New mobile devices, including those running BlackBerry 10 and Samsung's Knox, were recently approved for employee use under the U.S. DoD mobile device strategy. If the Department of Defense approves a device, is it safe to expedite BYOD approval of those devices in an enterprise environment?
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
You shouldn't look to the U.S. Department of Defense's approval of mobile devices as the basis of device approval for your bring your own device (BYOD) strategy. The Department of Defense approved these devices, but only after applying strict configuration guidelines. The configuration of these devices is just as crucial to a BYOD deployment as the configuration of PCs and servers in enterprise networks.
The DoD configuration may be applicable to your environment, but it sacrifices usability for security. For example, under the DoD's configuration, CEOs would not be able to use their iPhone on a public network or with their in-car Bluetooth. I doubt that this would be acceptable in an enterprise environment where usability tends to have more sway than security. The information security practitioner who implements such a configuration could even run into job security issues.
The DoD mobile device strategy is based on a risk management process. Any company looking to implement BYOD should start there as well. First, determine the information that should be protected on the applicable devices and analyze any potential risks to that information. Then, build a custom configuration and device management strategy by weighing these risks with the company's risk tolerance. Such steps help build a better balance between usability and security for a BYOD deployment.
This was first published in January 2014