Creating a Bring-Your-Own-Technology (BYOT) Program
Twelve steps to follow when creating a BYOT program.
Bring your own device (BYOD) approaches, which are gaining popularity for a number of reasons, in some ways are IT departments' and CSOs' worst nightmares. Suddenly, the tightly controlled world in which management knows precisely what devices are in the field and how they are being used has been ripped asunder. Without great care and new approaches, the company can only guess - and worry.
Last week, Aruba announced the purchase of Avenda Systems. eWeek provides a great deal of information on the nature of the deal and how the acquisition will be integrated into Aruba. The bottom line is that Aruba will use the company to offer a number of strategies aimed at making security less dependent on intimate knowledge of what actually is being protected. The story offered opinions of Hitesh Sheth, Aruba's COO:
The BYOD trend will continue, with employees using their personal devices to access corporate resources, but it will also expand to include desktops and laptops, not just smartphones and tablets, Sheth said. He predicted that there will be a time when corporations will just give employees a stipend and have them use their personal computers to do their work, provided the machines meet "certain basic security policies."
That is quite a thought. The bottom line is that CSOs and IT departments will need to jump through technical and operational hoops in order to secure devices and data in such an open landscape.
The problem is pretty clear. But, unfortunately, the answers are not. Perhaps the problem on its face seems to be so overpowering that organizations just don't want to face it. an interview at Bank Info Security that there is a lot of work to do:, indicated in
BYOD - bring your own device - is rapidly increasing throughout the world, especially among younger employees, says Vander Wal,international president. But organizations have done little to ensure policies and procedures are in place to address security risks surrounding mobile devices that are used for a mix of personal interactions and business.
How will you deal with the irate user who had unique personal data on that device, until your team accidently (sic) remotely wiped it or sent a software update that blew away non-company content? Do you really want responsibility for unarchived irreplaceable family pictures, or bank records, or the office fantasy football pool, or whatever? Telling the user he should have had a backup won't get you far. It certainly won't win you the admiration and respect of your coworkers, and inevitably, somewhere, sometime, lost personal data will lose someone a lawsuit. Managing devices you don't own is a risk you shouldn't be willing to take.
Wittmann concludes that the biggest single task is to educate employees using their own devices and, through that education, get them on the organization's side. It won't be easy, however. The advent of the consumerization of IT and BYOD represent a complete turnaround in how IT and security staffs do their jobs.
It's a vast overstatement to say that nobody is thinking of these issues, of course. Wittmann is. So is Cisco. Stephen Song, Cisco's security business manager, blogged last week that both mobile device management (MDM) and virtualization are tools to confront the challenge. Noah Gamer at Simply Security responded that virtualization of mobile operating systems indeed is a good idea, but the technology is not quite there yet.
BYOD's impact on security is one of the most important issues IT and security staffs face going forward. The first step is that the folks who are in denial must be convinced that a proactive approach is the only way to ensure both the integrity of the devices and the happiness of employees.