How to Protect Enterprise Data in BYOD Scenarios in Windows 10 and Windows 11
How do you protect corporate data when you don't own or manage the device that is used to access and store it? How do you deal with devices used by business partners, contractors, and visitors who have a legitimate need to collaborate with your teams and access your resources, but you cannot enforce device management policies or deploy agents onto them?
In this article, we will explore the risks and impact of personally owned or unmanaged devices on information security and the practical steps you can take to ensure the appropriate protection is applied. We will discuss the key considerations for device choice, ownership, and management. We will also look at the various options available to protect your sensitive data across all device types. We will discuss the following topics specifically:
Bring Your Own Device:
- What is BYOD?
- Choose Your Own Device
- Key considerations
- Identity and access management
- Device configuration
- Application management
- Information protection
And in case all these options are not enough to cover your requirements, we will review some of the alternative options available to provide secure collaboration and reduce risk.
Alternative options:
- Enable remote/virtual desktops (RDS/VDI)
- Enable virtual private networks
- Publish applications via proxy
- End user behavior analytics (EUBA)
- OneDrive for Business
- Work Folders
Bring Your Own Device
In this section, we will explore the use of devices that do not conform to standard company regulations, such as consumer-grade hardware, personally owned devices, and devices used to access company resources that are not managed by the IT department.
What is BYOD?
This term came about as part of the consumerization of IT, the desire to use the latest technologies to achieve an increase in mobility and productivity.
No longer controlled by the limited choice of devices provisioned by company IT departments, users found their own technology solutions to suit their specific work environment and tasks; if they can check their email on a phone or tablet while at home, why not while traveling or with customers?
As the market grew, the range and capabilities of devices increased, providing greater computing power at cheaper prices, combined with touchscreen capabilities and the simplicity of installing apps from an app store.
Not every company embraced this approach; some instead tried to block it by removing access to services such as email. Unfortunately, users can be very tech-savvy and creative, and they generally find a way around imposed restrictions, such as forwarding content to their personal email accounts or using consumer cloud storage such as Dropbox, in order to keep working on their personal devices. The net effect is that the data leaves the company's control anyway, but without any visibility of where it went.
While this began as a user-driven movement that IT came under pressure to support, it is now something that we can use for mutual benefit. If users are willing to use their own devices, and they are able to be self-sufficient in supporting them, then there should be less burden on the IT department.
Another important consideration is the use of Bring Your Own Device (BYOD) for external and third-party contractors or temporary staff. There are many situations where you need to collaborate with individuals and other companies, but do not want to issue them one of your devices in order to gain access to your systems and information.
Companies have the option to block BYOD, control it through a mobile device management (MDM) solution, or offer their users a wider range of corporate-owned devices.
Choose Your Own Device
Realizing the potential benefits of using a wider range of devices with a lighter management approach, some companies have adopted the option of allowing users to choose their own device, based on minimum requirements, which is then managed using an MDM solution. The user is still expected to follow the acceptable use policy, but may also use the device for some personal use. This option provides a balance between end user mobility and information security, but it does not deliver the cost transfer that BYOD can, because the company still buys the device.
Local administrative rights deserve a separate mention: one of the biggest risks to any IT system is a user with local administrative access to their computer, who can install software or make configuration changes that weaken the security and integrity of the system, whether accidentally or intentionally. On a personally owned device this is usually the default state, and it is one of the main reasons a BYOD device warrants a lower level of trust than a managed one.
Instead of exerting effort to encourage people to adapt to the changes and adopt the technology, the IT professional is now able to work alongside their business counterparts to find innovative ways to use these new capabilities to achieve real results. This solves one of the biggest issues with any IT deployment, the engagement of the end user. Costs can also be reduced if the right policies are in place to manage the support and life cycle of devices.
BYOD and Choose Your Own Device (CYOD) devices come with some challenges that must be addressed in order to apply the appropriate controls to ensure the user remains productive while the company data is kept secure.
Key considerations
There are several key areas that require review and consideration in order to assess requirements and risk factors. The following sections will discuss the considerations of device choice, ownership, and management responsibility.
Device choice
In a managed environment, device choice may be restricted to a few standard options. This simplifies the deployment of OS images and drivers and the compatibility of accessories, which lowers the total cost of ownership.
However, with BYOD, the user can choose from hundreds of options, depending on personal preference and budget. It is recommended that a minimum standard be published so that users know what to look for, such as the operating system edition and version, the supported browsers, and the hardware needed for security features such as BitLocker and Windows Hello (a TPM, plus a fingerprint reader or infrared camera if biometrics are wanted).
Provide your users with a list of example devices that meet these standards to ensure compatibility with company systems, and explain the benefits of the various choices and why they might choose one device over another. It is also a good idea to publish a list of devices that are known to be incompatible and will cause the user problems if they try to use them for work.
Ownership
One of the key cost saving components in a BYOD strategy is the transfer of cost, and therefore ownership to the user. Some companies will choose to provide a set monetary value they will contribute toward the cost of the device based on a 2-3 year lifespan (and considering applicable tax laws).
This enables simpler budgeting for the IT department and removes the burden of depreciation and disposal at the end of life for the device. It also allows the user to choose a device within the budget or opt to pay extra for a higher spec device to suit their personal preferences as well as any accessories to improve productivity. Either way, the device is theirs to keep at the end of the 2-3 year lifespan.
This is the key difference between a personally owned BYOD device and a company sponsored BYOD device. A user may be entitled to expect that their personally owned BYOD device is within their full control, if they have paid for it, and therefore should not be managed by the company, whereas a company sponsored BYOD device does not fully belong to the user until the end of any agreed service period to cover the cost of the device (consider what happens if the user leaves the company within 12 months of receiving the allowance).
By contrast, CYOD devices are purchased and owned by the company. They may choose to allow the user to keep, or buy back, the device at the end of its life cycle, but otherwise it is handled the same way as any other company asset.
Management responsibility
The user may choose the device to suit their personal requirements, and may purchase and even own it, but they will not necessarily expect to maintain its configuration and security themselves. Some users want or need local admin rights to customize the device, while others expect IT support to manage and configure the device remotely on their behalf. Understanding and agreeing who is responsible for the management of the device is key to ensuring that the appropriate level of security is applied.
These considerations then define the appropriate level of trust for each device. For example, if the user has local administrative rights to the device, then they have the ability to modify the configuration, install software, and generally increase the risk profile. A user logging into this device would therefore have a lower level of trust than a device that is enrolled and managed by company policies, and has the user's local admin rights removed.
Protection options
There are multiple options available to provide appropriate security controls for BYOD scenarios. The best way to explain these options is to take a layered approach; you can then identify which combination of options is required for your specific business requirements, technical capabilities, and end user scenarios.
The following topics will be covered in this section, specifically those related to BYOD and CYOD scenarios:
- Identity and access management
- Device configuration
- Application management
- Information protection
Identity and access management
In a scenario where the device is joined to the company's AD domain and managed by Group Policy and Configuration Manager, identity and access management is generally controlled by AD. However, in a BYOD scenario, the device may spend more time off the network, and the end user may not want the restrictive policies that may be applied in such a way.
Ultimately, if a user's device is not joined to the AD domain, then they lose certain benefits, such as the ability to seamlessly sign on to applications based on a common identity. The user will be prompted to enter their company credentials each time they attempt to access resources, such as Office 365.
There are several options available to enable a single sign-on (SSO) experience and protect credentials from misuse:
- Connect to work or school
- Microsoft Passport (renamed Windows Hello for Business in Windows 10 version 1607)
- Windows Hello
- Credential Guard
Connect to work or school
When a user creates their first sign-in account on a Windows 10 computer, they are given the choice of using a personal Microsoft account (such as an @outlook.com address) or a local account (a user ID and password that exist only in Windows, stored on the local machine). Neither of these accounts has access to company resources.
The simplest method to enable seamless sign-on with company credentials is to add the work or school account alongside the user's existing logon. When a user logs on in this way, they may still be prompted to select their stored credentials when they connect to some company resources, but will receive fewer prompts for their password and other credentials thereafter.
To configure this option, the user opens the Start menu, searches for Access work or school, clicks Connect, and enters their company credentials when prompted. The process then registers the device and links the user's logon credentials.
This option registers the device with Azure AD (now Microsoft Entra ID), historically called workplace join, so that it becomes a recognized entity. The device identity can then be evaluated by conditional access policies and combined with multi-factor authentication. A registered device is still not a managed device, so conditional access should additionally require MDM compliance before granting access to sensitive resources.
Once the account is connected, the user can continue to use their personal login and gain access to company resources with a linked account.
Alternatively, the device can be joined to Azure AD (Azure AD join, a device-level join rather than the user-level registration above); depending on tenant settings, this automatically enrolls the device in the company MDM solution. The user then logs in to Windows with their company credentials instead of a personal account. This is very similar to the user experience of a machine joined to an on-premises AD domain and gives a better SSO experience, but it hands control of the device to the company, so it suits CYOD and company sponsored devices rather than personally owned ones.
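The registration states described above can be confirmed on the device itself. The following is an added example, not code from the original article: it parses the output of the built-in `dsregcmd /status` tool (Windows 10 1709 or later) and reports which of the three states the device is in and whether a Primary Refresh Token, the thing that actually gives silent SSO to Office 365, is present. Run it as the signed-in user.

```powershell
# Added example (not from the original article): classify how this Windows
# device is known to Azure AD / Microsoft Entra ID by parsing `dsregcmd /status`.
# Assumes Windows 10 1709 or later (dsregcmd is built in); run as the signed-in user.
function Get-DeviceJoinState {
    $state = @{}
    # dsregcmd prints "   Key : Value" lines grouped under Device State, User State, SSO State.
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    # The BYOD-relevant states are distinguished by different flags:
    #   Azure AD registered ("workplace join", user level): WorkplaceJoined = YES, AzureAdJoined = NO
    #   Azure AD joined (device level):                     AzureAdJoined = YES
    #   Hybrid Azure AD joined:                             AzureAdJoined = YES and DomainJoined = YES
    if ($state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES') { $join = 'Hybrid Azure AD joined' }
    elseif ($state.AzureAdJoined -eq 'YES')   { $join = 'Azure AD joined' }
    elseif ($state.DomainJoined -eq 'YES')    { $join = 'On-premises domain joined only' }
    elseif ($state.WorkplaceJoined -eq 'YES') { $join = 'Azure AD registered (typical BYOD)' }
    else                                      { $join = 'Not registered' }

    [pscustomobject]@{
        JoinType = $join
        # Registered devices report their IDs under User State with a "Workplace" prefix.
        DeviceId = if ($state.DeviceId) { $state.DeviceId } else { $state.WorkplaceDeviceId }
        Tenant   = if ($state.TenantName) { $state.TenantName } else { $state.WorkplaceTenantName }
        # A Primary Refresh Token is what gives silent SSO to Office 365 and other Azure AD apps.
        HasPrt   = ($state.AzureAdPrt -eq 'YES')
        # NgcSet = YES means Windows Hello for Business has been provisioned for this user.
        HelloSet = ($state.NgcSet -eq 'YES')
    }
}

Get-DeviceJoinState | Format-List
```

A device that reports `Azure AD registered` with `HasPrt = True` is in the state this section describes: the user keeps their personal logon, SSO works, and conditional access can see the device, but nothing on the device is centrally managed yet.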
Microsoft Passport (now Windows Hello for Business)
To help protect user identities and credentials, Microsoft Passport, renamed Windows Hello for Business in Windows 10 version 1607, replaces the password with a PIN or biometric gesture that unlocks an asymmetric key pair bound to the device. Because the private key never leaves the device (it is protected by the TPM where one is present, or in software otherwise) and the gesture is only usable on that device, this is strong two-factor authentication. The credential can be certificate-based or key-based (the public key is registered with Azure AD or AD and trusted directly).
Windows Hello for Business can also be managed by Microsoft Intune. With enrolled devices, Intune can deploy certificates to authenticate users, and it can manage policy settings for the PIN, biometrics, and Trusted Platform Module (TPM) requirements.
A good recommendation is for the user to create a long, complex password for their account and then configure a 6-8 digit PIN for day-to-day sign-in. The PIN is not simply a weaker password: it is only valid on that device, it unlocks a TPM-protected key rather than being transmitted anywhere, and the TPM's anti-hammering protection limits guessing, so a short PIN remains secure where the same digits used as a password would not. If the device is not domain joined and not enrolled in an MDM solution, users can select their own options, such as Windows Hello (see next section) or a PIN, to sign in to Windows. To configure these options, go to the Accounts menu, select Sign-in options, and set or change the PIN. The next time the user logs in to Windows, they can choose their sign-in method and select PIN; this then becomes the default sign-in option for all subsequent attempts.
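Where no MDM pushes the policy, the same Windows Hello for Business settings can be applied locally and the device's readiness checked. This is an added example, not code from the original article: the registry paths and value names are the ones written by the Windows Hello for Business administrative templates (Group Policy), and the 6-8 digit bounds are the recommendation from the paragraph above. Run it elevated.

```powershell
# Added example (not from the original article): set the local Windows Hello for
# Business policy that Group Policy or Intune would otherwise push, then check
# whether the device can honour it. Registry paths/values are the ones written by
# the "Windows Hello for Business" administrative templates; run elevated.
$hello = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Set-HelloPinPolicy {
    param([int]$MinLength = 6, [int]$MaxLength = 8)
    New-Item -Path "$hello\PINComplexity" -Force | Out-Null
    # "Use Windows Hello for Business"
    Set-ItemProperty -Path $hello -Name Enabled -Value 1 -Type DWord
    # "Use a hardware security device": refuse to provision keys that are not TPM-protected
    Set-ItemProperty -Path $hello -Name RequireSecurityDevice -Value 1 -Type DWord
    # PIN length bounds; a device-bound, TPM-protected PIN does not need password-like length
    Set-ItemProperty -Path "$hello\PINComplexity" -Name MinimumPINLength -Value $MinLength -Type DWord
    Set-ItemProperty -Path "$hello\PINComplexity" -Name MaximumPINLength -Value $MaxLength -Type DWord
}

function Test-HelloReadiness {
    $tpm = Get-Tpm   # TrustedPlatformModule module, built into Windows 10/11
    $pol = Get-ItemProperty -Path $hello -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        PolicyEnabled      = ($pol.Enabled -eq 1)
        TpmRequired        = ($pol.RequireSecurityDevice -eq 1)
        # NgcSet = YES in dsregcmd output means a Hello key pair has already been provisioned for this user
        HelloProvisioned   = [bool]((dsregcmd /status) -match 'NgcSet\s*:\s*YES')
    }
}

Set-HelloPinPolicy -MinLength 6 -MaxLength 8
Test-HelloReadiness
```

`TpmRequired` is the setting worth insisting on for BYOD: without it, a device with no usable TPM silently falls back to software-protected keys, which a local administrator (the usual state on a personal device) can extract.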
Windows Hello
Windows Hello enables biometric support as part of the sign in process. The options available are based on the hardware installed on the device, and may include one or more of the following:
- Fingerprint reader
- Face recognition
- Iris reader
These conveniences enable users to create more complex passwords, knowing they will only use them on the rarest occasions. The ability to sign in using a finger swipe or smiling at the camera is reason enough to enable this feature. Only the user can configure Windows Hello, as it requires their unique biometric details to be captured as part of the setup process.
To configure the options, guide the user to go to the Accounts page and then to Sign-in options. If the device has compatible hardware, the user will see the options available for configuring Windows Hello:
A more recent feature is the ability to lock the device automatically when Windows detects that the user has walked away. This is known as dynamic lock and has two configuration options:
- Bluetooth pairing with a phone: once paired, if the user takes their phone away from their PC, the screen lock activates shortly after the phone goes out of Bluetooth range
- Windows Hello companion app: this app was available in the Windows Store for Windows phones only; with Windows 10 Mobile now out of support, the Bluetooth option is the one that remains practical
Credential Guard
Credential Guard is one of the Windows 10 features that is only available in the Enterprise and Education editions. It uses virtualization-based security (originally called Virtual Secure Mode, VSM): the hypervisor isolates a small, highly specialized environment in which an isolated LSA process holds the domain credential material (NTLM hashes and Kerberos ticket-granting tickets), so that even malware running with SYSTEM rights in the normal operating system cannot read them, which is what defeats pass-the-hash and pass-the-ticket tools. It requires UEFI with Secure Boot and CPU virtualization extensions, and works best with a TPM. Enabling it requires configuration on both the device and the management solution, either AD Group Policy or an MDM solution. It protects domain credentials only, not local accounts, and it breaks NTLMv1 and Kerberos unconstrained delegation, so test the applications in use before enforcing it.
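The status check and the enabling steps, as an added example that is not part of the original article. It reads the `Win32_DeviceGuard` WMI class that Windows exposes for this purpose and writes the same registry values the Group Policy and MDM settings write; the key and value names are those documented for Credential Guard. Run it elevated; a reboot is required before the change takes effect.

```powershell
# Added example (not from the original article): check whether virtualization-based
# security and Credential Guard are running, and turn them on through the same
# registry values the Group Policy / MDM settings write. Run elevated; a reboot is
# required. Key and value names are those documented for Credential Guard.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Edition                   = (Get-CimInstance Win32_OperatingSystem).Caption
        VbsStatus                 = @('Not enabled', 'Enabled, not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        # SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI (memory integrity)
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Enable-CredentialGuard {
    param([switch]$UefiLock)   # with the UEFI lock set, the setting cannot be undone remotely by malware or by policy
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($caption -notmatch 'Enterprise|Education') {
        Write-Warning "Credential Guard is supported on Enterprise and Education editions; this device reports '$caption'"
    }
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = require Secure Boot, 3 = Secure Boot plus DMA protection
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
    Write-Warning 'Reboot required; re-run Get-CredentialGuardStatus afterwards.'
}

Get-CredentialGuardStatus
```

The distinction between `CredentialGuardConfigured` and `CredentialGuardRunning` matters when auditing: a device can carry the policy yet not be running it because Secure Boot is off or the firmware lacks virtualization support, and only the running state actually protects the credentials.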
Device Configuration
To ensure that a BYOD device meets the necessary security standards, it should be joined to AD or Azure AD, or the user should enroll it in the MDM solution. These options enable central configuration of the required security settings. Cloud services such as Azure AD can then use conditional access policies to ensure access is only granted to specific services if the device is compliant and/or joined.
Device configuration requirements can vary from one company to another, but the fundamental configurations that should be enforced include:
- BitLocker full drive encryption: ensuring no content stored on the local drive can be read without the volume key, which is sealed to the Trusted Platform Module (TPM) so that it is only released when the boot chain measures correctly; the recovery password must be escrowed (to Azure AD, AD, or MDM), or a forgotten key means lost data
- Device Guard: ensuring the hardware and software components are enabled to protect the system by only allowing trusted applications to run (the code integrity policy is now called Windows Defender Application Control, and the virtualization-based enforcement is hypervisor-protected code integrity, HVCI, shown as memory integrity in the Windows Security app)
- Secure local administration: Ensuring the user does not logon with local admin rights
- Secure authentication: Enable and enforce minimum requirements for the security of authentication, such as Microsoft Passport and Windows Hello
- Microsoft Defender Antivirus (formerly Windows Defender): this or another virus and threat protection solution should be enabled, updated, and actively protecting the operating system, applications, and data
- Software patches: These must be applied very soon after they are made available, reducing the window of opportunity for any potential attack vectors
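Each of the fundamentals above can be verified locally, which is what an Intune compliance policy does before conditional access lets the device in. The following is an added example, not code from the original article: a baseline audit using the built-in BitLocker, Defender and LocalAccounts modules. The signature and patch age thresholds are illustrative assumptions, and the local admin check covers direct group membership only. Run it elevated on Windows 10 or 11.

```powershell
# Added example (not from the original article): a local audit of the baseline
# settings listed above, the kind of check an Intune compliance policy or a
# conditional access rule would evaluate. Thresholds (signature age, patch age)
# are illustrative assumptions. Run elevated on Windows 10/11.
function Test-ByodBaseline {
    param([int]$MaxSignatureAgeDays = 3, [int]$MaxPatchAgeDays = 30)
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # BitLocker: OS volume protected, with a TPM protector and an escrowable recovery password
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = $vol.KeyProtector.KeyProtectorType
    Add-Finding 'BitLocker on OS drive' ($vol.ProtectionStatus -eq 'On') "$($vol.VolumeStatus); protectors: $($types -join ',')"
    Add-Finding 'BitLocker TPM + recovery password' (($types -contains 'Tpm') -and ($types -contains 'RecoveryPassword')) ''

    # Device Guard: 2 in SecurityServicesRunning = HVCI (memory integrity) is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    Add-Finding 'HVCI running' ([bool]($dg.SecurityServicesRunning -contains 2)) ''

    # Secure local administration: the interactive user must not be a member of Administrators (S-1-5-32-544)
    $mySid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
    Add-Finding 'User is not a local admin' (-not ($admins -contains $mySid)) 'direct membership only; nested groups not expanded'

    # Secure authentication: Windows Hello for Business key provisioned (NgcSet in dsregcmd output)
    Add-Finding 'Windows Hello for Business provisioned' ([bool]((dsregcmd /status) -match 'NgcSet\s*:\s*YES')) ''

    # Microsoft Defender Antivirus: running, real-time protection on, signatures fresh
    $mp = Get-MpComputerStatus
    Add-Finding 'Defender real-time protection' ([bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) ''
    Add-Finding 'Defender signatures fresh' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "age: $($mp.AntivirusSignatureAge) days"

    # Software patches: most recent installed update within the window
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age    = if ($latest) { (Get-Date) - $latest.InstalledOn } else { [timespan]::MaxValue }
    Add-Finding 'Patched recently' ($age.TotalDays -le $MaxPatchAgeDays) "last: $($latest.HotFixID) on $($latest.InstalledOn)"

    $findings
}

$result = Test-ByodBaseline
$result | Format-Table -AutoSize
if ($result.Pass -contains $false) { Write-Warning 'Device does not meet the BYOD baseline' }
```

Because the script runs on the device it audits, a local administrator could tamper with its output; that is why the authoritative version of these checks lives in the MDM compliance engine and the attestation data it collects, and the local script is only a self-service aid for the user.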
Application management
There are several options for deploying apps to Windows 10 devices; the most common method is to use Configuration Manager. However, for those devices that are not part of the company network (that is, they are not managed by AD), there is a need to find alternative methods. If the device is enrolled in an MDM solution, then this can be used to advertise, or force, the installation of company applications. However, if the device is not enrolled, users can still gain access to company apps in one of the following ways.
Provisioning packages
Depending on your application deployment solution, it may be possible to give users installers or Windows provisioning packages (.ppkg files built with Windows Configuration Designer, which can also apply settings such as certificates and Wi-Fi profiles) that they apply to their BYOD device themselves. These packages can be stored on a file share or cloud storage, or handed out on a USB memory stick. Sign the packages, or at least publish their hashes, so that a user cannot be tricked into installing a tampered copy.
Windows Store for Business
This (later renamed Microsoft Store for Business, and since retired in favour of app management in Intune) provided a flexible way to find, purchase, manage, and distribute free and paid apps to Windows 10 devices in volume. IT administrators could manage Store apps and private line-of-business apps in one inventory, ensuring licenses were not wasted.
Mobile Application Management
A solution such as Microsoft Intune can be used to create app protection policies. When the user installs the software and signs in using their corporate account, the Mobile Application Management (MAM) policy can enforce specific restrictions to ensure the application is used safely (such as requiring a PIN to open the app or encrypting the app's data at rest). If the device is not compliant, the application cannot be used, and any company data can be selectively wiped without impacting other applications and data on the device. All of this is possible without domain join or MDM enrollment. Note that MAM protects data inside the managed app only, so anything the user can legitimately export from the app falls back on the information protection controls below.
Information protection
There are many options available to protect information stored on the BYOD device.
BitLocker and device pin
Ensure all devices are protected with secure credentials and BitLocker drive encryption. Provide users with simple instructions on how to enable this feature on the local hard drives of their computers as well as any removable storage devices they may use to transfer larger files.
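The enable-and-escrow sequence behind those "simple instructions", as an added example that is not code from the original article. It uses the built-in BitLocker module for the OS drive (TPM-unlocked, with a recovery password escrowed to Azure AD) and for a removable drive (password-unlocked, since a USB stick has no TPM). Escrow to Azure AD only works on a device that is Azure AD registered or joined, and the script must run elevated.

```powershell
# Added example (not from the original article): enable BitLocker on the OS drive
# and on a removable drive, escrowing the recovery password. Uses the built-in
# BitLocker and TrustedPlatformModule modules; run elevated. Azure AD escrow
# requires a device that is Azure AD registered or joined.
function Enable-OsDriveBitLocker {
    $os  = $env:SystemDrive
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'A ready TPM is required for a transparent TPM-protected OS drive' }
    if ((Get-BitLockerVolume -MountPoint $os).ProtectionStatus -eq 'On') { return Get-BitLockerVolume -MountPoint $os }

    # 1. Start encryption, unlocked by the TPM so the user never types a second secret at boot
    Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
    # 2. Add a 48-digit recovery password for the day the TPM measurements change (firmware update, board swap)
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # 3. Escrow that recovery password where IT can retrieve it; without escrow, a forgotten key means lost data
    try   { BackupToAAD-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId | Out-Null }
    catch { Write-Warning "Recovery password not escrowed to Azure AD: $_" }
    Get-BitLockerVolume -MountPoint $os
}

function Enable-RemovableDriveBitLocker {
    param([Parameter(Mandatory)][string]$MountPoint, [Parameter(Mandatory)][securestring]$Password)
    # AES-256 (not XTS) keeps the drive readable on older Windows versions; password-unlocked because
    # there is no TPM on a USB stick
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly -PasswordProtector -Password $Password
}

Enable-OsDriveBitLocker
# Enable-RemovableDriveBitLocker -MountPoint 'E:' -Password (Read-Host -AsSecureString 'Removable drive password')
```

The order is deliberate: the recovery password is added and escrowed as soon as encryption starts, so there is never a window in which the drive is encrypted and only the TPM can unlock it.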
Windows Information Protection
The Windows Information Protection (WIP) solution, introduced in the Windows 10 Anniversary Update (version 1607), isolates company data from personal data on the device. It allows the administrator to define a policy that specifies which applications are allowed and which are exempt. Applications marked as allowed can store and share company data on the local device, encrypted and tagged as corporate, according to the policy settings. Applications marked as exempt can access company data without restrictions; data they create is not protected, so use this sparingly, for tools that break otherwise. All other applications are blocked from accessing company data. The administrator can specify Microsoft Office apps, Store apps, and Windows desktop apps, and can choose to revoke access to company data on one or many devices enrolled with MDM (or managed via MAM), while leaving personal data in place. Microsoft has since deprecated WIP, so new deployments should look to Microsoft Purview Information Protection instead.
Document classification and encryption
Document encryption is the safest way to protect documents distributed to devices outside the full control of the IT department, such as USB sticks, email, Dropbox, and BYOD devices that are not MDM managed, because the protection travels with the file rather than with the device. In the Microsoft stack this is Azure Information Protection (now Microsoft Purview Information Protection), built on Azure Rights Management. Start by classifying the most sensitive content so that it is clearly identified and handled appropriately; labels can then apply encryption and usage rights automatically.
Data loss prevention
Mature productivity solutions, such as Microsoft Exchange and SharePoint, support built-in Data loss prevention (DLP) engines that can scan all content as it is transferred in and out of the system. With the appropriate classification and identification rules, content that is very sensitive can be restricted to prevent accidental sharing or malicious intent.
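A DLP policy of the kind described, as an added example that is not code from the original article. It uses the Security & Compliance cmdlets in the ExchangeOnlineManagement module; the policy and rule names are placeholders, and the sensitive information type is the built-in "Credit Card Number". It starts in test mode so that false positives can be reviewed before content is actually blocked.

```powershell
# Added example (not from the original article): a DLP policy and rule for
# Exchange Online, SharePoint Online and OneDrive, created with the Security &
# Compliance cmdlets in the ExchangeOnlineManagement module. Policy and rule
# names are assumptions; the sensitive information type name is the built-in one.
Connect-IPPSSession   # prompts for an admin sign-in

$policyName = 'Protect payment card data'

# Start in test mode with notifications; switch -Mode to Enable once false positives are reviewed
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Block external sharing of content containing credit card numbers' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# AccessScope NotInOrganization: only fires when the recipient or share is outside the tenant.
# NotifyUser Owner: a policy tip tells the sender why, instead of silently dropping the mail.
New-DlpComplianceRule -Name "$policyName - block external" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, AccessScope
```

Scoping the rule to external recipients keeps the policy out of the way of legitimate internal work while still catching the accidental forward to a personal address that the BYOD section warned about.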
Alternative options
So far, we have discussed protecting company data on devices by managing the identity, device, and applications that are used as well as protecting the content itself in case it is shared via an unsecure platform. If these options do not provide enough protection and you are still concerned about the integrity and confidentiality of your company data, then you have a few other options to consider.
Enable remote/virtual desktops - RDS/VDI
This approach has been around for many years and remains a popular option for giving remote workers access to internal resources. It can be configured to prevent the user downloading any documents, so that all data remains within the controlled perimeter. It can be expensive to implement and complex to manage, and the user experience is not as good as having native apps and data on the local device, but it is one of the strongest options for remote working. It is not a complete answer, however: the untrusted endpoint still renders the screen and captures the keystrokes, so a compromised BYOD device can still read what is displayed and steal the credentials typed into the session. Pair it with MFA, and disable clipboard, drive, and printer redirection.
Enable virtual private networks
If you manage and trust the device, you can configure a virtual private network (VPN) or use DirectAccess (now deprecated in favour of Always On VPN) to create an encrypted tunnel between the user's device and your company network. This ensures that information cannot be intercepted in transit (for example, on a public Wi-Fi hotspot); however, any data copied and stored on the device is still exposed to local attacks against that device, and a VPN extends the company network to whatever is running on that device, which is why it belongs with trusted devices rather than with BYOD.
Publish applications via proxy
Another popular option to provide remote access to internal systems and data is to publish the internal system through a proxy service such as Azure AD Application Proxy. The proxy carries out the authentication and conditional access checks before granting access to the internal resource, and the application itself is never exposed directly to the internet. This is a good alternative to a VPN as it does not require local configuration or software installation on the user's device. Traffic between the user and the proxy is only protected if the application is published over HTTPS, so enforce TLS on the external endpoint and do not publish plain HTTP.
End user behavior analytics
By monitoring activities in the logs, we can discover anomalous and suspicious user behavior and assess the potential risk of certain activities, such as the geographic location from which a user accesses the system: if it is not their usual location (a sign-in from a country the user has never worked from, or two sign-ins from distant countries too close together to be the same person), then we can decide whether they should be blocked or at least prompted for an additional authentication factor (MFA). Microsoft offered this functionality as part of Office 365 E5 (Advanced Security Management) and the Enterprise Mobility + Security E5 suite (Microsoft Cloud App Security, now Microsoft Defender for Cloud Apps); risk-based conditional access of this kind is also provided by Azure AD Identity Protection.
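The detection logic those services apply can be illustrated on a handful of sign-in records. The following is an added example, not code from the original article, run over a constructed set of sign-ins (the data is made up; real input would come from an Azure AD sign-in log export). It flags a first sign-in from a new country, two countries within a short window, and a burst of failures from an address immediately before a success, and maps one signal to an MFA challenge and two or more to a block. The thresholds are assumptions.

```powershell
# Added example (not from the original article): the behavioural logic described
# above, run over a constructed set of sign-in records (the data is made up; real
# input would come from the Azure AD sign-in log export). Thresholds are assumptions.
$signIns = @'
timestamp,user,country,ip,result
2023-05-01T08:02:11Z,alice@contoso.com,GB,203.0.113.10,Success
2023-05-02T08:05:40Z,alice@contoso.com,GB,203.0.113.10,Success
2023-05-03T07:58:02Z,alice@contoso.com,GB,203.0.113.12,Success
2023-05-03T09:15:33Z,alice@contoso.com,AU,198.51.100.7,Success
2023-05-01T09:00:00Z,bob@contoso.com,DE,192.0.2.20,Success
2023-05-02T09:10:00Z,bob@contoso.com,DE,192.0.2.20,Success
2023-05-04T22:41:17Z,bob@contoso.com,BR,192.0.2.99,Failure
2023-05-04T22:43:05Z,bob@contoso.com,BR,192.0.2.99,Failure
2023-05-04T22:44:51Z,bob@contoso.com,BR,192.0.2.99,Success
'@ | ConvertFrom-Csv

function Find-RiskySignIn {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$BaselineMinSignIns  = 2,     # a user needs this many prior successes before "new country" is meaningful
        [int]$TravelWindowMinutes = 120,   # two countries inside this window is treated as impossible travel
        [int]$FailureBurst        = 2      # failures from the same address in the 10 min before a success
    )
    foreach ($group in $Events | Group-Object user) {
        $history = $group.Group | Sort-Object { [datetime]$_.timestamp }
        $seen  = @{}     # country -> count of earlier successful sign-ins
        $total = 0       # earlier successful sign-ins for this user
        $prev  = $null   # previous successful sign-in
        foreach ($e in $history) {
            if ($e.result -ne 'Success') { continue }
            $t = [datetime]$e.timestamp
            $reasons = @()
            if ($total -ge $BaselineMinSignIns -and -not $seen.ContainsKey($e.country)) {
                $reasons += "new country $($e.country); usual: $($seen.Keys -join ',')"
            }
            if ($prev -and $prev.country -ne $e.country -and
                ($t - [datetime]$prev.timestamp).TotalMinutes -le $TravelWindowMinutes) {
                $reasons += "impossible travel $($prev.country)->$($e.country) in $([int]($t - [datetime]$prev.timestamp).TotalMinutes) min"
            }
            $recentFailures = @($history | Where-Object {
                $_.result -eq 'Failure' -and $_.ip -eq $e.ip -and
                ([datetime]$_.timestamp -lt $t) -and (($t - [datetime]$_.timestamp).TotalMinutes -le 10) })
            if ($recentFailures.Count -ge $FailureBurst) {
                $reasons += "$($recentFailures.Count) failures from $($e.ip) in the 10 min before success"
            }
            if ($reasons) {
                [pscustomobject]@{
                    User    = $e.user; Time = $t; Country = $e.country; Ip = $e.ip
                    Reason  = $reasons -join '; '
                    # one signal: step up to MFA; several: block and investigate
                    Action  = if ($reasons.Count -ge 2) { 'Block and investigate' } else { 'Require MFA' }
                }
            }
            $seen[$e.country] = 1 + [int]$seen[$e.country]
            $total++
            $prev = $e
        }
    }
}

Find-RiskySignIn -Events $signIns | Format-Table -AutoSize
```

On the constructed data, alice's Australian sign-in is flagged for both a new country and impossible travel (77 minutes after a British one), and bob's Brazilian sign-in for a new country plus two preceding failures from the same address; both map to a block, which is the decision a risk policy would hand to conditional access.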
OneDrive for Business
This solution is a core part of the Office 365 platform and provides cloud storage and sharing. There are several options available to ensure that data is protected. For example, users can be allowed to synchronize their OneDrive folders only on authorized devices: if the device is not domain joined or compliant (for example, enrolled with Intune MDM), the user can only reach the content through a browser. Controls can also be set to govern whether the user can share content from OneDrive with internal or external third parties.
The sync configuration options are found in the OneDrive admin center in Office 365 (screenshot not reproduced here).
It is also possible to govern access based on device specifics, such as restricting access by IP address and requiring modern authentication. If the mobile application management section is grayed out in the admin center, the settings are being controlled by Microsoft Intune instead.
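The same tenant-side controls expressed with the SharePoint Online Management Shell, as an added example that is not code from the original article. The admin URL and the domain GUID are placeholders for your tenant and your on-premises AD domain; the cmdlet and parameter names are those of the Microsoft.Online.SharePoint.PowerShell module.

```powershell
# Added example (not from the original article): the tenant-side controls
# described above, set with the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell). The admin URL and the domain GUID are
# placeholders for your tenant and your on-premises AD domain.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Only the OneDrive sync client on devices joined to these AD domains may sync;
#    everyone else (BYOD, registered-only) is limited to the browser.
#    Obtain the GUID on a domain controller with (Get-ADDomain).ObjectGUID
$domainGuids = '11111111-2222-3333-4444-555555555555'
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuids -BlockMacSync:$false

# 2. Unmanaged (not compliant / not hybrid-joined) devices get limited, web-only access:
#    no download, print or sync. Requires a matching Azure AD conditional access policy
#    with the "Use app enforced restrictions" session control.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# 3. External sharing only to authenticated guests, never anonymous links
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Read back what is now in force
Get-SPOTenantSyncClientRestriction
Get-SPOTenant | Select-Object ConditionalAccessPolicy, SharingCapability
```

Step 2 is the one that delivers the "browser only on unmanaged devices" behaviour described above, and it only takes effect once the conditional access policy in Azure AD is in place as well; setting the SharePoint side alone does nothing.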
Work Folders
For those companies that are not ready to adopt a public cloud yet, you can deploy the Work Folders feature that is part of Windows Server 2012 R2 and later. This feature enables secure access to files and folders via the internet. Device support includes Windows (10, 8.1, and 7), Android, and iOS. Device policies can be configured to ensure devices meet specific requirements before they can connect to files. All data can be encrypted on the device too, even if BitLocker has not been enabled.
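A Work Folders deployment with the device requirements the paragraph mentions, as an added example that is not code from the original article. Server, path, group, certificate thumbprint and URL are placeholders; the cmdlets are from the Work Folders (SyncShare) role on Windows Server 2012 R2 and later, and the client registry values are the ones written by the "Specify Work Folders settings" Group Policy. Run the server part elevated on the file server.

```powershell
# Added example (not from the original article): a Work Folders sync share on
# Windows Server 2012 R2 or later with the device policies the text mentions,
# plus the client-side policy that points a PC at it. Names, paths, thumbprint and
# the security group are placeholders. Run elevated on the file server.
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# Only members of the group may sync; the server refuses devices that will not
# encrypt the data (EFS-based, independent of BitLocker) or enforce a lock-screen password.
New-SyncShare -Name 'WorkFolders' -Path 'D:\WorkFolders' `
    -User 'CONTOSO\WorkFolders-Users' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true `
    -InheritParentFolderPermission

Get-SyncShare -Name 'WorkFolders' | Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock

# Work Folders is HTTPS-only: bind a certificate issued to the public name clients use.
# The appid is the one given in the Work Folders deployment guide; the thumbprint is a placeholder.
$thumb = '0123456789ABCDEF0123456789ABCDEF01234567'
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumb appid='{CE66697B-3AA0-49D1-BDBD-F79E3EF90ADF}'

# Client side (Windows 10/11): the Group Policy "Specify Work Folders settings"
# writes these values under the user's policy key; autoprovisioning skips the wizard.
$wf = 'HKCU:\Software\Policies\Microsoft\Windows\WorkFolders'
New-Item -Path $wf -Force | Out-Null
Set-ItemProperty -Path $wf -Name SyncUrl -Value 'https://workfolders.contoso.com'
Set-ItemProperty -Path $wf -Name AutoProvision -Value 1 -Type DWord
```

`RequireEncryption` is what makes the "encrypted even without BitLocker" claim true: the client encrypts the Work Folders directory with a key tied to the enterprise identity, so a selective wipe from the server can revoke access to those files without touching the user's own data.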
Summary
In this article, we covered the key considerations for deciding which types of devices can be used by your users, along with the risks and benefits of each option. Whether you decide to enforce MDM to manage external devices or opt for a MAM-only approach, there are plenty of choices for securing access to resources and preventing the unauthorized distribution of sensitive data, while enabling collaboration between internal and external teams.