the same model Blackberry as used in
the enterprise environment.
Apple’s initial market penetration with the iPhone was consumer based. Many
organizations panned the iPhone because the early versions did not have the security
features that were expected by corporate IT (Information Technology) to secure the
device. RIM provided encrypted communications and the entire device storage could be
encrypted, the equivalent of laptop full disk encryption. Encryption of the storage of
earlier iOS devices required a 3rd
party vendor solution to be purchased and installed. In
answer to claims that Apple was being lax with security, they provided their “Data
Protection Feature” which provides APIs for encryption on devices that offer hardware
encryption (Apple Inc., 2011). This feature is available on iPhone 3GS and later, all

6
iPads, and 3rd
Generation and later iPod Touch. Data Protection API’s are provided in
iOS V4.0 and later. Organizations are adopting iPhones and iPads in the business using
either native encryption or 3rd
party software add-ons.
Laptop computers that can be purchased by the consumer are as powerful as those
purchased by enterprises. Convergence is where the consumer devices and the
enterprise devices reach a point where the difference can no longer be distinguished.
Blackberry has reached that point where consumer and enterprises can purchase and
use the same devices. Apple does not market a consumer version or an enterprise
version of its iOS devices. Originally the iOS devices were consumer based, and now
the push is to get IT in the enterprises to adopt consumer based technology for use in a
non-consumer environment.
Enterprise IT usually has limited budgets and IT equipment is expected to last within a
set lifetime. These lifetimes are determined by the organization, and are part of the
hardware standardization process. “According to a recent survey that research firm
Gartner conducted with 177 large businesses, the average life span of a desktop PC is
43 months, and only 36 months for mobile PCs” (Dunn, 2005). When working with
personal devices, and the owner is paying for the device, the time between devices may
be much shorter. With service contracts requiring signed 1 or 2 year commitments, it is
possible that personal devices coming into the enterprise may be newer and more
powerful than the devices that are being provisioned by the company. This creates a
situation that not only are personal devices becoming more adaptable to the user than a
company provided device, but personal devices may be superior and more powerful as
well. Before the enterprise had the better, newer and more powerful toys, but with little

7
or no differentiation between what the consumers can buy vs. what the business
procures, now the employee may be bringing in newer and more powerful tools.
1.6 Scope of this Paper
To implement a policy allowing BYOD within the enterprise, if not handled properly,
may lead to operational and security problems. This paper will focus on potential
security issues and addressing the risk posed by BYOD.
BYOD can produce both risks and rewards. The objective is to reap those rewards
while minimizing risk to the organization. Addressing risk begins with the inherent
risk, i.e. risk without controls, and through a reiterative and recursive set of processes,
hopefully leads to a residual risk that is acceptable to the enterprise. Five sets of
processes are defined in risk management: Avoidance, Acceptance, Transfer, Sharing
and Mitigation (NIST, 2001). The business may drive a low residual risk by avoidance,
i.e. ban the use of personal devices in the enterprise. This may work for a while, but it
might be only delaying the inevitable. A Forester study shows that 53% of employees
are already using personal devices at work, and within the next 3 years the use of
personal devices at work will be both a standard and requirement (King, 2012).
It is assumed in this paper that the organization will move towards the adoption of
BYOD. It is not the objective here to encourage or promote the use of BYOD, but to
help the organization make such adoption of BYOD safer, i.e. with less risk.

8
2. BYOD Security Issues within the Enterprise
2.1 Disruptive Technologies
“Disruptive technology is a term coined by Harvard Business School professor Clayton
M. Christensen to describe a new technology that unexpectedly displaces an established
technology.” (TechTarget, 2013). Four related disruptive technologies faced by the
enterprise are Social Media, Cloud Computing, Mobile Technology and BYOD. These
are not new problems but businesses are still struggling to address these technologies
and attempting to make them secure. Two of these technologies, Social Media and
Cloud Computing were identified by Gartner in 2008 as being in a list of the 10 most
disruptive technologies for 2008-2012. (Gartner, 2008). Williams (Williams, 2012)
identifies Technology Trends for 2013 to include BYOD, Consumerization of IT,
Mobility, Social Collaboration and Cloud. Each technology in its own right is powerful
and creates challenges within the organization, but combining them creates a perfect
storm that some businesses are not able to handle. Williams calls this interoperability
“The Hyper Convergence Effect”. KPMG predicts that these disruptive technologies,
with Big Data, will drive technology spending in 2013 (KPMG, 2013).
For example, BYOD is related to mobility in that many devices that an employee would
bring to work would be mobile devices such as Phones and Tablets, butalso include
laptops. The enterprise is already faced with a full plate of issues by just addressing the
mobile devices that are owned by the business. Integrating non-business owned
devices, software and services into the environment increases the risk and complexity

9
of protecting business assets that if not handled properly could expose the organization
to more risk and liability.
2.2 Early Use of Personal Devices
One of the early uses of personal devices for processing of enterprise data was
conducting remote computing – work at home – solutions. In this scenario an employee
could take work home and use their personal home computer to get work done. A more
common scenario is remote computing, where the employee would dial in on a modem
and connect to the company’s computer system or timeshare services. This was being
done even before the PC era, using dumb terminals to connect to mainframes to
perform remote work. Today, with the Internet and high speed connections, remote
computing is usually performed over the Internet using a VPN (Virtual Private
Network) connection.
Personal services were sometimes used by workers to be able to work at home. Without
having a remote computing connection, users would send the documents and data to a
personal e-mail service, such as Hotmail. This would leave sensitive data in a
minimally protected environment, and the organization would not even be aware of
these unauthorized copies of company data that were floating around. With cloud
storage and services, data could be moved to file lockers (e.g. Dropbox, MegaUpload,
RapidShare, Skydrive, etc.) and stored in the cloud, or to a cloud collaboration service
such as Google Apps, also leaving copies of data in the cloud. Personal USB flash
drives have been used to copy and transport corporate data between the office and
home, creating a risk should the flash drive be lost while it contained sensitive

10
corporate data. Prior to USB flash drives, this same risk was presented in the use of
floppy discs and CDROM media.
Companies realized the security risks that remote computing created. Use of personal
equipment took enterprise data outside the organization’s hardened perimeter, and once
outside – control of that data was lost. Control of that data might not have been a
priority a long time ago, but in 2002 California started to raise the bar for data
protection with its breach notification law (Calif Office of Privacy Protection, 2012).
Prior to the notification laws, organizations were expected to protect personal
information, but if they failed (i.e. the information was breached), they would quietly
fix the problem and keep it secret. Prior to this law a data breach would not normally be
publicized, and if it could be avoided, not even reported to law enforcement. If news
got out about a breach, there could be negative effects including loss of business
revenue, a negative hit on the stock price, and the brand reputational damage.
In the United States forty-six states, the District of Columbia, and some of the
territories have enacted breach notification laws. (NCSL, 2012). Different laws impose
additional requirements on the privacy and integrity of business and personal data, and
include Sarbanes-Oxley Act of 2002 (SOX), Fair Credit Reporting Act (FCRA),
Gramm-Leach-Bliley of 1999 (GLBA), and Heath Information Portability and
Accounting Act of 1996 (HIPAA). An industry regulation for cardholder data of credit
cards is controlled by Payment Card Industry (PCI) council. Banking and other finance
organizations in the USA may be under control of regulations of the Financial Industry
Regulatory Authority (FINRA). In addition to breach notification laws, there are data

