What’s the secret to a secure BYOD rollout?

Opinion Oct 24, 2012

David Lingenfelter explores three key security strategies IT managers should execute to implement BYOD successfully

Today, in an “I want the next iPhone”-driven world, there’s no sense in an IT manager pretending BYOD isn’t happening or saying, “We don’t let our employees do that.” The truth is, they’re doing it already and will continue to bring non-compliant devices into the network with or without the IT department’s permission.

A recent CIO survey by Gartner determined that 80 percent of employees will be eligible to use their own equipment with staff data on board by 2016. This raises the inevitable question: How do IT departments support employee demand to use personal devices in a secure environment that protects corporate and personal data?

With the rapid proliferation of mobile devices showing no signs of slowing any time soon, here are three key security strategies IT managers should consider to create a secure and productive BYOD environment.

Creating mobility policies & over-the-air (OTA) device configuration

Policy creation is the most important aspect of BYOD outside of technology when a business commences roll-out. Though there are some best practices, each organisation will have its own unique set of challenges and opportunities. Some hard questions you need to answer include: Will we allow all devices, or only ones that meet minimum IT criteria? Will we provide employees with a stipend? Will we allow them to choose their device of choice and pay the data plan but have them pay for the device?

Will we disallow any specific types of applications like data sharing apps or explicit material apps and music? Who will be responsible for supporting the device? The technology should always back up the policy. One thing an IT department’s BYOD strategy shouldn’t do is bring more users to the help desk. Users should not have to bring their device into the office for assistance. This defeats the whole purpose of BYOD, which should empower users with responsibility for their devices. One solution is to configure all devices over-the-air to maximise efficiency for both IT and employees.

For initial device enrolment, users have to “opt in” to an acceptable usage agreement. Once this is completed, OTA delivery of all settings the employee needs to access email contacts, corporate documents and content should automatically take place. At this point, from a security perspective, IT departments should also create policies to restrict access to certain business applications and generate warnings when a user goes over their data usage for the month.

Separate corporate from personal data

Not surprisingly, many employees prefer to access corporate resources using their own tablet or smartphone because it is already an integral part of their everyday lives. This serves the employee well, but the IT department may well find it difficult to enforce the best policies among users, who generally are not concerned with corporate or regulatory compliance issues in their personal use. Unlike creating a mobile policy, this is the most important step in which technology plays the leading role.

For BYOD policies to be agreeable to IT and end users, personal information must be separated from business-critical applications. When an employee decides to use the latest iPhone for work-related activities, such as someone in the finance department editing a payments document, there is a good chance the company relies on built-in features and additional software tools to secure and manage the data on the device. In this case, sensitive information must be protected by IT, especially if an employee decides to leave the organisation. In contrast, recreational activity such as sharing photos with friends via Facebook should be untouched by corporate IT.

Not only will users appreciate the freedom of this approach, but so will IT, whose life will be infinitely easier as a result. With this approach, IT can selectively wipe corporate data when an employee leaves. Alternatively, if an employee loses the device, the entire device can be wiped. However, only a true MDM solution can provide an IT manager with the choice. This balances corporate governance with personal privacy.

Launch day support for new devices and operating systems

Lastly, companies need to have a way to enable or disable new devices and OS features immediately upon their availability. Any lag in the IT department’s ability to support the latest technology will increase risk and cause gaps in security, not to mention productivity. For example, the last two major releases from Apple, iOS 5 and iOS 6, brought about an interesting situation for IT staff.

When iOS 5 was released, it caused great concern: users gained the ability to leverage iCloud, raising fears of corporate data leaking into Apple’s cloud storage. Only companies that implemented an MDM solution that provided immediate OS feature updates had the tools to block or allow iCloud. Unfortunately, many organisations were stuck waiting for their vendor to release a support update, leaving their data at risk. What good is technology if it is not automatically kept up to date with the mobile world? It would be like having out-dated virus definition files on your PC.

Moving forward, there can be no denying that BYOD is an emerging best practice for giving employees the freedom to work on their own devices while relieving management and support burdens on IT. For the IT manager to experience the full benefits of BYOD, well-written security policies and a robust management platform will need to be implemented during the early stages of the rollout process.

David Lingenfelter is information security officer at Fiberlink
