CESG updates its BYOD guidance

CESG, the Government’s National Technical Authority for Information Assurance, has updated its advice for organisations considering a ‘bring your own device’ (BYOD) approach.

It says the revised guidance is in response to the “rapid increase in the use of mobile devices and the growth of remote and flexible working staff now expecting to use their own laptops, phones and tablets to conduct business”.

The guidance, which went live last week, describes the key security aspects to consider in order to maximise the benefits of BYOD while minimising the risks.

The advice updates an earlier pre-Alpha version, which contained only a small amount of information, mainly an insight into where CESG was going with its BYOD thinking.

CESG says the guidance should be used to inform risk management decisions for BYOD deployments and is particularly relevant for public sector organisations operating at the ‘Official’ government security classification level.

This guidance applies to any type of BYOD software product running on a personally-owned device, including:

•Container applications on personally-owned smartphones;

•Bootable USB media on home PCs; and

•Remote desktop or remote application products.

The BYOD guidance covers the BlackBerry Secure Work Space, the Excitor G/On OS and Windows To Go. For those organisations planning BYOD, there is also guidance for risk owners assessing the risks associated with a BYOD approach, including device security considerations, enterprise considerations and architectural approaches.

The guidance warns that personally-owned devices are designed to facilitate the easy (and often automatic) sharing of data and device owners are used to sharing personal information with other users and in the cloud, therefore any BYOD policy should highlight the risks of sharing business data with unauthorised users.

CESG says organisations need to consider how security problems in personal applications (eg, blogs and social media) may affect their applications, information and network services. For example, users may inadvertently send social networking posts from their corporate identity instead of their personal account if both are configured on the device. The automatic backup of data on a device to a cloud-based account or to the user’s PC is a risk that needs to be managed.

There are a range of technical services, such as mobile device management (MDM), that can help to remotely secure, manage and support personally-owned devices. However, the guidance says it is important to balance technical controls with usability; if a solution is too restrictive, then staff may find workarounds or use unsafe alternatives to achieve their business goals.

Staff should also be made to authenticate themselves before being given access to business data. Since personally-owned devices are more likely to be infected by malware, some authentication credentials could be compromised. CESG says organisations should consider using different credentials for BYOD access to business systems from those devices that are given broader access. For example, usernames and passwords should not be shared between personally-owned devices and the business desktop environment.

Organisations also need to anticipate increased device support. A successful BYOD approach could lead to services being accessed by different types of device. Implementation of any of the security controls previously applied to corporately owned devices would then need to be applied to a variety of hardware and software combinations. This will increase support demand in terms of:

•The need to support a greater number of device types;

•Keeping multiple operating systems patched and up to date; and

•Responding to security incidents across a variety of devices and operating systems.

As BYOD implementation expands, sufficient IT support capability and expertise will be needed to manage a growing range of devices and device platforms. The associated cost of supporting a variety of devices, operating systems and user d