BYOD policies

jellyjoo100
Hi, does anyone here have any experience in BYOD (bring your own device) policies? Maybe your workplace has one, or you have heard about it some more? My business partner is considering integrating a BYOD policy in our business, although I am a bit on the fence when it comes to security… I have been doing my research, and it mostly offers to get a VPN. What do you think? Any information would be much appreciated. 

7 hours ago, jellyjoo100 said:
Hi, does anyone here have any experience in BYOD (bring your own device) policies? Maybe your workplace has one, or you have heard about it some more? My business partner is considering integrating a BYOD policy in our business, although I am a bit on the fence when it comes to security… I have been doing my research, and it mostly offers to get a VPN. What do you think? Any information would be much appreciated. 

What exactly would you like to know? The big one when it comes to keeping company data secure is adding BYOD devices to an MDM (Mobile Device Management) service, like Meraki, AirWatch, etc.

 

That way you can enforce basic policies like "Have a passcode on your lock screen" - and depending on the device, it may give you more enhanced options (iOS can to some degree segregate corporate data, for example).

 

You can also "pre-load" configuration payloads, like a VPN connection back to the office VPN Server (and no, I'm not talking about commercial "privacy" VPNs like NordVPN, which are largely useless to enterprise customers who can just host their own instead).

 

Personally I use Meraki pretty heavily - though not for BYOD devices.

 

Do you have any specific questions?

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


1 minute ago, dalekphalm said:

That way you can enforce basic policies like "Have a passcode on your lock screen" - and depending on the device, it may give you more enhanced options (iOS can to some degree segregate corporate data, for example).

Android has something similar, known as a Work Profile, where work data lives in a separate profile from the user's data. That would be the most secure option regarding BYOD for Android, because it prevents mixing private with work data. In this case you're looking for an MDM that supports Android Enterprise. This puts some restrictions on devices in terms of minimum supported Android version.

 

Overall iOS is still far more business friendly in terms of what MDMs can do, with Google playing catch-up.

Remember to either quote or @mention others, so they are notified of your reply


6 minutes ago, Eigenvektor said:

Android has something similar, known as a Work Profile, where work data lives in a separate profile from the user's data. That would be the most secure option regarding BYOD for Android, because it prevents mixing private with work data. In this case you're looking for an MDM that supports Android Enterprise. This puts some restrictions on devices in terms of minimum supported Android version.

 

Overall iOS is still far more business friendly in terms of what MDMs can do, with Google playing catch-up.

Agreed on all points. Meraki supports both Android and iOS for their MDM - as do a number of other companies, I'm sure. We've never actually used Android with our MDM, because we basically use it for iPads that are used in a classroom-like situation with kids and aren't "assigned" to a specific user. But we may end up adding some, if a proposal goes through (we might end up getting about 10-12 Android tablets and managing them w/ Meraki).


17 minutes ago, amdorintel said:

a big corp i know of likes apple for byod

That's because the Apple remote management system is far more robust than the Android one. It works with a lot more variations of OS, and Apple PUSH commands typically are very reliable.


11 hours ago, dalekphalm said:

What exactly would you like to know? The big one when it comes to keeping company data secure, is adding BYOD devices to an MDM (Mobile Device Management) service, like Meraki, AirWatch, etc.

 

That way you can enforce basic policies like "Have a passcode on your lock screen" - and depending on the device, it may give you more enhanced options (iOS can to some degree segregate corporate data, for example).

 

You can also "pre-load" configuration payloads, like a VPN connection back to the office VPN Server (and no, I'm not talking about commercial "privacy" VPNs like NordVPN, which are largely useless to enterprise customers who can just host their own instead).

 

Personally I use Meraki pretty heavily - though not for BYOD devices.

 

Do you have any specific questions?

Thanks for your answer, I'll keep Meraki in mind. Regarding a VPN, I don't have the budget to "host my own" leaving the only option of outsourcing. 

My only specific question I guess was about keeping company data secure while having a BYOD policy.


7 hours ago, jellyjoo100 said:

Thanks for your answer, I'll keep Meraki in mind. Regarding a VPN, I don't have the budget to "host my own" leaving the only option of outsourcing. 

My only specific question I guess was about keeping company data secure while having a BYOD policy.

How can you have a budget for "outsourcing" (which will have a recurring monthly or yearly fee) but not for hosting your own? Can you give a little clarity there?

 

Can you tell me why you think you'd need an "outsourced" VPN service at all?

 

If your main concern is keeping company data secure w/ BYOD, then having an MDM makes life a lot easier, since you can enforce policies. Not having an MDM basically means that you need to have employees police their own enforcement of company policy.

 

Eg: Making sure every employee has a lock screen code on their phone, and that they don't disable it (or, for example, disable the inactivity timeout so that it never locks). With an MDM you don't have to guess, as it's forced on them.

 

In terms of how to keep the data secure, there are a few basics (these can be done generally, and an MDM isn't required):

1. Lock screen passcode must be mandatory

2. Secure passwords on emails

3. Location tracking on devices with company data

4. Remote wipe ability (a lot easier w/ an MDM) in case a device is lost or stolen

5. Using a VPN connection back to the corporate office to ensure data security

 

Using a commercial "outsourced" VPN like NordVPN or whatever doesn't really offer that much benefit to a company - sure it encrypts the connection, so it does mitigate random WIFI attacks at like, Starbucks, but that's it. You're trusting some random company with your data still.

 

Hosting your own - which most commercial grade routers/firewalls have out-of-the-box support for - will allow you to encrypt the connection, but also give you the benefit of routing that encryption and connection through your system, giving you total control - additionally, it allows you to have access to company resources (eg: internal fileserver) without giving those resources direct access over the internet.

 

Additionally, a company hosted VPN server allows you to enforce other security related policies, such as content filtering, and being "behind" the firewall with IPS and IDS, etc.

 

But really, the basics are just common sense. Ensure the devices are securely locked. Keep them up to date w/ security patches, and for god's sake, don't allow people to use devices no longer supported w/ security patches.

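The controls listed above are exactly what an MDM compliance policy evaluates per enrolled device. The following Python is an added example, not code from this thread or from any MDM vendor: it checks constructed device records against those controls (plus the Android work profile point raised earlier). The thresholds (300-second auto-lock, 90-day patch window, minimum OS versions) are assumptions, and item 2 (email password strength) is enforced at the mail service rather than on the device, so it is left out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Device:  # one enrolled BYOD device as an MDM inventory would report it
    name: str
    os: str                          # "ios" or "android"
    os_version: Tuple[int, int]
    passcode_set: bool
    autolock_seconds: Optional[int]  # None means the inactivity lock is disabled
    last_security_patch: date
    remote_wipe_enrolled: bool
    location_enabled: bool
    work_profile: bool = True        # Android work profile; not used for iOS

# Thresholds are assumptions: the thread names the controls, not the numbers.
POLICY = {"max_autolock_seconds": 300, "max_patch_age_days": 90,
          "min_os_version": {"ios": (15, 0), "android": (11, 0)}}

def check_device(dev: Device, policy: dict, today: date) -> List[str]:
    """Return every policy violation for one device; an empty list means compliant."""
    violations = []
    # Lock screen passcode, plus the inactivity timeout that makes it meaningful
    if not dev.passcode_set:
        violations.append("no lock screen passcode")
    if dev.autolock_seconds is None or dev.autolock_seconds > policy["max_autolock_seconds"]:
        violations.append("inactivity lock disabled or longer than policy allows")
    # Location tracking and remote wipe, for lost or stolen devices
    if not dev.location_enabled:
        violations.append("location tracking off")
    if not dev.remote_wipe_enrolled:
        violations.append("remote wipe not available")
    # Patch currency: platforms without a minimum and versions below it both fail
    min_version = policy["min_os_version"].get(dev.os)
    if min_version is None:
        violations.append(f"platform {dev.os} not permitted")
    elif dev.os_version < min_version:
        violations.append(f"{dev.os} {dev.os_version} below minimum {min_version}")
    if today - dev.last_security_patch > timedelta(days=policy["max_patch_age_days"]):
        violations.append("security patches out of date")
    # Android Enterprise: work data must live in a separate work profile
    if dev.os == "android" and not dev.work_profile:
        violations.append("work data not isolated in a work profile")
    return violations

def compliance_report(devices: List[Device], policy: dict, today: date) -> dict:
    # Device name -> violations, ready to drive a block-or-notify action in the MDM
    return {d.name: check_device(d, policy, today) for d in devices}

TODAY = date(2024, 6, 1)  # constructed evaluation date; the fleet below is constructed too
DEVICES = [
    Device("alice-iphone", "ios", (17, 4), True, 120, date(2024, 5, 20), True, True),
    Device("bob-pixel", "android", (14, 0), True, None, date(2024, 1, 3), True, True, work_profile=False),
    Device("carol-old-tablet", "android", (9, 0), False, 60, date(2022, 2, 1), False, True),
]
```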

16 hours ago, jellyjoo100 said:

Thanks for your answer, I'll keep Meraki in mind. Regarding a VPN, I don't have the budget to "host my own" leaving the only option of outsourcing. 

My only specific question I guess was about keeping company data secure while having a BYOD policy.

A VPN device meant to connect your remote employees to your internal network has no benefit to your business at all if it's cloudsourced. Literally all it does is cost you money.

Let's think about how a VPN works:

  1. You set up a connection between yourself and a remote server.
    1. The connection is configured to automatically encrypt all data between you and the remote server.
  2. You configure your machine to route all interesting communications to the remote server.
  3. You configure the remote server to decrypt your communications and pass along the packets with new headers (metadata) to the other network it is connected to.

In your example of a cloudsourced VPN, the "other" network the VPN is connected to is just the internet. So when a remote employee would want to access your local network, here's what would happen:

  1. The remote employee configures their machine to route the necessary traffic through your cloudsourced VPN.
  2. They log in to your network:
    1. They send encrypted data addressed to your network gateway to the VPN.
    2. The VPN decrypts said data and sends it over the internet to your network gateway.
      1. Your local network gateway then thinks that it's the VPN server that it's talking to.
    3. Your network gateway sends decrypted data addressed to your VPN server.
    4. Your VPN server encrypts the data and sends it to the remote employee.

This is really bad for you, as it offers your local network no protection.

For a VPN to provide your business network any protection at all, the VPN server must be running on a device physically connected to your network.

There are some things you can do that might be free, or are otherwise less expensive than you might think:

  • If you have a firewall acting as your network gateway, check to see if it can be configured to also act as a VPN server. This is very common with enterprise class network hardware.
  • If you do not have a firewall acting as your network gateway, consider getting one.
    • They can be built relatively inexpensively out of spare or used hardware, making the only significant expense the Network Interface Cards.
    • According to NetGate, pfSense community edition "remains a free and open product available for your personal or business use", as long as you don't turn around and try to sell the pfSense software, that is.

To put it shortly, if you can build your own gaming PC, you can build a relatively inexpensive device that runs pfSense and acts as a network gateway (for internet access), a firewall (for security), a VPN server (for remote employee security), and a router/switch (for convenience and value in only needing a single device for a small network).
 

This, in combination with @dalekphalm's more in-depth answer about Mobile Device Management would make for a good start to securing your local network when it's being used by remote employees.

ENCRYPTION IS NOT A CRIME

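The two packet paths walked through above can be traced programmatically. The following Python is an added example, not code from the thread: it models a cloud-hosted VPN, a VPN server on the office gateway, and the variant raised later in the thread of a VPN server on a spare machine behind the firewall, and reports which links carry plaintext over the internet and what address the office edge sees. Hop names and sites are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Hop:
    name: str
    site: str  # who controls the hop: "employee", "provider" or "office"

def trace(path: List[Hop], vpn_server: str) -> List[Dict]:
    """One record per link the packet crosses from the employee to the service.

    The payload is encrypted only while it is inside the tunnel, that is until
    it reaches the hop running the VPN server, which decrypts it and forwards
    it with new headers. A link between hops at different sites runs over the
    public internet. The return path mirrors this and is not modelled.
    """
    in_tunnel, legs = True, []
    for src, dst in zip(path, path[1:]):
        legs.append({"from": src.name, "to": dst.name,
                     "public": src.site != dst.site, "encrypted": in_tunnel})
        if dst.name == vpn_server:
            in_tunnel = False  # decrypted here; every later link is plaintext
    return legs

def assess(path: List[Hop], vpn_server: str) -> Dict:
    """Summarise what the office network is exposed to for a given design."""
    legs = trace(path, vpn_server)
    gw = next(i for i, h in enumerate(path) if h.site == "office")  # office edge
    return {
        "plaintext_on_internet": [(leg["from"], leg["to"]) for leg in legs
                                  if leg["public"] and not leg["encrypted"]],
        # Plaintext arriving at the office edge means the internal service itself
        # must be reachable from the internet; an encrypted arrival means only
        # the VPN listener is.
        "service_published_to_internet": not legs[gw - 1]["encrypted"],
        "office_sees_traffic_from": path[gw - 1].name,
    }

# Constructed topologies for the three designs discussed in the thread
CLOUD = [Hop("employee-laptop", "employee"), Hop("cloud-vpn-server", "provider"),
         Hop("office-gateway", "office"), Hop("fileserver", "office")]
ON_GATEWAY = [Hop("employee-laptop", "employee"), Hop("office-gateway", "office"),
              Hop("fileserver", "office")]
BEHIND_FIREWALL = [Hop("employee-laptop", "employee"), Hop("office-gateway", "office"),
                   Hop("pi-vpn-server", "office"), Hop("fileserver", "office")]

if __name__ == "__main__":
    for label, path, server in [("cloud", CLOUD, "cloud-vpn-server"),
                                ("gateway", ON_GATEWAY, "office-gateway"),
                                ("pi", BEHIND_FIREWALL, "pi-vpn-server")]:
        print(label, assess(path, server))
```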

1 hour ago, straight_stewie said:

A VPN device meant to connect your remote employees to your internal network has no benefit to your business at all if it's cloudsourced. Literally all it does is cost you money.

Let's think about how a VPN works:

  1. You set up a connection between yourself and a remote server.
    1. The connection is configured to automatically encrypt all data between you and the remote server.
  2. You configure your machine to route all interesting communications to the remote server.
  3. You configure the remote server to decrypt your communications and pass along the packets with new headers (metadata) to the other network it is connected to.

In your example of a cloudsourced VPN, the "other" network the VPN is connected to is just the internet. So when a remote employee would want to access your local network, here's what would happen:

  1. The remote employee configures their machine to route the necessary traffic through your cloudsourced VPN.
  2. They log in to your network:
    1. They send encrypted data addressed to your network gateway to the VPN.
    2. The VPN decrypts said data and sends it over the internet to your network gateway.
      1. Your local network gateway then thinks that it's the VPN server that it's talking to.
    3. Your network gateway sends decrypted data addressed to your VPN server.
    4. Your VPN server encrypts the data and sends it to the remote employee.

This is really bad for you, as it offers your local network no protection.

For a VPN to provide your business network any protection at all, the VPN server must be running on a device physically connected to your network.

There are some things you can do that might be free, or are otherwise less expensive than you might think:

  • If you have a firewall acting as your network gateway, check to see if it can be configured to also act as a VPN server. This is very common with enterprise class network hardware.
  • If you do not have a firewall acting as your network gateway, consider getting one.
    • They can be built relatively inexpensively out of spare or used hardware, making the only significant expense the Network Interface Cards.
    • According to NetGate, pfSense community edition "remains a free and open product available for your personal or business use", as long as you don't turn around and try to sell the pfSense software, that is.

To put it shortly, if you can build your own gaming PC, you can build a relatively inexpensive device that runs pfSense and acts as a network gateway (for internet access), a firewall (for security), a VPN server (for remote employee security), and a router/switch (for convenience and value in only needing a single device for a small network).
 

This, in combination with @dalekphalm's more in-depth answer about Mobile Device Management would make for a good start to securing your local network when it's being used by remote employees.

Agreed on all points.

 

I would also point out that you can simply run the VPN Server on a spare Raspberry Pi or an old workstation, or literally any hardware, if your Router/Firewall doesn't support hosting one. All you need is maybe to add a 2nd NIC, and configure it to route between your Firewall and your internal network.

 

There are many options there.


Scale is also a factor. How big a company are we talking? How many users? How many BYOD devices? How many users remotely accessing company data? Etc.


Can't add anything to the conversation other than a laugh for you:

 

I work for a gov't agency. They recently put out a BYOD policy for us, stating home systems are allowed to be used, with the following exceptions:

No Mac devices

No Linux devices

No Windows devices

 

I wish I were kidding....

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


5 hours ago, Radium_Angel said:

Can't add anything to the conversation other than a laugh for you:

 

I work for a gov't agency. They recently put out a BYOD policy for us, stating home systems are allowed to be used, with the following exceptions:

No Mac devices

No Linux devices

No Windows devices

 

I wish I were kidding....

Break out the BBC Micro!


1 hour ago, dalekphalm said:

Break out the BBC Micro!

Yeah, they never said anything about SGI, Sun, or my old fav, BeOS.

Now if I could find an SGI or Sun laptop...I'd be in business.


2 hours ago, Radium_Angel said:

Yeah, they never said anything about SGI, Sun, or my old fav, BeOS.

Now if I could find an SGI or Sun laptop...I'd be in business.

You could run any Unix OS, like FreeBSD too!

 

And technically depending on the wording, you could still run iOS, since iOS isn't a Mac (though it is an Apple!)

