Security Testing
Tomaso Vasella
Mobile Technology in Corporate Environments
Risks of Disappearing Privacy
time to read: 18 minutes
The borders between work environment and private life appear to disappear before our very eyes. The strict division of private, business and public life is basically impossible to maintain. This tendency does not come without consequences.
Smartphones, tablets, netbooks and notebooks are increasingly present in our everyday lives. This tempts people to use all these devices for both personal and professional matters. This is an effect that experts call IT Consumerisation. Using privately owned mobile end user devices (henceforth called smart devices) and gadgets in a business environment can lead to serious risks concerning confidentiality of business as well as compromising of the user’s own privacy. In addition to that, employees can unwittingly violate standing data protection rulings in a corporate environment.
The main motive for the use of smart devices by employees are comfort, mobility, flexibility, productivity, convenience and commodity as seen when working outside the office. In addition to that, the younger generation expects that equipment and technology is located where they are located. It appears unacceptable to not be able to rely on the many features of a smart device during office hours.
But: When do office hours end if the division between work and leisure has disappeared? Without the limit of time, the creed appears to be that the same thing that provides advantages, efficiency, mobility, fun and distraction in our private lives also provides use in a business environment.
Despite the many apparent advantages, the invasion of smart devices in a corporate environment can be problematic due to the fact that these are consumer devices and therefore not manufactured to be used in said environment. They often lack basic security features such as access restriction, encryption or virus protection. In addition to that, the devices have open, unsecured interfaces to social media providers as well as public cloud and collaboration services and private mail accounts. The applications – usually referred to as apps – are not tested for corporate use. Using certain apps runs the risk of transferring data to third parties.
- Today, many apps would fail a basic security check and display grave risks for security
- Employees load apps from app stores onto their devices that interact with business resources or perform business tasks. Many of these apps are inadequate when it comes to security on a corporate level. They’re potential targets of attack and violate corporate guidelines
- Many a business in inexperienced when dealing with mobile application security. If there are security checks, they’re more of an afterthought, an alibi exercise. Often, the app’s developers perform the security checks, and they are more concerned with functionality rather than security.
- Sensitive information may leave the protected corporate environment, could go public and could be abused.
- Complexity by number of smart devices can lead to lack of standardization.
- Legal uncertainty based on lack of experience can lead to costly legal procedures
- New attack vectors open up, the possible damage unpredictable
This leads to an uncontrollable risk.
Paradigm Shift
Regardless which concept of integration of smart devices we’re talking about, they’re variants of the same basic schemes:
- BYOD – Bring your own device: Employees bring their private smart device into the corporate network and use it for business purposes. Tasks they’re used for vary. The big promises of saving cost that were made years ago probably didn’t come to pass
- CYOD – Choose your own device: Employees get to choose a mobile device from a pre-approved list. It fits their tasks and individual preference.
- COPE – Corporate Owned, Personally Enabled: Rarely used. Corporate hands employees a smart device that they may use for leisure as well. Employees are responsible for maintenance and compliance with corporate security guidelines.
In order to better understand the melding of the formerly strictly divided spheres of leisure and business, we can look at the technological as well as cultural development.