11
protection laws which set minimum requirements on how certain types of data must be
protected.
Another security issue caused by remote computing is the opening of an attack vector.
In information security, the old school approach was perimeter protection. This meant
putting a wall around the data center using firewalls, intrusion detection, and hardening
the perimeter to keep the bad guys out. But at least two security technologies break the
perimeter – security technologies that break security. The first is the remote access
method itself, such as modems and VPNs. Remote access just punches a hole in the
perimeter and almost negates (by bypassing) many of the protections provided by the
firewall. And then encryption was added. Encryption provides confidentiality – it
protects the data stream so unauthorized parties can’t see the data. But, in a proverbial
case of shooting one’s self in the foot, it prevents firewalls and intrusion detection from
being able to evaluate the payloads. When the bad guys use encryption against the
organization, data can be exfiltrated without being seen, and malware can be introduced
and attacks carried out without detection. In order to provide a way for employees to
gain access to the corporate network so they can work remotely, a door was also
opened for the bad guys to come in as well.
The risk mitigation for remote computing included controls such as multi-factor
authentication, endpoint protection, and in some extreme cases, to only allow company
owned devices to be used to remotely connect to the organization’s network. In this
extreme case, if a user was to work remotely, including telecommuting, a company
owned and configured device would be assigned for the employee to take home and

12
use. Another risk mitigation approach was the use of thin clients, such as Terminal
Services and Citrix, where the home access only provided a window to the corporate
data, no data was transmitted or processed on the personal device. In this scenario,
corporate data never really leaves the perimeter and is stored on the remote device.
2.3 Company Owned Portable Devices
Early portable devices were the laptop computers. They provided information on the
go, and could also be used for remote computing. To keep overall costs down, an
employee might have been assigned a laptop which would be used in the office instead
of a desktop. The use of port replicators and docking stations allowed the laptop to
easily fit in as a desktop. Being a company owned device, these devices were also
supported and managed by the IT department, with standardized company owned
software and the configuration locked down to provide security. Some larger
companies might have issued both a desktop and laptop to a single employee in some
cases.
The portability of a laptop, being a mobile device, does have drawbacks. They get lost.
Besides the cost of the lost hardware (and in some cases the lost of the software
licenses that were on the device), there is the cost of the data that was stored on the
device. If the data on the lost device was Intellectual Property (IP) that was a trade
secret, the loss could result in millions of dollars of lost competitive advantage or
expenditures in R&D. If it was personal data, such as customer data that was subject to
data breach laws, those losses could also result in millions of dollars in fixing the
problem.

13
In a 2010 USA study, Ponemon studied 45 data breaches with the most expensive to
resolve being $31 million and the lowest at $750,000, with the average cost per
customer record lost exceeding $200 (Ponemon, 2010). In a 2008 Ponemon study
(Ponemon, 2008), one of the key findings was that “Business travelers lose more than
12,000 laptops per week in U.S. airports.” In an InfoGraphic provided by Kensington
(Kensington, 2011) “1 Laptop is stolen every 53 seconds, 70 million Smartphones are
lost each year with only 7% being recovered, and 57% of those lost Smartphones were
not protected with enabling security features”. These statistics for mobile devices are
mobile devices in general, i.e. there is no breakdown or analysis of business owned vs.
personal devices. However, Kensington in the InfoGraphic did indicate that “4.3% of
Smartphones issued to employees are lost or stolen each year.”
When addressing the mobile device issue alone – even before factoring in BYOD –
data is leaving the enterprise on portable devices and many of those devices are
disappearing with the data. The problem is going to get worse as more enterprises
deploy mobile devices. By the end of 2013, 78% of enterprises are expected to have
deployed tablets. (Kensington, 2011).
2.4 Cloud Computing and Services
Cloud storage creates many challenges for the business. These include data security and
privacy, regulatory compliance, data integrity and availability, and forensics. When
corporate data is moved onto a cloud provider that has not been vetted by the
enterprise, the data may be at risk.

14
Examples of cloud storage include file lockers such as Dropbox, Rapidshare,
Megaupload, iCloud, and Skydrive. Users will use cloud storage for data backup, but
may also use these facilities as an intermediary for transferring corporate data to either
another corporation or for home access. If inadequate security controls are
implemented, cloud services may be breached by hackers and data stolen. If an
employee leaves the organization, the existence of these extra copies may be unknown
to the organization which lacks knowledge and control of rogue copies of its data. The
ex-employee would then have access to this data and the breach can be harmful to the
business. It is common for these services to be used by an employee who wishes to
work with the data at home and uses these services to bypass security controls put in
place by the organization for the purpose of preventing the data from leaving. The
employee had good intentions and just wanted to get their work done but they find the
security restrictions inhibiting and so find a way to circumvent the controls.
Another use of cloud services is in the Social Media space. Although Social
Networking is part of Social Media, Social Media includes tools such as instant
messenger, chat, streaming presentations (e.g. WebEx) and collaboration tools (e.g.
Google Docs, Office 365). These tools provide a method of exfiltrating corporate data.
For example, a user may wish to use Google Docs for creation and editing of
documents because they prefer using that tool over the current corporate standard or
they are technically familiar with it. .

15
2.5 Bring Your Own Software (BYOS)
Microsoft Windows has approximately a 90% market share for the desktop market.
(NetMarketShare, 2013). The remainder includes Mac OS and Linux. There are many
other choices in Information Technology (IT) such as browsers (e.g. Internet Explorer,
Firefox, and Chrome), Search Engines (Google, Bing), Computer Languages (C, C++,
C#, Basic, COBOL), and E-Mail Clients (Outlook, Lotus Notes).
BYOS is about a choice by the user to use what they may already know and what they
are most comfortable with. Instead of learning new tools (the corporate standard) they
use and implement the tools with which they are most familiar.
Then there is the choice of using software or tools to which the organization may have
blocked access. This may include tools, as mentioned above, in the cloud services.
However, the user may also wish to use social networking software or sites such as
Twitter, Facebook, and Youtube. These sites may be part of the employee’s personal
life and there is no current business requirement for the software or services.
If a user has a personal device, then these services and tools may already be installed on
the personal device. An organization can block installation and access on corporate
owned devices but how will personal devices be handled and managed? BYOD devices
and services – which occur on personal devices – will require a policy and management
strategy to address how these devices and services will be used (or not used) with
corporate data and applications.

16
2.6 Device Standardization, Support and Management
Large enterprises that purchase equipment try to standardize on a limited amount of
suppliers, vendors, models, software and configurations. This minimizes the variables
that need to be evaluated in performing root cause analysis when resolving hardware
and software failures. If a support issue arises, the probability of the current help desk
staff at successfully resolving the problem is higher. If the organization standardizes on
Microsoft Windows and does not provide support for MAC OS then a user with a MAC
may receive limited support from inside the organization due to a lack of expertise. In a
BYOD scenario, the support center (help desk) could be faced with resolving user
problems on a variety of hardware and software, because without standards – anything
could show up. Some organizations that allow BYOD provide limited help desk support
for personal devices, in other words: “you are on your own”. In a Corner study, “For
each type of device, over 40 percent of companies that allow employees to supply their
own devices require the employees to contact the vendor directly.” (Rains, 2012). A
possible solution for the organization may be to outsource the helpdesk function for
support of personal devices.
2.7 Adapting the Enterprise to Issues of Mobile Devices and Cloud Services
The enterprise is most likely faced with addressing mobile and cloud technologies by
themselves. BYOD only adds another layer of complexity to the overall problem.
Regardless of whether a mobile device is company owned or personally owned, these
devices are prone to being lost or stolen.

