The current state of BYOD security may leave IT departments longing for the days of the locked-down company laptop. Today, however, there is an expectation that employees in certain positions should be available whenever they’re out of the office. Rather than lug around a standard-issue laptop, managers, sales staff, and other employees need the ability to conduct business from their own devices and from any location.
The challenge in this environment is to maintain adequate security over company systems and data, without implementing overly restrictive policies that employees will resent. Furthermore, the C-Suite doesn’t look favorably on overzealous IT managers who prevent on-the-go workers from operating at their best.
It’s tempting to treat the network entry point as the BYOD front line. The device itself, however, presents a number of opportunities for a security breach, and so does the network the device is connecting from, in particular those anonymous public wifi hotspots (Yikes!). Long story short, this is going to be more complicated than we had hoped.
Creating a successful and safe BYOD environment can be easy enough to conceptualize if we break the requirements into two primary areas: Policies and MDM (Mobile Device Management).
Employees should be expected to maintain certain security practices on their own devices. Many employers require a signed document explaining that employees understand their responsibilities, AKA a BYOD policy. We begin with the simple requirement that devices must be protected by a passcode or fingerprint and must lock automatically when not in use, not just when the employee remembers to lock them. As basic as this requirement may be, it will still be highly objectionable to some, so be prepared to deflect the flak by supplying a list of reasons and examples of why it must be followed.
Digging deeper into the policy quagmire, employees should also be required to install any security or antivirus software of the company’s choosing. Despite the app stores’ security screening, malicious apps do make it onto devices. Cybercriminals have found ways to slip data-mining and identity-stealing code past the app store checks, typically by shipping a clean-looking app that downloads its malicious payload only after it has been installed and reviewed.
It should also be a requirement that lost or stolen devices are reported ASAP, so that IT admins can take appropriate action to safeguard company data, such as remotely wiping the company partition on the device. We’ll dive into that subject some more in the MDM section.
The next policy requirement segues into the MDM aspect of BYOD security. For most organizations, it will be necessary to require that employees install mobile device management on any personal devices that access company systems. MDM makes it possible for a company to manage a portion of an employee’s personal device while allowing their personal data and communications to remain private. It helps the medicine go down if you stress MDM’s separation of work and private areas, specifically that the company does not get access to the personal areas on the phone or tablet.
Mobile Device Management (MDM)
Most MDM configurations secure a device by creating an encrypted company partition (in practice a separate managed work profile or container rather than a literal disk partition) on the device’s storage, and supplying a secure web browser, email client, and document sharing environment within that space. IT admins retain the power to wipe this partition remotely if the device is lost or stolen. The personal partition, however, remains intact and out of the company’s reach.
There are some major advantages to this separation of business and personal space. Earlier MDM implementations would prevent the installation of unauthorized apps anywhere on a device. Could you imagine denying an employee the right to install the latest incarnation of Candy Crush on their personal phone? Clearly, those early policies were not going to work.
Modern MDM software, such as VMware AirWatch, is far more robust. Device certificates issued at enrollment establish trust in the device, while employees authenticate through single sign-on. Traffic can stay encrypted all the way from the device to the data center without any added complexity for the end user. Apps can be containerized so that an untrusted or compromised app cannot reach managed data, while network traffic is tunneled and segmented on a per-app basis using network virtualization, rather than routing the whole device through the corporate network.
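To show how the policy items above (screen lock, MDM enrollment, prompt reporting of lost devices) and the MDM controls just described (encrypted work container, device certificates, remote wipe of only the company partition) combine into an access decision, here is an added conditional-access evaluator. It is an illustration written for this article, not AirWatch’s or any other vendor’s code; the posture report fields, the minimum OS versions, the five-minute auto-lock ceiling, the action names and the sample reports are all assumptions, so map them onto whatever your MDM actually reports.

```python
"""Conditional-access gate that turns a BYOD policy into a per-device decision.

Added illustration, not any MDM vendor's code. The posture fields, baseline
numbers and action names are assumptions for this example.
"""
import json
from dataclasses import dataclass, field

# Assumed policy baseline (illustrative, not from any vendor).
MIN_OS = {"ios": (16, 0), "android": (13, 0)}
MAX_AUTOLOCK_SECONDS = 300          # must lock within 5 minutes of inactivity


@dataclass
class Decision:
    action: str                     # "allow", "block" or "wipe_work_profile"
    reasons: list = field(default_factory=list)


def parse_version(text):
    """'14.2.1' -> (14, 2, 1); digits only, so '14.2b' -> (14, 2)."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(version, floor):
    """Numeric, zero-padded comparison: '16' >= (16, 0) and 14.10 > 14.2."""
    v = list(parse_version(version))
    f = list(floor)
    width = max(len(v), len(f))
    v += [0] * (width - len(v))
    f += [0] * (width - len(f))
    return tuple(v) >= tuple(f)


def evaluate(posture):
    """Apply the policy to one posture report (a dict) and return a Decision."""
    # A lost or stolen device is handled first: wipe the managed work
    # profile only; the personal side of the device is never touched.
    if posture.get("reported_lost"):
        return Decision("wipe_work_profile", ["device reported lost or stolen"])

    reasons = []
    if not posture.get("screen_lock"):
        reasons.append("no screen lock configured")
    elif posture.get("autolock_seconds", float("inf")) > MAX_AUTOLOCK_SECONDS:
        reasons.append("auto-lock timeout exceeds %d s" % MAX_AUTOLOCK_SECONDS)
    if not posture.get("mdm_enrolled"):
        reasons.append("device not enrolled in MDM")
    if not posture.get("work_profile_encrypted"):
        reasons.append("work profile not encrypted")
    if not posture.get("device_cert_valid"):
        reasons.append("device certificate missing, expired or untrusted")
    if posture.get("compromised"):           # rooted or jailbroken
        reasons.append("device is rooted or jailbroken")
    platform = str(posture.get("platform", "")).lower()
    floor = MIN_OS.get(platform)
    if floor is None:
        reasons.append("unsupported platform %r" % platform)
    elif not version_at_least(posture.get("os_version", "0"), floor):
        reasons.append("OS %s below minimum %s" % (
            posture.get("os_version"), ".".join(map(str, floor))))
    return Decision("allow" if not reasons else "block", reasons)


def evaluate_fleet(report_json):
    """Evaluate a JSON batch of reports and return {device_id: Decision}."""
    return {r["device_id"]: evaluate(r) for r in json.loads(report_json)}


# Constructed sample posture reports (made up for this example).
SAMPLE_REPORTS = json.dumps([
    {"device_id": "phone-a", "platform": "iOS", "os_version": "17.1",
     "screen_lock": True, "autolock_seconds": 120, "mdm_enrolled": True,
     "work_profile_encrypted": True, "device_cert_valid": True,
     "compromised": False, "reported_lost": False},
    {"device_id": "phone-b", "platform": "Android", "os_version": "12.1",
     "screen_lock": True, "autolock_seconds": 900, "mdm_enrolled": True,
     "work_profile_encrypted": True, "device_cert_valid": False,
     "compromised": False, "reported_lost": False},
    {"device_id": "tablet-c", "platform": "iOS", "os_version": "17.0",
     "screen_lock": True, "autolock_seconds": 60, "mdm_enrolled": True,
     "work_profile_encrypted": True, "device_cert_valid": True,
     "compromised": False, "reported_lost": True},
])

if __name__ == "__main__":
    for device, decision in evaluate_fleet(SAMPLE_REPORTS).items():
        print(device, decision.action, "; ".join(decision.reasons))
```

Two design points worth copying even if the field names differ: the lost-device branch comes before every other check and only ever targets the work profile, which is the promise made to employees in the policy; and OS versions are compared numerically with zero padding, because a string comparison quietly treats 14.10 as older than 14.2 and lets an out-of-date device through.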
There were some early MDM growing pains regarding vendor neutrality. Companies were faced with the choice of requiring employees to use only devices from a vendor of the company’s choosing, or implementing a separate management utility for each platform. Thankfully, newer MDM solutions cut through the various vendor and OS complexities, allowing IT admins to support their entire device portfolio from a single application.
With a sound BYOD policy and the right device management utilities, it’s now possible to give employees the freedom to conduct business on their own mobile gear while safeguarding company systems and sensitive data. The C-Suite is pleased and your name has been circulating. Congratulate yourself with a resume update and some talking points for that next compensation review!