The BYOD Post.

BYOD Problem, options.

Bring Your Own Device, Bring Your Own Demise, Bring Your Own ... Advice ?

Bring your own device has enabled many people to be work-ready faster, more cost-effectively for the business, and in the comfort of the user's system that they chose themselves—that nice mouse, that nice keyboard, that lack of 'awkward' NCSC device hardening guidelines, or the cold, perpetually authenticating post-ISO 27001 world this office computer and my identity now live in... just a nice computer that I'm the admin of, with no annoying software...

The conversation we're not surfacing very well is something like this...

| Feature | Enterprise | Home |
|---|---|---|
| BitLocker (Full Disk Encryption) | Enabled on Windows Pro/Enterprise for data protection | Not available on Windows Home |
| Endpoint Detection & Response (EDR) | Advanced threat detection and response (e.g., CrowdStrike, Microsoft Defender for Endpoint) | Basic antivirus (e.g., Windows Defender) |
| Security Operations Center (SOC) & Incident Response (IR) | Centralized monitoring and rapid response to security incidents | No SOC; incidents handled manually by the user |
| Vulnerability Management | Regular vulnerability scanning and patching (e.g., Nessus, Qualys) | OS and software updates are user-managed |
| Application Whitelisting (AppLocker or WDAC) | Restricts applications to approved lists for security | Not available on Windows Home |
| Group Policy & Centralized Management (GPO, Intune, SCCM) | Enforces security policies and settings across devices | Local settings only, no centralized control |
| Active Directory (AD) or Azure AD Integration | Centralized authentication and identity management | Local admin user accounts, no domain integration |
| SIEM (Security Information and Event Management) | Aggregates logs for threat detection (e.g., Splunk, Sentinel) | No centralized log collection |
| Network Access Control (NAC) | Restricts device access based on compliance (e.g., Cisco ISE) | No enforcement of device security posture |
| Role-Based Access Control (RBAC) & Least Privilege | Users have limited permissions based on job role | Typically admin rights by default for the user |

I hope you know where I'm going with this, but in short, it's dishonest to the information we're responsible for to suggest, with a straight face, that a system outside of the agreed controls provides meaningful security; if it really did, we wouldn't waste money on the theatre of those perceived controls.

So, prompted by a recent conversation with my boy Paul Musgrave and some timely prompts from Twitter: info-sec/cyber-sec Twitter conversations around BYOD go like this: 'You can't secure BYOD, why are you doing it?!'—as if security were the authority. It isn't; enablement is. That's the end of it, no recourse, just... give up, I guess?

This post is about accepting that in some organizations, BYOD is here to stay, especially if the organization is risk-tolerant and compliance is vague. As much as you may not like it as a professional, knowing how detrimental that is to information security health, accept it; you've got this.

The question is, knowing that, what can you do? I think the guidance and recommendations out there are also half-hearted, so here is a starting point:

  • Invite the organization to offer unmanaged EDR to users and their devices
  • Invite the organization to offer unassociated password managers to users and their devices
  • Invite the organization to offer Windows 10/11 Pro upgrade keys to users and their devices
  • Invite the organization to offer YubiKeys to users and their devices

With those areas covered, you'll have some level of comfort that information available to those accounts on unmanaged computers sits behind a conforming baseline: EDR (pick a good one); a password manager, which also drives adoption beyond work; Windows Pro upgrades, which make BitLocker available; and YubiKeys, which bring phishing-resistant authentication. That's better, right?
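As an added example (not from the original post), here is a read-only PowerShell self-check a BYOD user could run on their own Windows box. It maps the locally checkable rows of the table above (edition, BitLocker, real-time protection, local admin rights, directory join) onto built-in commands, and assumes Windows 10/11 with the stock PowerShell 5.1 or later.

```powershell
# Added example, not from the original post: a read-only BYOD posture self-check.
# Assumes Windows 10/11 with built-in PowerShell; nothing here changes settings.
$findings = @()

# Edition: BitLocker and AppLocker/WDAC are not offered on Home.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isHome = $os.Caption -match 'Home'
$findings += [pscustomobject]@{ Control = 'Windows edition'; Status = $os.Caption; Ok = -not $isHome }

# Full-disk encryption: the BitLocker module only exists on Pro/Enterprise, so a failure here means "not available".
try {
    $sys = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $findings += [pscustomobject]@{ Control = 'BitLocker (system drive)'; Status = $sys.ProtectionStatus; Ok = ($sys.ProtectionStatus -eq 'On') }
} catch {
    $findings += [pscustomobject]@{ Control = 'BitLocker (system drive)'; Status = 'Not available'; Ok = $false }
}

# Anti-malware: Defender real-time protection is the "basic antivirus" baseline from the table.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $findings += [pscustomobject]@{ Control = 'Real-time protection'; Status = $mp.RealTimeProtectionEnabled; Ok = [bool]$mp.RealTimeProtectionEnabled }
} catch {
    $findings += [pscustomobject]@{ Control = 'Real-time protection'; Status = 'Unknown'; Ok = $false }
}

# Least privilege: is the everyday account in the local Administrators group (SID S-1-5-32-544)?
# 'whoami /groups' still lists the group when UAC has filtered the token, so this is independent of elevation.
$isAdmin = [bool]((whoami /groups) -match 'S-1-5-32-544')
$findings += [pscustomobject]@{ Control = 'Daily account is non-admin'; Status = $(if ($isAdmin) { 'Admin' } else { 'Standard user' }); Ok = -not $isAdmin }

# Identity: any domain or Azure AD join? dsregcmd reports 'AzureAdJoined : YES' / 'DomainJoined : YES'.
$dsreg = (dsregcmd /status) -join "`n"
$joined = ($dsreg -match 'AzureAdJoined\s*:\s*YES') -or ($dsreg -match 'DomainJoined\s*:\s*YES')
$findings += [pscustomobject]@{ Control = 'Directory joined'; Status = $(if ($joined) { 'Joined' } else { 'Local accounts only' }); Ok = $joined }

$findings | Format-Table -AutoSize
```

Rows with Ok = False are exactly the gaps the table above describes; the EDR, password manager and YubiKey items from the list are organisational offers rather than something this device can verify about itself.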

What other parts of enterprise security can you introduce into the home without having that parental eye on their actions, yet still feel safer knowing that they've got some additional defense once they've left the enterprise (see cool picture above)?

Those bullet points above are just the idea; you might have a smaller list, a bigger list, or whatever, but the principle is that they're working on those systems and your security is not. Do something about that, rather than waiting for something bad to happen so you can bust out your favorite 'I told you so'... I mean, I like doing that; it's often cathartic, but... inner voice, we're the help that no one wants.

A follow-up component might be for security to have a presence on the platforms staff actually use, reminding those using personal devices for work and personal tasks that we're there—being present and also being approachable. Do you want the home computers to be secure? What if they're working on BYOD and they have an infection? It's not the business's computer, but it's certainly an information conduit... and when you boil it all down, the computers are only there for the information, right?

So, what are we doing?

BuT iT CoStS MoNeY!

Are we sure it's not saving you money?

For what it's worth, I'd rather an environment wasn't pro-BYOD. If you visualize the journey of data, information and access, it gets awful as soon as you lose your grip on your data's sovereignty, something even governments find hard to take seriously. But the crux of this post was really to remind people to exhaust what they can get from these situations: get creative, and push for terms on those risk acceptances other than time-frames that won't mean anything. Telling people not to use their home devices while those same people can still authenticate against Microsoft services from anywhere in the world isn't the same as ensuring controls are in place so that it can never happen. That's why policy without control is theatre, for almost everyone.