17
2.8 Ownership
BYOD devices may have hardware and software comingled. As an example, suppose
an employee brings in a personal device to be used for business use. As a piece of
hardware, ownership of the personal device may be simple, the hardware belongs to the
employee because the device is personally owned. What happens if the personal device
is not adequate, and requires an upgrade? Common examples are increases in memory,
increases in storage, and increases in processing power (e.g. add an additional CPU). If
the employee pays for the upgrade out of pocket, then the device is still most likely a
“personal” device. What happens when the organization pays for the upgrades? Now
there is a comingling of company owned parts imbedded into the employee’s personal
device. If the organization reimburses the employee for upgrading the device (i.e. allow
the employee to expense the cost) who owns the upgrade since it is company paid?
What if the cost of the entire device is reimbursed?
Software may be a more common example. If the personal device requires additional
software for the employee to perform their job, who will buy and pay for the software?
If the organization pays for the license, will the organization be able to reclaim the
license when the personal device is no longer used (e.g. employee is terminated)?
Comingling business assets with an employee’s personal assets may make it difficult to
determine who owns the assets. Some enterprises have strict policies that forbid
personal use of business assets. Other organizations may allow the reasonable personal
use of business assets. An example is the telephone where the employee may be
allowed to make limited personal phone calls during business hours. Surfing the

18
Internet and making online purchases at work may be allowed by some organizations as
long as productivity is not affected (e.g. during lunch hour) and the activity does not
affect other users. Employees may use their business e-mail to conduct personal
business. This is actually not rare as in the early days of e-mail, many employees did
not have personal e-mail accounts and relied on being able to use their business e-mail
addresses. This comingling of business and personal e-mail can create issues for the
organization.
Sometimes separation between business and personal use must be maintained, and in
the case of mobile devices there are users that carry two or three cell phones to
maintain that separation. (Rice, 2012) There would be personal phones with personal
phone numbers and business phones with business phone numbers. What happens in a
BYOD environment where a single personal mobile device (e.g. Cell Phone) is used for
both personal and business usage? Who owns the phone number? With the current
technology phone numbers for personal devices are carried from job to job, and now
even from home to home – we take the number with us. If a salesperson uses a personal
mobile device to manage clients, and that salesperson moves on to another job
(different company), how does the business prevent its customers from calling the
salesperson at the salesperson’s new job? The customers know the salesperson’s phone
number, and that may be the phone number they call not knowing that the salesperson
is now working for someone else. This issue has already occurred in social media,
specifically with AOL Instant Messenger (AIM). Salespersons from one company were
communicating with their clients over AIM, one of the salespersons became employed
by a competitor, and by taking the AIM account with him, the salesman effectively

19
took his client base with him. The bottom line is that “Phone number transfer and
ownership” creates issues and an organization needs to determine up front how it wants
to address the phone number ownership, otherwise a sales rep could walk off with sales
leads. (Harris, 2012).
2.9 Employee Privacy
If an organization becomes involved in litigation the contents of personal devices used
for business may be subject to discovery. (Garlati, 2012). Because personal data may be
comingled with the company’s data, personal data such as browser history, chat logs,
personal e-mails, photos, financial account numbers, and private documents stored on
the phone may be exposed. Personal data and privacy become collateral damage to a
discovery request. There has been recent legal activity regarding an employee’s
“expectation of privacy” when using company issued devices for personal reasons.
(Navetta, The Security, Privacy and Legal Implications of BYOD (Bring Your Own
Device), 2012). Switching it around (company data on personal devices) will be just as
complicated, if not worse.
If an organization provides for the backup of the personal device, there are three likely
scenarios that may occur: 1) Only the company’s data is backed up, 2) the company’s
data and some of the personal data is backed up, and 3) the entire device is backed up.
In the latter two scenarios personal data is being stored somewhere, and a copy of that
data is taken out of the possession and control of the owner. Is that data being
protected? Can other employees, who may have a need to know for the business data
that was on that personal device, also have the ability to see and view the employee’s

20
personal data? Is privacy maintained for personal data that is on the device when the
device is brought to the IT department for support?
Mobile devices, such as phones and tablets may have GPS capabilities, and can be used
as personal trackers. Can the organization track the employee’s location, where they are
and where they were? What are the consequences for the employee if this information
is voluntarily handed over to law enforcement?
One of the data protection controls used to mitigate the exposure of lost devices is a
wipe capability. In a remote wipe, a signal is sent to the device, and the device erases
itself and destroys all of the data on the device. A device wipe can also be initiated
locally by actions on the device itself, such as entering the wrong password into the
device a successive number of times. In some devices this number is fixed, in other
devices this number can be configured. In an Apple device that runs current releases of
IOS (e.g. iPhone, iPad and iPod Touch) the device can be configured to automatically
wipe itself after 10 successive failed passcode attempts. (Apple Inc., 2012). Wiping a
device can backfire on the organization and result in legal issues. (Lui, 2012) (Narisi,
2012). A software company wiped a former employee’s personal device and was
successfully sued by the employee for damages. “In Germany it is illegal for companies
to wipe personal data from an employee-owned device.” (Guerra, 2012). Wiping a
device destroys the data and in a discovery case could result in spoliation. (McAfee,
2011)

21
2.10 Personal Sharing of BYOD Devices
Sharing of personal devices could potentially expose corporate data to unauthorized
persons. When a device is a business issued device, the boundaries are usually clear as
to who may use the device. In a situation where personal information and corporate
information are comingled, the boundaries may not be as clear, and could be very
vague. A cross exposure of confidential information may occur, exposure in either
direction. For example, confidential business information, which may include personal
data of customers, could be exposed to other family members who do not have a “need
to know” of that data. What if the data on the personal device is customer medical or
financial data? Does access by a family member represent a breach of that data? It is
definitely unauthorized disclosure.
Exposure in the other direction may occur as well. Suppose personal family data was
stored on a personal device that is used in BYOD, but also shared by family members.
If the device is subject to a discovery proceeding then the personal data could be
exposed. This is a reiteration of the employee privacy concern mentioned above. But
now it is not just the employee’s privacy, it is the employee’s family’s privacy being
exposed as well. If the employee’s spouse uses the device for their personal e-mails,
then if the device is handed over for discovery or forensics, then the employee’s
spouse’s personal contents (e.g. e-mails) are exposed.
The sharing issue is not a new problem. Prior to BYOD, the use of personal devices for
remote tele-working access produced some of the same risks. Usually those personal
devices were the family computer system that was shared by the other family members.

22
2.11 Application Cohabitation
Mobile devices such as Smartphones and tablets use applications that are acquired and
installed differently than software installs for Desktop systems. Apple created its
iTunes store for APP delivery. Blackberry has its APP World for its applications, and
Google Play is an APP store for the Android market.
Apple in January 2013 had 775,000 applications and claimed 40 billion downloads, and
an estimated growth of 641 new applications per day. (Rowinski, 2013). Google Play
which distributes Android apps is close to Apple’s growth, but is approaching at a
faster rate and will soon pass Apple’s figures. At 600+ applications per day, which
exceeds 19,000 applications per month, is anyone going to evaluate and vet each
application for bugs and malicious code? Apple supposedly does a good job at this, but
some rogue applications still get through. In 2012 Google Play (the official app store of
android apps) introduced a service called Google Bouncer which is an automatic
scanning tool that scans submitted apps and tries to determine if they may be malicious.
The scanning includes runtime behavior analysis to determine if the application is
acting in a malicious manner. (Hou, 2012). Security researchers have already analyzed
the behavior of Bouncer and were able to get malicious applications past Bouncer.
Sensitive corporate data can be put at risk if unregulated 3rd
party applications are
stored on the mobile device. (Phneah, 2013). The user of the device usually assumes
that the application is safe to install and use, and does not realize the security
implications inherent in these applications (Phneah, 2012). The malicious code in these
applications makes many of them a completely packaged Trojan. Unless the enterprise

