Finding the Balance in BYOD
Technology, Policy Go Hand-in-Hand
Security leaders managing bring-your-own-device programs in their organizations often need to strike a balance between protecting corporate data and offering convenience for employees.
Elayne Starkey, Delaware's CSO, says the balance is to maintain a secure government network and allow the functionality for her employees to use their own devices.
"It would have been real easy to just stay secure and not allow any personal devices," she says in an interview with Information Security Media Group [transcript below]. "That's the easy answer, but it's the wrong answer. Or it was the wrong answer for us anyway."
Matthew Speare of M&T Bank says the implementation of third-party mobile device management software offered the ability to maintain security and allow employees to use their mobile devices as they wish. "At the same time, [we] have the ability to identify and kill any enterprise data ... when the employee leaves or should they lose it," the senior vice president of information technology says.
Aside from technology, organizations need to maintain clear mobile policies. "For us, our focus is going to be on segmenting those personal devices with our MDM solution," says Christopher Paidhrin, IT security compliance officer at PeaceHealth Southwest Medical Center.
"Here's the required encrypted policy-enforced segment," he explains. "If you don't access it in a certain period of time or if your device goes missing, that portion is going to be wiped."
Speare says policy is at the forefront of managing mobile devices. "We just don't by default approve this," he says. "We require that the end-user goes through training and also sign off that they realize that ... it's a privilege to be able to use [their device] in the corporate environment."
In the second installment of a multi-part interview series, the three security leaders discuss:
- The state of mobility within their organizations;
- Mobile device management systems and other tools they employ;
- Tips for improving mobile security awareness.
About the participants:
Christopher Paidhrin is IT security compliance officer at PeaceHealth Southwest Medical Center, where he has worked for 12 years. Earlier, he worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.
Matthew Speare is senior vice president, information technology, at M&T Bank. He is responsible for developing and sustaining an information risk program that protects the personal information of millions of customers of M&T Bank, the nation's 17th largest bank holding company, based in Buffalo, New York.
Elayne Starkey is CSO for the State of Delaware, a role she's held for seven years. She is responsible for the enterprisewide protection of information assets from high-consequence events, including cyber and physical terrorism and natural disasters.
State of Mobility
TOM FIELD: Elayne, talk a little bit about the state of mobility within your organization today. I know that you have been aggressive in adopting mobility technologies. Talk a bit about how you expect the state of mobility to change in 2013.
ELAYNE STARKEY: We do have a somewhat established BYOD program here in Delaware, if you call 14 months established. I guess in this space it is. This is all about trying to support our employees in a way that they wanted to do their work. The way they wanted to do their work is to not carry around a zillion devices on their hip, and immediately that introduces some security concerns. So for us, it turned out to be an effort, as in many of the initiatives that I get involved in, to find the balance. Let's find the right balance between creating and maintaining a secure network and balancing the convenience and the functionality that our customers, our users, are asking for. It would have been real easy to just stay secure and not allow any personal devices. That's the easy answer, but it's the wrong answer, or it was the wrong answer for us anyway.
We proceeded to implement a fairly rigorous BYOD program that requires minimum security controls on all devices before they ever connect to the state network. We enforce that through technology, and it's been quite successful. Right now, we're looking at a 20-percent reduction in government-owned devices at this point. The reduction number will go up, along with an 18 percent reduction in our wireless costs here in Delaware.
Mobile Device Management
MATT SPEARE: We have seen the migration to BYOD-type programs, mainly around iPhone and iPad integration, because of the demand and the adoption that these employees had at home. We're doing the same thing in that we provided a mechanism. Whereas our mobility in the past has really been around laptops and BlackBerrys, we want to make sure that we can provide the same level of security on those end devices, even if they aren't owned by us. With the implementation of third-party MDM-type software, you can allow the employee to use the device as they wish and at the same time have the ability to identify and kill any enterprise data, which usually involves customer data, when the employee leaves or should they lose it. I think all we're going to see is that, now that this door has been opened, the usage and demand are going to increase because of the consumerization of these types of devices. People love them. They don't want to carry around two devices, and they're coming up with creative ways to be able to do so.
Mobility in Healthcare
CHRISTOPHER PAIDHRIN: I would just follow up on what Matt had to say. From a healthcare perspective, delivery of care is moving to mobile. You want delivery at the point of care - whether it's the physician provider; whether it's nursing; whether it's assistance; whether it's anyone elsewhere. They want their workstation and/or their work access to move with them as they dynamically address their many tasks, and healthcare is really challenged to be profitable. There are very few profitable healthcare systems, so optimization, efficiency, the efficacy of our tools, are all principal drivers in our service sector.
Of course, the workforce wants to be productive, so, as Matt was saying, we adopted MDM, mobile device management. Underneath it requires IAM - identity and access management - because many of those individuals may or may not be employees. We have to have these policies, as Elayne was mentioning. You've got to have the policies and you've got to have the controls before you can allow access to new technologies. For us, our focus is going to be on segmenting those personal devices with our MDM solution. Here's the required encrypted policy-enforced segment. If you don't access it in a certain period of time or if your device goes missing, that portion is going to be wiped. And everyone must accept those enforced policies because we have to address the emergent new legal domain called individual liability. It's no longer just corporate liability or a HIPAA liability. There's the responsibility that the individual takes when they use their personal device for workplace service.
Addressing App Security, User Behavior
FIELD: Christopher, I would like to follow up, and I would love to hear from everybody else as well about security policies or tools. You mentioned mobile device management, as well as your awareness program. Two of the vulnerabilities that we all see with mobility are the applications that users will download and then just the risky behavior of the users. What are you doing to address applications, as well as user behavior?
PAIDHRIN: As I mentioned, almost all of that is dealt with at the MDM level. We pre-qualify which stores and which applications can be downloaded that interface with the OS level of whatever the mobile device is. So we may not restrict game access, but if the game is allowed to write and save information to the device, our policy says, "As long as it's not inside our secured area, or has any hooks, links, interoperability or access to read what's in our vault within the mobile device, you can go ahead and do it." But if it attempts to, we have control over the device that will disallow you from downloading that new application until it has been vetted and put on the whitelist of approved applications.
Again, MDM solutions come in many flavors and have many different capabilities. In healthcare, we needed it to be rather robust to allow users to use their own devices, but to have them consent to a certain degree of organizational management in their respect for us maintaining controls.
Awareness in Depth
FIELD: Christopher, if you would talk about awareness a little bit, what have you found to be most effective in your "awareness in depth" program?
PAIDHRIN: Most effective is the culturization. We have been for over 20 years offering - long before HIPAA in '96 - a "Mum's the Word" campaign. Every year we have an organization-wide participation. Every month we have department initiatives. Every newsletter has a little banner at the bottom that's a security-awareness element. We acculturate security so that the user identifies with the culture. It has become hard-wired into their behavior that this is part of my ownership. I'm a custodian of this information. I'm protecting not only my patients' health and well-being, but I'm protecting their information. That sense of ownership becomes acculturated. That alleviates many of those issues of "I didn't know, I didn't think, I didn't know that was my responsibility." The excuses, the lax attention or the lack of ownership, those go away. It becomes a one-off security remediation or corrective action for an individual, and when we have transparency, when we reveal to our whole house, just as our safety metrics are announced by department, here's what our status is. Here's our compliance. When we announce our top 10 users of the Internet, they may be doing business-related activity, but everyone knows who the heavy users are and who's doing what. It creates a heightened sense of awareness and that builds accountability and responsibility.
Effective Mobile Policies
FIELD: Elayne and Matt, I would love to hear from you as well. What have you found to be effective security policies or tools you're using with mobility? Speak to awareness as well. I know it's a challenge that you face also.
SPEARE: From our standpoint, we looked at this by having a very robust MDM tool and, additionally, limiting our exposure into having to provide a solution for multiple different device types. The number-one device type that our employees wanted was iPhones and iPads; to a lesser extent Android or any type of Android tablet. Being that the architecture of an iPhone or the iOS allows us to have a greater sense of exactly where files will be, even when you manipulate them around the device itself, we felt pretty confident that we could provide a robust security mechanism.
With that, we said, "This is what we would support for year one while we're working through architectures for non-Apple devices." We've limited the exposure. The second part has been very transparent in the required training and also the kind of acknowledgement of what is the end-user's responsibility. We just don't by default approve this. We require that the end-user goes through training and also signs off that they realize that, while this is not a corporate device, it's a privilege to be able to use it in the corporate environment. There's a level of control that they have to turn over to us and then what their responsibilities are.
Also, in the case of where they have not done what they were required to do, we made it relatively painful for failing to do so, such as removal from the program, and saying sorry but you're not back in because you have not been able to demonstrate that you can do this responsibly. Overall, that hits some people that were a little complacent in the past when they hear of these kinds of things happening. They tend to pay a lot more attention.
STARKEY: Very similar to what Chris and Matt described, our portable network device policy and standard have been updated to reflect the changes. Every user that agrees to sign up for this has to agree to meet seven minimum security controls, and they're very similar to the controls that we have enjoyed for many years on the BlackBerry environment. We've been a BlackBerry shop here for many years, and while it's not the device of choice today, there have been some great things from a security perspective that we've tried to model as we've moved forward into the MDM phase of our mobility.
We require strong passwords. We require a history of passwords on the device, so they can't keep reusing the same password. Passwords expire. There are inactivity timeouts, and there are lock-outs after failed attempts, and it gives us the ability to remotely wipe for lost and stolen devices, or otherwise compromised devices; and [there's] encryption as well.
Those are some of the things that the BlackBerry came standard with, and we've had to enforce that. We also require our users to read and electronically sign off on an acknowledgement statement. They're consenting to some level of oversight, even though it's their personal device. Moving forward in 2013, we will actually retire our BlackBerry solution and our BES server completely. It has now been replaced with an MDM solution that allows for a much broader selection of different kinds of devices by our customers.
STARKEY: Getting the message out in various venues. We have prepared some really wonderful communication pieces, and communication pieces are great as long as people read them. What we've taken is a multi-faceted approach, not just relying on one way. Maybe an e-mail will go out, but then there have been some additional opportunities to join a web conference to learn more about it. People learn different ways and we have to recognize and respect that, so we give them different ways to hear the message. I think in this case that has been pretty successful.
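As an added example (not code from the interview or from any participant's organization), a posture check in the shape the discussion describes: a device may connect only when all seven minimum controls Starkey lists are met, and, following Paidhrin, the managed segment is wiped when the device is reported missing or has not been accessed within the policy window. The thresholds, field names and sample posture reports are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumed values; the seven controls themselves are Starkey's list.
MIN_PASSWORD_LEN = 8
PASSWORD_HISTORY = 5
PASSWORD_MAX_AGE_DAYS = 90
INACTIVITY_TIMEOUT_MIN = 15
MAX_FAILED_ATTEMPTS = 10
SEGMENT_WIPE_AFTER_DAYS = 30  # assumed window; Paidhrin: an unused segment is wiped

@dataclass
class DevicePosture:  # shape of a posture report an MDM agent might submit (assumed)
    device_id: str
    password_min_length: int
    password_history_depth: int
    password_max_age_days: int
    inactivity_timeout_min: int
    failed_attempt_lockout: int
    remote_wipe_enabled: bool
    storage_encrypted: bool
    last_segment_access: datetime
    reported_missing: bool = False

def failing_controls(p: DevicePosture) -> list:
    """Return the names of the minimum controls the device does not meet."""
    checks = {
        "strong_password": p.password_min_length >= MIN_PASSWORD_LEN,
        "password_history": p.password_history_depth >= PASSWORD_HISTORY,
        "password_expiry": 0 < p.password_max_age_days <= PASSWORD_MAX_AGE_DAYS,
        "inactivity_timeout": 0 < p.inactivity_timeout_min <= INACTIVITY_TIMEOUT_MIN,
        "failed_attempt_lockout": 0 < p.failed_attempt_lockout <= MAX_FAILED_ATTEMPTS,
        "remote_wipe": p.remote_wipe_enabled,
        "encryption": p.storage_encrypted,
    }
    return [name for name, ok in checks.items() if not ok]

def may_connect(p: DevicePosture) -> bool:
    """Starkey: no connection to the network until every minimum control is met."""
    return not failing_controls(p)

def should_wipe_segment(p: DevicePosture, now: datetime) -> bool:
    """Paidhrin: wipe the managed segment if the device is missing or idle too long."""
    idle = now - p.last_segment_access
    return p.reported_missing or idle > timedelta(days=SEGMENT_WIPE_AFTER_DAYS)

NOW = datetime(2013, 1, 15, 9, 0)  # constructed reference time
# Constructed posture reports: one device meets all seven controls, one does not.
COMPLIANT = DevicePosture("dev-A", 8, 5, 90, 15, 10, True, True, NOW - timedelta(days=3))
NONCOMPLIANT = DevicePosture("dev-B", 8, 0, 90, 15, 10, True, False, NOW - timedelta(days=45))
```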