
Table of Contents

Abstract
Introduction
Definitions and background
Benefits and challenges
    Benefits
    Challenges
Security risks and their management
    Identification and authentication
    Authorization
    Confidentiality
    Integrity
    Non repudiation
Solutions that exist in market to implement BYOD
Implementation plan
Conclusion
Index and figures
References

Abstract
In this modern age of technological devices (smart phones, tablets, laptops and other advanced gadgets), we see everyday tasks being tackled with the aid of these devices, from basic communication to day-to-day business. These devices are connected to a network so that communication between them is achieved, and a variety of internet service providers worldwide make it their main business to keep these devices connected and to provide them with content and other services. Since technology is always advancing, we see the world shift every year to newly developed devices. Business transactions and other e-commerce activities are now performed on the fly through these devices, as they have technologies such as wireless networking and mobile data access embedded in them and are almost always connected to the internet, with information security being the major problem to be addressed. Software technologies such as Skype allow business meetings and conferences to be held over long distances, addressing the issue of time management and availability of clients.

Introduction
Information exchange, information access and information delivery are at the core of communication, not only for corporate businesses but also for governmental organizations and amongst individuals. With regard to the last board meeting, where the issue of bring your own device was raised, this report gives a thorough treatment of the subject in the following order: what bring your own device is; what benefits (financial or otherwise) it can provide to the company that undertakes it; the risks it poses to the company, specifically to information security, since that is a high priority for a company's success; a detailed discussion of the solutions currently being implemented to make bring your own device succeed; and an implementation plan, should this company want to adopt bring your own device as its strategy for doing day-to-day business.

Definitions and Background


Bring your own device is a popular trend in which employees bring their own devices to work, or to an employer's workplace, to do their jobs, accessing the workplace database, files, email and other resources to accomplish their allocated tasks. These devices connect to these resources mainly through the Wi-Fi provided by the facility or workplace, and access to these resources is authenticated to ensure security and to establish the identity of the person using them, making sure that the resources the company provides are used by its employees only. The concept of bring your own device emerged because people are hungry for the power of technology and the ease of use that modern devices provide. Companies and businesses must adapt to these emerging technological changes to see their success rate increase, but the changes can be expensive to keep up with: having all devices and computers replaced every two years is counterproductive to the growth of a business. Since many people around the world always upgrade to the latest devices, having employees bring their own device to the workplace is an opportunity for the company to save money by letting employees use their own devices to access the company's resources and get its day-to-day business done.

In the United States, research shows that 56 percent of American adults own a smart phone and 43 percent of people older than 16 own a tablet computer. These statistics are only exponentially increasing in most third world developed countries, outlining the reliability and productivity of using these devices. Since maintaining and upgrading smart devices and tablets is counterproductive for companies, why not let employees bring the device they are comfortable with for everyday use in the workplace? As long as the job is done securely and effectively, which device was used should not matter under bring your own device. Network servers and routers can easily be configured to provide access to these devices, and since enterprise servers can be bought in small amounts, upgrading and configuring them would impact the company in a big way. 90 percent of companies think that BYOD will be the norm for companies in the next two years, 84 percent consider it at least somewhat likely that they will have expanded their BYOD options to include multiple devices, and 83 percent hope to have fixed BYOD policies in place within the next two years. See table 1 for employee-owned devices at work in the various countries where BYOD is expanding, and globally. The conventional use of desktops in the workplace is coming to its end.
Most employees access mail and other work-related information on their smart phones and portable devices, and thus use a wide array of technologies to be productive. Work can therefore continue at home, or even before employees reach the workplace, bringing a new dynamic to how employee productivity is addressed. Not only will employees be productive; this also adds excitement and mobility to doing one's job, which can attract young employees and provide many ways for employees to communicate within and outside the work facilities. Although security concerns are on the rise, bring your own device brings cost effectiveness to any company and increases the productivity of its employees.

Cloud computing is yet another technology that has contributed to the success of bring your own device. The ability to virtualize a server and scale it without affecting the end users is a great way to keep employees liable and identified when they access resources. Compromising a virtual server may not bring long-term damage and cost, as it can be scaled or shut down and another secure one easily established. The problem lies in the importance of the data that was compromised, how to recover from the loss, and who is accountable for it.

The trend of bring your own device has thus emerged primarily because of the rate at which technology is growing and improving, and how people are engaging in this advancement and purchasing these devices for everyday use. Many companies cannot keep up with that rate of growth by upgrading to newly designed devices and the accompanying compatible software. Not only is this constant upgrading expensive, it can also put pressure on the expected growth of the company.

Benefits and Challenges


1. Benefits

Bring your own device is an excellent, cost-effective strategy for reducing spending on the gadgets and devices used to access the company's resources and perform job-related tasks within and outside the company's premises, eliminating one of the problems many companies face, namely productivity. Lower costs are realized as employees use their own data plans and mobile billing to make calls individually, forcing the company to focus its finances on other development departments. Many companies spend a lot on getting the latest hardware and software installed on their workstations, cutting their budget short and causing them to even consider retrenchments to account for the spending on these upgraded workstations. This reflects badly on the image of the company, and it is rather better to provide employees with data packages and call plans for their devices to perform their allocated duties.

BYOD not only cuts financial and productivity costs; it also attracts young employees to the company, bringing in fresh minds that will encourage more collaborative working and bring out the true potential of the company. It also creates an employee-friendly environment, with mobility and device friendliness, giving the company a great work space and a proper degree of freedom. This freedom transforms the workplace, letting employees work even when they are not in the work facilities: people can access the company's resources remotely in a cloud and send email back and forth from the comfort of their own space, so work is accomplished anywhere the person sees fit. Employees are forever satisfied with how they perform their work, since they use devices of their own choice. Their information is also kept to themselves, so confidentiality is clearly addressed, since only they can access their devices and know how to access them.
The issue of accountability is also solved, since every employee is liable for their access to the company's resources: if any illegal activity occurs with the company's data assets, the authenticated device will be held liable for any damage. Employees can also easily report any difficulty in remotely accessing the company's resources, as they will be on their own devices, and can have their accounts correctly configured remotely. Work engagement is fully realized, since employees will be happy and satisfied with their work environment. Happy and satisfied employees make for an energetic team of workers, enthusiastic about their job and how they accomplish it. With employees again offered flexibility in where and when they can work, BYOD makes work engagement the least of the company's issues, as electronic mail and smart phones will keep them interconnected and working from wherever they may be. BYOD addresses the issue of connectivity, in that it is much easier and faster to contact a coworker using a smart phone or another modern portable device such as a tablet. Using electronic communication establishes a more positive relationship amongst coworkers than having them talk face to face. Their level of relaxation and affection for their work is much higher, since they use comfortable and familiar devices in their daily work.

A survey conducted by iPass found that employees who use self-owned devices for work and non-work-related purposes put in 240 extra hours of work a year. It also becomes easier for employees or end users to switch to the latest version of software or hardware in time, rather than waiting for the company to upgrade its workstations. BYOD also adds a competitive edge over companies that don't implement it, attracting younger employees and the best employees out there. New employees do not need to be trained to use the system in place, since they are familiar with their own devices, which increases the productivity and efficiency of the employees.

In summary, these are the benefits that the company will realize by implementing BYOD as its strategic business solution:

- Attracting a young pool of employees
- Transforming the workplace
- Improved collaboration amongst coworkers
- Liability for resource access
- Reduced costs and spending on workstations
- Increased productivity
- Employee satisfaction
- Competitive advantage
- Attracting top employees due to the flexibility BYOD offers

2. Challenges

BYOD has fruitful benefits that may see the growth of a company constantly on the rise, but with the benefits come challenges that must be overcome to realize the true success of having BYOD in place. Before addressing the security risks, one needs to consider the policies that must be in place and that employees must adhere to for devices to be used effectively and properly. Compliance with these policies is another problem, since users can access resources remotely and may not follow the rules correctly, or may misuse files, because there is no one to monitor misuse. The challenges lie not only in policy compliance but also in properly distributing the data: how, and at what times, data can be accessed. This must be settled before the question of which methods can be used to access data, so the data storage media must be compatible with the technologies embedded in these devices to allow faster access. Flexibility of work area does not mean that all workplace resources will be available on a 24-hour basis; certain time limits must be enforced, which eliminates the need for night employees to monitor the servers and other services offered by the company, thus cutting costs.

A company populated mostly by older employees may be used to the conventional way of getting the job done on old workstations, since those employees were trained to work on desktops and much older devices. The change might confuse these older employees, and they might request training and even complain about the move from old workstations to modern smart phones and tablets. This might bring about conflict with these older employees, so that multiple device use and synchronization in the workplace have to be considered.

Fixing policy compliance is simply a matter of having a fixed protocol in place, accompanied by consequences for not following it. Rules and time limits must be implemented to govern when and how data and resources are accessed, and media storage can be virtual so that it can easily be updated to keep up with accelerated technological growth. Training can be provided to older and more experienced employees to make them efficient at communicating and synchronizing with coworkers.

In summary, these are the challenges that can be faced with BYOD implementation:

- Compliance with enforced policies
- Compatibility of media storage with modern trends
- What about older, experienced employees?
- Time limits on access
- Providing device choice and support

Security risks and their management


Information security is concerned with the protection of data and with overseeing how this data is accessed. BYOD introduces many security concerns; the security risks of implementing it are discussed here under the five information security services, with a detailed discussion of each as it relates to BYOD. The five information security services are:

1. Identification and authentication
2. Confidentiality
3. Authorization
4. Integrity
5. Non-repudiation

1. Identification and authentication

The problem of identifying who uses the system is a major concern when BYOD is implemented as a company's solution. Since devices can be used flexibly and remotely, we can never have full proof that access to the company's resources comes from an employee of the company, as devices can get stolen or the user can be held hostage and physically forced to retrieve the company's confidential data. The company must therefore have remote revocation capabilities or technologies to terminate access for a device that is stolen. Fingerprinting devices, so that each one can be identified as familiar to the company's network, can be implemented by keeping a database of the devices registered for use on the company's premises; this list must be constantly updated to account for users who upgrade and users who are no longer part of the company.

Authentication to the company's network resources can simply be implemented using a username and password, with usernames being unique and passwords kept secret by the users, so that violations of policy can be accounted for. Users are encouraged to have different passwords for the different resources and systems within the company, so that if a user's password is compromised, not all of the company's systems are compromised and only a portion may be exposed to attack. Passwords may be cracked by dedicated intruders, so system administrators are advised to keep the password file safe and protected from intrusion by encrypting the file and further protecting the database involved.

2. Confidentiality

With BYOD as the method and rule of the workplace, work can be performed outside the company's premises, and employees may use a different communication network to perform job-related tasks and exchange email and other work-related information. With such flexibility and mobility, we can never know who is analyzing and inspecting the network for malicious activity or corporate espionage, and how networks beyond the scope of the company are secured is not the company's priority. A policy therefore has to be enforced within the perimeters of the company advising employees not to exchange company data outside the company's network: communication is encouraged, but data exchange can only be done through the workplace's network. One may argue that antivirus and firewall software is a good way to counter attacks performed on networks beyond the company's scope. But antivirus and firewall protection can only protect the user up to a certain point. Antivirus software must update its database of newly created malicious software, and what happens when a user's antivirus database is not updated in time and the malicious software is already on the internet? The user's device can be compromised, compromising not only the user but also the company's confidential and classified information on the device.

A security model such as Bell-LaPadula may be implemented within the company to categorize files as most highly classified, classified and least classified. Access control can be realized by referencing such a model within the company's security infrastructure, but this can reduce productivity, since a file request from a least classified employee to a highly classified employee may take time to process. Thus a policy must be followed that data can only be exchanged within the company's network, and failure to adhere to it may result in severe consequences. Access control lists may be implemented for file sharing within the company's cloud or database, to give rights only to the people an employee sees fit.

3. Authorization

Firstly, who accesses the company's premises must be established, by giving employees something they possess, such as a smart card. But what happens when a power cut occurs and the employee authorization system is offline; how then do employees get access to their workplace? Yet another problem with smart cards is that they may be stolen or lost, so the result could be authorizing the wrong person or unwanted personnel. Many companies are rapidly moving to authorizing users through what they are, making the field of biometrics grow rapidly. Fingerprint scanning, retina scans, voice recognition and palm scans are popular and are still being developed, but how do these address security for BYOD in terms of authorization? Authorization of the user and of the device must be combined within the company. A device registered with the company must have a user that identifies its owner. Once users access the premises, they must be authorized together with the device they carry, if they carry one, to make sure that only approved devices are in use within the workplace. See table 2 for statistics on the threats BYOD poses to corporate businesses, conducted by the social sciences and business management research, but keep a sharp eye on the lack of control over devices in maximum risk areas.

4. Integrity

Integrity of information means that its contents and form are never altered or changed during its delivery or exchange through any medium. Once the integrity of information or data is compromised, its value can no longer be relied on, since an intruder can change data or alter information for personal gain or to disrupt a business deal that has major implications for the company. BYOD can compromise integrity in a company when an employee leaves their device in the wrong hands of friends or family; installing untrusted software or programs can introduce malware and Trojans that alter how the device works. Policy must again be enforced here: software used to access the company's resources, such as the database, must be approved by the company's information management department. A user who knowingly accesses the company's resources using an unapproved software tool or application puts the company's data assets in danger of intrusion, and such an action must meet proper consequences. Browsing the web and sending mail must be done through a secure network.
Securing the communication methods will also ensure that data is protected and, more importantly, that the integrity of the users and of the company in general is not subject to intrusions and unwanted access. Most companies use Virtual Private Networking (VPN) technology to connect their computers securely and remotely from any location in the world over conventional internet connections. But VPN does not support all the operating systems that exist out there, so VPN for BYOD will not be effective, since most smart phones and tablets have Android as their main operating system, while VPN supports Windows. The OSI model is widely used as a secure model for the transportation of data. It outlines each layer and the services provided layer by layer, ensures security in devices that access the network, and makes sure that the integrity of the data in transit is not tampered with. The OSI layers and their services, taken top down, give insight into how security is implemented from an end user to a server, or from user to user within the network:

1. Application Layer
   Security services provided: authentication, access control, data integrity, data confidentiality, non repudiation

2. Presentation Layer
   Security services provided: data confidentiality

3. Transport Layer
   Security services provided: authentication, access control, data integrity, data confidentiality

4. Network Layer
   Security services provided: authentication, access control, data integrity, data confidentiality

5. Data Link Layer
   Security services provided: authentication, access control, data integrity, data confidentiality

6. Physical Layer
   Security services provided: data confidentiality

One can see that data is protected from its point of creation, through how it is transported, until it reaches its destination. Since the physical layer only provides a confidentiality service, if this service is compromised, having the data encrypted still secures its contents. Encryption thus provides a method of hiding the contents of information being exchanged on the network, making things more difficult for intruders. Using a secure socket layer (SSL) when browsing makes sure that confidential information belonging to users and the company is protected, by encrypting the session in which the user exchanges confidential information, such as internet banking.

5. Non repudiation

Having people be accountable for their actions is vital in the corporate world. Having mechanisms by which anyone can be held to account is thus the first step to non-repudiation. With a BYOD implementation in place, it would be wise for authentication to avoid the use of group passwords, since when one person in a group violates a policy, the entire group would have to be held to account. The use of public key encryption and digital signatures in data exchange and e-commerce activities addresses non repudiation, since everyone has a unique public key, and digital signatures, through the use of message digests, identify or provide a fingerprint of who did what and where. Public keys must be issued by a trusted and known authority, so that the use of public keys is accounted for and we can trust public key encryption as a method of securing our communication within private and public networks.

More generally, among the risks we need to account for loss of data and ways of protecting this data. It is therefore vital that, even though employees bring their own device, they are allocated a fair usage amount of bandwidth; exceeding this bandwidth can only mean that they are trying to access or acquire information beyond their allocated band, which violates company policy on abuse of data and internet access rights.

Solutions that exist in the market to implement BYOD


BYOD is becoming a popular trend, and more companies are adopting the use of self-owned devices to perform job-related tasks. Before discussing the solutions that are on the market, it is good for the company to go through these essential evaluation steps to know whether it is ready to have BYOD implemented in its workplace. Know your business and regulatory processes:

- What is the goal the company seeks to achieve with BYOD?
- What unique divisions does the company comprise?
- What information needs to be accessed by each division?
- What security strategy will each division implement to have information protected?
- What are the compliance requirements for the industry or organization?
- What specific laws are in place for BYOD?
- Consider bandwidth throttling to account for fair usage of data amongst coworkers.

One of the approaches that exist is mobile device management, in which mobile device management software is put in place to secure, manage and monitor the mobile devices currently used in the enterprise. This software provides features such as connection set-up for the mobile device, device registration and authentication. It also provides encryption, passwords or access codes, compliance monitoring and restrictions based on device features. Mobile device management makes handling BYOD in the workplace far easier, as it has all these tools to ensure that BYOD does not go beyond what the company offers. Such software already exists, for example AirWatch, AmTel, MDM, FancyFon, MobileIron and more. These tools provide maintenance and monitoring for a company that chooses to go the BYOD way. Another software application in use is the mobile application manager, which keeps track of only the one application that accesses the company's resources, so that security and accountability are addressed.
All business resources can be accessed through this tool. Those who have BYOD in place argue that the best architecture is one in which the BYOD service provides wired, wireless and mobile access to the network architecture of the company concerned. This architecture must support the wide array of device brands that exist and be able to enforce business policies across the enterprise. It must cover all possible ways of providing internet access and resource access, to provide a highly manageable and scalable solution for information technology (Anderson N, 2013). Cisco has several technical and software-related measures to better handle BYOD. It uses an adaptive security appliance within its architecture to handle security functions, providing firewalls and intrusion prevention as well as a secure VPN termination point for mobile devices connecting over the internet, accounting for Wi-Fi and 3G/4G mobile hotspots as points of access (Anderson N, 2013). Cisco is an American multinational organization that certifies companies and individuals on networking and the policies that can be realized within the enterprise networking environment. Cisco identifies a service engine that can drive BYOD to success; this engine can be the heart of BYOD and is characterized by these points (Anderson N, 2013):

- Self-registration and engagement in portals
- Identification and authentication
- Authorization
- Device capturing to know which device is in use of the network
- Approved devices by standards that are registered
- Employees must be encouraged to partake in certification programs
- Policies must be clearly defined
- Blacklisted or lost devices must be reported

With such an engine in place, many security risks are collectively sorted out by the parts that drive it. Self-registration will encourage a thorough understanding of the framework in place, eliminating confusion and training programs that would only be an expense to the company. Identification and authentication are part of the engine that drives this Cisco plan, as no BYOD infrastructure can function without them; in any enterprise framework there needs to be a system that identifies and authenticates its employees or end users (Anderson N, 2013). Device capturing is a very good strategy for keeping a profile of all the devices the company has on its premises, which accounts for any unknown device that tries to illegally gain access rights to resources. Allowing only approved devices on the premises of the workplace keeps the company within the law by avoiding illegal or stolen devices as part of its BYOD infrastructure. The engagement of employees in certification programs will help the end users of the system to understand how the BYOD framework works and how it is implemented, which further improves the working environment and enhances productivity in the work area. Policies must be adhered to and compliance must be reported to ensure that the security ground rules are being followed; reporting blacklisted devices and those that are stolen will aid in successfully cutting a device off from the company's resources.

Implementation plan
A good way to realize BYOD is to have a cloud service in which files can be accessed by employees, with rights to these files allocated per user on each employee's cloud account. A role based access control system will thus be in place, under which a general worker can never access the files of individuals in higher executive positions. Files or data of the company can never be stored on the handheld device, but can only be accessed for reading if the device is not connected through a VPN for secure transmission of data. Policy must be enforced by management to see that role based access control and proper file handling are applied. The company must have its own email service for communication between clients and coworkers. Within this email framework, sent data and messages must be encrypted with public key encryption to address integrity and confidentiality between the two communicating parties, with the public key encryption mechanism formally authorized by a well-known security authority that practices only the best standards in generating public keys. Device profiling is crucial, since this is a bring your own device infrastructure: devices must use correctly configured and trusted software to make use of the tools the company provides. Identifying users by passwords or smart cards in the facility, coupled with the device they use within the company's facilities, accounts for who accessed resources and company tools and with which device. Devices must be properly configured with software that lets the company monitor the use and functionality of the company's resources in remote access areas.
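The access rules of this plan, together with the device register and stolen-device revocation from the identification section, can be sketched as one decision function. This is an added example, not code from the paper or from any MDM product; the role names, users, devices and file names are constructed, and treating a VPN connection as the condition for write access is an assumption drawn from the read-only rule above.

```python
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class Role(IntEnum):
    """Constructed role ladder; a higher value means a more senior position."""
    GENERAL_WORKER = 1
    MANAGER = 2
    EXECUTIVE = 3


class Decision(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    READ_WRITE = "read-write"


@dataclass
class Device:
    device_id: str                  # fingerprint recorded when the device is registered
    owner: str                      # the one employee this device identifies
    approved_software: bool = True  # access tool approved by the company
    blacklisted: bool = False       # reported lost or stolen, or owner has left


@dataclass
class AccessPolicy:
    roles: dict                                   # username -> Role
    devices: dict = field(default_factory=dict)   # device_id -> Device
    audit: list = field(default_factory=list)     # one tuple per request

    def register(self, device):
        if device.owner not in self.roles:
            raise ValueError("device owner is not a known employee")
        self.devices[device.device_id] = device

    def revoke(self, device_id):
        # Keep the record instead of deleting it, so later attempts are
        # denied for a stated reason and stay attributable in the audit log.
        device = self.devices.get(device_id)
        if device is not None:
            device.blacklisted = True

    def decide(self, user, device_id, file_name, file_min_role, on_vpn):
        decision, reason = self._evaluate(user, device_id, file_min_role, on_vpn)
        # Record who asked, from which device, for what, and the outcome.
        self.audit.append((user, device_id, file_name, decision.value, reason))
        return decision, reason

    def _evaluate(self, user, device_id, file_min_role, on_vpn):
        device = self.devices.get(device_id)
        if user not in self.roles:
            return Decision.DENY, "unknown user"
        if device is None:
            return Decision.DENY, "device not registered"
        if device.blacklisted:
            return Decision.DENY, "device reported lost, stolen or retired"
        if device.owner != user:
            return Decision.DENY, "device is registered to another user"
        if not device.approved_software:
            return Decision.DENY, "unapproved software on device"
        if self.roles[user] < file_min_role:
            return Decision.DENY, "role below file classification"
        if not on_vpn:
            # Assumption: without the VPN the file may be read but not changed.
            return Decision.READ_ONLY, "no VPN: read access only"
        return Decision.READ_WRITE, "registered device on VPN"


def demo():
    """Run a constructed scenario and return the audit log."""
    policy = AccessPolicy(roles={"thabo": Role.GENERAL_WORKER,
                                 "lindiwe": Role.EXECUTIVE})
    policy.register(Device("tablet-01", "thabo"))
    policy.register(Device("phone-07", "lindiwe"))
    policy.decide("thabo", "tablet-01", "rota.xlsx", Role.GENERAL_WORKER, on_vpn=True)
    policy.decide("thabo", "tablet-01", "rota.xlsx", Role.GENERAL_WORKER, on_vpn=False)
    policy.decide("thabo", "tablet-01", "board-minutes.pdf", Role.EXECUTIVE, on_vpn=True)
    policy.decide("thabo", "phone-07", "board-minutes.pdf", Role.EXECUTIVE, on_vpn=True)
    policy.revoke("phone-07")  # lindiwe reports her phone stolen
    policy.decide("lindiwe", "phone-07", "board-minutes.pdf", Role.EXECUTIVE, on_vpn=True)
    return policy.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```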

Conclusion
With society moving towards the use of smart phones and tablets, BYOD shouldn't be just a matter of consideration; it should be implemented, and its true potential must be addressed and realized. Its benefits include cutting financial costs, attracting younger employees, realizing flexibility and productivity, and getting employees happy and enthusiastic about their workplace. Even though BYOD has challenges, they don't fully impede the success of making BYOD a practical working infrastructure. Security concerns are always a major problem in any enterprise framework, and solutions to these security problems can be found, since information security is an ever-growing field as technology is always improving.

INDEX OF TABLES AND FIGURES

Table 1

Year    India   Australia   Canada   USA    Netherlands   Germany   UK     Global
2011    34%     23%         26%      29%    30%           32%       24%    27%
2013    47%     28%         34%      33%    43%           35%       34%    34.5%

Table 2

Threats         Corporate IT Security   Increased costs   Potential threats   Complexity of set up   Lack of control over devices
Maximum risk    45.45%                  18.18%            13.64%              22.73%                 0.00%
Medium risk     4.55%                   18.18%            18.18%              18.18%                 31.82%
Minimum risk    9.09%                   18.18%            18.18%              36.36%                 9.09%

References
Rivera, D., Geethu, G., Peter, P., Sahithya, M., Sumaya, K. (n.d.). Analysis of Security controls for BYOD.
Prashant, K.G., Arnab, G., Shashikant, R. (2013). Bring your own device (BYOD) security risks and mitigating strategies. Journal of Global Research in Computer Science.
Miharika, S. (2012). B.Y.O.D Genie is out of the bottle Devil or Angel. Journal of Business Management & Social Sciences Research (JBM&SSR).
IBM Corporation (2012). The Flexible Workplace: Unlocking the value in the Bring your own device era. IBM Global Technology Services Thought Leadership White Paper.
Holmes, B. (2014). Speed Bumps in the Mobile office. Business Journal.
Navetta, D. (n.d.). The legal implications of BYOD: Preparing personal Device use Policies.
Anderson, N. (2013). Cisco bring your own device: Degrees of freedom without compromising the network.
Von Solms, S.H., Ellof. (1994). Information security, pp. 6-30.
Tanenbaum, A.S. (2013). Modern operating systems, 3rd edition.
Tips on BYOD. Available at: http://www.datacenterjournal.com (accessed 14 March 2014).
