10 Steps for BYOD Security

Best Practices Guide


2013 ForeScout Technologies, Inc. All rights reserved. Call Toll-Free: 1.866.377.8771 www.forescout.com
Industry Whitepaper 10 Steps for BYOD Security
ForeScout Technologies, Inc. www.forescout.com Page 1
Overview
Mobile devices such as smartphones and tablets have entered the workplace en masse, quickly becoming essential tools
for employees. A recent market study found that 95% of organizations in the United States currently permit employee-owned
devices, and many organizations are going a step further and actually requiring employees to purchase their own mobile devices.
IT departments have been forced to respond to pressure from executives, business units and employees to provide widespread
support for BYOD (bring your own device) environments.
While the benefits of BYOD are undeniable (increased productivity, faster decision making, greater job satisfaction and a more
attractive and flexible work environment), there are inherent security risks associated with BYOD adoption that IT organizations
must address and mitigate. Market research identifies the top three BYOD concerns of IT management today as network security,
data security and device security. Consequently, while there are cost savings associated with reduced corporate device
purchases, BYOD environments necessitate additional investments in IT infrastructure and management software, as well as
the development of policies and procedures to effectively manage and secure personal devices.
Here, we outline the important steps that an organization should undertake when implementing a successful BYOD program:
one that contains the appropriate policies, procedures and security measures to protect your data and your network.
1. Form a committee
A BYOD program must meet the needs of multiple
constituencies for it to be successful. A team that includes
members from different IT departments (e.g., security, network,
endpoint and application) plus a representative sample of users
from various business units is preferable. It is important to
decide who is accountable for the overall success of the BYOD
program. BYOD policies should be an agreement between the
employee and business unit management, with input from HR.
The role of IT should be to simply implement and enforce the IT
controls to support these policies.
2. Gather data
Document the status quo. Review current policies and
prevailing attitudes toward IT security and management.
Identify which departments/groups/individuals have been
most active and supportive in developing and embracing
policies in the past. Gather data about:
- Device count by platform, OS version, ownership (company, personal, non-company personnel)
- Assessment of data currently passing onto and through mobile devices
- Mobile device applications in use, app ownership and app security profiles
- All entry paths used by mobile devices, such as cellular, Wi-Fi, bridge to workstation or VPN

3. Identify and prioritize use cases via
workforce analysis
To be effective, mobile device policies must be contextual to
match the organization's various use cases. You need to plan out:
- How will mobile devices be used?
- Which mobile applications need to be used offline, such as on airplanes and in elevators?
- What information will be accessible through mobile devices?
- What information will be stored on the mobile devices?
4. Create an economic model
Create a financial model that can be added to and adjusted
in subsequent steps. BYOD programs may or may not
lead to direct cost savings; but the ROI derived through
increased productivity, greater job satisfaction, a flexible
work environment and the ability to attract talent can't be
overlooked. Factor in the following:
- Device costs (may increase or decrease depending on what the company covers)
- Data connectivity costs (will the organization cover data plans to achieve economies of scale?)
- Software license costs (and tracking software used/installed on personal devices)
- IT infrastructure costs (security, management, bandwidth, data protection)
5. Formulate policies
For any medium to large organization, a one-size-fits-all
approach is unlikely to succeed. Different policies for different
groups/departments/types of users must be considered. For
example, for the majority of employees you may support
simple applications such as email on the top five mobile
platforms; for the sales organization you may wish to support
a sales force automation package on only one or two mobile
platforms; executives may receive best-effort support for all
applications on their desired platform. Strike the appropriate
balance between user experience and security based on your
organization's desired risk profile. BYOD policies should be
broad-based and protect the wired and wireless networks.
Use cases should address smartphones and tablets that need
wireless access, as well as laptops (Mac and Windows) that
need wired access.
6. Decide how to protect your network
Once you have decided which types of devices to allow, and
what applications and data you are going to permit on each
device, your next step is to determine how you are going to
limit access and protect your network from unauthorized,
non-compliant and rogue devices. While you may be tempted
to manage the BYOD program manually by deploying 802.1X
configurations and certificates to a pre-determined set of
approved personal devices, this approach is likely to prove
cumbersome, static in nature and non-scalable. Network
access control (NAC) provides one of the most flexible and
automated approaches to securing a BYOD environment.
NAC offers device profiling, user authentication, guest onboarding,
compliance and configuration checks, automated
remediation and a granular policy-based approach to easily
implement the managed diversity model across an enterprise.
7. Decide how to protect your data
In any BYOD project you need to determine how to secure
your data. NAC protects data on your network from unauthorized
and non-compliant devices, but you also need to protect
data stored on the mobile device. A multi-platform mobile
device management (MDM) system is the best approach for
managing and securing the information on corporate and
personal mobile devices. MDM systems often provide a set of
mechanisms that enforce separation between corporate and
personal footprints on a device. One such mechanism is the
use of containers to house sensitive information and corporate
apps (such as corporate email) on a mobile device, allowing
employees to retain device control and application choice
outside corporate containers. Containers prevent data movement
from one app to another, typically include encryption and
data loss prevention controls, and provide the ability to delete
corporate data without deleting the employees' personal information
(partial wipe).
8. Build a project plan
Create a plan for implementing IT controls to support your
BYOD policies. Determine if the controls will be implemented
in a phased manner or all at once. Some common BYOD
controls include:
- remote device management
- application controls
- policy compliance and audit reports
- data and device encryption
- augmenting cloud storage security
- wiping devices when retired
- revoking access when the end-user relationship changes from employee to guest
- revoking access when employees are terminated
9. Evaluate solutions
According to Gartner, NAC and MDM are key components of
a broad BYOD security strategy. When evaluating solutions,
make sure you consider the impact on your existing network
and how well the solution integrates with existing IT systems
such as directories, patch management, ticketing, endpoint
protection, vulnerability assessment and SIEM systems. Strike
the right balance between cost, security, and user experience.
10. Implement solutions
Building and refining operational processes is key to scaling
a BYOD project. Begin with a pilot project (select users from
each department or only IT staff) to test and refine BYOD
policies. Broaden the program with a goal of supporting 500
to 1000 employees in specific departments to refine and
scale the operational processes. Then open the program to
all employees, perhaps one business unit at a time, based on
your organizational criteria.
About ForeScout
ForeScout enables organizations to accelerate productivity
and connectivity by allowing users to access corporate
network resources where, how and when needed without
compromising security. ForeScout's real-time network
security platform for access control, mobile security, endpoint
compliance and threat prevention empowers IT agility while
preempting risks and eliminating remediation costs. Because
the ForeScout CounterACT solution is easy to deploy,
unobtrusive, intelligent and scalable, it has been chosen by
more than 1,400 of the world's most secure enterprises and
military installations for global deployments spanning 37
countries. Headquartered in Cupertino, California, ForeScout
delivers its solutions through its network of authorized
partners worldwide. Learn more at www.forescout.com.
ForeScout Technologies, Inc.
10001 N. De Anza Boulevard
Cupertino, CA 95014, USA
Toll-free: 1.866.377.8771 (US)
Tel: 1.408.213.3191 (Intl.)
Fax: 1.408.213.2283
www.forescout.com
2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, CounterACT
Edge and Active Response are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc 2013.0008