BYOD - Wipro

BYOD
An erosion of Information Security and Privacy
Author:
Yogesh Hinduja
Associate Practice Partner
Wipro Consulting Services
Table of Contents
Introduction
BYOD – Opportunities and Challenges
Assurance towards BYOD Information Security and privacy issues
Conclusion
About Wipro Consulting Services
About Wipro IT Services
Introduction
BYOD (bring-your-own-device) is one of the most prominent recent trends, largely driven by the need to improve productivity while maintaining work-life balance. This trend has been adopted enthusiastically by a workforce influenced by an “anytime, anywhere, any device” culture. A recent survey from Gartner showed that 70% of the respondents were planning to jump on the BYOD bandwagon within the next 12 months, underscoring its popularity. While BYOD delivers several benefits, it brings with it a host of security related issues.
This paper explores the security related challenges related to BYOD and proposes an approach to handle them.
BYOD – Opportunities and Challenges
The benefits to be derived from enabling BYOD in an enterprise are plenty and each is significant and worthwhile pursuing on its own. The important ones are – it enables more flexibility, reduces IT costs and increases productivity for both the business as well as employees. With an increasingly mobile workforce, BYOD appears to be the solution that IT organizations the world over have been waiting for.
While this is definitely a game-changing trend, it has significant ramifications on the enterprise, especially on the security aspect. Employees are not only bringing their own devices, but launching their own network services and this can potentially be a severe threat.
Some of the key challenges associated with introducing BYOD in an organization are,
Uncontrolled Access
The biggest risk that BYOD creates is the seemingly uncontrolled access to the network, both in terms of what information is accessed and retrieved, and what happens to that information if a device is lost or stolen. Recent research reports show that out of the professionals who own smart phones, 70% of them use it to access corporate data.
Lack of Application Security controls
A high degree of vulnerability is faced on platforms such as Android. Without adequate application security controls, enterprises face the prospect of huge data loss. Nearly half of the enterprises that allow employee-owned devices to connect to a company’s network have experienced a data breach.
Device Support
Managing large device stacks in terms of tracking and controlling access requires considerable effort. It involves supporting a variety of devices and their operating systems, and maintaining an expected level of service.
Impact on Data Privacy
Owing to the nature of BYOD, both enterprise-sensitive information as well as confidential customer information can be compromised easily and this has a tremendous import on data privacy.
Malware infections or phishing scams
The chance of BYOD devices being infected with malware is high, leading to unauthorized access to the enterprise network. This is a dangerous trend as professional hackers can cause severe damage to a company’s IT infrastructure by making use of bot masters.
Despite this, almost 80 per cent of today’s BYOD activity remains inadequately managed by IT departments. In fact, a Gartner study reports that a woeful 33% of organizations surveyed have policies in place to address BYOD related issues.
The answer lies not in abandoning the BYOD initiative as some have but in setting up proper security measures.
12% of companies surveyed shut down their BYOD programme altogether after experiencing a breach.
Assurance towards BYOD Information Security and privacy issues
BYOD is no simple technology implementation – it involves a complete reorientation to data access and privacy policies. This requires the IT
organization to understand the enterprise landscape completely before embarking on the implementation. It is therefore essential to adopt a holistic
view that addresses people, process, technology and cultural aspects for BYOD to be sustainable in the long run.
Any approach to BYOD implementation needs to necessarily consider these four pillars for the following reasons (Fig 1),
Process Focus
• Achieve better performance and results
• Identify best practices that can be leveraged to give a jump start
• Detect areas of improvement and enhance current process
• Visualize process and identify associated risks and bottlenecks and create opportunity for improvement
People Focus
• Identify the capabilities and organizational structure that enable faster transformation
• Derive success strategies
• Identify actions that are feasible and implementable
Technology Focus
• Identify the supporting tools that ease the process implementation
• Identify the opportunities and propose tools that are beneficial to achieve set goals eliminating risks
• Increase productivity, reduce operational and maintenance cost through effective tools
Culture Focus
• Identify the culture of the organization that needs to be considered for effective mitigation and prevention of risks
Fig 1: Pillars for Implementing BYOD
For an effective BYOD implementation, enterprises need to follow a five-step process that comprehensively covers information security and privacy
issues. The key is to not only develop safeguards but also communicate them to employees to enforce them effectively.