23
can vet the software and control the installation of applications, a bad application can
breach the entire contents of the device, including the corporate data stored and
processed on that device.
To complicate matters, Websense predicts for 2013 that the problem will get worse. In
their 2013 Predictions, “Legitimate mobile app Stores will host more malware in
2013”, and predict “Malicious apps will increasingly slip through validation processes.
They will continue to pose risks to organizations enabling bring your own device
(BYOD) policies. We will see an increased volume of malware hosted in legitimate
mobile app stores. In addition, jail-broken/rooted devices and non-sanctioned app stores
will pose significant risk to enterprises as more allow BYOD” (Websense, 2012).
2.12 Regulatory Requirements
Most regulatory requirements, including government (e.g. HIPAA, GLBA, FCRA) and
industry (e.g. PCI) address the privacy of the data. Privacy involves data access (Who,
When, Where, Why and How) and the controls put in place to control access. One of
those controls is data encryption, and may include full disk encryption technologies.
In the case of mobile devices, either the device or the container holding the data may
need to be encrypted. Protection of the data may be required for both “at rest” and “in
motion” states.
2.13 Device Backup
If the mobile device is wiped out, the data may need to be recovered. It is in the best
interest of the business to backup the data to prevent permanent data loss, but it is also

24
in the best interests of the owner of the personal device to perform backups. The wipe
operation is a security feature that must be enabled and configured manually, and when
activated the entire contents of the mobile device are made unreadable. Activation is
usually initiated by a remote command to the device (remote wipe) but can be triggered
in other ways. One of those other methods is when multiple successive invalid passcode
attempts are made. For example, an Apple iPad can be configured to have a passcode,
and if there are 10 invalid attempts to enter the passcode, the device can be configured
to self-wipe. In BYOD, this is a personal device, and if one of the employee’s young
children takes the device because they want to play Angry Birds and can’t figure out
the passcode, they could end up causing the device to self-wipe. In any case, a wipe
destroys all the data, and then what does the employee and business do – since they
both have data on that device that may be needed?
Recovery of that lost data can be minimized by backups. But who is responsible for
taking the backup? What about the backup image itself? iTunes can be used for Apple
devices to take a backup of the device during synchronization of the device and the
backup can be stored on the workstation or in the cloud (iCloud). If the entire device is
backed up, then both personal and corporate data will be stored in the backup file. In
these scenarios additional copies of corporate data are created outside of the mobile
device. If these backups are not encrypted then the backup file is vulnerable to data loss
if they are compromised. The backups are probably not within the scope of a remote
wipe that may be initiated at employee termination. If an employee is terminated, the
organization may decide that continued possession of the data by the (now ex-)
employee is a major risk and issues the remote wipe command to destroy the data. If

25
the employee has backups of the device data, including the company’s data, then the
remote wipe would not be completely effective.
2.14 e-Discovery & Forensics
If an employee is arrested, the mobile device in that employee’s possession may be
subject to search. (Rasch, 2011). In United States 4th
Amendment case law, this
exception to the warrant requirement is called a “search incidental to an arrest”. If this
occurs, with a device that contains business data, then there is a potential that the data
may be disclosed. This is not just a BYOD issue; it is also a risk even with corporate
owned devices.
As previously mentioned, information on the devices can be discoverable, and a
business may be required to provide the contents of the device as part of a discovery
request. This could cause the personal information of the employee to be disclosed
depending on degree of separation on the device of business vs. personal data. If the
discovery request is not complied with due to lost, damaged or destroyed data
(spoliation) the failing party could be sanctioned for not providing the requested data.
The judge can assume that the destruction was intentional.
An organization may need to establish a “Right to Seize” of personal devices if those
personal devices may contain corporate data and those devices need to be imaged and
analyzed for a corporate investigation. Without initially establishing this right in
advance could inhibit acquiring the device from the employee. Otherwise the employee
could just refuse to turn over the device and the organization may have limited
recourse.

26
2.15 The Exit Strategy
Organizations may sometimes enter into business arrangements without taking into
consideration steps to be taken when that relationship terminates. This also includes
contingency planning when the service is unavailable. Evaluation of these arrangements
may lack the performance of due diligence before the execution of a contract. But an
exit strategy should be designed and be put into place before the engagement begins
and should provide for an orderly departure should termination of the contract occur.
As an example, couples will get married but most don’t plan on a divorce because they
expect the marriage to work out and last forever. Yet there are a few who plan, just in
case a divorce does happen, and one exit strategy may include a prenuptial agreement.
When the employee’s relationship with the company is terminated, there are usually a
standard set of requirements that make up the exit strategy for the company. These
include the return of corporate assets and reaffirmation of confidentiality and non-
competition agreements. However, in the case of BYOD, the device is the employee’s
and does not belong to the corporation. Some of the data on that device does belong to
the corporation, and may even include software purchased and owned by the
corporation and installed on the personal device. A Forester study states: “Thirty
percent thought there wasn’t enough separation between consumer and corporate data
on mobile devices” (PC World, 2010).
This information, and software, is comingled on the personal device and leaves the
employer with two options: Divest the data and software, i.e. figure out which is
corporate data and corporate assets (e.g. software) and remove it – leaving the personal

27
data intact. The other option, one that may be easier for the company, is to completely
wipe the device of all data. These options assume that the data and assets are
comingled, but if the data is distinctly separated via some method of partitioning, then
wiping corporate data may be easier. Part of the exit strategy will be solving the
problem of how to keep corporate data separate from personal data on the personal
device allowing an automatic selective wipe of corporate data.
2.16 Lost and Stolen Devices
Losing a mobile device can be a nightmare for an enterprise. If sensitive corporate data
is on the device at the time the device is lost, the expense of addressing a data breach of
the device’s contents will far outweigh the costs of the physical asset. In a 2011
Ponemon Cost of a Data Breach Study found: “Nearly 40% of organizations in the
study had a data breach resulting from a lost or stolen mobile device, including tablet
computers, Smartphones and USB drives that contained confidential or sensitive data”
(Walker, 2012) . Mobile devices may be protected by remote wipe and self destruct
failsafe mechanisms, but that assumes proper configuration and handling. Yet the same
study also found that 39% of data breaches in the U.S. involved employee negligence.
This might indicate that proper configuration and handling was not occurring.
Configuration of the device assumes that protection mechanisms are available, either by
the manufacturer or an add-on that provides security features for the device.

