What companies must know about Bring Your Own Device to work
By Don Jackson
Corporate IT is undergoing one of the most significant changes in years, and I couldn’t be more delighted about it. It’s called consumerisation, and it means I can go shopping for my own tech gear with the promise of using it to be more productive in my workplace. I can choose the type of device I buy, my service provider and the operating platform I want, the provider of my personal choice, the platform I prefer, the form factor that fits me and my life, and the features that enable me to work smarter and play harder. Employees, managers and corporate executives want to be able to use their own devices for work. The BYOD (bring your own device) movement allows employees to conduct work from almost anywhere, and is so popular among workers that companies promote their BYOD programs in corporate recruiting. Some companies have preferred cellular network providers that offer discounts to employees participating in mobile workforce programs, including BYOD.
Before making a decision to support any mobile device, IT managers must also accurately assess the security and interoperability implications of allowing the devices to connect to the network. For example, they would want to know whether the phone supports the VPN specifications required for a secure connection.
Even with these considerations, adoption of BYOD is almost unavoidable these days as workers clamor to use their own devices. But before supporting any company plan, organizations need to know what’s happening in their IT environments such as what network services are available, how they are being accessed and who is accessing them. Organisations need people to help create and oversee rules, policies and procedures for mobile to officially support BYOD programs. Otherwise, the corporate IT environment could be quietly invaded. A host of mobile devices plugged into USB ports could download company email over unprotected networks and could download items on the device, such as malware, infected files or personal documents, onto the company network.
IT and security managers are being mandated to support the integration of personally owned devices. But it can be costly to manage and support so many different, and sometimes unique, configurations. IT teams could be required to become familiar with entirely new platforms for information processing and to keep pace with rapidly changing platforms.
Organisations should consider security before implementing any BYOD program to prevent security problems. IT Managers will need to know the ways in which employees will need to connect to the network, such as by corporate wireless or over cell phone networks, and managers should have a system in place to track who connects to the corporate network and when they do so.
To keep the benefits of BYOD from being eclipsed by support costs, many organisations look to partner with mobile device management service providers because it’s usually less expensive. Companies that specialise in monitoring mobile devices 24/7 should have the knowledge and employees to work with the countless types of old and new devices and operating systems, and can probably offer better pricing than hiring enough experts in-house to do the work. With a compound annual growth rate of around 20 percent for BYOD initiatives, business opportunities abound for service providers and competition is fierce. Practically all offerings cover basic IT security such as password policy enforcement and remote device wiping. Most providers have solutions that accommodate multiple platforms and address all major requirements for device provisioning and configuration. Many providers also offer services around managing telecom expenses and offer auditing capabilities, as well as security, to protect corporate information assets from abuse and hacking. Some service providers also offer cross-platform enterprise application environments that isolate custom business applications from personal-use apps and protect corporate information whether on the device or in the cloud.
Analysts expect to see significant consolidation among companies that manage your mobile devices and companies that provide security. Security managers will need to vet the providers to ensure that their services meet internal security policies and requirements. IT managers responsible for selecting a mobility service provider should be confident that strong encryption is implemented correctly and find their answers to the following key questions.
- Can authentication requirements be met using available features, or will availability of some enterprise information be limited?
- Is data and code isolation from personal-use domains adequate, or do compensating controls and third-party technology need to be deployed?
- Can network access control (NAC) and endpoint protection prevent unauthorized connection to corporation-owned assets, or will devices be limited to guest access or Internet-only VLANs?
- Is VPN functionality available to protect communications?
Security managers should also consider how they intend to ensure that mobile devices get patched regularly. Patching to eliminate vulnerabilities is often an issue, as service providers and device owners all rely on manufacturers, OS developers, and makers of third-party applications to supply patches. However, patches for Security flaws in the operating system are rarely created.
In environments where requirements for data handling and protection are exceptionally stringent, IT managers may want to forbid the use of mobile platforms that are not compatible with company requirements. Users will still be able to choose several satisfactory mobile devices that are supported by the company. Users are generally asked to concede some control over their device or to hand over its configuration to corporate IT or the organisation’s service provider partners. That allows users to enjoy the added convenience of a single, handy device for managing multiple aspects of their daily lives, including access to company information. Users have found that allowing their employers to manage their devices has little to no effect in the ways in which they use their devices for personal activities. Many BYOD participants welcome the added security and the benefit of not having to conduct device management chores themselves, such as updating applications and managing user credentials.
I’m an admitted tech geek and a security professional, so I splurged on my top choice for a mobile device to handle my personal business. My employer’s BYOD program supports my mobile phone. I enjoy flaunting the latest fashionable handheld technology and using it to conveniently and efficiently dispatch requests from co-workers, manage customer relationships, and rearrange my schedule around the next conference I’ll attend without putting anything or anyone at additional risk and without putting my personal life on hold.
Don Jackson, CISSP, is a Senior Security Researcher with the Counter Threat Unit (CTUTM) Research Team at Dell SecureWorks