Technology
| Past | Present |
|---|---|
| Single device type | Multiple device types |
| Fixed, stationary workspace (Desktop PC) | Mobile and Home Office |
| LAN Access | Multiple access points (LAN, Wi-Fi, VPN, Mobile Data Internet EDGE, GPRS, UMTS, LTE) etc. |
| Company-provided | Mix of BYOD, COPE, CYOD and Company-provided |
| On premise, in-house engineered solutions | Software as a Service (SaaS) consumption, on- and off premise |
Society and culture
- Innovation Speed and Rhythm: The innovations in the field of consumer electrontics are faster than corporate technologies
- Blending of work and private environment: The borders between private use and business use or even public use are disappearing
- User skills and behaviour / maturity: Users become increasingly independent. A culture of trust would necessitate increased responsibility, which is not to be confused with independence. Rising demands to IT use as a result of IT consumerization
- Collaboration and Productivity: Cloud computing and software as a service apparently support collaborative efforts and undermine security in a worst case scenario
- Work Place Strategy: Implementing new productivity tools support various Work Place Strategies such as home office, flex office or remote work
Mobile Devices in Corporate Environment
| Company | Employee / User | |
|---|---|---|
| Wants to be an attractive employer | Wants the newest devices | |
| Wants to increase flexibility and mobility of employees | Wants to be mobile, use home office or perform work tasks during a commute | |
| Considers risks in mobile technology | Wants to be able to work at any time | |
| Looks for reasonably cheap solutions (TCO) | Wants quick and mobile access to corporate data and resources | |
| Necessity dictates division into user groups | Access regardless of device or physical location (coherence) | |
| Looks for solutions to business problems. These solutions might not be compatible with the needs of employees’ private use cases | Cost efficiency (personal perspective when device is being paid for by user) | |
| Influences on the Use of Mobile Devices in Corporate Environment | ||
| Technology | Compliance, Laws and Regulations | |
| High speed of innovation | Stricter laws and regulations | |
| High rhythm of innovation | New standards and best practises (cyber security) | |
| Innovation occurs in waves | Raised awareness (Cybercrime in the media, sensitive data, personal data) | |
| Is being adapted by employees much earlier than company adopts it | Federal Act on Data Protection | |
| Regulators of all kinds such as FINMA at banks |
Security Requirements
Efficient security measures must therefore be much more extensive than the synching of related areas of technology such as versioning of operating systems and apps, support, device management, public and private networks, virtualization. They require an encompassing inclusion of technological, legal, conceptual and societal factors.
Regulatory measures, laws, standards and checks of current risk management strategies are also a requirement.
The fact that privacy of employees is to be protected is also something that can’t be missed. This, however, can easily lead to collateral damage. Meaning that the wrong handling of personal employee data and violation of their privacy can lead to unpredictable reputational damage when this data is available to the public.
Related, it stands to mention that the intended raised availability of employees even after they’ve left the corporate environment – which is supposed to bring great advantages in mobility and flexibility – can lead to violations of employee rights. Business related enquiries outside of the employee’s designated working time can be perceived as an unwelcome factor of stress.
Pragmatic Approach of a Design for Measures in Corporate Environments
Security measures can be approached in any number of ways. One is the categorizing of employees on the basis of sensitivity of their data access with their smart devices.
- Employees that do not have access to sensitive business, client or personal data
- Employees that do have access to sensitive business, client or personal data
On these basic categories, we can define a set of general rudimentary measures that apply to both categories
- Data classification and protection mechanisms regarding confidentiality, integrity and availability
- Policy and agreements with employees about smart devices
- Adequate policies create a balance of governance between established security of the smart device and security of the employee’s personal data on the device.
- The right business conditions regarding private smart devices should be fair and balanced for all parties involved. Employees should be allowed to choose whether or not they want to use their smart device for work purposes.
- Corporate should inform employees about use of smart devices, established security and terms of use. This includes reminders that violation of these terms can lead to sanctions.
- Periodical risk assessments of operating systems and apps on smart devices.
- Checks should be performed semi-annually or upon major release of the operating system in order to maintain compliance with corporate guidelines
- An independent and qualified check should be performed periodically. Important topics here are data security, data leakage client data and protection of personal data and others. If risks or vulnerabilities that may lead to data leaks can be identified, adequate measures of mitigation are to be taken.
Fore more specific measures of protection of both user types, further distinctions can be made depending on whether an employee gets data read only access or data storage access on their smart devices:
Depending on that decision, controls with different specifications and protection levels are to be put in place. Because listing them all would make this article almost endless, I will give you some food for thought in form of an incomplete list:
- Access controls and permissions
- Application Vetting: Checks whether or not an app meets corporate security standards The check includes two main activities: Static and dynamic testing as well as app approval or rejection. Some important terms when talking about App Vetting:
- Device Lock-down and Encryption of All Data and Communications (I/O, USB, WiFi, etc.)
- Enforcement of Security Policies in the device Framework
- Second-level Defenses (Prevent Attacks that bypass Security Framework (Kernel-level)
- In-Field Instrumentation
- Securing Provisioning Process
- Protection against malicious apps, viruses and malware
- Data protection and encryption of data on the device as well as DLP
- Security patching / OS updates
- Permitted use: Which devices, platforms, applications, services and peripherals are cleared for use by corporate?