28
2.17 Mobile Device Malware
Security Endpoint Protection (e.g. antivirus, antimalware, and antispyware) is still in
catch-up mode. Mobile device malware may be more profitable to the attacker than
desktop infections when considering the number of mobile devices that are now online.
In the earlier days of Smartphone usage, enterprises used devices from Research in
Motion (RIM) which carried the Blackberry brand. Blackberry devices came out in
2002, and were the first Smartphone’s that were optimized for wireless e-mail use (The
National Cyber-Security Advisory Council (CNCCS), 2011). These devices were
accepted by corporate IT departments and were considered secure, and RIM became the
standard for corporate Smartphones. Even in a 2012 nCircle survey, when asked
“Which mobile devices carry the greatest security risks?” the response was: 36%
Android, 24% Apple iOS, 10% RIM, and 18% Windows (nCircle, 2012). This indicates
that the IT security professionals responding to the survey still consider Blackberry to
be a safer bet than Android or Apple, or even Windows phones. RIM also provided
software to be used for the security management of the Blackberries, called Blackberry
Enterprise Server (BES). With BES, device configurations for the blackberries could be
automatically pushed to the devices.
Although malware attacks for mobile devices were seen as early as 2004, endpoint
protection focused on desktop systems. Endpoint protection, such as antivirus, was
rarely seen for a Smartphone. With the proliferation of the iPhone, with its popularity
and quick gain of market share in the Smartphone arena, the attackers now have a new
attack vector worth exploiting. The mobile device market continued to grow with the

29
introduction of the iPad tablet and the introduction of Android Smartphone and tablets.
“Gartner predicts that by 2014 Android will be the most popular platform and
Smartphones will outsell PCs by 2013” (The National Cyber-Security Advisory
Council (CNCCS), 2011). Malware protection for these devices now exists, although in
some cases still considered immature, and is not in widespread use. This provides a ripe
target for cybercriminals because the gates to the devices are wide open and no one is
guarding these gates.
2.18 Jailbreaking
Jailbreaking an Apple iOS device (e.g. iPhone, iTouch, iPad) is a process of gaining
root access to the underlying device operating system and removing controls and
limitations of the device (Wikipedia, 2013). When an iOS device has been jailbroken it
can be used to shop for non-sanctioned apps in non-sanctioned app stores (Websense,
2012). These unsanctioned “Mobile Marketplaces” are repositories for pirated
applications that are infected with malware and pose a significant risk to the user and
the organization if the infected app is installed and allowed access to corporate data.
Since Jailbreaking provides the user total control over the device, i.e. root access, any
application installed on the device can be compromised, including controls added to the
device to protect data. Configuration applications such as MDM and MAM may be
bypassed or overridden, and virtualization container solutions can be compromised.
Any lockdown of the device would be difficult, if not impossible, if the user of the
device held root access to the device (or in the case of a Microsoft Windows device –
Administrative rights). In the case of a virtualization solution that sits on the device,

30
root access to the iOS provides control of the hypervisor, which provides almost
unrestricted access to the virtual machine guests.
2.19 Insecure Application Coding and Configuration
No one can code a bug-free application. And there are no testing tools that can detect
all possible defects in program code. If there were such a testing tool, then it would
contradict Alan Turing’s “Halting Problem”. While these theories hold, there will
always be risk within an application that the code can be exploited and compromised,
i.e. all applications will never be 100% secure. This is where risk management enters
the mix, since we can’t be 100% secure, what would we consider “secure enough”, and
is it realistic to achieve a residual risk which is “secure enough” and acceptable to the
business?
Can a PC, workstation, server, or mobile device be configured securely? Organizations
expend great amounts of resources to try to figure out what the optimum mix of
security and operational settings should be. This is hard to achieve because “one size
does not fit all”. If it did, then the manufacturer of the software would set the options at
the factory and that would be it. But there is a triangle of three variables that
organizations attempt to balance: Security, Performance and Cost. It takes a lot to
achieve the balance, and sometimes within a single organization this balance may vary
depending on the usage and location of the equipment.
If an organization has to expend all these resources to figure out how a device should
be configured, then an individual user will probably not get involved with setting
security configurations, most users will just use the device out of the box “as is”.

31
Obviously the industry has not learned from its prior mistakes. With the majority of
Microsoft Windows XP workstations on the Internet, in an always on/always connected
mode, these machines became the choice of cyber criminals to attack, infect, and turn
into zombies or bots. It was becoming so bad that Microsoft attempted to reduce the
attack surface of Windows XP systems in Windows SP2 (Service Pack 2) by turning on
the Windows built-in firewall by default. Since one size does not fit all, turning on this
feature did break some applications, but it was considered an improvement that reduced
many attacks that were being launched against those systems. Now with mobile
devices, we are faced with these same issues again for as mobile devices are not
configured secure out of the box, they are not “secure by default”.
A problem with so-called Secure Application Coding is education/training. It is not
until recently that programming classes in the university and vendor training classes
included application security. Students learned how to program – how to write code but
security was not usually taught as part of programming and, thus, was never considered
or it was expected that the student would pick that skill up somewhere else. In some
curriculums, application security is provided by separate security courses, which if not
taken, will still leave the student lacking security knowledge. This is a bolt-on
approach, and not really integrated. The result will be application coders that continue
to write insecure code because they lack the methodology of secure coding practices.
3. Recommendations
The recommendations made here are not meant to be complete, exhaustive, or mutually
exclusive. They attempt to address some of the issues shown in Section Two of this

32
paper. Keep in mind that BYOD is part of a much bigger issue, and even if BYOD is
not addressed, the underlying problem of mobile devices will most likely need to be
addressed. Many of the issues mentioned above exist in mobile devices that are owned
by the enterprise. BYOD suffers from the same problems and issues as business owned
mobile devices. The “mobile device” problem itself requires a solution and is the bigger
problem to be considered regardless of who owns and manages the device.
3.1 Establish Policies for BYOD
The content of actual policies is beyond the scope of this paper and would be left for
further research. But policies for mobile devices are required and needed. BYOD
policies need to be developed and put into place regardless of whether BYOD is
adopted or banned by the organization. Policies are needed even if BYOD is not
adopted as a contingency in handling incidents where personal devices manage to slip
in. Something as simple as a USB flash drive can cause havoc unless policies are in
place.
Policies are usually administrative in nature, but can be enforced using the three main
security control types: Administrative, Technical and Physical. Policies must be backed
up with training to inform the users of the policie’s existence and contents. This is
usually accomplished via security awareness training. In some organizations the
employee is required to sign an acknowledgement form indicating that the employee
has read and understands the policies.
Having a policy and putting it out there is not enough. In a survey of 547 IT
Professionals performed in 2nd
Quarter 2012, 71% answered “Yes” to the question:

33
“Does your organization have a mobile device security policy?” (nCircle, 2012). This is
an increase since the survey showed that 58% answered “Yes” back in 2010. In the
same survey a question was asked whether the organization enforced that policy, with
85% responding “Yes” in 2012 (up from 65% in 2010). 85% is a high number, but
policies are not always effective unless they are enforced. Policies should be
implemented and they should be enforced. Overall security policy enforcement,
according to the survey is lower, where the question was: “Does your organization
adequately enforce adherence to its internal security policy?” which was answered
“YES” by 68% in 2012, down from 71% in 2010.
A properly written and enforced policy is an organizations first line of defense.
Policies must communicate how devices will be managed by the IT department, and the
access required by the business to their devices in order to protect corporate data and
assets (Apperian, 2011).
Citrix recommends these areas to be covered in a BYOD policy (Citrix, 2012):
• Eligibility
• Allowed Devices
• Service Availability
• Rollout
• Cost Sharing
• Security
• Acceptable Use
• Support and Maintenance

34
3.2 Contracts and Agreements
Contracts and agreemenst can be an extension of policies but may need to be
individualized. Although an organization may do this through a policy, there may be
advantages of having an employee explicitly agree to certain terms of mobile device
usage, especially when the device is owned by the employee.
Two examples are seizure and wiping. In the case of seizure, if data belonging to the
enterprise is stored on the employee’s device, the organization may need to retain the
right to seize the device from the employee for eDiscovery and forensics investigation
purposes. In the case of wiping, the organization may retain the right to wipe the device
without liability due to the loss of personal information on the device. Wiping may be
required when the device is lost/stolen or at employee termination. “Employees must
also understand the consequences of conditions that might dictate the need for a
complete wipe of a device” (Apperian, 2011) . Just in these two examples there may be
global implications of what may be allowed with and without an agreement, and the
contents of agreements and policies should be worked out with legal counsel.
3.3 Offer CYOD instead of BYOD
An organization may retain better control of mobile devices with a “Choose Your Own
Device” strategy instead of “Bring Your Own Device”. In CYOD, the organization will
continue to purchase and own the device, but the employee chooses the device. If the
employee prefers an Apple iPhone instead of a RIM Blackberry phone, the employee
can pick the iPhone and the company will purchase, configure, and support the device.
In this scenario, the device is not completely forced onto the employee, there is some

