The rising popularity of BYOD and the remote workforce has made it easy for adversaries to take advantage of insecure, unmanaged devices. When anyone can log in from any device, mobile devices become a prime target, putting your most mission-critical applications and systems at risk. Due to varying workplace situations and employee knowledge, it can be challenging to manage mobile device security effectively. In fact, almost 40% of people use their personal devices for work-related activities.
Because many organizations allow, and some even encourage, some level of BYOD, ensuring that there are no insecure devices on your network or accessing cloud-based resources is critical to the security of your organization. Is your organization ensuring insecure mobile devices don’t get access to your critical data? Review our five-point checklist to make sure.
1. Is the device jailbroken or rooted?
Do you have a way to see if an accessing device is jailbroken or rooted? In order to bypass carrier and operating system limitations, many opt to jailbreak or root their mobile device. Some risks that are attached to these devices include:
- Security: A rooted or jailbroken device removes the first line of defense—the manufacturer's vetting system. Without this security in place to assess web applications and downloads, the user is at high risk of inadvertently installing malware or viruses on their device. This leaves your organization in a dangerous position should the device access sensitive workplace data. Any apps downloaded after device modification can pose serious risks.
- Instability: Modifications to mobile devices are often filled with bugs that not only slow devices down but also disable important features, such as push-based services, and leave security vulnerabilities open.
- Limited visibility: A modified device will never enroll in MDM, leaving it unmanaged and dangerous to your organization.
A jailbroken or rooted mobile device poses a huge risk to your business. Luckily, MDM software is able to detect and alert you when a BYOD mobile device has been jailbroken or rooted. Most MDMs can then quarantine such devices from your systems and exile them, preventing any damage to your organizational security.
2. Are mobile operating systems up to date?
A device on your network that is behind on updates could quickly become a threat to the security of your organization. Security updates patch security vulnerabilities, so without regular operating system updates, those vulnerabilities can be exploited quickly. Our MDM integration can assist with mandating these updates for both managed and unmanaged devices.
3. Is a PIN or biometric required to access?
This may come as a surprise to some, but a PIN code is actually one of the more secure methods of mobile authentication. Because a PIN code is securely stored locally on the device in question, it isn't transmitted anywhere and it isn't stored on the server. And with “anti hammering” built into modern devices, there is a limit to the number of attempts before the device locks. By having employees create and use a PIN, you are ensuring that a lost, stolen, or unattended device remains secure.
Biometric authentication can also add a substantial layer of security to BYOD mobile devices. Most modern mobile devices have already moved in this direction with fingerprint scans and facial recognition, and for good reason—they add an additional layer of protection to mobile devices. Should the device fall into the wrong hands, there is still a strong barrier to entry for an adversary.
4. Can this device be trusted? Is it a known device?
Before you allow a device to access your network, it’s important to identify that device. Many older methods of device verification simply "fingerprint the device", or collect information about the software and hardware. Unlike website cookies that are stored on a user's device, device fingerprints are stored server-side and determine which technologies, such as the OS and browser plugins along with other active settings, are present.
An asymmetric cryptographic approach, however, cryptographically binds a user to the device. This is a significantly stronger way to positively identify a device than traditional fingerprinting.
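The difference from a stored fingerprint, as an added Go example that is not Beyond Identity's code: the server keeps only a public key per user and device, and accepts a login only when the device signs a fresh nonce with the matching private key. The choice of Ed25519, the `Device` and `Server` types, and the names `alice` and `phone-1` are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device models the client; its private key never leaves the device (assumed type).
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv}
}
func (d *Device) Pub() ed25519.PublicKey   { return d.priv.Public().(ed25519.PublicKey) }
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Server keeps only enrolled public keys and pending nonces per (user, device) pair.
type Server struct{ keys, nonces map[[2]string][]byte }

func NewServer() *Server { return &Server{map[[2]string][]byte{}, map[[2]string][]byte{}} }
func (s *Server) Enroll(user, dev string, pub ed25519.PublicKey) { s.keys[[2]string{user, dev}] = pub }

// Challenge issues a fresh random nonce for the device to sign.
func (s *Server) Challenge(user, dev string) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.nonces[[2]string{user, dev}] = n
	return n
}

// Verify accepts only a signature over the pending nonce made by the enrolled key.
func (s *Server) Verify(user, dev string, sig []byte) bool {
	id := [2]string{user, dev}
	nonce, pending := s.nonces[id]
	delete(s.nonces, id) // single use: a captured response cannot be replayed
	pub, enrolled := s.keys[id]
	return pending && enrolled && ed25519.Verify(pub, nonce, sig)
}

func main() {
	srv, phone := NewServer(), NewDevice()
	srv.Enroll("alice", "phone-1", phone.Pub())
	fmt.Println("login ok:", srv.Verify("alice", "phone-1", phone.Sign(srv.Challenge("alice", "phone-1"))))
}
```

A fingerprint is a set of attributes the server compares and a client can restate; here nothing the server stores or sees on the wire is enough to pass the next challenge.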
5. Do you have a way to enforce security and compliance policies on all devices, including BYOD?
Security policies need to be both feasible and enforceable. Without a way to enforce the mobile device policies that you set, your organization will still lack the fundamental security needed to prevent password-based attacks. Now that we have established that, you have to ask these questions:
- Is MDM enabled in order to enforce strong security posture?
- Is this device managed or unmanaged?
- Do you know where devices are logging in from?
- Does this device have a biometric or PIN enabled?
You also need to ensure that actions will occur based on the answers to these questions. Merely asking is not enough if you are unable to act on the information you collect in real time.
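One way to turn the checklist answers into enforced actions, as an added Go example (not Beyond Identity's or any MDM vendor's code). The `Posture` fields, the action names `deny`, `quarantine` and `allow`, and the minimum OS versions are assumptions; how the signals are collected is out of scope here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Posture: a bool is true only when attested, so an unreported signal fails closed.
type Posture struct {
	KeyVerified, NotJailbroken, ScreenLock bool
	OSVersion                              string
}

// olderThan compares dotted versions numerically; non-numeric or missing parts count as 0.
func olderThan(v, minVer string) bool {
	have := strings.Split(v, ".")
	for i, part := range strings.Split(minVer, ".") {
		want, _ := strconv.Atoi(part)
		got := 0
		if i < len(have) {
			got, _ = strconv.Atoi(have[i])
		}
		if got != want {
			return got < want
		}
	}
	return false
}

// Evaluate turns the checklist answers into an action the access layer enforces.
func Evaluate(p Posture, minOS string) (string, []string) {
	if !p.KeyVerified || !p.NotJailbroken {
		return "deny", []string{"unknown device, or jailbroken/rooted"}
	}
	var why []string
	if olderThan(p.OSVersion, minOS) {
		why = append(why, "OS older than "+minOS)
	}
	if !p.ScreenLock {
		why = append(why, "no PIN or biometric")
	}
	if len(why) > 0 {
		return "quarantine", why
	}
	return "allow", nil
}

func main() { fmt.Println(Evaluate(Posture{KeyVerified: true, NotJailbroken: true, OSVersion: "9.3"}, "10.0")) }
```

Comparing versions as plain strings would rank "9.3" above "10.0" and let the outdated device through, which is why the comparison is numeric.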
How can Beyond Identity help you with BYOD and securing your environment from mobile device risks? By cryptographically binding a user's identity to each device and checking the security posture of the device during every transaction, Beyond Identity is able to continuously enforce zero-trust authentication and granularly control who and what devices are allowed to access cloud apps, resources, and data.