BYOD Security Is a Balancing Act
By Larry Walsh
It’s obvious the bring-your-own-device trend isn’t just a passing fad; it’s an inevitable paradigm shift within the personal computing world. As devices become more sophisticated, their capabilities expand exponentially. But how can a CIO adopt a corporate BYOD strategy without clamping down on the innovation that makes tablets productivity powerhouses?
Gartner has a few ideas. In a recent report detailing the “hurdles” of BYOD adoption, over 70 percent of respondents said BYOD would come into play in 2013. This much enthusiasm, though, should not be met with a rush to deploy such a service. There are three critical hurdles CIOs must clear before a BYOD strategy is sustainable and secure. Gartner believes they are as follows:
Build a Baseline: Before deploying any BYOD solution, a CIO should create a minimal security requirement. It could be something simple, like requiring all devices to have a password, or something more advanced, like requiring all devices to run a specific OS version with known fixes. Mobile device management (MDM) software can be used to alert employees to these requirements and to any security risks that are detected.
However, Gartner warns against overreaching security measures. If policies limit user access to apps and services, the tablet will no longer be a productivity device. Finding a balance that allows users to use the device naturally without jumping through security hoops is the sweet spot.
Employ MDM and SWG: Most CIOs are familiar with MDM, which allows IT administrators to manage the way users interact with corporate data and applications on the corporate network. But ensuring a high level of compliance and eliminating data leakage may require more than a software-based MDM strategy.
To implement BYOD with a good mix of freedom and security, secure Web gateways (SWGs) should be deployed. These appliances (or virtualized appliances) can provide white- and black-listing, content-aware containerization (so users don’t accidentally post private information on Twitter or Facebook) and unique tools to direct employees to an enterprise-approved app selection.
Educate Users: Free-range connectivity is pleasant, but at some level, users need to be educated on how their device should be used in the workplace. Likewise, an organization must educate the user on the device controls that apply once the device is in use. Gartner notes there are legal ramifications to remotely wiping or disabling a non-compliant device with personal data, even if it was not lost or stolen.
Building a relationship with employees on how organization policies play into their personal device usage is critical to ensuring litigious action is not taken in the event personal data is destroyed. One helpful way to navigate this issue is by presenting all users with a clear-language agreement upon registering the device with an MDM platform.
Eliminate Risk: Gartner doesn’t mention it, but wary CIOs should know that BYOD risks can be mitigated by adopting a different approach to how devices are used. Cautious corporations may want to consider tablet usage on a purely VDI basis. This may require more internal infrastructure, but for companies already using virtualization, it’s little extra work.
This solution can be safer, so long as corporate data is not allowed to pass from a virtual/remote desktop app onto the device itself. When combined with a light layer of MDM and gateway protection, a CIO can eliminate many of the key risks easily.
The best BYOD policies will be the ones that build a dialogue about usage and needs. A CIO may want to offer all users requesting mobile devices an initial survey. This can shape a more complete BYOD strategy by understanding what users expect to do with their devices at work. Moreover, this information can help CIOs plot a course to future management strategies, which can better meet evolving workplace needs.