Understanding the risks of BYOD and Exchange

Bring Your Own Device (BYOD) is the current trend of literally bringing your own devices to work. This may include a smartphone, tablet or laptop.

Often the mere thought of BYOD can make an enterprise security officer nervous. How nervous? Data breach kind of nervous. Before we join the chorus of security officers and auditors crying out for the ubiquitous deployment of forced mobile management, conditional network access, and more, let's have a closer look at BYOD and Exchange.

Mobile device access to Exchange is not new. Exchange mobile protocols are designed to be secure out of the box, yet many of us have lived through the frustration of educating a customer about the self-signed certificates used to bootstrap an Exchange deployment. In fact, Exchange 2007 is known as the version of Exchange that caused vast slews of IT pros to learn about the various types of certificates and the order of the names appearing on them. Case in point: Exchange mobile protocols are secured by design.

Moving on from the protocol stack to the physical access method: we're not going to spend a lot of time on this point, except to note that BYOD devices tend to use wireless access methods of varying degrees of security. If this layer of physical security is breached, the attacker is still required to break the encrypted protocol tunnel between the device and Exchange. This is no different from monitoring traffic on a physical Ethernet switch; the result is still encrypted garbage.

Our next point of examination is storage. If the BYOD device is a laptop, the data store tends to be the offline cache file created by Outlook, i.e. the OST file. This file is encrypted and useless without the user authenticating to the device using the correct mail profile. Other devices, including tablets and mobile phones implementing the ActiveSync protocol, implement similar storage mechanisms, secured by the user authenticating to the device (for example with a PIN lock) and then to the email account in question.

Exchange 2010 features a number of remote management tools, including the ability to wipe devices remotely; however, remote wipe is just the tip of the management iceberg.

ActiveSync mailbox policies and the built-in management features allow an organization to structure mobile security granularly, so that different users receive different security policies.
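Both the remote wipe mentioned above and the per-user ActiveSync policies described here are driven from the Exchange Management Shell. The following is an added example, not code from the original post; the policy names, mailbox addresses, organizational unit and device ID are hypothetical placeholders.

```powershell
# Added example (not from the original post). Exchange 2010 Management Shell.
# Policy names, mailboxes, the OU and the device ID are hypothetical placeholders.

# 1. A stricter ActiveSync policy for users who handle sensitive data:
#    alphanumeric PIN, auto-lock after 5 minutes, device encryption required,
#    and devices that cannot enforce the policy are refused.
New-ActiveSyncMailboxPolicy -Name "BYOD-Strict" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -AllowSimpleDevicePassword $false `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. A lighter policy for everyone else: PIN lock and auto-lock only.
New-ActiveSyncMailboxPolicy -Name "BYOD-Standard" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 4 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -AllowNonProvisionableDevices $false

# 3. Granular assignment: one user gets the strict policy, a whole OU the standard one.
Set-CASMailbox -Identity "alice@contoso.example" -ActiveSyncMailboxPolicy "BYOD-Strict"
Get-Mailbox -OrganizationalUnit "Sales" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "BYOD-Standard"

# 4. Audit: which devices have synced against a mailbox and when they last did so.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@contoso.example" |
    Select-Object DeviceFriendlyName, DeviceId, DeviceType, LastSuccessSync, Status

# 5. Remote wipe of a lost device. The wipe is queued and carried out the next
#    time the device syncs; re-run step 4 afterwards to confirm the status.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "alice@contoso.example" |
    Where-Object { $_.DeviceId -eq "PLACEHOLDER_DEVICE_ID" }
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

A device only picks up a new or changed policy at its next sync, so a policy change is not instantaneous protection for a device that is already offline.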

Mobile device management tools augment the security we've discussed so far by adding a layer of auditability, remote management, tracking and wiping, amongst other features, which can help mitigate the risk of data loss if the device is lost or stolen and the user's passwords (device and Exchange) are known.

I'd like to argue that BYOD is often no less secure than the average corporate laptop, due to the security features built into Exchange and the devices themselves. Exchange is designed to be implemented securely and includes mobile management features in the platform. While those features may not be enough to satisfy every compliance or security requirement under the sun, they are a major reason why BYOD security fears may be overrated.