UK government provides advice to CIOs grappling with BYOD
Need help assessing the strengths and weaknesses of commercial mobility platforms for your enterprise but can't bear the expense of hiring a consultant or purchasing a pricey analyst report?
Look no further than our friends across the pond.
The United Kingdom's Communications-Electronics Security Group, the central government agency that serves as the country's technical authority for information assurance, publicly released a suite of documents that could greatly benefit enterprise CIOs.
The agency issued documents detailing security guidance for the following mobile platforms:
- Android 4.2
- Samsung devices with Android 4.2
- BlackBerry 10.1 (EMM Corporate)
- BlackBerry 10.1 (EMM Regulated)
- Apple iOS 6
- Windows Phone 8
Each platform is assessed against 12 security recommendations, including authentication, application whitelisting, device update policy and assured data-at-rest protection. The platform-specific reports also recommend methods CIOs can employ to satisfy these security recommendations should a platform fall short in a given category.
The virtual private network is one significant risk of using Android 4.2, say the report authors: the platform's VPN has not been independently assured to "foundation grade," and it does not support some of the UK's requirements for assured VPNs.
"Without assurance in the VPN there is a risk that data transiting from the device could be compromised," according to the report.
A chief concern when using Apple iOS 6 is that applications must opt in to the various data encryption classes on a per-file basis, with the exception of its mail app.
"Files other than e-mail and attachments will not be encrypted when the device is locked, and could be extracted without knowledge of the password, using a vulnerability in the platform," write report authors.
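The per-file opt-in the report describes looks like this in app code. This is an added illustration written for this article, not code from the CESG report or from Apple; the two write helpers and the audit helper are hypothetical names, and the paths are whatever the app chooses.

```objectivec
#import <Foundation/Foundation.h>

// Weak: no protection class requested. The file stays readable whenever the
// filesystem is mounted, including while the device is locked, which is the
// exposure the report warns about for non-mail data.
BOOL writeUnprotected(NSData *data, NSString *path, NSError **error) {
    return [data writeToFile:path options:NSDataWritingAtomic error:error];
}

// Hardened: opt in to NSFileProtectionComplete for this file. Its per-file key
// is discarded from memory when the device locks and is only restored after the
// user enters the passcode, so a locked device cannot hand the plaintext over.
BOOL writeProtected(NSData *data, NSString *path, NSError **error) {
    NSDataWritingOptions opts = NSDataWritingAtomic | NSDataWritingFileProtectionComplete;
    return [data writeToFile:path options:opts error:error];
}

// Audit helper: read the protection class back from the file's attributes so a
// test or a security review can confirm the opt-in actually took effect
// (expected value for the hardened path: NSFileProtectionComplete).
NSString *protectionClassOf(NSString *path, NSError **error) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSDictionary *attrs = [fm attributesOfItemAtPath:path error:error];
    return attrs[NSFileProtectionKey];
}
```

Because the class is set per file, a review has to check every file an app persists, not just the ones it writes first; an unchecked write anywhere in the code base leaves that file in the weaker state.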
BlackBerry 10.1, both corporate and regulated, does not have dedicated hardware to protect its keys.
"If an attacker can get physical access to the device, they can extract password hashes and perform an offline brute-force attack to recover the encryption password," say the report authors.
The extensive per-platform reports detail many considerations for enterprises allowing their workforce to use these devices.
Among other takeaways from the reports (15 in all, published Oct. 14) is the conservative advice that UK government agencies avoid allowing employees to bring their own devices at all.
The agency argues that device management must be applied at the time of provisioning to ensure a "known good" state before accessing the network. This scenario is extremely rare in the case of BYOD because "provisioning" is when an employee purchases his personal smartphone or tablet.