BYOD for Employees
IST 725 Final Paper – BYOD for Employees May 1, 2012
Bring Your Own Device for Employees
Understanding the IT Security Architecture Impacts
Leo de Sousa – IST 725
Leo de Sousa Page 1
Table of Contents
Abstract ........................................................................................................................................... 3
Introduction ..................................................................................................................................... 4
EA3 Cube Framework Overview .................................................................................................... 8
IT Security Architecture Overview ............................................................................................... 10
Current State - UWYT .................................................................................................................. 11
Future State - BYOD .................................................................................................................... 15
BYOD Management Plan ............................................................................................................. 22
Conclusion .................................................................................................................................... 24
References ..................................................................................................................................... 26
Abstract
This paper takes an enterprise architecture approach to describe the IT Security Architecture
impacts of migrating from an employer supplied “use what you’re told” (UWYT) model to an
employee purchased “bring your own device” (BYOD) model. More and more employees and
executives demand the option to use their consumer IT devices to do their work. This blend of
work and life, combined with flexible work hours also contributes to an atmosphere where
people want to be able to work with the tools of their choice. “Work is no longer a place you go
to, and then leave, but an ongoing activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)
Organizations will have no choice but to address the demands of their employees. IT
departments in particular, play a key role in articulating the IT security impacts of BYOD
programs on their organization. Blount explores the Consumerization of IT – Security
Challenges by describing the challenges, the opportunities and the benefits. “This important
trend is not just about new devices; it’s about the entire relationship between IT and its user
population.” (Blount, 2011, p. 3) BYOD is not just a technology or device specific issue.
To better understand the impacts of the BYOD trend on organizations, we need a model to
describe the current state, the future state and develop a management plan to understand the
changes required. Dr. Scott Bernard developed and published the EA3 Cube Framework as a
“management program and a documentation method” (Bernard S. A., 2005, p. 33). This paper
follows the EA3 Cube framework to help understand the transformative impacts of BYOD on IT
Security. Focusing specifically on IT Security Architecture, this paper will use the following
layers from the Security Architecture Framework to understand and communicate the impacts of
BYOD for organizations: (Bernard & Ho, 2007, p. 10)
1. Information Security Governance
2. Operations Security
3. Personnel Security
4. Information and Data Flow Security
5. Application Development Security
6. Systems Security
7. Infrastructure Security
8. Physical Security
After reading this paper, the reader will have an overview, based on an enterprise architecture
framework, of the IT Security Architecture impacts that implementing an employee BYOD program
has on organizations.
Keywords: BYOD, data, devices, enterprise architecture, IT security architecture, mobility,
policy, risk management, security, UWYT
Introduction
More and more employees and executives demand the option to use their consumer IT devices to
do their work – “bring your own device” (BYOD). This blend of work and life, combined with
flexible work hours also contributes to an atmosphere where people want to be able to work with
the tools of their choice. “Work is no longer a place you go to, and then leave, but an ongoing
activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3) Organizations will have no choice but
to address the demands of their employees. IT departments, in particular, have a key role to play
in articulating the IT security impacts of BYOD programs on their organization.
The predominant endpoint model in organizations is employer supplied endpoint devices such
as personal computers and phones (UWYT). This dominant model allows organizations to
tightly control access to corporate digital assets including systems and applications as well as
corporate structured and unstructured information. In this paper, an endpoint is defined as any
device that allows a user to interact with organizations’ digital assets over a network – “the
device at the end of a transport layer of a network.” (Wikipedia, 2012)
BYOD programs present some difficult questions that require changes to policies, business
practices, information security, systems and IT infrastructure.
• What devices are acceptable for employees to use?
• How do employers ensure that the devices employees choose to use have appropriate
security and encryption software?
• What happens if an employee device is lost containing corporate data?
• What amount of control will the employer demand vs. what an employee is willing to
grant on personal devices?
• What risks do employers run when an employee owned device contains unlicensed or
illegal software and content?
• What are the risks and impacts of these “gateways” to corporate network as they
travel with their owner to their homes, coffee shops and vacations?
• What role does identity management and application virtualization play in enabling
and securing BYOD approaches?
• How can employer supplied applications be segregated from employee owned
applications?
Ensuring that there is central management of the infrastructure running on corporate networks
allows organizations to meet the audit requirements of privacy legislation like Freedom of
Information and Protection of Privacy Acts (FIPPA) and Health Insurance Portability and
Accountability Acts (HIPAA). Further, organizations that accept payment for goods and
services via payment cards are subject to compliance with Payment Card Industry Data Security
Standards (PCI-DSS). Introduction of consumer based, employee owned devices into corporate
networks increases the complexity of security management systems. There is also an increased
risk of non-compliance with information security policies. Costs will be incurred to
accommodate employees having the ability to choose their own endpoints, including potentially
higher costs as pricing and contractual benefits are lost with individual purchases. (ProfitLine,
2011, p. 2)
Sen published a paper that explores the “Consumerization of Information Technology Drivers,
Benefits and Challenges for New Zealand Corporates”. Sen suggests the following corporate
challenges need to be understood and addressed: (Sen, 2012, p. 14)
• Cost Constraints and Uncertain Cost Boundaries
• Security Challenges
• Challenges in Support and Control
• Challenges around Evolving Relations and Expectations
• Changing Policy Needs
• Regulatory Obligations
The “use what you’re told - UWYT” model delivers cost management, security management,
centralized support and strong policy enforcement. The challenge with UWYT is that it fails to
deliver on social engagement or to facilitate the blending of personal and work life, which
Wallin defines as “keep employees happy”. (Wallin, 2011, p. 1) Two key groups are driving BYOD
initiatives – “senior managers at the board level asking IT to sync their personal devices with
work and the number of younger employees … with high expectations of using their personal
devices with work applications.” (Ranger, 2012) Wallin confirms this: “often, ‘bring your own’
starts on the executive floor”. (Wallin, 2011, p. 1) Employee recruitment and retention are
positively impacted by implementing new working practices like BYOD. (6dg, 2012) Employee
satisfaction and motivation are very relevant topics as organizations look to increase productivity
in a globally competitive business environment by having a motivated workforce. Sen’s paper
cites the following corporate benefits: (Sen, 2012, p. 13)
• Accelerates Business Growth
• Productivity through Employees bringing in New Technology
• Employee Productivity through Trust
• Cost Benefits
Employees expect to work with tools that are equivalent in capability to those they purchase for
personal use. This is a significant challenge, especially in terms of cost, as most organizations
cannot keep up with the rapid developments in consumer IT and fall behind. “Employees expect
to be able to use all the innovative new devices and tools at their disposal, both to do their jobs
and to maintain their always-connected lifestyles while being able to work whenever and
wherever they need to.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 1)
Leif-Olof Wallin from Gartner provides four conflicting goals that need to be considered when
an organization considers moving from UWYT to BYOD.
1. Social – keep employees happy
2. Business – keep processes running effectively
3. Financial – manage costs
4. Risk Management – stop bad things from happening (Wallin, 2011, p. 1)
A whitepaper presented by ProfitLine introduces the concept of liability to describe models of
deploying services. The concept of liability helps categorize the risks that IT Security
Architecture addresses. “Corporate Liable” is defined as “devices/services paid by employer and
contracts are signed by enterprise representative.” (ProfitLine, 2011, p. 2) This describes the
traditional approach of employer supplied and controlled endpoints (UWYT). The contrasting
model is “Individual Liable”: “devices/services purchased by employee, who is then
reimbursed via expense report or stipend for minutes spent on business calls or emails.”
(ProfitLine, 2011, p. 2) Individual Liable describes the BYOD model for user endpoints in
organizations. In practice, a hybrid of Corporate and Individual liability is the most practical
approach for organizations.
The whitepaper also suggests key risk factors that need consideration: (ProfitLine, 2011, p. 2)
• Sourcing and Contractual Issues – major pricing and contractual benefits are lost when
moving to an Individual Liable model – for example, a 7,000 user profile resulted in a
significant cost increase due to individual purchases over bulk corporate purchases
• IT Support and User Experience – hidden IT support costs and potential user experience
issues – for example, employees will still call the central IT service desk and the IT
department will have significant difficulty keeping up with the variety of endpoints and
their particular support needs. User experience can also suffer, as employees would have to
go to the place they purchased their device for support
• Security – increased security risks and policy ramifications – for example, security policies
and safeguards must be put in place to protect corporate assets. Creating a policy that users
sign off on, addressing issues like controls on personal devices, is critical
Orans and Pescatore from Gartner present a model to help understand risk and security pressures
on the value to the business from BYOD. They describe four strategies organized in a
two-dimensional quadrant: the horizontal axis, “Security Pressure”, refers to security demands
from internal and external forces, and the vertical axis, “Value to Business”, refers to the
value that the user delivers to the business through the use of consumer technology. They
recommend that most organizations begin with the Contain strategy and use
Network Access Control (NAC) to “isolate personally owned mobile devices in a limited access
zone, where they may access a subset of applications and data.” (Orans & Pescatore, 2011, p. 1)
Network Access Control in combination with Mobile Device Management (MDM) and Hosted
Virtual Desktops (HVD) allows organizations to manage all four strategies of Block, Disregard,
Contain and Embrace for BYOD in organizations.
The quadrant diagram below maps the security responses to risk and business value.
Quadrant: Value to Business (vertical axis) against Security Pressure (horizontal axis)

                            Low Security Pressure    High Security Pressure
High Value to Business      Embrace                  Contain
Low Value to Business       Disregard                Block

(Orans & Pescatore, 2011, p. 3)
Category Definitions (Orans & Pescatore, 2011, p. 7)
• Block – (or ban) the use of consumer-grade products or services by explicitly prohibiting
their use in an appropriate policy; then enforce the policy by scanning for use or blocking
port numbers of device drivers – example: block peer to peer file sharing services
• Contain – actively accepts and facilitates use in well-defined situations and in some cases
implements controls to present the use of the consumer technology – example: SSL VPN
• Disregard – essentially means pretending that the consumerization trend doesn’t affect you
or at least not actively looking to see where consumer technologies are in use – example:
technology that has no business impact like an MP3 player
• Embrace – refers to the IT organization incorporating consumer-grade technology (or
enterprise versions of consumer products/services) and promoting, delivering and
supporting it just like any other IT-delivered product or service – example: corporate use
of iPads for employees
EA3 Cube Framework Overview
The EA3 Cube Documentation Framework (Bernard S. A., 2005, p. 38) provides an excellent
starting point to understand the risks and impacts of implementing an employee BYOD model.
The documentation framework structures the layers of an organization so that we can map
changes and their impacts to them.
Enterprise Architecture (EA) is described by the formula (Bernard S. A., 2005, p. 32):
Enterprise Architecture = Strategy + Business + Technology
The EA3 Cube framework describes an Enterprise Architecture by documenting the current state
of an enterprise and then documenting the future state with the changes implemented. The
documentation approach has six basic elements. (Bernard S. A., 2005, p. 37)
1. EA documentation framework – levels, segments and artifacts
2. EA components
3. Current State view
4. Future State view
5. EA Management Plan
6. Planning Threads – IT security, IT standards and IT workforce
Here are images of the EA3 Cube Documentation Framework: (Bernard S. A., 2005, p. 38)
Implementing BYOD will touch all the components in the EA3 Cube framework particularly the
Security/Standards/Workforce planning thread. There will be changes required to the
architecture layers of data and information, systems and applications and networks and
infrastructure. There should be a special focus on access and protection of data and information
as digital information in enterprises is growing exponentially. Enabling access to digital
information on personally owned devices like laptops, tablets and mobile phones requires added
security measures to protect against data breaches. Meeting employee demands for
personalization must be balanced with the organization’s need to comply with legislation.
Looking at the EA3 Cube framework, we can see how each component interacts to enable secure
sharing of data and information to BYOD devices. Enterprise Security Architecture (ESA) is
one of the planning threads in the EA3 Cube framework. Enterprise Security Architecture helps
identify issues and the risks that could impact a company and its employees when implementing
a BYOD program. ESA also provides a framework for planning and implementing secure
business practices.
IT Security Architecture Overview
Enterprise Security Architecture is a vertical planning thread in the EA3 Cube framework as it
touches all the layers in the model. Bernard and Ho present a Security Architecture Framework
(SAF) that has eight layers: (Bernard & Ho, 2007, p. 10)
1. Information security governance
2. Operations security
3. Personnel security
4. Information and data flow security
5. Application development security
6. Systems security
7. Infrastructure security
8. Physical security
These eight layers are important to consider when shifting from employer supplied “use what
you’re told” (UWYT) to an employee purchased “bring your own device” (BYOD) model. Here
is an image that represents the Security Architecture Framework with the EA3 Cube layers on the
right: (Bernard & Ho, 2007, p. 11)
Current State - UWYT
Current State (EA3 and SAF) Fully Managed Endpoints - UWYT
The predominant organizational model of IT managed endpoints is employer supplied endpoints.
Think of this as the “use what you’re told – UWYT” model. (Lomas, 2011) This has been the
predominant model for IT departments supplying endpoints to their businesses for decades.
“UWYT treats the user as just another socket to be plugged into the network – a plug specifically
selected to fit the needs of the IT department, not the socket.” (Lomas, 2011) The Block and/or
Disregard models are used for UWYT environments. (Orans & Pescatore, 2011)
This section characterizes the information security attributes for UWYT so that we can compare
this to the future state implementing BYOD. One of the key aspects of the UWYT model is that
it limits the scope and costs of implementing IT security practices and policies by restricting the
choices for endpoints used by employees. This is a Corporate Liable model for risk.
Information Security Governance
“The purpose of the ‘IS Governance’ layer in the SAF is to define security strategies, policies,
standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho,
2007, p. 11)
The centralized nature of this model relies on IT being the only source for endpoint technology.
This is the Corporate Liable model for managing endpoints. IT departments have a mandate by
their organization to protect the company by standardizing and implementing policies that
enforce the Block and/or Disregard model. (Orans & Pescatore, 2011) Some companies employ
the Contain model for email and calendar access on BYOD devices, but they have not created a
formal BYOD policy. This introduces risks of data leakage from not being able to manage lost
or stolen devices. Most senior executives are unaware of this corporate risk. Many
organizations do not have an information security policy and rely on human resources policies
that align to a UWYT model. There is no question that the employer has all the control in this
model. This layer focuses on policy, policy formation, evaluation, and standards (including
legislative compliance – HIPAA and FIPPA).
Operations Security
“The purpose of the Operations Security Layer is to define the enterprise’s intra-organizational
and operational needs as they interact with and require access to the enterprise IT services, in
order to identify and address security needs at the enterprise’s organizational level.” (Bernard &
Ho, 2007, p. 12)
With the centralized UWYT model, organizations can limit the scope of operations security to
the assets deployed to employees. This reduces the ongoing cost of the following
activities: risk assessment, vulnerability assessment, contingency planning, incident handling
team, disaster recovery planning, business continuity planning and security operations center.
Personnel Security
“The purpose of the Personnel Security layer is to ensure that enterprise personnel are accessing
and utilizing its information and technology services safely, securely and in accordance with
their predefined roles and responsibilities of their job functions, through proper access control
plans and detection of employee anomalous behavior.” (Bernard & Ho, 2007, p. 14)
The UWYT model allows for security taps and monitoring into a known (centrally provisioned)
IT architecture. Monitoring of endpoints requires installation of security software on the device.
This security practice is much easier to implement when configuration and distribution of
devices come from a central source. Two key activities in this security layer are “Due
Diligence” practices and security awareness training. These two activities are easier for
companies to implement with a Corporate Liable UWYT model. Limiting the device types
allows for the creation of standard training materials and instructions for employees.
Information and Data Flow Security
“The purpose of the Information & Data Flow Security layer is to identify and classify
information and data as it moves through the enterprise – in order to justify adequate security
controls.” (Bernard & Ho, 2007, p. 16)
The UWYT model facilitates information and data flow security by standardizing controls to
manage the risks of data loss and data protection on endpoints. Using information classification
techniques protects the confidentiality and sensitivity of corporate information. The appropriate
access controls, authorization, encryption and backup techniques across all devices and users in
the organization can be determined based on information classification methods. Key activities
in this security layer are information classification, security models, risk controls, risk
management and risk analysis. All of these activities require a commitment of resources and
time. The implementation and management costs are less when the number of models/types of
endpoints that access corporate data is limited.
Application Development Security
“The purpose of the Application Development Security layer is to design the authentication,
authorization and accounting (AAA) components into the applications used in the enterprise; to
enforce the application process follow throughout the enterprise; and to ingrain security in the
SDLC.” (Bernard & Ho, 2007, p. 18)
The UWYT model encompasses the entire infrastructure needed to run the enterprise
applications used by employees to do their work. There typically are limitations on the hardware
(Intel PC), operating system (usually Windows) and browser (usually Internet Explorer) to allow
for standard configurations of applications. By controlling the hardware (the workstation or
laptop), central application security management is possible. One other attribute of
this layer in the UWYT model is that the applications developed, purchased and installed are
predetermined for employees. Key activities in this security layer are common application
vulnerabilities, software development lifecycle and best practices. Standardizing the application
development platforms reduces the number of vulnerabilities that application security
activities must address.
Systems Security
“The purpose of the Systems Security layer is to protect sensitive applications and provide
granularity of access controls to sensitive resources.” (Bernard & Ho, 2007, p. 20)
The key activities in this security layer are platform hardening, authentication and authorization,
database security, PKI enabled applications, single sign-on and host based intrusion detection.
The UWYT model facilitates these security activities because installation of system security
occurs at hardware configuration and before end user provisioning. Many organizations use the
BlackBerry Enterprise Server (BES) to control access to email and calendars on BlackBerry
mobile devices. BES also enforces policies like device encryption and mandatory
passwords. It also has the capability to “wipe” the device if it is stolen or lost.
IT departments are recognizing the importance of Identity and Access Management (IAM)
systems. These systems facilitate the provisioning of accounts, role management, authentication
and authorization to applications, systems and information. Many IAM systems rely on human
resource business processes to update employee records in a timely manner so that the
appropriate access is granted and removed as the person’s role changes.
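As an added illustration of the IAM point above (example code written for this page, not taken from the paper or from any IAM product), the following Python reconciles a constructed HR roster against a constructed directory of current entitlements. The role-to-entitlement mapping, the employee records and the entitlement names are all hypothetical. The logic covers the cases the paragraph alludes to: a joiner still missing an entitlement, a mover whose old role's entitlement has to be revoked, a leaver whose access is removed entirely, and an orphaned directory account with no HR record at all.

```python
# Added example: HR-driven access reconciliation for an IAM system.
# All roles, entitlements and employee records below are constructed for
# illustration; they do not describe any real organization or product.
from dataclasses import dataclass

# Hypothetical role model: which entitlements each job role should hold.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp", "email", "vpn"},
    "sales_rep": {"crm", "email", "vpn"},
}


@dataclass(frozen=True)
class HrRecord:
    """One row from the HR system of record (constructed sample)."""
    employee_id: str
    role: str
    status: str  # "active" or "terminated"


def desired_entitlements(record):
    """Entitlements HR says this person should hold right now.

    A terminated employee, or one in a role the model does not know,
    gets nothing: failing closed is the safe default for an IAM feed.
    """
    if record.status != "active":
        return set()
    return set(ROLE_ENTITLEMENTS.get(record.role, set()))


def reconcile(hr_records, current_access):
    """Compare HR truth with what the directory currently grants.

    Returns (grants, revokes): lists of (employee_id, entitlement) pairs
    that a provisioning job would apply. Accounts present in the directory
    but absent from HR are treated as orphans and fully revoked, which is
    how stale access from a missed leaver event gets caught.
    """
    grants, revokes = [], []
    seen = set()
    for rec in hr_records:
        seen.add(rec.employee_id)
        wanted = desired_entitlements(rec)
        held = current_access.get(rec.employee_id, set())
        grants.extend((rec.employee_id, e) for e in sorted(wanted - held))
        revokes.extend((rec.employee_id, e) for e in sorted(held - wanted))
    for emp_id, held in current_access.items():
        if emp_id not in seen:
            revokes.extend((emp_id, e) for e in sorted(held))
    return grants, revokes


# Constructed sample data: e1 is a joiner still missing VPN, e2 moved from
# finance to sales but still holds ERP, e3 has left, and e4 has no HR record.
SAMPLE_HR = [
    HrRecord("e1", "finance_analyst", "active"),
    HrRecord("e2", "sales_rep", "active"),
    HrRecord("e3", "finance_analyst", "terminated"),
]
SAMPLE_ACCESS = {
    "e1": {"erp", "email"},
    "e2": {"erp", "email", "vpn"},
    "e3": {"erp", "email", "vpn"},
    "e4": {"vpn"},
}


def run_sample():
    """Reconcile the constructed sample; returns (grants, revokes)."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCESS)


if __name__ == "__main__":
    sample_grants, sample_revokes = run_sample()
    for emp_id, ent in sample_grants:
        print(f"GRANT  {emp_id} {ent}")
    for emp_id, ent in sample_revokes:
        print(f"REVOKE {emp_id} {ent}")
```

The design choice worth noting is that the HR feed is treated as the only source of truth: anything the directory holds that HR cannot justify is revoked, so a late or missed termination record shows up as a revoke on the next run rather than lingering as stale access.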
Infrastructure Security
“The purpose of the Infrastructure Security layer is to develop a secure infrastructure that meets
all the security requirements of the enterprise and can safeguard against future attacks against the
enterprise.” (Bernard & Ho, 2007, p. 22)
This security layer is critical in protecting organizations. The UWYT model provides layers of
protection at the network level to limit threats from external attacks using network partitioning
and firewall security. It also provides protection from internal attacks by using network
partitioning, internal firewalls and virtual private networks (VPN). Some of the key activities in
this security layer are network partitioning, firewall security, network security testing, network-
based intrusion detection system (NIDS), broadband security, PKI risks, PKI issues and virtual
private networks.
Physical Security
“The purpose of the Physical Security layer is to construct a secure perimeter physical defense
system that safeguards the facility and physical resources for the enterprise.” (Bernard & Ho,
2007, p. 25)
Most organizations that use the UWYT model rely on keeping computer endpoints behind the
protection of physical security including building and facility security and physical access
controls. Taking UWYT devices out of the physical locations of organizations compromises any
physical security practices that are in place.
Current State Summary
The predominant model of IT managed endpoints in most organizations is employer supplied
endpoints – “use what you’re told” (UWYT). This method of endpoint management has many
benefits such as restricting complexity, managing enterprise risk due to data leakage, limiting
costs and providing strong IT security. This model assumes a Corporate Liable approach, where
“devices/services paid by employer, and contracts are signed by enterprise representative”.
(ProfitLine, 2011, p. 2)
The main attributes of this environment are centralized policies, standards, implementation and
usage. IT departments have a mandate by their organization to protect the company by
standardizing and implementing policies that enforce the Block and/or Disregard model. (Orans
& Pescatore, 2011) The UWYT model limits employee choice and potentially runs the risk of
being uncompetitive when seeking out talented employees. It is a “tightly coupled” model for
managing endpoints for an organization.
Future State - BYOD
Future State (EA3 and SAF) Endpoint Independence - BYOD
Many organizations are struggling to develop an approach to meet their employees’ demands for
using the devices of their choice. Employees expect to work with tools that are equivalent in
capability to those they purchase for personal use. Most organizations cannot keep up with the
rapid developments in consumer IT and fall behind particularly with new functionality.
“Employees expect to be able to use all the innovative new devices and tools at their disposal,
both to do their jobs and to maintain their always-connected lifestyles while being able to work
whenever and wherever they need to.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 1)
Every organization is facing a conflict between corporate and consumer IT spaces. This trend is
driven by employees who want to use the consumer based technology that they are familiar with.
With the market leadership of Apple consumer devices like the iPhone and iPad, companies are
struggling to keep up with the functionality and features in their corporate fleet of technology
endpoints. This is not just a staff level pressure but touches all levels of organizations as board
members bring tablets to their executive meetings. Some of the categories this trend impacts are:
mobile phones, storage, innovative services, dynamic content creation, update cycles and style
and customization. (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)
Corporate vs. Consumer IT (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)

Mobile Phones
  Corporate Space: Devices with functionality limited to phone calls and email, typically Blackberry
  Consumer Space: Smart phones offering tens of thousands of useful apps, typically iPhone or Google Phone

Storage
  Corporate Space: Restricted storage for files and email
  Consumer Space: Providers such as Google and Yahoo offering virtually unlimited storage

Innovative Services
  Corporate Space: Static employee directories and cumbersome proprietary platforms
  Consumer Space: Social networks such as Facebook and LinkedIn used for both socializing and working

Dynamic Content Options
  Corporate Space: Outdated static content within corporate intranet – centralized maintenance and control
  Consumer Space: Blogging, wiki, social networking and content services allowing consumers to create, customize, and manage the content they want

Update Cycles
  Corporate Space: Long replacement cycles – up to four years for hardware and eight years for software
  Consumer Space: Very rapidly updated hardware – immediate download of new apps and services

Style and Customization
  Corporate Space: Highly standardized, inflexible and often restricted environment (“beige box”)
  Consumer Space: High variety of consumer devices, systems, applications and “skins”
Blount explores the “Consumerization of IT – Security Challenges” by describing the challenges,
the opportunities and the benefits. “This important trend is not just about new devices; it’s about
the entire relationship between IT and its user population.” (Blount, 2011, p. 3) BYOD is not
just a technology issue. “In particular, enterprises can only leverage these benefits if they can
effectively control access to their critical systems, applications and information, from both
approved IT endpoints and from these new consumer devices.” (Blount, 2011, p. 3) The two
main types of controls for BYOD will be: controls on the device and controls relating to access
and use of IT systems, applications and information. (Blount, 2011, p. 9)
This section characterizes the information security attributes for BYOD so that we can compare
this to the current state using UWYT. Using Orans and Pescatore’s model, the future state
moves BYOD adoption from Block and Disregard to Contain and Embrace. BYOD impacts all
levels of the Security Architecture Framework. Each of the following sections will compare the
UWYT model to the BYOD model with a focus on the impacts on IT security practices and
policies. This approach creates a hybrid liability model with some Corporate Liable and
Individual Liable components.
Information Security Governance
“The purpose of the ‘IS Governance’ layer in the SAF is to define security strategies, policies,
standards and guidelines for the enterprise from an organizational viewpoint.” (Bernard & Ho,
2007, p. 11)
The decentralized nature of the BYOD model relies on IT departments to protect the corporate
network from unintended risks. This introduces Individual Liability into the Corporate Liability
management of endpoints in an organization. (ProfitLine, 2011) IT departments must also retain
responsibility to ensure secure access to systems, applications and information. BYOD allows
IT departments to reduce their focus on being the source for endpoints. To adapt to the BYOD
demands from executives and employees, IT departments need to shift from their “tightly
coupled” approach to a more “loosely coupled” approach. (Blount, 2011, p. 3) This means
building a management plan to move from the Block and/or Disregard model to a Contain and/or
Embrace model. (Orans & Pescatore, 2011) Some companies employ the Contain model for
email and calendar access on BYOD devices, but they have not created a formal BYOD policy.
This security layer focuses on policy, policy formation, evaluation, and standards (including legislative compliance – HIPAA and FIPPA). One of the first key action items is to develop a BYOD policy. “Developing formal BYOD policies is critical, because personally owned devices present risks to the network in the form of unintended denial of service and other threats to network stability, such as the spread of malware.” (Orans & Pescatore, 2011, p. 2)
The policy will need to address the requirements of general IT security and specifically information security and endpoint usage. Employees will need to sign off on the BYOD policy, which specifies adhering to established security practices, including allowing the employer some level of access to their personal device. Clearly defining who has control of the various components of the endpoint is important for the policy to be effective.
“Some people believe that consumerization of IT means only supporting new, smarter consumer
devices. But, although that was the first symptom, this trend is actually far more important and
impactful than that. It’s not just about devices – it’s about control.” (Blount, 2011, p. 5)
Operations Security
“The purpose of the Operations Security Layer is to define the enterprise’s intra-organizational
and operational needs as they interact with and require access to the enterprise IT services, in
order to identify and address security needs at the enterprise’s organizational level.” (Bernard &
Ho, 2007, p. 12)
BYOD significantly expands the scope of the operations security practices that need to be in place. Expanding the number and types of endpoints will require additional investment in the following activities: risk assessment, vulnerability assessment, contingency planning, incident handling team, disaster recovery planning, business continuity planning and security operations center. Support costs will increase for helpdesk and technical staff who will need to support a multitude of endpoint devices.
“Paradoxically, this trend is likely to both expand the scope and reduce the control of IT. The
scope of responsibility for IT will be expanded because its role now doesn’t stop at the firewall –
the corporate network now extends out to the user and their unique access devices.” (Blount,
2011, p. 7)
Personnel Security
“The purpose of the Personnel Security layer is to ensure that enterprise personnel are accessing
and utilizing its information and technology services safely, securely and in accordance with
their predefined roles and responsibilities of their job functions, through proper access control
plans and detection of employee anomalous behavior.” (Bernard & Ho, 2007, p. 14)
The BYOD model requires an investment in security training programs for employees. Many
users of consumer IT devices fail to keep their security software updated or implement device
storage encryption or even set a device password. This poses a significant risk to organizations
when personal devices contain corporate information and applications. Employers should
establish an organizational change management program to educate employees who use personal
devices to access IT systems, applications and information. Employees will be less inclined to
implement security best practices on their devices unless they understand the risks of not
complying. This is very much a culture issue and, if not addressed, it introduces significant risk to organizations from data leakage of corporate sensitive information.
Monitoring of BYOD endpoints requires installation of security software on the device. Again,
this will be a culture change issue for employees. The employee will need to allow the employer
access to their personal device to protect corporate information. Employers will implement
mobile device management software to secure and monitor endpoints accessing and storing
corporate data.
Information and Data Flow Security
“The purpose of the Information & Data Flow Security layer is to identify and classify
information and data as it moves through the enterprise – in order to justify adequate security
controls.” (Bernard & Ho, 2007, p. 16)
BYOD will be able to leverage the same information and data flow security as UWYT. Using
information classification techniques protects the confidentiality and sensitivity of corporate
information. Information use on personal devices is an important consideration in mitigating the
risks of data leakage. “… many organizations believe that their own employees pose a more
serious data security threat, via either inadvertent or malicious behavior, than do outsiders.”
(Blount, 2011, p. 15) The appropriate access controls, authorization, encryption and backup
techniques across all devices and users in the organization can be determined based on
information classification methods. Key activities in this security layer are information
classification, security models, risk controls, risk management and risk analysis. All of these
activities require a commitment of resources and time. The implementation and management costs are lower when the number of endpoint models/types that access corporate data is limited.
There are information control technologies to manage information protection available to help
provide a layer of security. Technologies that limit the ability to copy data, print data or email
data are known as “digital rights management”. IT departments need to assess whether the
digital rights management protection will “travel” with the data as it moves from the corporate
network to a BYOD device. The success or failure of this approach would guide which endpoints employees should be advised to purchase. Another approach would be
to adopt virtualization strategies that contain corporate information in the data center and only
send screen changes to the BYOD endpoint. This is a more secure approach as the data never
leaves the corporate data center, keeping it protected while allowing the employee to work.
Application Development Security
“The purpose of the Application Development Security layer is to design the authentication,
authorization and accounting (AAA) components into the applications used in the enterprise; to
enforce the application process follow throughout the enterprise; and to ingrain security in the
SDLC.” (Bernard & Ho, 2007, p. 18)
The UWYT model contains the entire infrastructure to run the enterprise applications needed by
employees to do their work. Moving to a BYOD model introduces consumer-based, personal endpoints and a multitude of personal applications. These environments are not the typical hardware (Intel PC), operating system (usually Windows) and browser (usually Internet Explorer) used in UWYT models. Application development needs to move to open web standards that can be deployed on any endpoint device. Consideration for the multitude of
applications available from the various endpoint vendors’ “App Stores” is important. Employees
will be downloading free and purchased applications onto their end devices. IT departments will
have no way to vet these applications for security flaws. At this point, there are no simple ways
to verify the security on employee purchased/downloaded applications. There are potential
security risks if the downloaded applications access corporate data on the endpoint device and
propagate the data back out to the internet. Application and desktop virtualization strategies
should be implemented to segregate personal applications from enterprise applications.
BYOD introduces some challenges to organizations that use more of a “buy vs. build” approach.
When procuring new software and applications, the ability to run on multiple platforms becomes
a key requirement. In addition, considering whether the software application can be virtualized will help secure running it on BYOD endpoints. If the application can be deployed to any browser on any operating system and device, then risks and costs can be managed effectively. Control of the application would move from physical infrastructure to virtual applications and virtual desktop management. One other attribute of this layer in the UWYT model is that the applications developed, purchased and installed are predetermined for employees. Standardizing the application development platforms on open standards reduces the number of vulnerabilities that require application security activities.
Systems Security
“The purpose of the Systems Security layer is to protect sensitive applications and provide
granularity of access controls to sensitive resources.” (Bernard & Ho, 2007, p. 20)
The key activities in this security layer are platform hardening, authentication and authorization,
database security, PKI enabled applications, single sign-on and host based intrusion detection.
The BYOD model requires a proactive approach to system security because personal devices are
not controlled and have the potential to introduce significant security risks.
BYOD relies on identity management governance processes like role management, access requests, authentication and authorization. The reliance on human resource business processes to update employee records in a timely manner is more critical with BYOD than with UWYT. If an employee leaves the organization, there needs to be a secure process to remove all corporate assets from their personal endpoint device. Privilege and access rights cleanup becomes a fundamental ongoing security practice in order to protect corporate data.
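The reconciliation this layer depends on can be made concrete. The following is an added example, not code from the paper or from any identity management product: it compares access entitlements and MDM-enrolled personal devices against the HR record of status and role, so that a leaver's access is revoked and corporate data is removed from their personal endpoint, and so that access outside an employee's role is caught. The record formats, the role-to-resource mapping and the sample data are all constructed for this illustration.

```python
"""HR-driven access and device reconciliation for BYOD offboarding.

Added illustration (not from the paper). Entitlements and enrolled personal
devices are checked against HR status and role; terminated or unknown
employees get their access revoked and corporate data wiped from their
personal device, and active employees lose access not permitted for their
role. Record formats, role model and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

Action = Tuple[str, str, str, str]  # (action, employee_id, target, reason)


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str       # "active" or "terminated"
    role: str
    effective: date   # date the status took effect


@dataclass(frozen=True)
class Entitlement:
    employee_id: str
    resource: str     # application or system the account can reach


@dataclass(frozen=True)
class Enrollment:
    """A personal device enrolled in MDM and holding corporate data."""
    employee_id: str
    device_id: str


# Constructed role model (an assumption for this example): resources per job role.
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "finance_analyst": {"erp", "email", "file_share"},
    "sales_rep": {"crm", "email"},
}


def reconcile(hr: List[HrRecord], entitlements: List[Entitlement],
              enrollments: List[Enrollment], today: date) -> List[Action]:
    """Return the revocations and device wipes needed to match access to HR status."""
    hr_by_id = {r.employee_id: r for r in hr}
    actions: List[Action] = []

    def has_left(rec: HrRecord) -> bool:
        # No HR record at all, or a termination that has already taken effect.
        return rec is None or (rec.status == "terminated" and rec.effective <= today)

    for ent in entitlements:
        rec = hr_by_id.get(ent.employee_id)
        if has_left(rec):
            reason = "no HR record" if rec is None else f"terminated {(today - rec.effective).days} days ago"
            actions.append(("revoke", ent.employee_id, ent.resource, reason))
        elif ent.resource not in ROLE_RESOURCES.get(rec.role, set()):
            actions.append(("revoke", ent.employee_id, ent.resource, f"not permitted for role {rec.role}"))

    for enr in enrollments:
        rec = hr_by_id.get(enr.employee_id)
        if has_left(rec):
            # Selective wipe: remove enterprise data and profiles, leave personal data alone.
            reason = "no HR record" if rec is None else "owner terminated"
            actions.append(("wipe_corporate_data", enr.employee_id, enr.device_id, reason))
    return sorted(actions)


# Constructed sample feeds, evaluated on a fixed date.
TODAY = date(2012, 5, 1)
SAMPLE_HR = [
    HrRecord("e100", "active", "finance_analyst", date(2010, 3, 1)),
    HrRecord("e200", "terminated", "sales_rep", date(2012, 4, 20)),
    HrRecord("e300", "active", "sales_rep", date(2011, 9, 12)),
    HrRecord("e500", "terminated", "sales_rep", date(2012, 5, 15)),  # future-dated leaver
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("e100", "erp"), Entitlement("e100", "email"),
    Entitlement("e200", "crm"), Entitlement("e200", "email"),
    Entitlement("e300", "erp"), Entitlement("e300", "crm"),   # erp is outside the sales role
    Entitlement("e400", "email"),                             # no HR record for e400
    Entitlement("e500", "email"),
]
SAMPLE_ENROLLMENTS = [Enrollment("e100", "phone-a"), Enrollment("e200", "tablet-b")]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_ENTITLEMENTS, SAMPLE_ENROLLMENTS, TODAY):
        print(*action)
```

Running the reconciliation daily against the HR feed, and recording the "terminated N days ago" figure, gives a measurable answer to the paper's "timely manner" requirement; the future-dated leaver shows why the effective date, not just the status, has to be checked.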
Infrastructure Security
“The purpose of the Infrastructure Security layer is to develop a secure infrastructure that meets
all the security requirements of the enterprise and can safeguard against future attacks against the
enterprise.” (Bernard & Ho, 2007, p. 22)
This security layer is critical in protecting organizations from internal and external attacks. The
BYOD model introduces a new security layer into the network for wired and wireless networks – the Limited Access Zone (LAZ). Network partitioning and firewall security, combined with network access control (NAC), will manage the risk of personal devices connecting to the corporate network in the Contain strategy for BYOD. NAC can enforce endpoint protection policies. If
the BYOD device does not have adequate malware protection and is not up to an established
security patch level, it will be blocked from accessing the corporate network. Using the LAZ as
a control boundary protects corporate systems, applications and information. The LAZ should
be established on both the wireless and the wired networks as more employees choose to use
laptops over desktop PCs. Once the Contain strategy is established, it can be grown out to
become the Embrace strategy where all endpoints are personal devices.
“There is a huge operational and support gap between a Contain strategy (let some people
BYOD for some things) and an Embrace strategy (allow everyone to BYOD for almost
everything).” (Orans & Pescatore, 2011, p. 4)
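The NAC rule described above, together with the device-level expectations from the Personnel Security section (security software kept current, storage encryption, a device password), is shown below as an added example; it is not code from the paper or from any NAC or MDM product. A non-compliant endpoint is blocked, a compliant employer-owned endpoint reaches the corporate network, and a compliant personal endpoint is placed in the LAZ. The posture fields, the baseline thresholds and the zone names are assumptions made for this example.

```python
"""Endpoint posture check and network zone assignment for a Contain strategy.

Added illustration (not from the paper). It applies the rule that an
endpoint without adequate malware protection or below the established
patch level is blocked, routes compliant employer-owned endpoints to the
corporate network and compliant personal endpoints to the Limited Access
Zone (LAZ). Posture fields, thresholds and zone names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed policy baseline: assumed values, not figures from the paper.
MAX_PATCH_AGE_DAYS = 60      # newest installed security update must be this recent
MAX_SIGNATURE_AGE_DAYS = 7   # malware signatures must be this recent
ZONE_BLOCKED, ZONE_LAZ, ZONE_CORPORATE = "blocked", "laz", "corporate"


@dataclass(frozen=True)
class EndpointPosture:
    """Attributes a NAC agent or MDM tool might report for one endpoint."""
    device_id: str
    owner: str                 # "employer" (UWYT asset) or "employee" (BYOD)
    patch_level: date          # date of the newest installed security update
    av_installed: bool
    av_signature_date: date
    disk_encrypted: bool
    passcode_set: bool


def posture_failures(ep: EndpointPosture, today: date) -> List[str]:
    """Return the policy requirements the endpoint fails (empty list = compliant)."""
    failures: List[str] = []
    if not ep.av_installed:
        failures.append("no malware protection")
    elif (today - ep.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("malware signatures out of date")
    if (today - ep.patch_level).days > MAX_PATCH_AGE_DAYS:
        failures.append("below required patch level")
    if ep.owner == "employee":
        # Personal devices hold corporate data outside physical security, so the
        # assumed policy also requires storage encryption and a device passcode.
        if not ep.disk_encrypted:
            failures.append("storage not encrypted")
        if not ep.passcode_set:
            failures.append("no device passcode")
    return failures


def assign_zone(ep: EndpointPosture, today: date) -> Tuple[str, List[str]]:
    """Map an endpoint to a network zone; any posture failure means it is blocked."""
    failures = posture_failures(ep, today)
    if failures:
        return ZONE_BLOCKED, failures
    if ep.owner == "employer":
        return ZONE_CORPORATE, []
    return ZONE_LAZ, []


def evaluate_all(endpoints: List[EndpointPosture], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every endpoint, keyed by device id."""
    return {ep.device_id: assign_zone(ep, today) for ep in endpoints}


# Constructed sample endpoints (not real devices), evaluated on a fixed date.
TODAY = date(2012, 5, 1)
SAMPLE_ENDPOINTS = [
    EndpointPosture("corp-pc-01", "employer", date(2012, 4, 20), True, date(2012, 4, 30), True, True),
    EndpointPosture("byod-tablet-01", "employee", date(2012, 4, 25), True, date(2012, 4, 28), True, True),
    EndpointPosture("byod-laptop-02", "employee", date(2012, 4, 25), True, date(2012, 4, 1), True, True),
    EndpointPosture("byod-phone-03", "employee", date(2012, 1, 15), True, date(2012, 4, 30), False, False),
]

if __name__ == "__main__":
    for device, (zone, why) in evaluate_all(SAMPLE_ENDPOINTS, TODAY).items():
        print(f"{device:15} -> {zone:9} {'; '.join(why)}")
```

Returning the full list of failures, rather than stopping at the first, is what lets the helpdesk tell the employee everything that must be fixed before the device is re-admitted, which matters once support staff face many device types.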
Physical Security
“The purpose of the Physical Security layer is to construct a secure perimeter physical defense
system that safeguards the facility and physical resources for the enterprise.” (Bernard & Ho,
2007, p. 25)
Most organizations rely on keeping computer endpoints behind the protection of physical security, including building and facility security and physical access controls. As organizations deploy more laptops in favor of desktops and begin the Contain strategy of BYOD, they will rely more heavily on other security layer protections. Many employees will take their employer supplied laptops home to do work and even on vacation. BYOD devices fall outside the physical security layer and rely on the other security layers: information security governance, personnel security, information and data flow security, application development security, system security and infrastructure security.
Future State Summary
Blount cites four factors that are contributing to the push to adopt consumer technology into
organizations. The first and most obvious factor is the “continued innovation in personal
devices”. (Blount, 2011, p. 6) As pressure mounts from both executives and employees, IT
departments will have no choice but to adopt some form of BYOD model. The second factor is
“high growth in use of social media and related applications”. (Blount, 2011, p. 6) Employees
are using social media as part of their everyday lives and now integrating social media tools as
part of their work practices. The third factor is the “externalization of the business”. (Blount, 2011, p. 6) This is seen as a cost saving model, particularly to reduce IT costs by using cloud based services and outsourcing or off-shoring non-core functions. The last factor is “the blurring
of the line between personal and work life.” (Blount, 2011, p. 6) Like social media making its
way into the workplace, work is making its way into personal lives. In the early days of desktop
computing, employees could leave their work at work. Now with light weight laptops, tablets
and smartphones, work is coming home. In some cases, this is part of a planned telecommuting
strategy but in most cases it is being enabled by highly functional consumer technology. The
two main types of controls for BYOD will be: controls on the device and controls relating to
access and use of IT systems, applications and information. (Blount, 2011, p. 9)
BYOD strategies must be considered by organizations as their executives and employees demand
the ability to use personal devices to access corporate information and systems. Organizations
no longer have a choice and need to move from the Block/Disregard strategies to
Contain/Embrace for BYOD. (Orans & Pescatore, 2011) This is a “loosely coupled”
environment where the make and model of the personal endpoint device becomes irrelevant.
This method of endpoint management has many challenges including new policies, culture change with the blend of personal and work lives, and information and system security. The main attributes of this environment are centralized policies, strong identity management practices, information categorization and access control, and network access control. The BYOD model
expands employee choice and may be a success factor for recruiting employees. It also
introduces new risks to the organization particularly around data leakage that must be planned
for. This is a hybrid liability model mixing Corporate Liable and Individual Liable components
into the organization’s enterprise architecture.
“CIOs must get ahead of the consumerization curve by coming to terms with what is valuable
and productive about the influence of consumer IT.” (Bernnat, Acker, Bieber, & Johnson, 2010,
p. 4)
BYOD Management Plan
Bernard describes the EA Management Plan as “a plan to move from the current to the future
EA” and “a management program that provided a strategic, integrated approach to resource
planning.” (Bernard S. A., 2005, p. 34) The following processes are components of the
management plan:
• Resource Alignment: resource planning and standards determination
• Standardized Policy: resource governance and implementation
• Decision Support: financial control and configuration management
• Resource Oversight: lifecycle approach to development/management
Bernnat et al. suggest two approaches to accommodate using consumer IT by employees. The
first option is the “Bring In” approach. This approach “involves opening the corporate IT
environment to private use and letting employees’ digital lives freely enter their work
environments.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6) The second option is the
“Reach Out” approach. This approach “reaches out to employees, allowing them to use their
personal devices – even PC’s – to do their work.” (Bernnat, Acker, Bieber, & Johnson, 2010, p.
6) Each of these approaches has different resource, policy, support and oversight requirements.
BYOD Management Plan | Resource Alignment | Standardized Policy | Decision Support | Resource Oversight
Bring In Approach | Use existing resources for endpoint management because the endpoints are employer owned | Implement Information Security and BYOD Policy for private Web use on employer owned endpoints | Employees have a wide variety of employer supplied endpoints to choose. Enterprise apps are pre-installed and employees can add personal apps | Employees use company owned endpoints and there continues to be a high degree of employer control
Reach Out Approach | Increase support resources for endpoint management because of the mix of employer and employee owned endpoints | Implement Information Security and BYOD Policy for employee endpoints and private Web use | Employees bring their own endpoints for use at work. Access to enterprise apps is controlled by virtualization technologies for apps and desktops | Employees need to ensure their endpoints comply with employer standards. Employers need to establish standards and monitor security access
The management plan also addresses Risk Management issues for Employee BYOD programs.
Key areas for risk management are: (Bernnat, Acker, Bieber, & Johnson, 2010, pp. 7-8)
• Security - specifically network security and data leakage
• Productivity - potential lost productivity with web surfing distractions
• Legal and Compliance - ensuring compliance to privacy and copyright laws
• Reputation - employees making poor judgements when interacting on social media
• Support and Maintenance Costs - heterogeneous endpoint environments increase support
costs
• Risks - employees may not be able to do their work (in a timely manner) when their
personal endpoint fails and requires replacement
All of these risks must be considered and planned for, either in the creation of policy or in the development of technology/security solutions.
Conclusion
Bernard describes four dimensions of security: physical, data, personnel and operations.
(Bernard S. A., 2005, p. 329). These were expanded on by Bernard and Ho into a Security Architecture Framework with eight security layers. (Bernard & Ho, 2007) This paper used the
eight layers to describe the impacts on IT security architecture when organizations implement a
BYOD model. This table summarizes the differences between UWYT endpoints and employee
BYOD using Bernard and Ho’s model:
Security Layer | UWYT - Employer | BYOD - Employee
Information Security Governance | Standardized endpoints with a Block or Disregard policy approach – “tightly coupled” control of all layers of architecture – focus on corporate control – this is a corporate liable model | Move to a ‘loosely coupled’ approach to endpoint management. This is not an endpoint centric approach – focus on policy, culture change and controlling the applications, systems and information layers – requires a BYOD policy to be in place describing responsibilities of employer and employee – this is a blend of a corporate and individual liable model
Operations | Centrally supported data and endpoint service, standard security, antivirus and data protection – requires an acceptable use policy but no mention of personal endpoints | Expands the scope of support to hybrid model – internal for data, external vendor for endpoint, distributed security, antivirus and data protection
Personnel | Lesser level of employee technical ability due to central support, no tax implications as these endpoints are considered equipment, standard user experience and support. Lower costs to create and deliver training on standard endpoints | Higher level of employee technical ability due to hybrid support, stipend model may result in income tax implications; potential confusion for users resulting in unsatisfactory service, a BYOD policy must be created. Higher costs to create and deliver training especially about information security
Information and Data Flow | Centrally provisioned and secured information to meet regulatory and compliance rules and audits. Access controls limit data leakage based on information classification methods | Leverages centrally provisioned and distributed security, need an ability to wipe enterprise data but not personal data, more controls required to meet regulatory and compliance rules and audit – digital rights management
Application | Entire application infrastructure contained to corporate endpoints to limit vulnerabilities and data leakage. Provides employees with only the applications they need and typically with a lesser user experience | Focus on open standards that will run on any endpoint; consideration for future applications (buy or build); strategies needed to separate personal apps from enterprise apps due to the possibility of inappropriate data access
System | Centralized control of access to applications, systems and information using IAM and PKI security, IT controls the access process instead of relying on HR business processes | Strong reliance on HR business processes to notify of changes in employee status in a timely manner; IAM is a critical technology and security strategy and needs investment to properly create role based access and remove access in a timely manner
Infrastructure | Layered security approach to network access that restricts access to the wired network for accessing enterprise applications, systems and information. Blocks external endpoints from accessing the network | Layered security approach for network access gets augmented by implementing a Limited Access Zone for BYOD devices; use Network Access Control to verify adequate malware and patch protections before allowing access
Physical | This is a key security layer for UWYT as it restricts physical access to key applications, systems and information. This security layer is compromised as soon as an endpoint is taken out of the physical protection of the corporate workplace. | Physical security is ineffective for BYOD as most of the endpoints are mobile; reliance on the other key security layers is mandatory to reduce risk
Some final overall considerations for moving from a Block/Disregard strategy to a
Contain/Enable strategy for BYOD are (ProfitLine, 2011, p. 2):
• The major pricing and contractual benefits that are lost when moving to individual liable
• The hidden IT support costs and potential user experience issues
• The increased security risk and policy ramifications
Each organization needs to consider the impacts of the endpoints supported, the data on those endpoints, identity management, employee on-boarding and off-boarding, and providing an endpoint-independent platform to deliver data and information.
[Figure: A Proposed Approach to Introduce BYOD for Employees]
UWYT – Block/Disregard Strategy
• most organizations are here today
• there are risks as some employees are connecting to employer networks with no controls
Implementation based on Policy and Research
• Pilot Contain Model with small group
• Grow out Contain Model
Technology Research
• Mobile Device Mgmt (MDM)
• Hosted Virtual Desktops (HVD)
• Virtual Applications (APPV)
• Network Access Control (NAC)
Policy Development
• Contract Negotiations
• Remuneration Models
• BYOD Policy
• Information Security Policy
BYOD – Contain/Embrace Strategy
• most organizations will stay at Contain model for the next 3 to 5 years
• only a few organizations (mostly small ones) will go to Embrace model
• Embrace Model requires all 4 technologies to be in production
This proposed approach requires executive leadership and strong project management. The
project plan should allow for conducting the policy and research activities in parallel.
Implementing the Policy and Technology strategies requires budget and resources for successful
deployment and ongoing support in a BYOD Contain/Embrace strategy.
References
6dg. (2012). Business Optimisation. Retrieved from 6dg: http://www.6dg.co.uk/solutions/business-optimisation/
Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL: AuthorHouse.
Bernard, S., & Ho, S. M. (2007, Oct 29). Enterprise Architecture as Context and Method for Implementing Information Security and Data Privacy. Washington, DC, USA.
Bernnat, R., Acker, O., Bieber, N., & Johnson, M. (2010). Friendly Takeover The Consumerization of Corporate IT. Retrieved from booz&co: http://www.booz.com/media/uploads/Friendly_Takeover.pdf
Blount, S. (2011, Aug). the consumerization of IT: security challenges of the new world order. Retrieved from Computer Associates: http://www.ca.com/us/~/media/Files/TechnologyBriefs/Consumerization-of-IT-Tech-Brief.pdf
Lomas, N. (2011, Oct 23). BYO - bring your own device; Cheat Sheet. Retrieved from TechRepublic: http://www.techrepublic.com/blog/cio-insights/byo-bring-your-own-device-cheat-sheet/39748120?tag=content;siu-container
Orans, L., & Pescatore, J. (2011, Dec 22). NAC Strategies for Supporting BYOD Environments. Retrieved from Gartner: http://www.gartner.com
ProfitLine. (2011). The Hidden Risks of a "Bring Your Own Device" (BYOD) Mobility Model. Retrieved from ZDNet: http://i.zdnet.com/whitepapers/Profitline_The_Hidden_Risks_of_a_Bring_your_own_Device_BYOD_Mobility_Model_1_19_2011.pdf
Ranger, S. (2012, Apr 19). How the BYOD flood is sweeping away the IT department's priorities. Retrieved from TechRepublic.
Sen, P. K. (2012, Feb 24). Consumerization of Information Technology Drivers, Benefits and Challenges for New Zealand Corporates. Retrieved from Victoria University of Wellington: http://researcharchive.vuw.ac.nz/bitstream/handle/10063/2095/thesis.pdf?sequence=1
Wallin, L.-O. (2011, Oct 20). Gartner's View on 'Bring Your Own' in Client Computing. Retrieved from Gartner: http://www.gartner.com
Wikipedia. (2012, Jan 31). Endpoint. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Endpoint