35
choice – creating middle ground on device selection. When the employee relationship
terminates, the equipment may either be returned or some companies will provide a
buyback program where the employee can buy the device from the company.
3.4 Secure Containers
“Containerization refers to a solution that creates an encrypted data store or container
on a device” (Faas, 2012). This concept may also be called a “secure bubble”. The
encryption and authentication to the container is independent of the device settings. The
entire device might not be encrypted and the device might not have a passcode, but the
container is a secure repository in itself. All the corporate data can be stored in one
place and segregated from personal data. This dividing line can prevent or limit the
comingling of corporate and personal data and should make it easier for the corporate
data to be wiped at a later time without destruction of personal data.
At some point in time the data obtained from the container will need to be unencrypted
into clear text so that the application can use and process the data. Attacks on the
communications channel between the container and the application could be vulnerable
to eavesdropping or main-in-the-middle attacks so this channel needs to be secure. The
application that processes the data in clear text form could be vulnerable to an attack,
such as a man-in-the-middle application, where the clear text form of the data is
extracted from the application’s working data store, such as stacks and registers.
Modification of the executable could be made in a way that adds rogue program code to
store or transfer corporate data off the device.

36
Storage of corporate data in a container may be safe while the data is stored, but the
security of the access by the application to the data will depend on how well the
application is protected. The segregation can make the exit strategy easier because it
can reduce or solve the comingling problem.
Containerization may also be called sandboxing and virtualization. The concept of a
hypervisor may exist within the firmware (bare metal) or run under the mobile device’s
operating system like VMWare (Cocking, 2012). Apple provides sandboxing for 3rd
party applications installed on iOS devices (Apple Inc., 2012). These 3rd
party apps are
isolated from the other apps and the operating system, and can only communicate via
supplied APIs. 3rd
party iOS applications are those installed from the APP store, but
Apple’s preloaded applications are stored in the root folder and are not subject to the
same restrictions of a sandboxed application (Zdziarski, 2012). If the iOS device is
jailbroken then pirated applications could be installed outside of the sandbox and into
the root folder, allowing the application to run commands that would otherwise have
been restricted.
3.5 Remote Access Terminal Solutions
Citrix’s approach is desktop virtualization which is accessed via a secure SSL
connection (Citrix, 2012). In this scenario, the applications and the data reside on a
virtualized desktop, and the mobile device runs either an application or a web browser
to remotely access the desktop. Remote access is accomplished via a “thin client”
running on the mobile device with the intent of keeping a small footprint on the device.
This provides device independence because the customized application is not running

37
on the device. The data is protected inside the corporate perimeter and the data never
leaves the safe confines of the data center.
This concept could use any desktop virtualization solution, such as VDI (Virtual
Desktop Infrastructure) as provided by VMWare View. In a remote access solution the
mobile device acts as a remote terminal and all the heavy lifting is done at the remote
desktop. This solution assumes that the device is connected to a network and the remote
desktop is available. Offline processing may be impossible if the remote connection is
not operational.
Because all the data is in the data center, the risk of a lost device is minimized. No data
is on the device. If the employment relationship is terminated, there is no data on the
device. In either of these cases the employee’s credentials that access the remote
desktop must be disabled to prevent remote access after device loss or employee
termination, but once disabled then the data should be safe.
3.6 Mobile Application Management (MAM)
“Mobile application management is the delivery and administration of enterprise
software to end users’ corporate and personal smartphones and tablets” (TechTarget,
2013). MAM focuses on application delivery while MDM focuses on device
provisioning.
3.7 Mobile Device Management (MDM)
In Gartner’s Magic Quadrant for Mobile Device Management Software, MDM is
defined as: “Enterprise mobile device management (MDM) software is primarily a policy

38
and configuration management tool for mobile handheld devices, such as smartphones
and tablets based on smartphone OSs” (Basso, Girard, & Redman, 2012).
One of the objectives of MDM is to manage security settings over a heterogeneous span
of mobile devices making the settings device independent. Through security settings
the IT department can distribute policy and configuration to the devices and enforce
security policy. One set of configuration settings may force the activation of a password
(or passcode) to be used on the mobile device, and set a minimum password length,
with complexity and aging requirements for the password. The MDM should be able to
set and modify any configuration setting on the device that a user can set, and the
MDM may be able to prevent the user from disabling or changing that setting back. The
Jailbreaking process could interfere with the MDM’s processes and result in a insecure
device in violation of the organization’s security policy.
The Blackberry Enterprise Server (BES) has the features of a MDM, but is mainly
homogeneous and usually applies to RIM devices. However RIM is moving forward
with a commercially available MDM platform called Mobile Fusion.
3.8 Network Access Control (NAC)
Controlling and monitoring access to corporate networks will require access control. In
a report by Dell it was reported that BYOD will drive the need for NAC to accomplish
this (Dell Sonicwall, 2013). Mobile devices connected directly to the corporate network
will usually be via a Wi-Fi network (wireless LAN). The three A’s (AAA) of security
(Authentication, Authorization and Accounting) are provided and enforced via access

39
control to the wired or wireless network, and network access control is provided using
NAC.
NAC can control who may, or may not, connect to a network and can be configured to
force the device to comply with security standards before allowing access. For
example, NAC can be configured to prevent connection of a device if the device has
security vulnerabilities such as lack of patching or endpoint protection software.
3.9 Data Self Protection
Data may be protected by using a self-protection mechanism such as information rights
management (IRM) or sometimes called digital rights management (DRM). The data,
usually in the form of a document, has built-in access control that works with
encryption technology to control access to the document. This is also called MCM
(Mobile Content Management), and the idea is to focus on protecting the data while
disregarding perimeter protection. (e.g. The Philosophy of the Jericho Forum).
3.10 Device Behavior
Many of the mobile devices contain location awareness, especially devices that have
built in GPS capabilities. The behavior of the mobile device could be tied into the
location of the device when the data is being accessed. This is called geo-fencing
where data access is restricted to a specific location, and the data may be removed or
made inaccessible when the device leaves the location.

