A sandbox, to a child, is a walled area they can play in outdoors. To an adult it means a little more: the sandbox keeps all of the sand in one place while keeping dirt from the yard out. It also helps organize their toys and gives them a specific place to play. When play is done, it can be closed with a lid so the sand stays clean and the leaves, squirrels, and rain stays out.
The same concept can be applied to improve security on the ever-growing trend of BYOD (Bring Your Own Device) in the workplace. Instead of corporate laptops and Blackberries, a growing number of enterprises both large and small are allowing non-corporate assets like personal iPads, iPhones, Androids and laptops into the mix. Small businesses may adopt this method to replace the lack of an in-house IT department. Benefits may include increased productivity and decreased costs by working after-hours and offsite on projects. But BYOD also can open the sandbox lid to outside threats.
Mobile Application Management and Mobile Device Management
To understand how sandboxing is used, we must first explore two important components of BYOD in action: Mobile Application Management (MAM) and Mobile Device Management (MDM). MAM is the use of an enterprise’s software on an employee’s BYOD. This kind of software helps users with processes such as licensing, life cycle management, tracking usage, and system configuration. A big component of MAM is the ability for data to be completely and remotely wiped or removed from a user’s device. Alongside MAM, MDM focuses on securing the corporate network by monitoring and managing mobile devices used. For example, MDM would be adding or removing devices to the network while MAM would track the usage on the devices.
Securing Data via Sandboxing
Application sandboxing is a type of MAM. Sandboxing refers to application containerization; limiting the environments code can execute on devices. It is traditionally done at the application level using platforms like MaaS360 and MobileIron. Using this route, only part of the BYOD is set aside for corporate use while most of the device runs on the original OS. An alternative would be a single sandbox where all data is stored can be used with providers operating systems. This way, partitions are used to virtually sandbox the entire mobile device. Enterprises like VMWare have taken BYOD one step further by allowing BYOD users to run two different OS at the same time on the same device. One would be accessed for personal use while the other is strictly for corporate usage. Divide, first known as Enterproid, was acquired by Google after launching their divide technology, posted a video of how the process works here.
Keeping the Sand in the Box
Of course there are challenges and risks to an enterprise using BYOD and sandbox technology. One of the largest challenges is if the corporation is ever faced with a discovery request. With a responsibility to provide relevant documents, correspondence, data, etc, the company needs access to what is on all BYOD used by their employees. Data may be inadvertently overlooked or inaccessible opening an enterprise up to legal problems. New York litigator Glen Silverstein outlined best practices recently in BizTech Magazine:
Scope of participation: Determine if the policy applies to all employees. Employees who handle sensitive data may need to use only corporate devices.
Restricted use: Consider imposing limitations on personal device use, including a prohibition on either unapproved third-party applications or unsecure networks.
Range of devices: Identify what brands of devices and operating systems are permissible so support and security settings can be streamlined.
Employer access: Include language in the policy that requires employees to give signed consent allowing employer access to their device and data.
Compensation: Determine whether to offset a portion of the wireless service fee. This may increase your ability to access data on the employee device.
Education: Train employees on litigation holds, security concerns, privacy issues, and mobile device and data best practices.
Departing employees: Prepare a procedure for exiting employees to remove company data from their devices, which could include the loss of personal data.
Due to poor management and other factors, Dimensional Research estimates that average mobile security incidents cost an enterprise $100,000 and could easily excess $500,000.
Another challenge is clearly communicating the policies of BYOD usage, with or without sandbox technology. For example, after leaving his job, a New York man woke up the next morning to find his entire iPhone had been remotely wiped. He lost all personal contacts, emails, and photos in addition to all corporate data stored on his device. The employer and former employee are at odds as to whether or not there was advanced notice given or even a policy in place. Other corporations have a pro forma user agreement that must be clicked each time an employee accesses email or a company server. This tells them each time that remote wipes are part of the agreement.
If corporations have access to their information, where is the boundary when it comes to accessing employees’ personal data on their devices? According to MobileIron, “(we) asked more than 3,500 mobile workers about their expectations for privacy when using a mobile device for work. The study found that 61% of mobile workers trust their employers to keep their personal information private on their mobile devices.” Sandboxing works to keep personal and private data separate, and distinguishes who has access to what information. Legislation is not keeping pace with the current use of BYOD in the workplace. The evolution of the BYOD legal environment is something both corporate interests and privacy advocates are keeping a close watch on.
More and more companies, both large corporations and small businesses, are adopting BYOD policies allowing their employees to use personal devices (laptops, iPads, iPhones, etc) for work use. This may increase productivity and decrease costs, but secure corporate data and employee privacy, could be at risk. Sandboxing is a popular solution. It compartmentalizes data so it can only be executed in under certain instances and stays segregated from personal use. Conversely, personal data on the BYOD is not intermingling with corporate data and keeps corporate eyes out of employees’ private information.
CIPP Exam Preparation
In preparation for the Certification Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
Enforcement of US Privacy and Security Laws (I.B.)
Information Management from a US Perspective (I.C.d.e.f.)