BYOD - Wipro
www.wipro.com

BYOD
An erosion of Information Security and Privacy

Author: Yogesh Hinduja, Associate Practice Partner, Wipro Consulting Services

Table of Contents
Introduction
BYOD – Opportunities and Challenges
Assurance towards BYOD Information Security and privacy issues
Conclusion
About Wipro Consulting Services
About Wipro IT Services

Introduction

BYOD (bring-your-own-device) is one of the most prominent recent trends, largely driven by the need to improve productivity while maintaining work-life balance. This trend has been adopted enthusiastically by a workforce influenced by an “anytime, anywhere, any device” culture. A recent survey from Gartner showed that 70% of the respondents were planning to jump on the BYOD bandwagon within the next 12 months, underscoring its popularity. While BYOD delivers several benefits, it also brings with it a host of security-related issues.

This paper explores the security challenges related to BYOD and proposes an approach to handle them.

BYOD – Opportunities and Challenges

The benefits to be derived from enabling BYOD in an enterprise are plenty, and each is significant and worth pursuing on its own. The important ones are that it enables more flexibility, reduces IT costs and increases productivity for both the business and its employees. With an increasingly mobile workforce, BYOD appears to be the solution that IT organizations the world over have been waiting for.

While this is definitely a game-changing trend, it has significant ramifications for the enterprise, especially on the security front. Employees are not only bringing their own devices but also launching their own network services, and this can potentially be a severe threat. Despite this, almost 80 per cent of today’s BYOD activity remains inadequately managed by IT departments. In fact, a Gartner study reports that a woeful 33% of organizations surveyed have policies in place to address BYOD-related issues. Some of the key challenges associated with introducing BYOD in an organization are:

• Uncontrolled Access – The biggest risk that BYOD creates is the seemingly uncontrolled access to the network, both in terms of what information is accessed and retrieved, and what happens to that information if a device is lost or stolen. Recent research reports show that, of the professionals who own smartphones, 70% use them to access corporate data.

• Lack of Application Security controls – Platforms such as Android face a high degree of vulnerability. Without adequate application security controls, enterprises face the prospect of huge data loss. Nearly half of the enterprises that allow employee-owned devices to connect to a company’s network have experienced a data breach.

• Device Support – Managing large device stacks, in terms of tracking and controlling access, requires considerable effort. It involves supporting a variety of devices and their operating systems, and maintaining an expected level of service.

• Impact on Data Privacy – Owing to the nature of BYOD, both enterprise-sensitive information and confidential customer information can be compromised easily, and this has a tremendous import on data privacy.

• Malware infections or phishing scams – The chance of BYOD devices being infected with malware is high, leading to unauthorized access to the enterprise network. This is a dangerous trend, as professional hackers can cause severe damage to a company’s IT infrastructure by making use of bot masters.

The answer lies not in abandoning the BYOD initiative, as some have, but in setting up proper security measures. 12% of companies surveyed shut down their BYOD programme altogether after experiencing a breach.

Assurance towards BYOD Information Security and privacy issues

BYOD is no simple technology implementation – it involves a complete reorientation to data access and privacy policies.
This requires the IT organization to understand the enterprise landscape completely before embarking on the implementation. It is therefore essential to adopt a holistic view that addresses people, process, technology and cultural aspects for BYOD to be sustainable in the long run. Any approach to BYOD implementation needs to necessarily consider these four pillars for the following reasons (Fig 1):

Achieve better performance and results

Process Focus
• Identify best practices that can be leveraged to give a jump start
• Detect areas of improvement and enhance current process
• Visualize process and identify associated risks and bottlenecks and create opportunity for improvement

People Focus
• Identify the capabilities and organizational structure that enable faster transformation
• Derive success strategies
• Identify actions that are feasible and implementable

Technology Focus
• Identify the supporting tools that ease the process implementation
• Identify the opportunities and propose tools that are beneficial to achieve set goals eliminating risks
• Increase productivity, reduce operational and maintenance cost through effective tools

Culture Focus
• Identify the culture of the organization that needs to be considered for effective mitigation and prevention of risks

Fig 1: Pillars for Implementing BYOD

For an effective BYOD implementation, enterprises need to follow a five-step process that comprehensively covers information security and privacy issues. The key is to not only develop safeguards but also communicate them to employees to enforce them effectively.
Proposed Approach

BYOD Initiative: Promote BYOD to instill a flexible environment and make the workplace more enjoyable