40
4.0 Future Research
The issues provided in this paper do not cover every issue nor does it really go into
depth on each issue. Issues discussed can be further researched with the researcher
going into a more detailed deep dive of the issue. The scope and focus has been on risk
and security, but BYOD and mobile have implications in the area of operational issues
and return on investment (ROI). There are different opinions by the experts as to
whether BYOD really saves the organization money.
Mobile device malware, and anti-malware solutions, are topics of future research.
Endpoint protection may be required, but there is also some thought that an individual
mobile device doesn’t hold that much data and the risk might not be that great. If the
mobile device is connected to the corporate network, it becomes a threat as it provides
an attack vector past the perimeter. The connection of the device to the network
requires an integrated suite of software providing MDM on the device working hand in
hand with network access control (NAC) and the objective is to provide and enforce
Authentication, Authorization and Accounting (AAA) protection.
Configuration of a mobile device is important, and can be automated via a MDM
solution. But the question that needs to be answered is what should the settings be? One
size does not fit all, but a recommendation on what settings should be configurable, and
the pros and cons of each setting would be a separate piece of valuable research.
Support of mobile devices may require beefing up the wireless infrastructure, including
bandwidth increases. 802.11(ac) is a standard in draft state that may provide Gigabit
Wi-Fi in 2013 (Cox, 2013). Although cellular enabled devices (e.g. 3G, 4G, 4G LTE)

41
would connect through the Internet and come in via the firewalls, using Wi-Fi features
of the devices will allow the devices to connect to the corporate WLAN (Wireless
LAN).
Near Field Communications (NFC) is a feature that can be enabled in the phone, and
one of the uses is for wallet applications for electronic credit card payment. But
research is in progress to use the NFC feature for a new kind of proximity access card
such as a employee ID badge used to open security doors. Today, employees in the
enterprise may have an electronic ID card with either a magnetic stripe, a bar code, or a
proximity radio signal. When the employee relationship terminates, the ID card is
deactivated and usually collected from the employee. If the NFC of a personal phone is
used as an ID badge, will de-provisioning of the device be handled differently? This
feature and how it is used should be evaluated and considered.
Research can be done on the question of who pays for the device and other
compensation. Some organizations have taken the position that the employee pays for
the device and the services (tel-co charges). Some organizations will pick up the entire
tab, while there are some that will split the cost. There are different reimbursement
models and implications of each, which could be made part of the ROI examination.
File sharing presents an issue to be examined. The mobile devices are used for
collaboration and when an employee is using 3 or more devices – they want the data to
be up to date and in sync with each of those devices. This requires a way to share the
files across different mobile and desktop devices and may require replication and
synchronization services.

42
Legal and privacy laws were only touched on, and there is opportunity for research into
the different legal and privacy regulations, especially on an international level.
Regulatory compliance, with its international and cultural differences needs to be
examined.
5.0 Summary
BYOD is a current trend that is moving fast. In a business strategy survey of 1,000
TechRepublic and ZDNet members, 44% currently allow BYOD and another 18%
expect to move to BYOD by the end of 2013 (TechRepublic, 2013). In 2012 Forrester
published a report that showed 53% are using their own technology for work purposes
(King, 2012). Organizations are faced with supporting BYOD, and it is a technology
that continues to grow. Combining BYOD with other disruptive technologies such as
Cloud Computing, Social Media and Mobile devices are creating a perfect storm that is
sweeping the enterprise. Given companies are challenged to support mobile by itself,
BYOD just adds another layer of complexity on top of mobile device support.
A challenge with mobile devices, regardless of the owner of the device, is that a single
user may have multiple devices and each device represents an endpoint with its own IP
address. Originally the IT department had to support one endpoint per user, usually the
user’s desktop. Then this expanded when laptop was added for select employees. This
may have been manageable in the past; however, today a single employee could be
easily equipped with four or more devices when adding a phone and a tablet. Most of
those devices would be capable of connecting to the corporate network infrastructure,
with the potential to access sensitive corporate data. “With the rapid adoption of

43
BYOD, the reality of multiple devices per user, and growth of cloud-based services, the
era of managing security capabilities on each endpoint is over“(Cisco, 2013).
A driver for BYOD is the young, future workers. These “millennial” workers, who
have grown up with the technology, come to work with their own personal devices, and
expect the organization to accept and support those devices. Security is not their
concern, they expect the company to enable using their devices without putting the
enterprise at risk, and all they want is anytime/anywhere access in order to be able to
get their work done (Cisco, 2011).
Organizations are embracing the BYO (Bring Your Own) phenomenon in hopes of
reducing cost. It allows the organization to get out of the ownership game, and convert
CapEx (Capital Expenditure) to OpEx (Operational Expenditure). Forrester discusses
an approach scenario as “own nothing, control everything” by using a zero-trust model
where all endpoints are treated as hostile (Jaquith, 2010). While there are claims of
BYOD providing a good return, there are also claims that the “control” part consumes
most of the cost savings. The ROI of using BYOD were not addressed in this paper and
left for future research.
BYO includes devices, software and services. It involves access to both corporate and
personal assets that include hardware, software, and data. One major issue is caused by
the comingling of corporate and personal assets, and presents challenges of how to
provide protection to those assets. The “exit strategy” is required to determine how to
recover corporate assets from a personal device when the employment relationship is
terminated. The numbers of endpoints per user that require protection are increasing,

44
the corporate perimeter is vanishing, and a holistic approach to data protection needs to
focus on directly protecting the data. The concept of de-perimeterization was
introduced by the Jericho Forum.
Before the BYOD issues can be resolved the enterprise must fix the mobile device
problem. If it is a corporate issued device, then the employee will probably put personal
data on the device, (e.g. use corporate e-mail for personal mail, perform personal web
surfing on the mobile device). Many organizations allowed the employee to do this in
the past with corporate desktops that were not locked down while the risks were not
well known at the time. If a personal device is used, then the employee will probably
put corporate data on that device. One of the largest risks in mobile device technology
is the loss of a device that has sensitive corporate data on it. It doesn’t matter who owns
the device, the issue is what is on the device.
The organization should come up with a strategy, and then develop policies for use of
mobile and BYOD in the enterprise. This strategy may be dictated or affected by the
corporate culture. The objective should be worker enablement while corporate assets
are protected within the risk appetite of the enterprise. The strategy and policies should
be planned as a complete lifecycle that includes provisioning of the device, software
and services and carried through to the de-provisioning process. This includes having
an exit strategy for asset recovery at the end of the relationship.
The use of mobile devices will impact other parts of the infrastructure. The use of
mobile devices within the organization may require an expansion of the wireless

45
network. How the organization saves money may also depend on how expenses are
paid and who will be responsible for expenses.
6.0 References
Apperian. (2011). Protecting Corporate Data in the "BYOD" environment. Apperian.
Apple Inc. (2011, October 28). iOS: Understanding data protection. Retrieved from Apple
Support: http://support.apple.com/kb/ht4175
Apple Inc. (2012, May). IOS Security. Retrieved from
http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
Basso, M., Girard, J., & Redman, P. (2012). Magic Quadrant for Mobile Device Management
Software. Gartner.
Calif Office of Privacy Protection. (2012, January). Recommended Practices on Notice of
Security Breach Involving Personal Information. Retrieved from
http://www.privacy.ca.gov/business/recom_breach_prac.pdf
Cisco. (2011). 2011 Cisco Annual Security Report. San Jose: Cisco.
Cisco. (2013). 2013 Cisco Annual Security Report. San Jose: Cisco.
Citrix. (2012). Best practices to make BYOD simple and secure - A guide to selecting
technologies and developing policies for BYOD programs. Citrix.
Cocking, L. (2012, May 11). Mobile Device Sandboxing 101. Retrieved from Fixmo:
http://fixmo.com/blog/2012/05/11/mobile-device-sandboxing-101
Computer History. (2013, March 12). 1979 - Computers. Retrieved from Computer History
Museum: http://www.computerhistory.org/timeline/?year=1979
Cox, J. (2013, January 2). Technologies to watch 2013: Gigabit Wi-Fi . Retrieved from
Network World: http://www.networkworld.com/news/2013/010312-outlook-
gigabit-wifi-265254.html
Dell Sonicwall. (2013). IT security trends in 2013. Dell.
Dunn, D. (2005, June 20). The PC Replacement Decision. Retrieved from InformationWeek:
http://www.informationweek.com/the-pc-replacement-decision/164900387

