This is part two in a two-part series. Check out the first installment, "Why BYOD scares me."
I've been working with quite a few companies over the last two years, helping them craft sensible BYOD policies. One fact is abundantly clear: BYOD will require a different security framework than traditional computing.
Last week I discussed many of the challenges of BYOD. This week I'm presenting my solution, which is basically a framework any organization can use to gain insight into the heart of the BYOD problem.
The framework is intended to help companies assess the relative risks of BYOD hardware and the level of access they should have to different types of data. In so doing, companies can codify their level of risk tolerance as it applies to BYOD. It's my hope that this framework will (at least partially) satisfy the "never say manage" BYOD believers, as well as folks like me who believe managed devices will always play a role.
One detail that struck me is how companies tend to have similar BYOD questions and concerns, even though no two businesses are alike. The framework discussed below is being accepted or evaluated by a giant software/services company, military contractors, volunteer groups, agriculture companies, banks, financial services firms, and consumer product developers.
Framing the BYOD problem
The central tenet of the model is that devices with different levels of trust should have different levels of trusted data access, from none to full access.
To implement this, your organization needs to decide which BYOD factors could affect the amount of trust placed in a particular BYOD session. As one example, at Microsoft we consider four broad categories: the device and its security, the location the session originates from, identity/authentication, and the data/service/application being accessed.
Each component of the first three factors is given an assurance rating, from least secure to most secure. For example, IDs authenticated using simple PINs with no account lockout are among the least secure authenticators. Log-ons using smartcards or tokens with PINs and with account lockout would be among the most secure. Complex passwords, biometrics, and finger-swipe log-ons would all be ranked along the security continuum under the identity/authentication factor. IDs belonging to internal employees might be more trustworthy than global IDs or third-party vendors -- and so on.
BYOD items that have strong default settings and controls, full disk encryption, mature antimalware controls, and/or full manageability would be considered strong. Devices without any of those would be considered weak.
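The tiering logic described above, as an added illustration rather than the author's or Microsoft's implementation: each of the first three factors gets an assurance rating, the session's trust is the weakest of the three, and that trust is compared against the minimum required for the data class being accessed. The four-level scale, the position of each authenticator on it, the location ratings, the device-control counting and the policy table are all assumptions chosen for the example.

```python
"""Toy BYOD trust-tiering evaluator (added example; scale, ratings and policy
table are assumptions, not Microsoft's or the author's actual values)."""
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Identity/authentication factor: authenticators from the post placed on the
# least-secure-to-most-secure continuum (positions are assumed).
AUTH_ASSURANCE = {
    "pin_no_lockout": Assurance.LOW,
    "complex_password": Assurance.MEDIUM,
    "biometric": Assurance.MEDIUM,
    "smartcard_pin_lockout": Assurance.HIGH,
}

# Session origination factor (assumed ratings).
LOCATION_ASSURANCE = {
    "corporate_network": Assurance.HIGH,
    "home_broadband": Assurance.MEDIUM,
    "public_wifi": Assurance.LOW,
}

# Minimum session trust required for each data class, least to most sensitive
# (assumed policy table; "none to full access" in the post).
DATA_REQUIREMENT = {
    "public": Assurance.NONE,
    "internal": Assurance.LOW,
    "confidential": Assurance.MEDIUM,
    "restricted": Assurance.HIGH,
}


def device_assurance(disk_encrypted, antimalware, managed, strong_defaults):
    """Device factor: a device with all four controls is strong, one with none
    is weak; intermediate counts map to intermediate tiers (assumed mapping)."""
    controls = sum([disk_encrypted, antimalware, managed, strong_defaults])
    return [Assurance.NONE, Assurance.LOW, Assurance.LOW,
            Assurance.MEDIUM, Assurance.HIGH][controls]


def session_trust(device, location, identity):
    """Weakest-link rule: a session is only as trusted as its weakest factor."""
    return min(device, location, identity)


def access_allowed(device, location, identity, data_class):
    """True when the session's trust meets the data class's minimum."""
    return session_trust(device, location, identity) >= DATA_REQUIREMENT[data_class]


def highest_data_class(device, location, identity):
    """Most sensitive data class this session may reach under the policy table."""
    trust = session_trust(device, location, identity)
    return max((c for c, req in DATA_REQUIREMENT.items() if trust >= req),
               key=DATA_REQUIREMENT.__getitem__)
```

A fully managed, encrypted device on the corporate network logging on with a PIN and no lockout still only reaches "internal" data, which is the point of rating factors independently.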