The rapid growth of enterprise mobility and a growing reliance on BYOD means most enterprises have to deal with the challenge of keeping corporate data on unmanaged mobile devices secure. Clearly, there is a balance to be struck between employee privacy, mobility, usability and corporate security. But while control and visibility are normally synonymous with good security, in the mobile security use case, these factors can have unintended side effects.
In a bid to gain visibility and control over the mobile devices connecting to their enterprise networks, many firms have turned to Mobile Device Management (MDM) software. However, there are downsides to taking this approach. MDM solutions require the installation of a software agent on each personal computing device, whether that device is privately owned by an employee or owned by the firm. The installation of agent-based MDM tools on mobile devices creates a new and unexpected challenge around the issue of end-user privacy and data protection.
Most employees understand that by enabling MDM software on their personal devices, they are surrendering at least some control over data to their employer. What most people and businesses do not realise is the extent to which this is the case. In a week-long experiment, Bitglass set out to test the extent to which MDM could be used to monitor and control users' smartphones and tablets without their knowledge.
Everyone participating in the trial gave permission for the IT team to push MDM certificates to their devices, a practice commonly used to route data through the corporate network via a VPN or global proxy. In just seven days, the MDM software gathered a range of information about employees' interests, activities, identity and relationships. The findings should serve as a wake-up call for firms gearing up to comply with the EU General Data Protection Regulation (GDPR), which gives employees more control over their personal data.
But first, let's review what information was accessed during the experiment:
- By routing traffic through a global proxy, we were able to capture employee browsing activity. Access to their web history meant we could see everything, from their Amazon product searches to sensitive healthcare queries and even political affiliations and interests.
- Our researchers were able to break SSL encryption, using a global proxy and trusted certificate. By re-routing SSL-based traffic unencrypted, we gained access to users' personal email inboxes, their social networking accounts and banking information. In other words, all secure logins were exposed as usernames and passwords used to log into sensitive accounts were transmitted to our server in plain text.
- Our ability to monitor outbound and inbound private communications using MDM extended to third-party apps – even on iOS, where some believe app sandboxing limits employer visibility into user behaviour. That meant we could intercept personal communications sent through apps such as Gmail and Messenger – and take an inventory of all apps installed on an employee's device.
- Most employees were aware administrators can easily track managed devices via GPS. But few realised this data could be used to monitor their behaviour. Our research team was able to force GPS to remain active in the background without notifying the user, draining battery power in the process. In this way, we could review the location and out-of-work habits of employees – where they went after work or travelled on weekends, how frequently they visited the supermarket, and more.
- MDM's remote wipe capabilities represent a particular concern to employees, many of whom store personal contacts, notes and other data on their personal-turned-managed devices. Our team was able to utilise MDM to restrict backups, making a restore from iCloud or similar service impossible, leaving employees little recourse when trying to retrieve lost data.
- The research team was also able to use MDM to restrict core device functionality to lock down and secure devices, limiting user access to camera, apps like FaceTime on iOS and basic features like copy and paste.
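Each capability listed above is granted by a payload in the configuration profile the MDM pushes to the device, so the profile itself is the place to check what a user is actually consenting to. The following audit script is an added example, not Bitglass's tooling: it parses a constructed iOS-style `.mobileconfig` (XML plist) and flags the payloads that correspond to the findings above (global HTTP proxy, added root CA, and restrictions such as disabled iCloud backup, camera and FaceTime). The payload type identifiers and restriction keys are Apple's standard ones; the profile contents and host name are made up for the example.

```python
import plistlib

# Constructed sample profile (not from the article). Payload types and keys
# follow Apple's configuration-profile reference; values are invented.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Corp BYOD</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCloudBackup</key><false/>
      <key>allowCamera</key><false/>
      <key>allowVideoConferencing</key><false/>
    </dict>
  </array>
</dict>
</plist>"""

# Restriction keys (from the Restrictions payload) that map to findings in the article.
RESTRICTIONS = {
    "allowCloudBackup": "iCloud backup disabled: restore after a remote wipe is impossible",
    "allowCamera": "camera disabled",
    "allowVideoConferencing": "FaceTime disabled",
}

def audit_profile(raw):
    """Return a list of privacy-relevant findings for one profile (bytes)."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.proxy.http.global":
            host, port = payload.get("ProxyServer"), payload.get("ProxyServerPort")
            findings.append(f"global proxy: all HTTP(S) traffic routed via {host}:{port}")
        elif ptype == "com.apple.security.root":
            findings.append("extra trusted root CA: with a global proxy, TLS can be intercepted")
        elif ptype == "com.apple.applicationaccess":
            # A key that is absent defaults to allowed; only explicit False is a restriction.
            findings.extend(text for key, text in RESTRICTIONS.items() if payload.get(key, True) is False)
    return findings
```

Running `audit_profile(SAMPLE_PROFILE)` on the constructed profile yields five findings; a profile with an empty `PayloadContent` array yields none, which is what a transparency review under GDPR would want to see documented per payload.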
With GDPR due to come into effect in May 2018, European companies will need to review their approach to BYOD security. Both nation-specific regulations and GDPR emphasise the critical importance of transparency in relation to compliance; in other words, employers will need to make it clear what data they are collecting and how it is stored. Beyond this, organisations will need to walk the privacy line, as employees in the EU have the right to withdraw consent, the right to erasure, and other privacy rights that may be violated if an invasive solution like MDM is deployed.
Implementing a security solution that fails to respect user privacy will see employees simply working around IT security initiatives, for example by refusing to install MDM software or certificates on their own personal devices. For this reason, organisations should look to take a different approach to the BYOD security challenge. Agentless software now exists that can control the flow of data to the device without the user-experience and deployment challenges of an agent. Unlike MDM or MAM solutions, agentless BYOD software can also ensure compliance with a range of regulations and give full visibility and audit capabilities over business data. And because agentless solutions are typically data-centric in nature, they are able to give employees the freedom to access corporate data from any device, without the intrusive privacy implications of MDM.
Contributed by Eduard Meelhuysen, head of EMEA, Bitglass
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.