46
Faas, R. (2012, November 7). New trend in BYOD security: contain the data, not the device.
Retrieved from CITEWorld:
http://www.citeworld.com/mobile/21036/mobileiron-and-good-break-new-
ground-secure-enterprise-containers-mobile-devices?page=0
Garlati, C. (2012, January 31). The Dark Side of BYOD – Privacy, Personal Data Loss and
Device Seizure. Retrieved from Trend Micro:
http://consumerization.trendmicro.com/consumerization-byod-privacy-
personal-data-loss-and-device-seizure/
Gartner. (2008, May 28). Gartnew Newsroom. Retrieved from Gartner Newsroom:
http://www.gartner.com/newsroom/id/681107
Guerra, D. (2012, December 3). Bring your own device, but who owns your data? Retrieved
from Exact Trak: http://www.exacttrak.com/bring-your-own-device-but-who-
owns-your-data/
Harris, R. L. (2012, February 27). Lessons Learned from a Bring Your Own Device Project.
Retrieved from Avena:
http://www.avema.com/mobile_device_management_blog/byod/lessons-
learned-from-a-bring-your-own-device-project/
Hou, O. (2012, July 20). A Look at Google Bouncer. Retrieved from TrendLabs:
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-google-
bouncer/
Jaquith, A. (2010, January 22). Own nothing – control everything: five patterns for securing
data on devices you don’t own. Retrieved from ComputerWeekly.com:
http://www.computerweekly.com/feature/Own-nothing-control-everything-five-
patterns-for-securing-data-on-devices-you-dont-own
Kensington. (2011). Cost of Stolen or Lost Laptops, Tablets & Smart Phones. Retrieved from
http://blog.kensington.com/wp-content/ktg/docs/m1_iphone_theft_banner.pdf
King, R. (2012, June 13). Forrester: 53% of employees use their own devices for work.
Retrieved from ZDNet: http://www.zdnet.com/blog/btl/forrester-53-of-
employees-use-their-own-devices-for-work/79886
KPMG. (2013, February). Special Edition: 2013 IT Spending Predictions Consensus.
Retrieved from KPMG: http://www.kpmg.com/TR/tr/Issues-And-
Insights/ArticlesPublications/Documents/2013-IT-Predictions-Consensus.pdf
Lui, S. (2012, December 6). BYOD can put companies in legal bind: analyst. Retrieved from
ZDNet: http://www.zdnet.com/au/byod-can-put-companies-in-legal-bind-
analyst-7000008396/

47
McAfee. (2011). Employee Use of Personal Devices - Managing risk by balancing privacy and
security. Retrieved from McAfee: http://www.mcafee.com/us/resources/solution-
briefs/sb-employee-use-of-personal-devices.pdf
Narisi, S. (2012, July 18). 7 ways BYOD could get you sued. Retrieved from IT Manager
Daily: http://www.itmanagerdaily.com/byod-policy-legal-issues/
Navetta, D. (2012, March 28). The Security, Privacy and Legal Implications of BYOD (Bring
Your Own Device). Retrieved from Information Law Group:
http://www.infolawgroup.com/2012/03/articles/byod/the-security-privacy-
and-legal-implications-of-byod-bring-your-own-device/
nCircle. (2012). nCircle 2012 BYOD Security Trend Survey. nCircle.
NCSL. (2012, August 20). State Security Breach Notification Laws. Retrieved from National
Conference of State Legislatures: http://www.ncsl.org/issues-
research/telecom/security-breach-notification-laws.aspx
NetMarketShare. (2013, January 01). Desktop Operating System Market Share. Retrieved
from NetMarketShare: http://www.netmarketshare.com/operating-system-
market-share.aspx?qprid=10&qpcustomd=0
NIST. (2001, September). SP800-30 Rev 1: Guide for Conducting Risk Assessments.
Retrieved from NIST: http://csrc.nist.gov/publications/drafts/800-30-
rev1/SP800-30-Rev1-ipd.pdf
PC World. (2010, May 27). Forrester report finds most data breaches are caused by
employees. Retrieved from PC World:
http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-
breaches-are-caused-by-employees.html
Phneah, E. (2012, August 3). Mobile apps pose biggest threat. Retrieved from ZDNet:
http://www.zdnet.com/mobile-apps-pose-biggest-threat-7000002093/
Phneah, E. (2013, February 04). Five security risks of moving data in BYOD era. Retrieved
from ZDNet: http://www.zdnet.com/five-security-risks-of-moving-data-in-byod-
era-7000010665/
Ponemon. (2010, January 25). Ponemon Study Shows the Cost of a Data Breach Continues to
Increase. Retrieved from Ponemon Institute: http://www.ponemon.org/news-
2/23
Ponemon, L. (2008, June 30). Airport Insecurity: The Case of Missing and Lost Laptops.
Retrieved from Dell:
http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf

48
Rains, J. (2012, March). Bring Your Own Device (BYOD): Hot or Not? Retrieved from HDI
Research: https://news.citrixonline.com/wp-content/uploads/2012/04/BYOD-
Hot-or-Not.pdf
Rasch, M. (2011, October 31). People vs. Diaz Fails to Consider Enterprise Data on Mobile
Devices. Retrieved from CSC News:
http://executiveviews.wordpress.com/2011/10/31/people-vs-diaz-fails-to-
consider-enterprise-data-on-mobile-devices/
Rice, J. (2012, May 29). Bring Your Own Device to Work – The IT Dilemma. Retrieved from
The Business Cloud Blog: http://blog.intermedia.net/2012/05/29/bring-your-
own-device-to-work-the-it-dilemma/
Rowinski, D. (2013, January 8). Google Play Will Beat Apple App Store To 1,000,000 Apps.
Retrieved from ReadWrite.com: http://readwrite.com/2013/01/08/google-play-
to-hit-1-million-apps-before-apple-app-store
TechRepublic. (2013). The Executive’s Guide to BYOD and the Consumerization of IT.
TechRepublic.
TechTarget. (2013, February 04). Definition: Disruptive Technology. Retrieved from What-
is.com: http://whatis.techtarget.com/definition/disruptive-technology
TechTarget. (2013, February 21). Definition: Mobile Application Management (MAM).
Retrieved from SearchConsumerization:
http://searchconsumerization.techtarget.com/definition/mobile-application-
management
The National Cyber-Security Advisory Council (CNCCS). (2011). SmartPhone Malware.
Spain: Panda Security.
Walker, R. W. (2012, March 27). Negligent Employees Cause Most Data Breaches; Mobile Is
Key Factor. Retrieved from AOL Government:
http://gov.aol.com/2012/03/22/negligent-employees-cause-most-data-
breaches-mobile-is-key-fact/
Websense. (2012). 2013 Security Predictions. Websense Security Labs.
Wikipedia. (2013, February 19). iOS Jailbreaking. Retrieved from Wikipedia:
http://en.wikipedia.org/wiki/IOS_jailbreaking
Williams, G. (2012, December 11). 2013 Tech Trends: The Hyper-Convergence Effect.
Retrieved from Avanade Blog: http://www.avanade.com/blog/business-of-
technology/2013-tech-trends-the-hyper-convergence-effect/
Zdziarski, J. (2012). Hacking and Securing iOS Applications. Sebastopol: O'Reilly Media Inc.

IT Risk Introduced by Bring Your Own Device (BYOD)

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to IT Risk Introduced by Bring Your Own Device (BYOD)

Similar to IT Risk Introduced by Bring Your Own Device (BYOD) (20)

Recently uploaded

Recently uploaded (20)

IT Risk Introduced by Bring Your Own Device (BYOD)