BYOD containerization and other Bring Your Own Device (BYOD) concepts have become increasingly important to organizations. With that in mind, it’s no wonder that you’ll be tested on these concepts in many security certifications including the Security+ certification.
As an example, here’s a sample Security+ question we recently added to the online test banks.
Q. Your organization is planning to implement a BYOD policy. Which of the following security controls will help protect data using containerization?
A. Encrypt sensitive data
B. Storage segmentation
C. Full device encryption
D. Asset tracking
So, do you know which answer is correct (and why)? Do you know why the incorrect answers are incorrect? Check out the answer and explanation at the end of this post.
BYOD Concerns
It’s common today for employees to use their own devices (such as smartphones and tablets) to connect to an organization’s network. This results in several security concerns, with data security being close to the top.
As an example, imagine that Homer has a tablet that he uses for email, Internet research, and various other personal uses. If his company allows him to connect this tablet to the corporate network, it will make it easier for Homer to access company email and other company resources needed for his job. However, is Homer’s tablet protected from threats? Does it have antivirus software installed? Does Homer keep it up to date with current patches? Who owns the data on the tablet?
These issues are typically addressed in an organization’s security policy, and enforced with various technical security controls.
Containerization
Containerization is one way organizations protect their data, even when it is stored on a user’s private device. It uses secure storage areas to protect the data.
Think about your fridge. You can use containers to separate different types of food. For example, putting your strawberries in a different container than some leftovers ensures that the strawberries stay fresh (and don’t start smelling like peas and carrots).
This works well in a fridge using plastic containers you can buy at just about any grocery store. However, you won’t find plastic containers in a mobile device.
BYOD Secure Segmentation
Containerization uses technical methods to store the data. This is often referred to as storage segmentation and it stores the data in a secure container. In this context, a secure container is typically an area on the device protected by both authentication and encryption.
If a thief steals the device and can get past the initial personal identification number (PIN), he can access basic apps on the device. However, data within the secure container is encrypted so it isn’t accessible. To access this data, the thief would need to provide additional credentials, such as an email address and password.
Note that this is similar to accessing credit card data when making a purchase from a smartphone or tablet. For example, after entering your PIN to access your tablet, you can run the apps. However, if you decide to make an in-app purchase, or purchase another app, you’re prompted to provide additional credentials before the purchase is approved.
Where is this data stored? It varies.
In some cases, the secure container is controlled by an application on the device. In other scenarios, the secure container is stored in the cloud. The key is that containerization provides secure segmentation of data.
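To make the secure container idea concrete, here is an added Python model of storage segmentation. It is not code from the original post or from any MDM or mobile platform; the device, the PIN, the work credentials (homer@example.com) and the payroll file are all constructed sample values, and the HMAC-SHA256 counter-mode stream cipher is an illustrative stand-in for the platform AEAD (for example AES-GCM backed by hardware keys) a real container would use. The model shows the two-layer behaviour described above: getting past the PIN exposes the personal area, but the work container is separately keyed from the work credentials, so its stored bytes carry no plaintext and a wrong work password is rejected before anything is decrypted. It also shows why this differs from full device encryption: the personal data is never put inside the container.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # illustrative iteration count; tune for the platform in practice


def derive_key(secret: str, salt: bytes) -> bytes:
    """Stretch a user secret (device PIN or work password) into a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher.
    A real container would use a platform AEAD such as AES-GCM; this stand-in
    keeps the example dependency-free."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout of the stored blob: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key (wrong work credentials) fails before decryption."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("container credentials rejected")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Device:
    """A BYOD tablet: a PIN-protected personal area plus a separately keyed work container."""

    def __init__(self, pin: str):
        self._pin_salt = os.urandom(16)
        self._pin_hash = derive_key(pin, self._pin_salt)
        self.unlocked = False
        # Constructed personal data; it lives outside the container and is not encrypted by it.
        self.personal = {"photos": b"beach.jpg", "personal_mail": b"hi from Marge"}
        self._container_salt = os.urandom(16)
        self._container = {}  # file name -> sealed blob

    def unlock(self, pin: str) -> bool:
        self.unlocked = hmac.compare_digest(self._pin_hash, derive_key(pin, self._pin_salt))
        return self.unlocked

    def read_personal(self, name: str) -> bytes:
        if not self.unlocked:
            raise PermissionError("device locked")
        return self.personal[name]

    def _container_key(self, email: str, password: str) -> bytes:
        # The container key is bound to the work identity, not to the device PIN.
        return derive_key(f"{email.lower()}:{password}", self._container_salt)

    def enroll_company_data(self, email: str, password: str, name: str, data: bytes) -> None:
        """Enrollment step: company data is only ever stored sealed under the work key."""
        self._container[name] = seal(self._container_key(email, password), data)

    def raw_container_bytes(self, name: str) -> bytes:
        """What a thief (or a file-system dump) sees after getting past the PIN."""
        return self._container[name]

    def read_company_data(self, email: str, password: str, name: str) -> bytes:
        """Requires the device PIN *and* the additional work credentials."""
        if not self.unlocked:
            raise PermissionError("device locked")
        return unseal(self._container_key(email, password), self._container[name])


def stolen_device_walkthrough() -> dict:
    """Replays the stolen-device scenario from the post with constructed sample data."""
    phone = Device(pin="1234")
    phone.enroll_company_data("homer@example.com", "D0nutsRule", "payroll.csv", b"SALARY,Homer,64000")
    result = {"pin_guessed": phone.unlock("1234")}
    result["personal_readable"] = phone.read_personal("photos") == b"beach.jpg"
    result["plaintext_in_container_file"] = b"SALARY" in phone.raw_container_bytes("payroll.csv")
    try:
        phone.read_company_data("homer@example.com", "wrongpassword", "payroll.csv")
        result["wrong_work_password_rejected"] = False
    except PermissionError:
        result["wrong_work_password_rejected"] = True
    result["company_data_with_credentials"] = phone.read_company_data(
        "homer@example.com", "D0nutsRule", "payroll.csv")
    return result
```

Running stolen_device_walkthrough() shows the thief reading personal photos once the PIN is known, finding only ciphertext and a tag in the container file, being refused with a wrong work password, and the legitimate user recovering the payroll data only with both the PIN and the work credentials. On a real platform the container key would be held by hardware-backed key storage and released by the MDM agent after authentication rather than re-derived from the password on every access, which is the main place this model simplifies.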
Remember this
Data security is a significant concern related to BYOD policies. Containerization is one method that an organization can use to provide secure segmentation of an organization’s data via BYOD-approved mobile devices.
Q. Your organization is planning to implement a BYOD policy. Which of the following security controls will help protect data using containerization?
A. Encrypt sensitive data
B. Storage segmentation
C. Full device encryption
D. Asset tracking
B is correct. Storage segmentation is one way to protect company data on mobile devices. It isolates data (and sometimes applications) in a secure area of a user’s device. This segmented area is typically encrypted and requires authentication for access. Loss of company data is a critical concern and is typically addressed in Bring Your Own Device (BYOD) security policies. Another way to look at this question is “Which of the following is MOST commonly used for BYOD data containerization?”
A is incorrect. Encrypting sensitive data is the second-best choice. Containerization typically uses encryption, but encrypting data doesn’t necessarily protect all the company data in a secure container.
C is incorrect. It isn’t necessary to encrypt all data on the device. This would encrypt the user’s data too, which is beyond the goal of protecting company data in the question.
D is incorrect. Asset tracking is an important security control for company-owned devices, but is less important for user-owned devices. You would want to ensure you know which devices have been authorized, but doing so wouldn’t protect company data in secure containers.