In an effort to improve information security, UTMB is changing the way unmanaged devices access UTMB resources.
The Office of Information Security is asking employees and students to install Microsoft Intune on personal devices such as smartphones, laptops and tablets.
While participating in this security enhancement is voluntary, the choice will affect access. Personal devices not enrolled with Intune will still be able to access guest Wi-Fi. However, they will not be able to access UTMB resources such as Outlook, Teams, OneDrive, or UTMB-secured networks.
For people who may be hesitant about enrolling their devices, Chief Information Security Officer John Flores wants to be clear about what Intune does and doesn’t do.
“We can't see any applications on the phone besides the ones that we issue through our corporate app store,” Flores said. “Applications like Outlook and Word might eventually be issued through the corporate store, but personal applications like social media would not be. To date, no applications are issued through the corporate app store.”
In effect, Intune creates a bin for work-related applications on personal devices. It does not access personal contacts, photos, social media accounts or other information.
The only thing Intune installs on the mobile device is a compliance profile that checks whether the device's security settings meet UTMB security standards. For example, a phone with a four-digit PIN is out of compliance. Security could then contact the user and make sure he or she changes the PIN. Currently, security has no way to reach out to the users of unmanaged devices. Its only option is to block a suspicious device.
“Intune can't make any changes to your phone, so all it's going to do is report the compliance status back to us and say this person's phone is jailbroken or this person's phone does not have an appropriate PIN,” Flores said.
Finding those weaknesses is the first step to improving security.
“Unmanaged devices are the greatest source of risk that we have here at UTMB,” Flores said. “We have pretty good processes and controls around everything else.”
The use of unmanaged devices in ransomware attacks is of particular concern. Ransomware attacks involve a bad actor compromising critical resources and asking for a ransom payment to cease the attack. Attackers employ an eight-step process to complete an attack that can cost millions of dollars.
Unmanaged devices often are used in the early steps of that process, known as the attack chain. Cybercriminals use phishing emails, phone calls and other forms of social engineering to access the network and look for vulnerable assets.
Bad actors must gain this kind of access to begin reconnaissance and find vulnerabilities. If they can’t get this initial access, they cannot proceed with the next steps in the attack chain.
The new “Bring Your Own Device” policy has been mandated by the state, but Flores said the information security team here at UTMB sees it as an important tool for the institution.
“We're doing this because we want to protect the institution,” Flores said. “Every single user has a responsibility to the information security program to safeguard the information that they're entrusted with or the systems that they're interacting with.”
For more information, download the FAQ document: BYOD Frequently Asked Questions.pdf