- Device management:
- Hardware maintenance
- How big is centralized control?
- Is there containerization in place?
- How can devices be locked, remotely wiped or recovered in case of theft or lost or damaged devices?
- What happens upon loss, theft or damage of the device?
- How much tech support by corporate can employees expect?
Again, privacy of employees must be maintained in a structured, planned way. If IT support has access to the device during a support case, support will also have access to personal data.
Risk Based Approach
In order to compile a risk management strategy, there needs to be a method that explains how to deal with risks on smart devices in the corporate environment. The approach using a risk matrix appears to make the most sense.
One side explains the exposition criteria such as possible implication. These are the corporate requirements. The other side lists the impact the information itself can have. Confronting the two will result in a potential risk.
Likelihood
Rudimentary and general corporate requirements themselves can be divided into two short questionnaires that serve as an indicator for the likelihood of an incident.
| Device and Functionality Properties | ||||
|---|---|---|---|---|
| Privately Owned Device |  | Yes |  | No |
| Offline Storage | | Yes | | No |
| Remote Access | | Yes | | No |
| Encryption | | Yes | | No |
| Other (e.g. Cross Border) | | Yes | | No |
| Third Party Access | ||||||
|---|---|---|---|---|---|---|
| Likelhood of Theft | | High | | Medium | | Low |
| Likelihood of Accidental Loss | | High | | Medium | | Low |
| Likelihood of Malware Infection | | High | | Medium | | Low |
Based on this, we can assess the Likelihood.
| Assessed Likelihood | High |
|---|
Potential Damage
The potential damage describes the risk that information itself can have for corporate interests, be they internal or external.
| Potential Damage Classification | ||||||||
|---|---|---|---|---|---|---|---|---|
| Classification | | Public | | Internal | | Confidential | | Secret |
| Data Records | | None | | One | | Few | | Many |
| Impact on Reputation | | None | | Low | | Medium | | High |
| Confidentiality | | None | | Low | | Medium | | High |
| Integrity | | None | | Low | | Medium | | High |
| Availability | | None | | Low | | Medium | | High |
| Other (e.g. CID) | | None | | Low | | Medium | | High |
Based on this, we can assess the Information Risk.
| Assessed Information Risk | Medium |
|---|
Combining the Corporate Risk and the Information Risk, we can use this matrix to visualize the classifications.
| Potential Damage | |||||
|---|---|---|---|---|---|
| None | Low | Medium | High | ||
| Likelihood | High | • | |||
| Medium | |||||
| Low | |||||
| None | |||||
Summary
From a corporate point of view all employees can cause extensive damage with their personally owned smart devices in a corporate environment. The smart phones, tablets and other smart devices can compromise business data, client data and personal data of employees. And as we all know, this has happened repeatedly. To disregard this clear and present risk is undoubtedly going to lead to huge risks.
In order to find and successfully exploit the advantages of privately owned devices in a corporate world there needs to be a solid strategy that includes technological, legal, cultural and societal aspects and trends. And, of course, an intelligent balance between freedom of employees to use whatever smart device they see fit in a corporate environment and limitations in order to protect business and personal interests.
From an employee point of view the blending of private and business life seems to be full of advantages at first glance. It appears as if using privately owned devices expands personal freedom into their users’ business environment. However, the opposite can be the case. In a globalized, largely digitalized economy where borders between private life and business disappear, personal data is a considerable resource that can lead to extremely lucrative business. Therefore, employees should be made aware of the fact that they should keep their private lives private. Sadly, the trend goes in the opposite direction.
As we can see in media, accents are put on problems with data protection and protection of privacy. At the same time, hopes for simple and quick solutions that can be of technological, societal or legal nature such as Privacy by Design vanish into thin air. Even though the discussion about mass surveillance by secret services rages everywhere, along with the subjects of data protection and the steady mixing of private, public and business life, many feel as if they’re unaffected by this.
This indifference regarding privacy seems highly problematic to me.
About the Author
Is your data also traded on the dark net?
We are going to monitor the digital underground for you!
×
Active Directory certificate services
Eric Maurer
Foreign Entra Workload Identities
Marius Elmiger
Active Directory certificate services
Eric Maurer
You need support in such a project?
Our experts will get in contact with you!