Let’s talk about trust.
So far, my BYOD guidance has been to give your employees a lot of value without allowing their devices to access your internal corporate network. Frankly, the ability to trust any mobile device inside the firewall is a hard sell for security folks. The closest I’ve ever seen was encrypted Windows Mobile 6.1/6.5 devices that could actually join the corporate Domain, be managed by group policy, and connected via an always-on Mobile IKE VPN.
While you’re thinking that a VPN connection is the ticket to protect corporate data, you might not be ready to trust your whole network with your whole device.
Verizon’s ICSA labs ranked mobile malware and cybercriminals targeting and infecting app stores as the top two security threats for 2012. They want to lure users into downloading infected apps where the infection will spread beyond the smartphone or tablet and into the corporate network. This gives me enough pause that I don’t feel the need to punch holes in the firewall to create a VPN tunnel between my device and the internal network. Even on PIN-enforced devices with encrypted file storage, this could lead to a false sense of security.
The 3rd party apps that your BYOD users freely download can be a bigger threat to sensitive data leakage than losing the phone in the back of a taxi.
How can this be?
Many people have grown numb to paying attention to the ‘device capabilities’ apps request permission to access when they download them from an app store. For instance, when the home screen wallpaper you’re downloading wants read/write access to your contacts, the file store, SD card, the phone dialer, and the Internet, you should probably think twice. The problem is too many folks just impatiently tap “Accept” or “Okay” and put their device at risk. Other people jailbreak or root their devices so they can side load or download a broader set of potentially risky apps.
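To make the "think twice" step concrete, here is an added example (not from the original post) that reads the permission list out of an Android app's manifest and flags requests that go beyond what the app's stated purpose needs. The manifest for the wallpaper app is constructed to match the one described above; the per-category baseline in `EXPECTED` is an assumed policy of my own, not an Android rule.

```python
"""Audit the permissions an Android app requests against what its category should need."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # namespaced attribute used by <uses-permission>

# Permissions that reach data or network paths that matter on a BYOD device.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.WRITE_CONTACTS": "modify the address book",
    "android.permission.READ_EXTERNAL_STORAGE": "read the shared file store / SD card",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write the shared file store / SD card",
    "android.permission.CALL_PHONE": "place calls through the dialer",
    "android.permission.INTERNET": "open network sockets",
}

# Assumed baseline per app category (policy I made up for this example): what is plausibly needed.
EXPECTED = {
    "wallpaper": set(),
    "mail client": {"android.permission.INTERNET", "android.permission.READ_CONTACTS"},
}

# Constructed manifest for the wallpaper app described in the post.
WALLPAPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.prettywallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed manifest for a mail client, which legitimately needs network and contacts.
MAIL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mail">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def audit(manifest_xml, category):
    """Compare requested permissions with the category baseline and give a verdict."""
    requested = requested_permissions(manifest_xml)
    baseline = EXPECTED.get(category, set())
    excess = {p for p in requested if p in SENSITIVE and p not in baseline}
    # Network access plus any data permission is the leakage pattern the post warns about:
    # data the app can read on the device can leave the device.
    sensitive_requested = requested & set(SENSITIVE)
    exfiltration_path = ("android.permission.INTERNET" in sensitive_requested
                         and len(sensitive_requested) > 1)
    if excess and exfiltration_path:
        verdict = "block"
    elif excess:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "requested": requested,
        "excess": excess,
        "excess_explained": sorted(SENSITIVE[p] for p in excess),
        "exfiltration_path": exfiltration_path,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest, category in (("wallpaper", WALLPAPER_MANIFEST, "wallpaper"),
                                     ("mail", MAIL_MANIFEST, "mail client")):
        result = audit(manifest, category)
        print(name, result["verdict"], result["excess_explained"])
```

The wallpaper app comes back as `block` because it asks for contacts, storage, the dialer and the Internet while needing none of them; the mail client comes back `ok` because the same network-plus-contacts pair is within what a mail client needs. The category baseline is the part an organisation has to maintain for itself.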
The key takeaway here is that using a VPN to extend your Intranet out to your devices may inadvertently provide rogue apps possessing elevated rights the ability to attack your internal network and/or steal sensitive data by traversing the secure tunnel you created. In worst case scenarios, your mobile VPN is the lowered drawbridge and rogue apps and malware downloaded by your BYOD employees are the Trojan Horse.
Kind of ironic.
For now, keep the tidal wave of devices on the ‘Guest’ Wi-Fi network where they can only access the Internet. Give certified, corporate mobile apps access to discrete internal web services and sites that you publish through a secure gateway.
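The egress policy that paragraph describes, as an added example (not the post's own material): guest Wi-Fi clients may reach the Internet and the one published gateway port, and nothing else on internal address space. The address ranges below are constructed (the guest VLAN, a DMZ gateway, and RFC 5737 documentation addresses standing in for Internet hosts); the `render_iptables` output is the same policy written as ordinary iptables FORWARD rules, included so the rule order is visible.

```python
"""Evaluate and render an 'Internet only, plus one published gateway' policy for a guest Wi-Fi VLAN."""
import ipaddress

# Constructed topology for this example.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")        # BYOD devices land here
GATEWAY = ipaddress.ip_address("172.16.10.10")             # DMZ reverse proxy publishing internal web services
PUBLISHED = {(GATEWAY, 443)}                               # the only internal (host, port) guests may reach

# Address space that must stay unreachable from the guest VLAN: RFC 1918, loopback, link-local.
# Note that GUEST_NET itself falls inside 192.168.0.0/16, so guest-to-guest traffic is denied too.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def decide(src, dst, dport):
    """Return 'allow' or 'deny' for a TCP flow from a guest client. Order matters:
    the published exception must be checked before the private-range deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in GUEST_NET:
        raise ValueError("policy only covers flows originating on the guest VLAN")
    if (dst, dport) in PUBLISHED:
        return "allow"
    if any(dst in net for net in BLOCKED_NETS):
        return "deny"
    return "allow"  # everything else is the public Internet


def render_iptables():
    """Emit the same policy as iptables FORWARD rules, published exception first."""
    rules = []
    for host, port in sorted(PUBLISHED, key=lambda hp: (int(hp[0]), hp[1])):
        rules.append("iptables -A FORWARD -s %s -d %s/32 -p tcp --dport %d -j ACCEPT"
                     % (GUEST_NET, host, port))
    for net in BLOCKED_NETS:
        rules.append("iptables -A FORWARD -s %s -d %s -j DROP" % (GUEST_NET, net))
    rules.append("iptables -A FORWARD -s %s -j ACCEPT" % GUEST_NET)
    return rules


def evaluate_flows(flows):
    """Apply decide() to a list of (src, dst, dport) tuples and return the verdicts."""
    return [(src, dst, dport, decide(src, dst, dport)) for src, dst, dport in flows]


# Constructed sample flows from one guest device.
SAMPLE_FLOWS = [
    ("192.168.50.23", "198.51.100.5", 443),   # public web site: allowed
    ("192.168.50.23", "172.16.10.10", 443),   # published gateway: allowed
    ("192.168.50.23", "172.16.10.10", 22),    # same gateway, unpublished port: denied
    ("192.168.50.23", "10.1.2.3", 445),       # internal file server: denied
    ("192.168.50.23", "192.168.50.24", 80),   # another guest device: denied
]

if __name__ == "__main__":
    for src, dst, dport, verdict in evaluate_flows(SAMPLE_FLOWS):
        print("%s -> %s:%d  %s" % (src, dst, dport, verdict))
    print("\n".join(render_iptables()))
```

The point the rendering makes is that the published-service ACCEPT line has to precede the DROP lines for private space; with the order reversed, the gateway becomes unreachable from guests even though it is the one internal host they are supposed to use. Anything beyond port 443 on that gateway stays closed, which is the "discrete web services" part of the guidance.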
Sharing my knowledge and helping others never stops, so connect with me on my blog at http://robtiffany.com , follow me on Twitter at https://twitter.com/RobTiffany and on LinkedIn at https://www.linkedin.com/in/robtiffany