BYOD Security: Using ABAC to Manage Access to Sensitive Data

Jan 24, 2023

The concept of Bring Your Own Device, or BYOD, has been adopted by organizations wanting to take advantage of its cost and flexibility benefits. BYOD allows employees to use their personal devices, such as smartphones, personal laptops, tablets and USB keys, to connect to their business networks and access work-related resources. But is a BYOD strategy good for security? Along with the benefits come increased BYOD security risks that require mitigation.

BYOD Benefits and Risks

There are a number of benefits offered by BYOD, including reduced operating costs, such as fewer hardware purchases, and lower costs associated with new employee onboarding. Improved employee flexibility is another advantage, as users tend to carry their personal phones and can promptly reply to incoming calls and messages. This can also lead to better responsiveness, productivity and mobility as users will be familiar with their devices and ready to tackle work-related tasks at short notice.

As a result, employees will retain company data on their personal devices, in the form of emails, message contents, file attachments and possibly more. This data may contain confidential intellectual property, company financial data, or a customer’s personal information. Having this information on personal devices poses serious security and compliance risks if not managed properly.

Organizations must consider what steps they are taking to protect confidential data before they implement a BYOD policy and grant their users access to sensitive (e.g., IP, export controlled data, multinational communications) or regulated data assets (e.g., personal or healthcare information) on their personal devices.

Devices at Work or DEVICES for Work?
The BYOD Security Challenge

The adoption of BYOD was well underway long before the pandemic accelerated the trend toward hybrid and remote working, so the challenge of BYOD security is not something new. In 2019 Forbes stated that already over 80% of US-based enterprises allowed employees to use personal devices connected to corporate networks. However, securing BYOD devices remains a challenge for many.

When adopting a BYOD policy, business owners must treat employees’ personal devices like they would a company-issued laptop.

  • The device should have strong authentication, to prevent unauthorized access to company data and applications on the device.
  • A Zero Trust data access policy must be in place to grant the device user access only to the data needed for their role or action.
  • Every device should have a robust malware solution that reduces the risk of devices being attacked, damaged or hijacked by malicious code that could be embedded in received emails, downloaded from visited websites or installed with infected apps.
  • Finally, the company applications should have a good backup and disaster recovery solution in place, so that if the device is compromised, stolen or damaged, your important company data is still protected and can be recovered.

Most company-issued laptops are subject to this type of scrutiny and protection before they are issued to employees. After all, data is one of your company’s most valuable assets, so why would employees’ personal devices not be held to the same standard?

MDM: Play in your Own Sandbox

Since the introduction of BYOD, many solutions have been adopted to manage company data on external devices and protect against unauthorized access and distribution. Mobile device management (MDM) is a proven method for BYOD device management. MDM is usually deployed as a managed software solution for employee devices. It then applies policies to manage access to company applications and secure data stored on the device.

These policies can enforce robust authentication, restrict the type of apps that are installed on the device and manage how the data is used. Sophisticated MDM solutions can also enforce secure data management by moving sensitive data into an encrypted sandbox. This method ensures that other applications installed on the device do not have access to company data. A sandbox can also be securely wiped when the device owner no longer has need of it (such as when an employee has changed roles or left the organization).

One of the main challenges for deploying an MDM platform is time and resource management. A robust MDM deployment requires significant planning, as an organization must consider which BYOD devices will be allowed, which business applications will be accessed, what types of sensitive data the company can permit on employee devices, and which policies will provide an effective security perimeter without impeding user productivity.

Once these questions have been answered and a security policy has been implemented and pushed out to end-user devices, a company must then allocate resources to monitor and implement MDM policy updates. The MDM software must be kept up to date to prevent newly discovered device exploits from compromising company data. A team should also be set up to monitor and act on alerts generated by BYOD devices that are managed by the MDM platform.

ABAC: Dynamic Control at the time of Access

There is another approach to consider, one that is gaining popularity with organizations that allow BYOD because it is easy to implement and does not come at a huge resource cost. Attribute-Based Access Control (ABAC) is a data-centric security model that uses dynamic policies to control who can access sensitive information and under what conditions. ABAC policies use attributes of the data, the user and the user’s environment and, importantly, only allow controlled access if all rules in the policy are met.

Let’s view a simple example of how a single ABAC policy can be used to manage access to confidential data on multiple BYOD devices.

Bethany, a Product Manager, is reviewing new designs for aircraft engine components.

  • Access Scenario 1:
    When Bethany is logged onto her company-issued laptop, in the corporate office, and connected to the company network, she has full access to review the designs and save the approved designs into the Product Team SharePoint site for review.
  • Access Scenario 2:
    That evening, Bethany works from home, using the company laptop, and connects to the remote network via her household WiFi, using a corporate VPN to secure her connection. The ABAC policy identifies that Bethany is not in the office but is using a company device on a secure connection. The sensitive documents are still available for review, but in a read-only format with a watermark that contains her user information and the date and time of access to track the chain of custody.
  • Access Scenario 3:
    The next morning, while Bethany is in line at the coffee shop, her manager replies via email with notes on one of the designs. However, she can no longer view the file in SharePoint as the policy states that confidential intellectual property (IP) can only be viewed on company-issued devices connected to the corporate network.

The single ABAC policy used above ensures that confidential IP is protected across the three interaction scenarios, which took place over a 24-hour period. Dynamic ABAC policies ensure that only the right people can access the right information at the right time, based on the attributes present at the time of access.

Since the policies are applied at the file level, even if the file had been accidentally uploaded into the workspace, the ABAC policy would ensure that the sensitive information is only visible to authorized personnel using approved devices and applications.
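The following is an added illustration, not code from the original post or from NC Protect, of how a single ABAC policy can encode the three Bethany scenarios as one decision function. The attribute names (role, classification, device_managed, network, location), the role allow-list, the decision vocabulary and the watermark format are all assumptions made for this example; it also goes slightly beyond the post by showing the default-deny outcome for a company device on an unsecured public network, which follows from the rule that access is granted only when every condition in the policy holds.

```python
# Added example (not the post's or NC Protect's own code): a minimal
# attribute-based access control decision function for confidential IP.
# Attribute names, role allow-list and watermark format are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    READ_ONLY = "read-only with watermark"
    FULL = "full access"


@dataclass(frozen=True)
class AccessRequest:
    """Attributes gathered at the time of access: user, data, environment."""
    user: str
    role: str
    classification: str   # e.g. "confidential-ip" or "internal"
    device_managed: bool  # company-issued (or MDM-enrolled) device?
    network: str          # "corporate", "vpn", or "public"
    location: str         # "office", "home", or "public"
    action: str           # "read" or "write"


# Roles permitted to see each classification (assumed values); any role not
# listed for a classification is denied before the environment is checked.
ROLE_ALLOWLIST = {
    "confidential-ip": {"product-manager", "engineer"},
    "internal": {"product-manager", "engineer", "contractor"},
}


def decide(req: AccessRequest) -> Decision:
    """Evaluate the policy. Every condition must hold for access to be granted;
    anything not explicitly permitted falls through to DENY."""
    if req.role not in ROLE_ALLOWLIST.get(req.classification, set()):
        return Decision.DENY
    if req.classification != "confidential-ip":
        return Decision.FULL
    # Confidential IP may only be opened on company-issued devices.
    if not req.device_managed:
        return Decision.DENY
    if req.network == "corporate" and req.location == "office":
        return Decision.FULL
    if req.network == "vpn":
        # Trusted device on a secured but remote connection: read-only.
        return Decision.READ_ONLY
    return Decision.DENY  # e.g. company laptop on open coffee-shop WiFi


def watermark(req: AccessRequest, when: datetime) -> str:
    """Text stamped on read-only renderings to record the chain of custody."""
    return f"{req.user} | {req.role} | {when.strftime('%Y-%m-%d %H:%M UTC')}"


def enforce(req: AccessRequest, when: datetime) -> dict:
    """Apply the decision to the requested action; writes require FULL."""
    decision = decide(req)
    allowed = decision is Decision.FULL or (
        decision is Decision.READ_ONLY and req.action == "read")
    record = {"user": req.user, "action": req.action,
              "decision": decision.value, "allowed": allowed}
    if allowed and decision is Decision.READ_ONLY:
        record["watermark"] = watermark(req, when)
    return record  # in a real deployment this record would go to an audit log


# Constructed scenarios mirroring the post's 24-hour story.
SCENARIOS = {
    "1-office": AccessRequest("bethany", "product-manager", "confidential-ip",
                              True, "corporate", "office", "write"),
    "2-home-vpn": AccessRequest("bethany", "product-manager", "confidential-ip",
                                True, "vpn", "home", "read"),
    "3-coffee-shop-phone": AccessRequest("bethany", "product-manager",
                                         "confidential-ip", False, "public",
                                         "public", "read"),
}

if __name__ == "__main__":
    now = datetime(2023, 1, 24, 9, 30, tzinfo=timezone.utc)
    for name, req in SCENARIOS.items():
        print(name, enforce(req, now))
```

Because `decide` returns DENY for anything it does not explicitly permit, adding a new environment (a contractor's unmanaged tablet, a new network type) never silently widens access; the policy has to be extended deliberately to allow it, and the `enforce` record gives the audit trail that the watermark scenario in the post relies on.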

Manage BYOD Security and Access with NC Protect

Employing the ABAC methodology with NC Protect to safeguard data in the M365 suite of applications, SharePoint on-premises and file shares ensures secure information access, usage and sharing across multiple BYOD devices, employees in various company departments, and third-party guests such as partners and contractors.

NC Protect is an agentless solution that is fast to deploy and simple to set up. It is a device-agnostic solution that provides effective data protection on Windows, Mac, Linux, Android and iOS devices. Companies that have invested in MDM solutions to manage their BYOD can also take advantage of NC Protect’s ABAC policies to gain granular control over what users can do with data after access has been granted.

A Microsoft Intelligent Security Association (MISA) partner, NC Protect is integrated with Microsoft’s security technology to better protect sensitive data using Microsoft Purview Information Protection security tools and Microsoft Intune managed devices. Contact us to learn more about how we can help ensure BYOD security of sensitive data.