Proposed Approach
BYOD Initiative: Promote BYOD to instill flexible environment and make the workplace more enjoyable
1. Identify the need
• Assess the need through employee survey questionnaire on the type of applications employees use their devices
• Identify the need and type of devices employees tend to use
2. Assess the security and risk issues
• Identify data security, privacy issues through a detailed risk assessment on the category of the devices that employees tend to use
• Review the current capability of dealing with the issues involved and adequacy of existing controls in place
3. Gap Analysis
• Assess and analyze the gaps
• Analyze control requirements to determine risk mitigation strategies
• Do a cost/benefit analysis
4. Communicate and harden the devices
• Communicate the BYOD policy and promote
• Harden the devices to ensure that unknown or third party applications are not used in an unauthorized manner
5. Finalize the plan and develop BYOD policy and set up a process
• Finalize on the coverage in terms of what is allowed and disallowed based on risk assessment, cost/benefit analysis
• Develop a policy to promote only company-approved devices
• Set up a process on employees declaring the device use with an “acceptable use” policy
• Create and maintain the repository of allowed devices tagged with unique IDs
Fig 2: Approach for Implementing BYOD
There is a range of security measures available that need to be implemented both at the device level and at the enterprise network level. At
the device level, simple measures such as authenticated passwords or auto-locking can be enforced. Naturally, the enterprise network will
require more sophisticated measures to ensure secure remote access.
Once the BYOD policy is finalized, it is critical to get employee buy-in, given that they are one of the key stakeholders in the BYOD ecosystem.
Hence, promoting the BYOD policies is a critical success factor.
Conclusion
The BYOD landscape is growing every day, adding complexities to an enterprise’s IT environment. It is crucial for enterprises that are exploring BYOD adoption to have a comprehensive implementation plan in place to avoid security incidents that can have significant ramifications. For a successful and secure BYOD program, enterprise IT organizations need to,
• Measure the outcomes of BYOD programs - Organizations that have deployed or are considering deploying BYOD programs must measure the impact of BYOD programs.
• Building Awareness – To extract best practices from the BYOD program, organizations need to focus on employee awareness and acceptable use of technology. Employees should be made aware of the sensitivity of data and their role in protecting organization information.
It appears that there is no turning back from this trend as a more technology-savvy workforce prefers to follow the BYOD path. Enterprises will be
wise to invest time and efforts in this initiative and ensure it is implemented effectively to avoid costly errors.
About the Author
Yogesh Hinduja
Yogesh Hinduja is an Associate Practice Partner with Wipro Consulting Services with over 13 years of
extensive consulting experience in the domain of Information Security, Business Continuity Management,
IT Risk Management, Project Management, Transition, Migration, Network, Client Relationship Management
and Operations Management across various countries.
About Wipro Consulting Services
Wipro Consulting Services (WCS) is a division of Wipro Ltd (NYSE:WIT), a $7 Billion enterprise that employs over 135,000 employees across the globe.
WCS offers Business Advisory, IT Consulting and Risk and Compliance services designed to improve business performance, drive operational efficiency
and maximize ROI. With 1350+ consultants based in Western Europe, North America, India, Asia Pacific and the Middle East, our integrated Consulting,
IT, BPO and Product Engineering services combine the benefits of expert proximity with global leverage to provide technology edge and speed to your
strategic programs. NYSE: WIT | Over 135,000 Employees | 55 Countries
About Wipro IT Services
Wipro IT Services, a part of Wipro Limited (NYSE:WIT), is a leading Information Technology, Consulting and Outsourcing company that delivers
solutions to enable its clients do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360
degree view of “Business through Technology” – helping clients create successful and adaptive businesses. A company recognized globally for its
comprehensive portfolio of services, a practitioner’s approach to delivering innovation and an organization wide commitment to sustainability,
Wipro IT business has over 135,000 employees and clients across 54 countries.
For more information, please visit www.wipro.com or contact us at [email protected]
Disclaimer: The material in this document is provided “as is” without warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, title and non-infringement. The material are subject to change without notice and do not represent a commitment on the part of Wipro. In no event shall Wipro be
held liable for technical or editorial errors or omissions contained in the material, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages
whatsoever resulting from the use of any information contained in the material. The materials may contain trademarks, services marks and logos that are the property of third parties. All other
product or service names are the property of their respective owners
WIPRO INFOTECH, DODDAKENNELLI, SARJAPUR ROAD, BANGALORE - 560 035, INDIA TEL : +91 (80) 2844 0011, FAX : +91 (80) 2844 0256, email : [email protected]
©Copyright 2013. Wipro Limited. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without express written permission from Wipro Limited. Specifications subject to change without notice. All other trademarks mentioned herein are the
property of their respective owners. Specifications subject to change without notice.
