Shadow IT And Bring Your Own Device Policies

Striking the balance between smart (phones) and stupid (policies).

The term “Shadow IT,” first coined in an era when software shipped on (literally) floppy disks, originally described the use of unapproved technology within an enterprise IT environment. Because these technologies had not been vetted or configured by IT personnel, they were effectively outside the positive control of the company and therefore introduced significant risk.

The vast majority of Americans own smartphones today: 77%, up from 35% in the Pew Research Center’s 2011 survey of smartphone ownership. Millennials are more attached to their phones than any other demographic, with more than nine in ten Millennials (92%) owning smartphones and forming a critical component of a more technology-focused and mobile, if not remote, workforce. According to Daniel Newman at Dell, 95 percent of employees report using at least one personal device while at work.

The convergence of all these factors leads to the inevitable question: how can companies allow the use of personal devices for company business and properly measure, monitor and mitigate the extraordinary risks generated by the conduct of company business on these devices?

In information security circles, devices which are unauthorized or not formally controlled by an organization form the basis for a category of unapproved IT devices and services (including apps/programs/services) referred to as “Shadow IT.” The name is derived from the fact that these devices do not exist in an entity’s official information technology infrastructure, or the company does not have an official IT support or governance function to manage them. Ultimately, the existence of Shadow IT introduces risk to an organization’s security posture that is, well, a bit “shadowy” in nature.

Today, when employment law attorneys and security companies are asked how to address Shadow IT within information security policies to reduce risk for organizations, the answer quickly becomes rooted in having a bring your own device (BYOD) policy as well as a monitoring policy that reduces the risk. After all, BYOD expands an organization’s attack surface: more devices have access to sensitive data, and more data leaves the network through these mobile devices.

Statistics around BYOD reveal that allowing personal devices at work creates productivity gains totaling over a third of an employee’s workday. Some of the immediate gains from smartphone usage include faster responses to communications and improved collaboration. This is because smartphones are used not only as Shadow IT but also to access corporate data systems remotely under valid policies prescribed by IT departments, which raises the question of how to create inroads that allow mobile device access to corporate networks and bring Shadow IT into the proverbial light.

One answer lies in creating a governance and security policy framework that addresses the use of all devices and services with respect to corporate data, networks and resources. This can be achieved through clear and strong documentation requiring approval for all information technology devices and services before they connect to a corporate network. Expanding upon this is the requirement that any device that connects to a company network must be configured to baseline standards set by the Information Security Department.


Another element of the control framework is establishing technological controls over all devices. This can mean specifically allowing monitoring within a network environment to detect unauthorized devices and services (including applications) and then blocking any device that does not fit within the corporate policy. This empowers the IT department or third parties (when necessary) to monitor, block and scan the networks for sketchy technology that can pose risk to a network – rogue devices, outliers, and forgotten technology including legacy IT. Mobile Device Management (MDM) and Network Access Control (NAC) are well-documented controls that achieve many of these technological stopgaps. However, there are many things that need to be considered, planned and implemented when using these defense-in-depth mechanisms, since they can also provide a false sense of security and even expose alternate, unforeseen vulnerabilities. This is why third-party penetration testing of such control systems is such a crucial step within the design and implementation phase.

Bring-your-own-device policies can encompass those two elements and go even further, including deciding which devices are permitted and tying the technology and policy into an acceptable use policy. Such a policy can help set limits on which applications can be installed on devices that contain corporate information or connect to corporate networks.

A well-planned internal control framework, together with proper technological implementation of MDM, NAC, and asset inventory and control, can help abate much of the risk associated with Shadow IT and BYOD. These internal controls are not only a good way to align company interests (control, increased productivity, accessibility) with those of a more liberated workforce (freedom, remoteness, productivity away from the office); they are also a way to demonstrate compliance when regulators scrutinize how sensitive data is protected within an organization. Make sure you also think through corporate culture and distributed workforce considerations, and get corporate and executive buy-in, before devising a plan of action. Below are some considerations that should help facilitate discussions with IT stakeholders and help organizations of all sizes make the best decisions about how to better defend against today’s most sophisticated attacks.

Cross-Functional Considerations:

  • Which stakeholders are responsible for and manage/control devices/data?
  • Should the organization even allow BYOD?
  • What value does it add to the corporation or morale/efficiency of the employees and is that worth the risk or management overhead?
  • How to balance what data is allowed on the device against what is actually needed to gain work value from accessing that data remotely.
  • What is the liability of the company for lost personal data if the device is remotely wiped and not backed up?
  • How to weigh and explain the legal risks an employee takes on by keeping company data on a personal device.
  • Where does liability lie when phone vendors or carriers do not patch vulnerable devices after new exploits or vulnerabilities are released?
  • How to mitigate the risk from older or unpatched phones that are no longer supported, or for which the carrier withholds updates for extended periods.


Technical Considerations:

  • Forcing VPN when on untrusted Wi-Fi, or an always-on VPN even when on cellular.
  • Ability to test and enforce strong passcodes, or to require biometrics.
  • Enforcing strong lockout policies with short timeouts so that a phone lost in public cannot be accessed.
  • Policies and technology to push contact information to the lock screen, giving a finder a way to contact corporate security or IT and return a locked phone.
  • Full phone encryption including all connected media and backups.
  • Monitoring for, and denying access to corporate apps on, devices that are rooted or jailbroken.
  • Blocking installation of dangerous apps, including requiring all apps to be obtained from official app stores and to come from validated/signed applications and developers.
  • Conversely, the ability to allow-list (whitelist) the applications permitted on the device.
  • Capability to remotely track and wipe the device.
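As an added illustration (not code from the article or from any MDM/NAC product), the technical checklist above can be expressed as a device-posture evaluation of the kind an MDM or NAC agent performs before a personal device is granted access to corporate resources. The posture field names, thresholds and app identifiers are assumed for the example; a real product exposes equivalents under its own schema.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Baseline thresholds an Information Security department might set (assumed values).
POLICY = {
    "min_passcode_length": 6,         # biometrics still fall back to a passcode, so its strength matters
    "max_lock_timeout_seconds": 300,  # short timeout limits exposure of a phone lost in public
    "app_allowlist": {"com.corp.mail", "com.corp.vpn", "com.corp.messenger"},  # constructed IDs
}

@dataclass
class DevicePosture:
    """Posture report from a device agent. Field names are assumed for this example."""
    device_id: str
    rooted_or_jailbroken: bool
    storage_encrypted: bool
    backups_encrypted: bool        # covers connected media and backups, not just internal storage
    passcode_min_length: int       # 0 means no passcode is set
    lock_timeout_seconds: int      # 0 means the screen never locks
    vpn_always_on: bool
    vpn_active: bool
    on_untrusted_wifi: bool
    work_profile_apps: list[str] = field(default_factory=list)  # managed/work profile only, not personal apps

def evaluate_posture(p: DevicePosture, policy: dict = POLICY) -> tuple[bool, list[str]]:
    """Return (compliant, reasons). Every failed control is listed so the user can be
    told what to fix instead of receiving an opaque access denial."""
    reasons: list[str] = []
    if p.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    if not (p.storage_encrypted and p.backups_encrypted):
        reasons.append("storage or backups are not encrypted")
    if p.passcode_min_length < policy["min_passcode_length"]:
        reasons.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    if p.lock_timeout_seconds == 0 or p.lock_timeout_seconds > policy["max_lock_timeout_seconds"]:
        reasons.append("screen lock disabled or timeout too long")
    if p.on_untrusted_wifi and not (p.vpn_active or p.vpn_always_on):
        reasons.append("on untrusted Wi-Fi without VPN")
    unapproved = sorted(set(p.work_profile_apps) - policy["app_allowlist"])
    if unapproved:
        reasons.append("unapproved apps in work profile: " + ", ".join(unapproved))
    return (not reasons, reasons)
```

Only the work profile is inspected for apps, which is what the Android work/personal profile split in the next section makes possible without inventorying an employee's personal apps.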

Risk-Reducing Technology:

  • Multiple profiles on Android (work and personal).
  • MDM for both Android and iPhone.
  • Use of company administered privacy-enabling and data-minimizing apps.

Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.
