by Sean Waugh and Dan Hadaway

First, let us confess that we used BYOD in the title merely so that we’d catch everybody’s attention. It’s a nice buzzword; who wouldn’t feel like partying after seeing it?

But this article is actually about Portable Devices, which is a superset to BYOD. In fact, policy language should establish that Portable Devices include both issued devices and authorized devices. Our boilerplates use the following language:

The purpose of this paper is not really to establish what should be considered in establishing policies to govern portable devices, but in order to get us all on the same page, we should establish that the policy should at a minimum establish that:

• Users are accountable for all activity on portable devices that store bank data, whether owned by the bank or not. If you want to put bank e-mail on your own (BYOD) device, you must agree to be accountable for EVERYTHING that occurs on that device, not just the data inherent in the e-mail.
• Controls will be required by the bank (as a result of your risk assessment) that must be applied and enforced by those with issued and authorized devices. Examples of these controls include:

• Access Management controls including screen lock, user restrictions, wireless security standards, and remote wipe.
• Vulnerability management controls including patch management, antivirus (for devices that require it), etc.
• Application Management controls restricting the types of applications allowed on the devices and other uses of the device.
• Asset Management Controls including procedures for lost devices, restrictions on the amount of data allowed on the device (such as “no more than 3 days of e-mail), as well as procedures governing the device retirement process.
• Audit Controls giving technical staff authority to conduct periodic and random audit of portable devices to ensure proper configuration and policy enforcement.
• Legal controls including a signature page which should be an agreement between the employee and the bank that the employee will follow policy, submit to periodic and random audits, modify practices as a result of those audits, and inform the bank when preparing to retire an authorized device. This agreement should also include appropriate warnings. This currently amounts to notifying the employee that in the event of termination, remote wipe will be implemented which will (in most cases) cause the employee to lose data, including music and pictures that are not backed up.

Beyond establishing what we mean by portable devices, issued devices, and authorized devices, a procedure or standards document should be created that allows us to enforce, via technical controls, practices that our policies and procedures require. The “poor man’s version” of these technical controls is typically in the form of Microsoft Exchange ActiveSync (EAS), which allows limited remote control of portable devices. Most smaller banks, at this time, are finding EAS to be a sufficient solution. Coming down the road, and implemented by larger banks or banks that are aggressively pursuing a mobile strategy, are applications known as Mobile Device Management (MDM) applications. Though EAS has MDM capabilities, these applications offer much more granularity and control over the mobile device. Often, “endpoint security” applications will have an MDM module available.

Exchange ActiveSync

Free with the licensing for Microsoft’s Exchange Server is a utility that allows us to technically enforce certain portable device controls. EAS is a protocol designed for the synchronization of e-mail, contacts, calendar, tasks and notes from a messaging server to a mobile device. Built into it are certain mobile device management controls, which include:

• Enforcement of E-mail, Contacts, Calendar, Task, and Notes restrictions in terms of the amount of data stored on the device. For example, EAS allows us to determine how many days of e-mail will be allowed. We typically recommend three days.
• Enforcement of Screen Lock controls. If the device does not have screen lock enabled, it will not be allowed to sync to the Exchange Server.
• The ability to return the mobile device to “factory default settings,” otherwise referred to as “remote wipe.” When this is initiated, the next time the phone tries to sync with the Exchange Server, it will be returned to factory settings. This means that all data and applications will be removed from the app.

There are two major drawbacks to EAS, which we will call “compatibility drawbacks” and “functional drawbacks.” The “compatibility drawbacks” arise from the fact that EAS does not work with every type of device. Making matters worse, the Microsoft website is not so forthcoming about which devices DO work with EAS. Suffice it to say that iPhones, iPads, and Droid devices should work with EAS. But you won’t know for sure until you try. This is causing most banks to establish an audit procedure for authorized (BYOD) devices at the initiation of approval, to ensure that the above three controls work with synchronization to the device. Other banks are simply restricting authorized devices to the iPhone, iPad, and Droids.

The “functional drawbacks” of EAS are best illustrated by investigating the benefits of more robust MDM software . . . .

Other Mobile Device Management Applications

Mobile Device Management (MDM) software is designed to fill an important gap in the security perimeter by providing tools that apply security policies, configuration of services, and software management capabilities across a wide range of mobile devices. These include corporate owned smartphones and tablets as well as bring your own device (BYOD). As these devices become more widely adopted administrators will be tasked with ensuring the secure transmission of corporate data and applications as well as remotely managing these devices.

There are a number of MDM solutions presently available to address this issue. Many of the market leaders offer free evaluations of their products and are listed below:

MobileIron
http://www.mobileiron.com/en/product-tour/advanced-management/smartphone-dashboard

* Restrict device features, apps, or web browsing as well as enforce encryption
* Extensive reporting including device usage and inventory capabilities
* Ability to remote lock and wipe devices
* Supports Android, Apple, Blackberry, and Windows Phone
* Offered as on-premise service or cloud service
* Does not support containerization for corporate data and applications

AirWatch
http://www.air-watch.com/solutions/mobile-device-management

* Secure distribution of documents through the content locker
* Ability to remote control screens, remote lock and wipe functions
* Restrict device features, apps, or web browsing as well as enforce encryption.
* Offers deployment through cloud, on-premise service, or appliance
* Supports Android, Apple, Blackberry, and Windows Phone
* Pricing is $3.25/mo or $50/perpetual per device plus additional fees for cloud
($0.75/mo/device) or appliance ($5000/once)

Sophos
http://www.sophos.com/en-us/products/mobile.aspx

* Offered as on-premise service or cloud service
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption.
* Integrates with Enterprise Management product
* Supports Android, Apple, Blackberry, and Windows Mobile
* Good reporting including device inventory capabilities

Good Technology
http://www1.good.com/products/mobile-manager

* Manages secure mobile email as well as document access as part of a Suite.
* Restrict device features, apps, or web browsing as well as enforce encryption
* Ability to remote wipe devices
* Supports Android, Apple, and Windows Phone
* Requires Enterprise Suite product for management capabilities
* Allows for multi-factor authentication and strong crypto standards

Zenprise
http://www.zenprise.com/products/zenprise-mobilemanager

* Secure content container with context aware policies for data protection
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption
* Offered as on-premise service or cloud service
* Integrates with third-party NAC solutions
* Supports Android, Apple, Blackberry, and Windows Phone

Other Technical Controls

We believe banks would benefit from the creation of a Portable Device Configuration Standards document that governs how your technical team will set up Exchange, Exchange ActiveSync, and Mobile Devices in order to mitigate risk. A good document will reflect definitions already in the policy document, establish what to look for in a periodic and/or random audit, establish encryption standards for data at rest and in motion, establish wireless configuration standards, establish connection control standards for both issued and authorized devices. Finally, the document should provide guidance on “incident reporting,” especially since most technical team members are going to see those using BYOD as a member of “management” and thus could be a bit intimidated about reporting poor practices.

Again, we believe that this document should govern ALL portable devices (including laptops and tablets), and not just BYOD devices. Thus, the Portable Device Configuration Standards document establishes how you will use MDM or EAS, but also how you will set up your VPN, how employees will connect from a “public network” such as a hotel room, and AVS requirements for laptops, among many other issues.

Our point, and the main deliverable of this paper, is that you shouldn’t just focus in on BYOD.  Take advantage of the momentum and focus senior management currently has on this buzzword to establish standards that apply to ALL portable devices, and you will increase risk mitigation!

We thank our client, John Mickle of Mutual Bank, for allowing us to use his research report in the development of this article.