BYOD: A Security Perspective

Leonel Navarro

When one thinks of BYOD, concepts like cloud, mobile, virtualization, policies, cost efficiencies, productivity, mobile device management, containerization, privacy, and even the well-known term “bring your own disaster” come to mind. Despite the growing popularity of the BYOD trend, not all organizations have a broad understanding of the term or a well-conceived plan for how to manage BYOD. This article will seek to offer organizations a practical way to think about BYOD risk, security and policy.

During a recent conversation with a CISO, he discussed how some organizations voluntarily implement BYOD without a holistic approach, leaving backdoors to policies and/or controls that may jeopardize secure systems. This conversation also made me think about how other organizations are involuntarily implementing BYOD initiatives, since many of their employees are using privately owned devices to download corporate emails.


Even though we know that increased employee productivity, satisfaction and mobility, the cost savings from reduced endpoint hardware procurement, and reduced operational support costs are motivating factors for BYOD deployments, the truth is that security should be put above all of this. The CISO and his/her organization should conduct due diligence to understand all of the challenges associated with BYOD initiatives. For instance, implementing a virtualized environment to enable mobility/BYOD without the proper policy in place does not make sense: virtualization alone will not prevent users from downloading files to their devices if there is also a backdoor in your web/proxy policy that allows employees to reach Gmail, Dropbox or similar Web-based applications. Moreover, one must define the business purpose of a BYOD implementation. The most common purposes are email, calendar, contact management, document creation/editing, and access to the intranet, company-built apps, and even enterprise app stores.

After that, it’s important to identify the composition of the audience from a profile and device perspective. A good understanding will enable you to make the most of the BYOD initiative, while also helping you to identify the types of devices that will be used. For example, a presentation at a recent Gartner Summit showed that the most popular device platform in developed countries is iOS, while in emerging countries it is Android, and that by 2016, smartphones will be 78 percent of total global handset shipments. Such information is helpful when predicting which BYOD devices to plan for.


BYOD drives mobile app development for internal business purposes, not just for customers. Thus, it’s essential to collaborate with the development team to understand their mobile application development strategy and keep it in sync with your BYOD policy. Creating an internal iOS application when your policy is limited to Android devices, for example, does not make much sense. These days, organizations should ensure their mobile enterprise application platforms are multi-platform and multi-channel-oriented.

Defining BYOD policy is also crucial. To help you craft a successful policy, I’ve created a checklist. If you define the following elements in your BYOD policy, you will be on the road to a secure, mobile-friendly work environment:

DEFINE:

  • Supported devices
  • Email account usage standards
  • Access and authentication mechanisms
  • Acceptable mobile usage education
  • Device wiping procedures
  • Stored data management standards
  • Malware protection procedures
  • Location tracking terms
  • Application usage policy
  • Configuration details
  • Mobile device management/application procedures (e.g., device loss, procedures for when employees leave, regular checkups of all devices connected to the network, etc.)

BYOD initiatives demand new security controls to minimize risk and additional IT resources to manage security initiatives. Yet, since the office of the future demands flexibility, mobility and convenience, it is obvious that BYOD is something that is here to stay. Thus, organizations should embrace it, evaluate it, and implement all required controls and resources necessary for success. Good luck!

Leonel Navarro is Practice Manager & Business leader for Softtek Information Security Practice. He is a certified project management professional (PMP) and a certified information systems security professional (CISSP). Navarro’s twelve years of experience in IT operations with teams based in Mexico, the United States, and China, combined with critical customer-facing positions he has held, enable him to perform the overall coordination of the Sales, Marketing, Product Management and Strategic Alliances strategy for Softtek’s Information Security Service offering while overseeing the delivery of those services with existing clients. Leo holds a Bachelor in Electrical Engineering & Computer Architecture from ITESM.

Jul 24, 2013 1:24 AM Adam says:
Security risks (lost devices, access to sensitive data) are definitely a part of BYOD. However, these risks can be reduced by keeping data and applications separate from personal devices. That means that there's no sensitive data exposed if an employee's device is lost or stolen. This can be achieved with solutions like Ericom AccessNow, an HTML5 RDP client that enables users to connect from most types of devices to any RDP hosts (such as VDI virtual desktops or Windows Remote Desktop Services) and run full Windows desktops or applications in a browser tab. There's nothing to install on the end user devices, as you only need an HTML5-compatible browser, so using AccessNow also reduces IT support costs, since IT staff don't need to spend time installing software on so many different platforms. All they need to do is give employees a URL and login credentials. Download this free white paper for some additional ideas on securely managing the mobile workforce: http://www.ericom.com/WP-MobileAccessSecurity.asp?URL_ID=708 Please note that I work for Ericom.
Aug 11, 2013 7:37 AM shellybusby says:
In healthcare, not having a good BYOD policy can result in large HIPAA fines, so a good BYOD policy is very important, but it is really the education of staff about the policy that will make it a success or failure. A good example is that our hospital put a BYOD policy in place to use Tigertext for HIPAA-compliant text messaging, but the doctors still used their unsecured regular SMS text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for training and explaining the HIPAA issues and how to use the app correctly. Now we have most of the doctors in compliance, which has significantly lowered the HIPAA risks and increased productivity for the doctors and the hospital. Here is an example of a BYOD policy similar to ours: http://www.hipaatext.com/wp-content/uploads/2013/03/BYOD-Policy-20130213.pdf
