Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD)

Overview of Enterprise Mobility

Download CSOC Protect Notice: Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) (PDF), June 2013

Executive Summary – Introduction to Enterprise Mobility

Enterprise mobility enables employees to perform work in specified business-case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well-designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. In addition, employees obtain increased flexibility to perform work regardless of their physical location.

This document is developed by the Australian Signals Directorate (ASD) to provide senior business representatives with a list of enterprise mobility considerations.

These include business cases, regulatory obligations and legislation, available budget and personnel resources, and risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.

This document aims to assist readers to understand and help mitigate the significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data. Risks are primarily due to the likelihood of devices storing unprotected sensitive data being lost or stolen, use of corporately-unapproved applications and cloud services to handle sensitive data, inadequate separation between work-related use and personal use of a device, and the organisation having reduced assurance in the integrity and security posture of devices that are not corporately managed. Additional risks arise due to legal liability, regulatory obligations and legislation requiring compliance, and the implications for the organisation’s budget and personnel resources.

Risks can be partially mitigated through a policy outlining the permitted use of devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations.

Business cases for enterprise mobility that involve accessing non-sensitive data might permit employees to use their personally-owned devices, referred to as Bring Your Own Device (BYOD).

Business cases for enterprise mobility that involve accessing and potentially storing sensitive data might permit employees to use devices that are listed on a corporately-approved shortlist of devices. Such devices are partially or completely corporately managed to enforce policy and technical risk management controls. These controls can include preventing unapproved applications from running and accessing sensitive data, applying patches to applications and operating systems in a timely manner, and limiting the ability of employees to use devices that are ‘jailbroken’, ‘rooted’ or otherwise run with administrative privileges. Optionally, some organisations might provide devices to employees, permit a reasonable degree of personal use, and retain ownership of the devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property.

Before implementing enterprise mobility for a specific business case, organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.

Potential Benefits of Enterprise Mobility

Potential benefits of enterprise mobility include:

Potential Benefits of Using Personally-Owned Devices

Potential benefits of using personally-owned devices for enterprise mobility include:

Develop an Enterprise Mobility Strategy

Developing an enterprise mobility strategy is fundamentally important to an organisation successfully implementing enterprise mobility to achieve business outcomes with an acceptable level of risk. In the absence of a strategy, the organisation’s mobility might be driven by employees, without clear measures of success and without adequate consideration of risks.

An enterprise mobility strategy might involve starting with a pilot trial consisting of a small number of users and a business case that is low risk, high value and has clear measures of success. Subsequently reviewing the success of the trial, including the costs and the impact to the organisation’s security posture, enables the organisation to make an informed decision as to whether to increase their use of enterprise mobility.

The following sections in this document provide guidance for the steps associated with implementing the enterprise mobility strategy that the organisation has developed.

Determine the Extent of Existing Enterprise Mobility

The extent of existing authorised and unauthorised enterprise mobility can be informed by talking to business representatives and employees, reviewing the organisation’s asset inventory of assigned devices, and using security controls to detect:

Develop Business Cases with Suitable Mobility Approaches

Justified business cases for enterprise mobility have tangible and measured benefits to the organisation, its employees and customers. These benefits outweigh the risks and costs to the organisation. Clearly defining each business case, including specifying what organisational data needs to be accessed, provides a better understanding of the opportunities and benefits versus the risks and costs to the organisation.

Example Business Cases

Organisations developing enterprise mobility business cases might decide to permit employees to:

Example Enterprise Mobility Approaches and Scenarios

An example enterprise mobility implementation might involve a combination of the following approaches.

Scenario A

This scenario involves using devices with a hardware model and operating system version that:

Scenario B

This scenario involves using devices with a hardware model and operating system version that:

For Australian government agencies, non-sensitive data is defined for the purpose of this document as data that is unclassified. Examples of non-sensitive data are unclassified computer based training courses and unclassified intranet web applications.

Scenario C

This scenario involves using devices with a hardware model and operating system version that:

For Australian government agencies, sensitive data is defined for the purpose of this document as data that is unclassified with dissemination limiting markers such as For Official Use Only (FOUO), Sensitive, Sensitive:Legal or Sensitive:Personal. Examples of sensitive data are corporate emails, calendars and contacts, as well as files residing in SharePoint, network shares or enterprise-grade cloud storage.

Devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately-approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

Scenario D

This scenario involves using devices with a hardware model and operating system version that:

For Australian government agencies, highly sensitive data is defined for the purpose of this document as data up to PROTECTED.

The comprehensive risk management controls might restrict the device’s functionality to an extent that would overly frustrate an employee using a personally-owned device. Therefore, devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Devices on the shortlist might be limited to smartphones and tablets that are part of a single vendor’s ecosystem due to the required compatibility with risk management controls. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately-approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

Considerations for Choosing Enterprise Mobility Approaches

When selecting an enterprise mobility approach for a particular business case, consider the employee’s job role, the sensitivity of the data to be accessed, risk management controls and their impact to employee privacy and user experience. Also consider whether the level of residual risk is acceptable to the organisation, and costs to the organisation such as the level of technical support and financial support provided to employees.

These considerations are represented in Figure 1 which reflects the example enterprise mobility scenarios mentioned previously. Detailed risk management controls for each enterprise mobility scenario are provided in the appendices of this document.

[Figure 1: graph plotting the example scenarios from Scenario A (any device, limited access) through to Scenario D (managed device, full access)]

Figure 1. Example enterprise mobility scenarios vary in their suitability to handle sensitive data, their cost and their impact to the employee’s user experience.

Identify Regulatory Obligations and Legislation

ASD develops and publishes the Australian Government Information Security Manual (ISM). The ISM advises that legal advice must be obtained before allowing personally-owned devices to connect to organisational systems.

Neither the ISM nor this document are to be considered as legal advice. An organisation’s legal representatives must determine to what extent enterprise mobility can be used based on regulatory obligations and legislation affecting their organisation. Relevant legislation includes the Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012, state and territory privacy laws including Acts covering surveillance of employees, the Archives Act 1983 and the Freedom of Information Act 1982. Organisations need to maintain an awareness of relevant legislation and address any associated impacts to their organisation.

Aspects of enterprise mobility requiring legal advice might include:

Allocate Budget and Personnel Resources

Organisations implementing enterprise mobility might encounter a variety of costs such as:

Develop and Communicate Enterprise Mobility Policy

ASD’s ISM advises that enterprise mobility policy must be developed to govern the use of devices accessing organisational data.

Policy relies on user adherence and is likely to be more effective if it exhibits the following characteristics:

Surveying employees can help reveal whether they would be willing to accept the policy and participate in enterprise mobility business cases, noting that some employees might perceive that:

Technical Support

It is impractical for an organisation’s IT help desk to support devices from a large variety of manufacturers running a large variety of operating systems with a large variety of configuration settings. Therefore, the amount of technical support provided to employees depends on the organisation’s personnel resources, whether devices are listed on a corporately-approved shortlist of devices, and the degree to which devices are necessary for employees to perform their job. Technical support might include:

Financial Support

Financial support might have Fringe Benefit Tax implications due to the organisation paying for a device or Internet and telecommunications connectivity that is used for personal use, especially outside of business hours. The amount of financial support provided to employees depends on the organisation’s financial resources and the degree to which devices are necessary for employees to perform their job. Financial support might include:

Monitor the Implementation and Report to Management

Ongoing monitoring of the enterprise mobility implementation includes reviewing logs from Mobile Device Management and other log sources such as network logs, user authentication logs and security software.
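The log review described above is easiest to make routine when the check is written down as code. The following is an added example, not part of the ASD document or of any vendor's product: it parses constructed Mobile Device Management check-in records (one JSON object per line; the field names, the minimum operating system versions and the 14-day check-in window are all assumptions of this example) and produces the kind of summary a management report needs, namely how many devices are non-compliant, why, and which should be quarantined from organisational systems.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of Mobile Device Management check-in records (one JSON
# object per line). These are not real vendor log lines; the field names are
# assumptions for this example.
SAMPLE_MDM_LOG = """\
{"device_id": "dev-001", "user": "a.smith", "os": "iOS", "os_version": "6.1.3", "jailbroken": false, "encrypted": true, "passcode_set": true, "last_checkin": "2013-06-10T08:15:00Z"}
{"device_id": "dev-002", "user": "b.jones", "os": "Android", "os_version": "4.0.4", "jailbroken": true, "encrypted": false, "passcode_set": true, "last_checkin": "2013-06-11T17:40:00Z"}
{"device_id": "dev-003", "user": "c.wong", "os": "Android", "os_version": "4.2.2", "jailbroken": false, "encrypted": true, "passcode_set": false, "last_checkin": "2013-05-01T09:00:00Z"}
{"device_id": "dev-004", "user": "d.lee", "os": "iOS", "os_version": "6.1.3", "jailbroken": false, "encrypted": true, "passcode_set": true, "last_checkin": "2013-06-12T07:05:00Z"}
"""

# Assumed policy values: minimum approved OS version per platform on the
# shortlist, and how long a device may go without checking in.
MIN_OS_VERSION = {"iOS": (6, 1, 3), "Android": (4, 2, 2)}
STALE_AFTER = timedelta(days=14)


def parse_timestamp(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_version(s):
    return tuple(int(part) for part in s.split("."))


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_device(record, now):
    """Return the policy violations for one check-in record (empty if compliant)."""
    findings = []
    if record["jailbroken"]:
        findings.append("jailbroken_or_rooted")
    if not record["encrypted"]:
        findings.append("storage_not_encrypted")
    if not record["passcode_set"]:
        findings.append("no_passcode")
    minimum = MIN_OS_VERSION.get(record["os"])
    if minimum is None or parse_version(record["os_version"]) < minimum:
        findings.append("os_version_below_minimum")
    if now - parse_timestamp(record["last_checkin"]) > STALE_AFTER:
        findings.append("not_checked_in_recently")
    return findings


def compliance_report(log_text, now_iso):
    """Summarise the log for a management report: device counts, which devices
    are non-compliant and why, and a tally per finding type."""
    now = parse_timestamp(now_iso)
    non_compliant = {}
    by_finding = {}
    records = parse_log(log_text)
    for record in records:
        findings = check_device(record, now)
        if findings:
            non_compliant[record["device_id"]] = findings
            for finding in findings:
                by_finding[finding] = by_finding.get(finding, 0) + 1
    return {
        "devices": len(records),
        "non_compliant": len(non_compliant),
        "findings": non_compliant,
        "by_finding": by_finding,
        # Devices that should be quarantined from organisational systems.
        "quarantine": sorted(non_compliant),
    }


if __name__ == "__main__":
    print(json.dumps(compliance_report(SAMPLE_MDM_LOG, "2013-06-12T12:00:00Z"), indent=2))
```

A device that has not checked in for longer than the window is flagged even though nothing else about it looks wrong, because a silent device is exactly the one whose integrity the organisation can no longer vouch for; correlating these findings with user authentication and network logs, as the section above suggests, shows whether such a device is still reaching organisational systems.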

Regular reporting to management helps them to understand and address unacceptable risks, and assess whether the benefits of enterprise mobility to the organisation justify the risks and costs to the organisation.

Information to report to management includes:

Facilitate Organisational Transformation

Organisations might update their business processes to leverage enterprise mobility, potentially even transforming the organisation to embrace opportunities such as activity-based working by:

Further information

This document complements advice in the Australian Government Information Security Manual, ASD Protect publication BYOD Considerations for Executives and ASD device-specific hardening guides.

Contact

Note: The Australian Signals Directorate, formerly known as the Defence Signals Directorate, was renamed in the 2013 Defence White Paper.

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.

Appendices

Using the Appendices

These appendices provide guidance for four different example enterprise mobility implementation scenarios.

Appendix A: Arbitrary Unmanaged Devices for Internet Access

This appendix provides guidance to manage risks associated with Scenario A. This scenario involves devices with a hardware model and operating system version that:

This implementation can enable organisations to apply more stringent web content filtering controls on the corporate network to reduce the risk of corporate workstations becoming compromised.

High level objectives associated with this example scenario include:

Corporately-Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Filtered and Monitored Network Traffic

Implement:

Separation Between the Organisation’s Corporate Network and the Guest Wi-Fi Network

Separate the organisation’s internal corporate network from the guest Wi-Fi network that enables corporately unmanaged and untrustworthy devices to access the Internet.

Corporate Workstations Configured to Block Access to Unauthorised Devices

Configure corporate workstations to block access to unauthorised devices, for example USB devices, Bluetooth devices, Wi-Fi access points, mobile hotspots and other devices with 3G/4G connectivity. This helps mitigate the risk of corporate workstations either exchanging data with unauthorised devices, or tethering to devices and accessing the Internet via an unmonitored and unfiltered Internet gateway.

User-Reliant Risk Management Controls

The following technical controls and policy controls to manage risk rely on employees complying with policy.

Anti-Malware Software

Obtain written employee agreement to use anti-malware software which helps mitigate devices being compromised.

This control is less applicable to devices that use a strong sandbox design and that limit the execution of applications to only those which are cryptographically signed by a trusted authority and originate from an application marketplace with a good history of curation to exclude malware.

Additional Information

The organisation might offer anti-malware software free of charge when employees access the Internet via a captive portal and agree to the policy.

Signature-based antivirus software is a reactive approach that is unlikely to protect against targeted malware that the antivirus vendor doesn't have visibility of. Anti-malware software extends signature-based antivirus software to typically include heuristic detection, identification of applications behaving suspiciously, as well as reputation checking of applications and websites accessed.

Avoid Behaviour that is Unauthorised, Excessive, Offensive or Unlawful

Obtain written employee agreement to:

Appendix B: Arbitrary Unmanaged Devices For Non-Sensitive Data

This appendix provides guidance to manage risks associated with Scenario B. This scenario involves devices with a hardware model and operating system version that:

For Australian government agencies, non-sensitive data is defined for the purpose of this document as data that is unclassified. Examples of non-sensitive data are unclassified computer based training courses and unclassified intranet web applications.

This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix A which covers arbitrary corporately unmanaged devices used to access the Internet via the organisation’s network infrastructure. High level objectives associated with the example scenario in Appendix B also include:

Corporately-Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Segmentation and Segregation Between Devices and Organisational Systems

Appropriately architect and segment the organisation’s corporate network using a combination of security enforcing mechanisms such as firewalls, reverse proxies, Virtual Local Area Networks and Virtual Private Networks. This helps mitigate devices accessing unauthorised organisational systems and data.

Web Application and Operating System Vulnerability Assessment and Security Hardening

Perform vulnerability assessments and security hardening of web applications and operating systems running on organisational systems that are permitted to be accessed. This helps mitigate devices compromising organisational systems and their data.

Appendix C: Corporately Approved and Partially-Managed Devices for Sensitive Data

This appendix provides guidance to manage risks associated with Scenario C. This scenario involves devices with a hardware model and operating system version that:

For Australian government agencies, sensitive data is defined for the purpose of this document as data that is unclassified with dissemination limiting markers such as For Official Use Only (FOUO), Sensitive, Sensitive:Legal or Sensitive:Personal. Examples of sensitive data are corporate emails, calendars and contacts, as well as files residing in SharePoint, network shares or enterprise-grade cloud storage.

Devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately-approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix B which covers arbitrary corporately unmanaged devices used to access non-sensitive data. High level objectives associated with the example scenario in Appendix C also include:

Some of the risk management controls described in this appendix might be unnecessary or impractical depending on the organisation’s business case, the sensitivity of data accessed by devices, the use of other risk management controls, and the type of device noting that some controls focus primarily on smartphones and tablets rather than laptops.

An example shortlist of devices from which employees can choose is a smartphone or tablet device running:

[Mention of any vendor product is for illustrative purposes only and does not imply ASD’s endorsement of the product. All trademarks are the property of their respective owners.]

The shortlist of devices is regularly updated to reflect newly available devices on the market and is limited to only devices that:

Corporately-Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Overview of Managed Separation, Remote Virtual Desktop and Mobile Device Management

ASD’s ISM advises that devices without ASD-approved encryption should not store unclassified FOUO/Sensitive data and must not store classified data. Additionally, ASD’s ISM advises that employees should be prevented from installing unapproved applications that can access unclassified FOUO/Sensitive data or classified data.

Risk management controls used to follow this guidance include using managed separation such as an encrypted managed container, preferably combined with Mobile Device Management to provide some basic assurance in the device’s underlying operating system configuration, or using appropriately configured remote virtual desktop software. Use of the phrase ‘remote virtual desktop software’ in this document incorporates virtualised applications and ‘Virtual Desktop Infrastructure’ (VDI).

Organisations might choose to use managed separation for some business cases such as an ASD-evaluated encrypted managed container on evaluated smartphones with small screens, and remote virtual desktop software for other business cases such as unevaluated devices or devices with large screens.

Detailed information about managed separation, remote virtual desktop software and Mobile Device Management is provided in the following pages of this appendix. Figure 2 shows the comparative ability of these risk management controls to protect organisational data and their negative impact to the employee’s user experience. All of the implementations shown include basic risk management controls such as applying vendor security patches in a timely manner, using up-to-date anti-malware software and performing backups of work data to backup servers specified by the organisation. These risk management controls won't prevent a malicious employee from copying organisational data by taking a screenshot or photograph of their device’s screen.

[Figure 2: graph showing that as risk management controls increase, the impact to the employee’s user experience also increases]

Figure 2. Risk management controls vary in their ability to protect organisational data and their negative impact to the employee’s user experience.

Managed Separation

Managed separation helps protect and isolate organisational data stored on devices. Organisational data is logically separated from the employee’s personal operating environment, limiting the ability of such data to spread, and facilitating the remote wiping of only organisational data.

Additional Information

There are several different types of separation mechanisms including partitioning functionality built into the operating system as well as mechanisms bolted on top of the operating system such as managed containers.

Emerging technology includes type 1 hypervisors and type 2 hypervisors providing a locally-virtualised operating system. Some separation mechanisms are designed to ensure that organisational data can only be accessed by applications that have been vetted by the organisation.

Managed containers, type 2 hypervisors or other mechanisms bolted onto the operating system provide reduced security if there is inadequate assurance in the integrity and security posture of the operating system.

Use of a managed container has the following corporate benefits with associated potential impacts to the employee’s user experience:

Organisations considering using a managed container need to determine whether the vendor has access to organisational data or cryptographic keys used to decrypt organisational data.

Remote Virtual Desktop Software

Appropriately configured remote virtual desktop software helps keep organisational data in the organisation’s data centre and not stored on devices, while still enabling employees to access organisational data and applications.

Additional Information

ASD’s ISM advises that unclassified FOUO/Sensitive data or classified data exchanged during the entire remote virtual desktop session must be encrypted using ASD-approved encryption.

ASD’s experience is that remote virtual desktop software does not necessarily keep organisational data in the data centre or prevent such data being transferred to and from devices. Some remote virtual desktop software contains functionality to deliberately enable organisational data to be copied to and from devices, including the ability for malware on devices to be introduced into the remote virtual desktop as shown in Figure 3 below.

[Figure 3: screenshot of an Android device’s file system and removable media being accessed from within a remote virtual desktop running Microsoft Windows]

Figure 3. In this example, an employee is accessing their Android device’s file system and removable media from within the remote virtual desktop running Microsoft Windows. The employee is able to copy organisational data to their device, and introduce malware into the remote virtual desktop. This employee behaviour results in a less stringent audit trail than if email was used to extract organisational data or to introduce malware.

There are a variety of ways in which organisational data might leak out of the remote virtual desktop and be stored unprotected on devices. Risk management controls to help mitigate such data leakage include:

The following impacts of remote virtual desktop software should be considered prior to implementation:

Mobile Device Management

Mobile Device Management configures and audits devices, including enforcing aspects of the policy such as:

Additional Information

ASD’s ISM advises that mobile devices accessing unclassified FOUO/Sensitive data or classified data:

Using Mobile Device Management to enforce an organisation’s unreasonably strict policy, especially when the employee is not using their device for work-related purposes, might negatively affect the employee’s user experience.

Organisations considering using Mobile Device Management need to determine whether the vendor has access to sensitive data such as a device’s unlock passphrase.

Multi-factor Authentication

Multi-factor authentication helps mitigate an adversary accessing organisational systems by using compromised employee corporate account credentials.

Additional Information

ASD’s ISM advises that multi-factor authentication must be used for remote access to government systems.

Employees should log off organisational systems when finished, so that multi-factor authentication is required to regain access. Organisational systems should be configured to log users off after an idle timeout period.

A physically separate hardware multi-factor authentication token with a time-based value, stored separately to the employee’s device, can provide greater security than a soft token such as an SMS or software application that displays an authentication token value on the employee’s device. If the device is compromised or if its SIM card is reissued to an adversary, the employee’s soft token value can be accessed by the adversary, thereby defeating the multi-factor authentication mechanism.

Using multi-factor authentication doesn't completely mitigate the risk of typing a corporate passphrase into an untrustworthy device. An adversary might obtain the employee’s corporate passphrase when the employee types it into a compromised device. The adversary could then use this passphrase during a subsequent intrusion, for example by gaining physical access to a corporate workstation and simply logging in as the employee.

Alternatively, the adversary could use a spear-phishing email to compromise any employee’s workstation on the corporate network and use the previously obtained passphrase to access sensitive data on network drives.

To help mitigate this risk, either require multi-factor authentication for all employee logins including logins to corporate workstations in the office, or require that corporate passphrases entered by employees into untrustworthy devices are different to corporate passphrases entered into corporate workstations in the office.

Encryption of Data in Transit

Encrypting data in transit helps mitigate organisational data being accessed by an adversary who has access to a device’s network communications. Such access might result from the use of a Wi-Fi access point that is unencrypted, or the use of any networking infrastructure that is not controlled by the organisation and is therefore considered untrustworthy.

Additional Information

ASD’s ISM advises that ASD-approved encryption must be used to encrypt unclassified FOUO/Sensitive data or classified data in transit over untrustworthy network infrastructure. For example, data sent over an untrusted network such as the Internet could be protected by using ASD-approved encryption implemented via a Virtual Private Network or remote virtual desktop software. ASD-approved Wi-Fi Protected Access 2 (WPA2) could be used for protecting data that only requires protection when exchanged between a device and an organisation’s Wi-Fi access point.

ASD’s ISM advises that split tunnelling must be disabled on devices supporting this functionality when accessing an organisational system via a Virtual Private Network.

Remote Tracking, Locking and Wiping

Remote tracking helps to recover a device that has been lost or stolen.

Remote locking and wiping helps to protect organisational data on a device that has been lost, stolen, or de-provisioned including when the employee ceases employment.

Additional Information

The consequences of wiping an employee’s personal data can be reduced by educating employees to regularly backup their personal data or by using managed separation to avoid wiping personal data in the first place.

Attempting to remotely track, lock or wipe a device that is not network accessible will fail. For example, remote wipe functionality is circumvented if the thief configures the device for ‘aeroplane mode’, which can easily be done from the locked screen of some devices such as a Nexus 7 tablet running Android version 4.2.2 Jelly Bean.

Successfully remotely wiping a device provides the organisation with a false sense of security if the data has already been accessed or copied by the person who found or stole the device.
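The two failure modes just described (a wipe that never reaches the device, and a wipe that succeeds only after the data was already copied) are invisible if the organisation records only that a wipe command was sent. The following is an added example, not part of the ASD document or of any Mobile Device Management product: a small tracker that records when a loss was reported, when the wipe was queued and when the device confirmed it, and reports which devices must be treated as exposed. The 24-hour threshold and the constructed timeline of four devices are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Assumed threshold: if a wipe has not been confirmed within this window of
# the loss being reported, treat the data on the device as exposed.
ASSUME_EXPOSED_AFTER = timedelta(hours=24)


def parse_timestamp(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class WipeTracker:
    """Tracks lost-device reports, queued wipe commands and device
    acknowledgements so that 'wipe sent' is never mistaken for 'data protected'."""

    def __init__(self):
        self.reported_lost = {}   # device_id -> time the loss was reported
        self.wipe_sent = {}       # device_id -> time the wipe command was queued
        self.wipe_acked = {}      # device_id -> time the device confirmed the wipe

    def report_lost(self, device_id, when_iso):
        self.reported_lost[device_id] = parse_timestamp(when_iso)

    def send_wipe(self, device_id, when_iso):
        self.wipe_sent[device_id] = parse_timestamp(when_iso)

    def ack_wipe(self, device_id, when_iso):
        # Only a device that is network accessible can acknowledge; a device in
        # aeroplane mode or with its SIM removed never reaches this point.
        self.wipe_acked[device_id] = parse_timestamp(when_iso)

    def status(self, device_id, now_iso):
        """One of: 'wiped', 'wiped_after_exposure_window', 'pending',
        'unreachable_assume_exposed'."""
        now = parse_timestamp(now_iso)
        lost = self.reported_lost[device_id]
        acked = self.wipe_acked.get(device_id)
        if acked is not None:
            # The data was exposed between the loss and the confirmed wipe.
            if acked - lost <= ASSUME_EXPOSED_AFTER:
                return "wiped"
            return "wiped_after_exposure_window"
        if now - lost > ASSUME_EXPOSED_AFTER:
            return "unreachable_assume_exposed"
        return "pending"

    def report(self, now_iso):
        """Counts per status plus the devices whose data should be treated as
        exposed, which need credential resets and an investigation rather than
        a tick in the 'wiped' column."""
        statuses = {d: self.status(d, now_iso) for d in self.reported_lost}
        counts = {}
        for s in statuses.values():
            counts[s] = counts.get(s, 0) + 1
        exposed = sorted(d for d, s in statuses.items()
                         if s in ("unreachable_assume_exposed", "wiped_after_exposure_window"))
        return {"statuses": statuses, "counts": counts, "treat_as_exposed": exposed}


def build_sample_tracker():
    """Constructed timeline of four lost devices (not real incident data)."""
    t = WipeTracker()
    for dev in ("dev-A", "dev-B", "dev-C"):
        t.report_lost(dev, "2013-06-10T08:00:00Z")
        t.send_wipe(dev, "2013-06-10T08:05:00Z")
    t.ack_wipe("dev-A", "2013-06-10T08:06:00Z")   # confirmed within minutes
    t.ack_wipe("dev-C", "2013-06-11T20:00:00Z")   # confirmed 36 hours later
    t.report_lost("dev-D", "2013-06-12T06:00:00Z")
    t.send_wipe("dev-D", "2013-06-12T06:01:00Z")
    return t


if __name__ == "__main__":
    print(build_sample_tracker().report("2013-06-12T08:00:00Z"))
```

The exposure window is measured from the time the loss was reported, not from when the wipe was queued, because the data was at risk from the moment the device left the employee's control; where managed separation is in use, the same tracker can be applied to the wipe of the managed container alone.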

Low Privileged Corporate User Accounts

Using corporate user accounts with reduced privileges and limited access to sensitive data helps mitigate an adversary accessing sensitive data by using compromised employee corporate account credentials or a compromised device.

Additional Information

ASD’s ISM advises that privileged accounts should not be allowed to remotely access organisational systems containing unclassified FOUO/Sensitive data or PROTECTED data.

Provide a secondary corporate user account, which has reduced privileges and limited access to sensitive data, to employees who either:

Network Architecture Controlling Access to Organisational Data and Systems

Network Access Control helps to implement contextual security to determine if an employee attempting to access organisational data should be permitted based on:

Devices that don't comply with security policy can be quarantined to have limited Internet access but no access to organisational systems.

Devices simultaneously connecting to the organisation’s network and an additional network via 3G/4G or Wi-Fi can bridge the two networks, thereby creating an additional, unmonitored Internet gateway on the organisational network that bypasses the controls applied at the organisation’s sanctioned gateway.

Risk management controls to help mitigate this include:

The network flow of sensitive data to devices can be limited by using mechanisms such as Enterprise Rights Management or Data Loss Prevention solutions, for example to prevent a device downloading an email from the organisation’s email server if the email or attachment contains specific keywords indicating sensitive data.
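The keyword-based filtering described in the paragraph above, as an added example written for this page (it is not code from the ASD document or from any particular DLP product): a Python check that parses a message, scans the subject, body and every attachment for protective markings, and returns a release decision. The marker list, addresses and message contents are constructed for illustration.

```python
"""Keyword-based check of mail before it is released to a mobile device.

Added example, not from the ASD document. The marker list, addresses and
message contents are constructed for illustration; a real DLP deployment
would take markers from the organisation's classification policy and parse
document formats (DOCX, PDF) instead of scanning raw attachment bytes.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Protective markings treated as indicators of sensitive data (assumption).
SENSITIVE_MARKERS = ("PROTECTED", "FOUO", "SENSITIVE")

# Whole-word, case-insensitive match so "protectedmode" is not a hit.
_MARKER_RE = re.compile(
    r"\b(" + "|".join(re.escape(m) for m in SENSITIVE_MARKERS) + r")\b",
    re.IGNORECASE,
)


def _part_text(part) -> str:
    """Decode one MIME leaf part to text for scanning.

    Binary attachments are decoded as latin-1 so embedded ASCII markers are
    still found; compressed formats would need a format-aware extractor.
    """
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    charset = part.get_content_charset() or "latin-1"
    try:
        return payload.decode(charset, errors="replace")
    except LookupError:  # unknown charset label in the header
        return payload.decode("latin-1", errors="replace")


def scan_message(raw: bytes) -> Dict[str, object]:
    """Return {'allow': bool, 'hits': [(location, MARKER), ...]}.

    Every leaf part is scanned, including attachments, because the body of a
    message is often innocuous while the attachment carries the marking.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[Tuple[str, str]] = []
    for m in _MARKER_RE.finditer(str(msg.get("Subject", ""))):
        hits.append(("header:Subject", m.group(1).upper()))
    for part in msg.walk():
        if part.is_multipart():
            continue
        location = part.get_filename() or part.get_content_type()
        for m in _MARKER_RE.finditer(_part_text(part)):
            hits.append((location, m.group(1).upper()))
    return {"allow": not hits, "hits": hits}


def build_sample(subject: str, body: str,
                 attachment: Optional[bytes] = None) -> bytes:
    """Construct a test message (not real organisational mail)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.gov.au"
    msg["To"] = "bob.mobile@example.gov.au"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "clean": build_sample("Lunch", "See you at noon."),
        "marked body": build_sample(
            "Agenda", "Classification: PROTECTED\nBudget figures to follow."),
        "marked attachment": build_sample(
            "Minutes", "Attached.", b"FOUO - not for public release"),
    }
    for name, raw in samples.items():
        print(name, scan_message(raw))
```

Keyword matching is a blunt instrument: a marker such as SENSITIVE occurs in ordinary prose, so expect false positives, and a marking inside a compressed or encrypted attachment is not visible to a byte scan at all. That is why the document pairs this control with device-side measures rather than relying on it alone.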

Operating System Exploit Mitigation Mechanisms

Limit devices on the shortlist to those devices with operating system exploit mitigation mechanisms such as:

User-reliant Risk Management Controls

The following technical controls and policy controls to manage risk rely on employees complying with policy.

Regular Backups of Work Data

Obtain written employee agreement to regularly backup work-related data created or modified on their device, only to backup servers specified by the organisation. This helps mitigate an employee’s work being lost due to sudden cessation of employment or their device being damaged, lost or stolen.

Access to Emails, Files and Other Data of Archival Significance

Obtain written employee agreement to ensure that work-related data of archival significance is accessible to the organisation. This involves employees using their work email account instead of their consumer-grade webmail account, and using corporately-managed file storage instead of storing files locally or in consumer-grade cloud storage. This helps mitigate:

Avoid Unauthorised Cloud Services for Data Backup, Storage or Sharing

Obtain written employee agreement to avoid exposing sensitive data to consumer-grade cloud services used for webmail, data backup, data storage or data sharing.

Additional Information

Some consumer-grade cloud storage and sharing services automatically sync between an employee’s devices, potentially copying sensitive data to a device that has not been approved to handle such data.

To facilitate the authorised exchange of data between devices, the organisation might need to arrange employee access to a corporately managed and remotely accessible file storage and sharing capability, hosted in-house or by a trusted third party.

Strong Passphrase Configuration Settings

Obtain written employee agreement to use strong passphrases and associated configuration settings.

Obtain written employee agreement to avoid configuring their device’s operating system or applications to remember organisational authentication credentials such as corporate passphrases used to access organisational systems.

Additional Information

Recommended device configuration settings, based on the sensitivity of data being accessed or stored, are provided by ASD’s ISM, device consumer guides and device hardening guides. ASD’s iOS Hardening Configuration Guide (PDF) advises the following configuration settings for iOS devices that access or store PROTECTED data:

Security Incident Reporting and Investigation

Obtain written employee agreement to immediately report security incidents and cooperate with security and legal investigations including providing the organisation with access to their device for forensic analysis.

Additional Information

ASD’s ISM advises that employees must be directed to report security incidents to the organisation as soon as possible.

Security incidents requiring reporting include a device suspected of being infected with malware or otherwise compromised, as well as device loss or theft. Additional activities, while not necessarily considered to be security incidents, that need to be reported by the employee to the organisation include de-provisioning a device for sale or passing to a family member, or the employee ceasing employment.

An organisation’s cyber security team requires plans and procedures to respond to security incidents, for example disabling and monitoring the employee’s organisational accounts including Virtual Private Network and remote access accounts, as well as remotely tracking the device and wiping organisational data if appropriate.

Organisations permitting the use of personally-owned devices are accepting the residual risks of their use, such as any potential security incidents or consequences of legal proceedings including electronic discovery for litigation cases and freedom of information requests. Therefore, organisations need to ensure that they have risk management controls to prevent and respond to security incidents and legal investigations. Organisations should not assume that ASD or CERT Australia have the legal authority and resources to assist with performing incident response or forensic analysis that involves personally-owned devices.

A security or legal investigation might require an employee to temporarily surrender their device, which the employee might refuse unless required by law, for example due to law enforcement having evidence of a crime to warrant seizing the device. Organisations that perform appropriate logging and regular backups of work-related emails and files are better placed to conduct electronic discovery or other investigations involving employees who refuse to cooperate or who have departed the organisation.

Avoid Jailbreaking and Rooting

Obtain written employee agreement to avoid jailbreaking or rooting their device to circumvent the protective security controls implemented by the device’s vendor, which might result in the device being unmanageable by the organisation and easily compromised.

Employee Education to Avoid Physical Connectivity with Untrusted Outlets or Devices

Educate employees to avoid allowing connectivity between their device and either a potentially malicious charging outlet or an untrusted device.

Employee Education about Bluetooth, Near Field Communication and Quick Response Codes

Educate employees to avoid:

Additional Information

ASD’s ISM advises that devices storing or accessing unclassified FOUO/Sensitive data or classified data:

Employee Education to Avoid Installing Potentially Malicious Applications

Educate employees using devices that have an official application marketplace to:

Educate employees using devices that don't have an official marketplace to obtain software from the official website of mainstream vendors.

Employee Education to Avoid Being Victims of Shoulder Surfing

Educate employees to avoid sensitive data on their device’s screen being visible to either:

Additional Information

Using a privacy filter on a device’s screen might negatively impact the device’s touch functionality.

Employee Education to Avoid Common Intrusion Vectors

Educate employees to avoid:

Additional Information

ASD’s ISM advises that all personnel who have access to an organisational system must have sufficient information security awareness and training including an awareness of the social engineering threat.

Security Patches

Obtain written employee agreement to apply all vendor security patches for the operating system and applications as soon as patches are available from the vendor.

Additional Information

ASD’s ISM advises that mobile devices permitted to access unclassified FOUO/Sensitive data or classified data should have security updates applied as soon as vendor patches become available.

Historically, Apple has provided iOS devices with security patches for at least two years from device availability, enabling employees to use devices supported with patches for the duration of their contract with their telecommunications carrier.

Microsoft has stated that, for Windows Phone 8, they will support every device with over the air updates for at least 18 months from the launch of that device, though the availability of updates will vary. Microsoft’s lifecycle policy for Windows RT, including the support time period for security updates, is to be communicated when available.

It is comparatively straightforward to apply security patches to some Android devices that don't have third party additions or modifications to baseline Android code. However, applying security patches to other Android devices might be challenging due to the cooperation required from the device’s hardware manufacturer and the employee’s telecommunications carrier to tweak, test and distribute updates. Some hardware manufacturers and telecommunications carriers might focus their efforts on developing and selling newer devices rather than maintaining the security of the employee’s current device, even if the employee is forced to continue using their current device due to a contract with the telecommunications carrier. Some devices are immediately ‘orphaned’ and never receive updates. In addition to vulnerabilities in baseline Android code, some vulnerabilities are introduced by device hardware manufacturers.

Some cheaper Android devices have the bare minimum hardware specifications required to run the version of the operating system shipped with the device, and might not be suited to running newer major versions of the operating system that require additional memory or processing power. Patching vulnerabilities in the operating system running on such devices might be challenging for patches that are only available in newer major versions of the operating system and are not backported to current and previous operating system versions.

Case Study

In 2012, an ASD employee purchased a brand new Android smartphone. The employee subsequently discovered that on the day the smartphone was sold, it contained a vulnerability that at the time had been publicly known for over seven months. The smartphone’s hardware manufacturer and the employee’s telecommunications carrier did not make a patch available.

To demonstrate a targeted intrusion, the smartphone was deliberately compromised by exploiting this vulnerability. The compromise enabled the microphone to be surreptitiously turned on to record nearby audio conversations and the recordings to be transmitted to an adversary over the Internet.

This demonstration highlighted some consequences of organisations permitting the use of devices with publicly-known vulnerabilities that the employee is unable to patch. As of May 2013, over 18 months after the vulnerability was publicly disclosed, a patch hasn't been made available via the hardware manufacturer and telecommunications carrier.

Ownership of Intellectual Property and Copyright

Obtain written employee agreement that the organisation retains ownership of intellectual property and copyright of work performed on a formally assigned task that the employee is paid to perform, regardless of whether the employee performs the work on their device or outside of traditional business hours.

Encryption of Data at Rest

Obtain written employee agreement to use full device encryption to help mitigate organisational data being accessed by an adversary who has physical access to a lost or stolen device.

Additional Information

ASD’s ISM advises that devices without ASD-approved encryption should not store unclassified FOUO/Sensitive data and must not store classified data.

ASD’s ISM advises that ASD-approved encryption should be used to encrypt a device’s internal storage and any removable media.

Full device encryption doesn't limit which applications can access or spread organisational data stored on the device. Therefore, its effectiveness relies upon the use of additional complementary risk management controls.

Encryption needs to be active when the device is not in use. Depending on the type of device, the effectiveness of encrypting a device’s internal storage might be reduced if the device is lost or stolen while it is in sleep mode or powered on and screen locked, because the decryption keys can remain in memory and the storage remains unlocked behind only the screen lock.

Using software-based encryption might negatively impact the employee’s user experience.

Microsoft has stated that Windows Phone 8 has full internal storage encryption, and that although removable media such as SD cards are not encrypted, they are only able to store music, videos, photos and e-books.

Apple’s iPad, iPhone 3GS and later models use hardware-based cryptographic acceleration for protecting data.

BlackBerry devices support native encryption of internal storage and removable media.

Android version 3 Honeycomb introduced full device encryption, though depending on a device’s manufacturer, third-party software might be required to encrypt removable media.

Cryptographic implementations that have not been evaluated by ASD are unsuitable for protecting classified Australian government data.

Avoid Printing via Untrusted Systems

Obtain written employee agreement to avoid printing sensitive data via untrusted printers outside of the office such as from home, an airline lounge, a hotel or an Internet café. Otherwise, sensitive data might be exposed to third parties due to printers or print servers storing a cached copy of printouts, or printouts being accidentally left on the printer.

Personal Firewall

Obtain written employee agreement to use a personal firewall to help mitigate devices becoming compromised, by limiting the exposure of network accessible services and controlling which applications can access the network.

Additional Information

This risk management control is not applicable to some devices, such as those running iOS, that don't expose personal firewall functionality and avoid using network accessible services. Some devices, such as those running Android, use an inbuilt application permission mechanism to control which applications are able to access the network.

Appendix D: Corporately Approved and Managed Devices for Highly Sensitive Data

This appendix provides guidance to manage risks associated with Scenario D. This scenario involves devices with a hardware model and operating system version that:

For Australian government agencies, highly sensitive data is defined for the purpose of this document as data up to PROTECTED.

The comprehensive risk management controls might restrict the device’s functionality to an extent that would overly frustrate an employee using a personally owned device. Therefore, devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Devices on the shortlist might be limited to smartphones and tablets that are part of a single vendor’s ecosystem due to the required compatibility with risk management controls. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately-approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix C which covers devices from a corporately-approved shortlist using a corporately-managed mechanism to access and potentially store sensitive data. Risk management controls in Appendix C that an organisation considers unnecessary to protect sensitive data are likely to be necessary to protect highly sensitive data. High level objectives associated with the example scenario in Appendix D also include maintaining the confidentiality of highly sensitive data.

Corporately-Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Device Selection

Limit devices on the corporately-approved shortlist to those devices that are evaluated by ASD and are configured as per ASD’s consumer guides and device hardening guides. Prefer devices that have an application marketplace with a good history of curation to exclude malware, for example by analysing applications for suspicious behaviour, requiring applications to be cryptographically signed by a trusted authority instead of a self-signed certificate, and performing adequate verification of the identity of application developers.

Mobile Application Management and Enterprise Application Stores

Mobile Application Management enables the organisation to inventory, install, update and remove applications and associated data on devices.

Using an enterprise application store enables the organisation to distribute and manage applications developed by the organisation, and vet third party applications to determine their potential to expose highly sensitive data.

Additional Information

ASD’s ISM advises that employees should be prevented from installing unapproved applications that can access unclassified FOUO/Sensitive data or classified data.

The use of Mobile Application Management and enterprise application stores is a more reliable approach to avoiding the use of applications that might expose highly sensitive data, than simply relying on anti-malware software and employees to read user reviews and ratings before installing or updating applications. Whitelisting permitted applications and updated versions of these applications, or less preferably attempting to identify and blacklist every malicious or undesirable application, helps mitigate devices running applications that either:

Some vendor implementations of Mobile Application Management also include functionality to effectively place an application into its own managed container by wrapping it with security policy. Such security policies include:

Mobile Application Management might not be able to block powerful web applications that are written in HTML5 and run within the web browser.
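The allowlisting approach described under Device Selection and Mobile Application Management above, as an added example written for this page (not code from the ASD document or from any MAM product): a Python evaluation of a device’s installed applications against an allowlist of approved packages, approved versions and pinned signing-certificate fingerprints. It assumes a hypothetical inventory export from a MAM tool; every package name, version and fingerprint below is constructed.

```python
"""Allowlist evaluation for applications installed on a managed device.

Added example, not from the ASD document. Assumes a hypothetical inventory
export from a Mobile Application Management tool giving, per app, the
package identifier, installed version and SHA-256 fingerprint of the
signing certificate. All identifiers and fingerprints below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InstalledApp:
    package: str          # Android package name or iOS bundle identifier
    version: str          # installed version string
    signer_sha256: str    # SHA-256 fingerprint of the signing certificate


@dataclass(frozen=True)
class AllowlistEntry:
    versions: Tuple[str, ...]   # versions approved after vetting; updates are
                                # added explicitly, not approved by default
    signer_sha256: str          # pinned signing certificate fingerprint


VERDICTS = ("approved", "not_allowlisted", "signer_mismatch",
            "version_not_approved")


def evaluate(inventory: List[InstalledApp],
             allowlist: Dict[str, AllowlistEntry]) -> Dict[str, List[str]]:
    """Classify each installed app against the allowlist.

    The signer check runs before the version check: a repackaged copy of an
    approved app (same package name, different signing key) can claim any
    version string, so a version match alone proves nothing.
    """
    result: Dict[str, List[str]] = {v: [] for v in VERDICTS}
    for app in inventory:
        entry = allowlist.get(app.package)
        if entry is None:
            result["not_allowlisted"].append(app.package)
        elif app.signer_sha256.lower() != entry.signer_sha256.lower():
            result["signer_mismatch"].append(app.package)
        elif app.version not in entry.versions:
            result["version_not_approved"].append(app.package)
        else:
            result["approved"].append(app.package)
    return result


def device_compliant(result: Dict[str, List[str]]) -> bool:
    """A device is compliant only when every installed app is approved."""
    return all(not result[v] for v in VERDICTS if v != "approved")


# Constructed fingerprints (not real certificates).
VENDOR_A = "a1" * 32
VENDOR_B = "b2" * 32
UNKNOWN_SIGNER = "ff" * 32

SAMPLE_ALLOWLIST = {
    "au.gov.example.mail": AllowlistEntry(("2.3.0", "2.3.1"), VENDOR_A),
    "au.gov.example.docs": AllowlistEntry(("1.0.4",), VENDOR_A),
    "com.example.pdfreader": AllowlistEntry(("7.2.0",), VENDOR_B),
}

SAMPLE_INVENTORY = [
    InstalledApp("au.gov.example.mail", "2.3.1", VENDOR_A),        # approved
    InstalledApp("au.gov.example.docs", "1.0.4", UNKNOWN_SIGNER),  # repackaged?
    InstalledApp("com.example.pdfreader", "6.9.0", VENDOR_B),      # unvetted version
    InstalledApp("com.example.cloudsync", "3.1.0", VENDOR_B),      # not on list
]

if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_INVENTORY, SAMPLE_ALLOWLIST)
    for verdict, packages in verdicts.items():
        print(f"{verdict}: {packages}")
    print("compliant:", device_compliant(verdicts))
```

The point of pinning the signer is the second inventory entry: the package name and version match the allowlist exactly, and a name-based blacklist would never flag it, yet it is signed by an unknown key and so is treated as unapproved. Versions are listed explicitly so that an update is vetted before it is permitted, which is the whitelisting behaviour the document prefers over attempting to blacklist every undesirable application.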