1. Identify the need
• Assess the need through an employee survey questionnaire on the type of applications employees use their devices for
• Identify the need and type of devices employees tend to use

2. Assess the security and risk issues
• Identify data security and privacy issues through a detailed risk assessment on the category of the devices that employees tend to use
• Review the current capability of dealing with the issues involved and the adequacy of existing controls in place

3. Gap Analysis
• Assess and analyze the gaps
• Analyze control requirements to determine risk mitigation strategies
• Do a cost/benefit analysis

4. Finalize the plan and develop BYOD policy and set up a process
• Finalize the coverage in terms of what is allowed and disallowed, based on risk assessment and cost/benefit analysis
• Develop a policy to promote only company-approved devices
• Set up a process for employees to declare device use under an “acceptable use” policy
• Create and maintain the repository of allowed devices tagged with unique IDs

5. Communicate and harden the devices
• Communicate the BYOD policy and promote it
• Harden the devices to ensure that unknown or third-party applications are not used in an unauthorized manner

Fig 2: Approach for Implementing BYOD

There is a range of security measures available that need to be implemented both at the device level and at the enterprise network level. At the device level, simple measures such as authenticated passwords or auto-locking can be enforced. Naturally, the enterprise network will require more sophisticated measures to ensure secure remote access.

Once the BYOD policy is finalized, it is critical to get employee buy-in, as employees are one of the key stakeholders in the BYOD ecosystem. Hence, promoting the BYOD policies is a critical success factor.
Conclusion

The BYOD landscape is growing every day, adding complexities to an enterprise’s IT environment. It is crucial for enterprises that are exploring BYOD adoption to have a comprehensive implementation plan in place to avoid security incidents that can have significant ramifications. For a successful and secure BYOD program, enterprise IT organizations need to:

• Measure the outcomes of BYOD programs – Organizations that have deployed or are considering deploying BYOD programs must measure the impact of BYOD programs.

• Building Awareness – To extract best practices from the BYOD program, organizations need to focus on employee awareness and acceptable use of technology. Employees should be made aware of the sensitivity of data and their role in protecting organization information.

It appears that there is no turning back from this trend, as a more technology-savvy workforce prefers to follow the BYOD path. Enterprises will be wise to invest time and effort in this initiative and ensure it is implemented effectively to avoid costly errors.

About the Author

Yogesh Hinduja is an Associate Practice Partner with Wipro Consulting Services with over 13 years of extensive consulting experience in the domain of Information Security, Business Continuity Management, IT Risk Management, Project Management, Transition, Migration, Network, Client Relationship Management and Operations Management across various countries.

About Wipro Consulting Services

Wipro Consulting Services (WCS) is a division of Wipro Ltd (NYSE:WIT), a $7 Billion enterprise that employs over 135,000 employees across the globe. WCS offers Business Advisory, IT Consulting and Risk and Compliance services designed to improve business performance, drive operational efficiency and maximize ROI.
With 1350+ consultants based in Western Europe, North America, India, Asia Pacific and the Middle East, our integrated Consulting, IT, BPO and Product Engineering services combine the benefits of expert proximity with global leverage to provide technology edge and speed to your strategic programs.

NYSE: WIT | Over 135,000 Employees | 55 Countries

About Wipro IT Services

Wipro IT Services, a part of Wipro Limited (NYSE:WIT), is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients to do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360 degree view of “Business through Technology”, helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner’s approach to delivering innovation and an organization-wide commitment to sustainability, Wipro IT business has over 135,000 employees and clients across 54 countries.

For more information, please visit www.wipro.com or contact us at [email protected]

Disclaimer: The material in this document is provided “as is” without warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. The materials are subject to change without notice and do not represent a commitment on the part of Wipro. In no event shall Wipro be held liable for technical or editorial errors or omissions contained in the material, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the material. The materials may contain trademarks, services marks and logos that are the property of third parties. All other product or service names are the property of their respective owners.

DO BUSINESS BETTER
WWW.WIPRO.COM | NYSE: WIT | OVER 135,000 EMPLOYEES | 54 COUNTRIES | CONSULTING | SYSTEM INTEGRATION | OUTSOURCING

WIPRO INFOTECH, DODDAKENNELLI, SARJAPUR ROAD, BANGALORE - 560 035, INDIA. TEL: +91 (80) 2844 0011, FAX: +91 (80) 2844 0256, email: [email protected]

©Copyright 2013. Wipro Limited. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without express written permission from Wipro Limited. Specifications subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.