This article can also be found in the Premium Editorial Download "Information Security magazine: Seven Outstanding Security Pros in 2012."
Download it now to read this article plus other related content.
With a rising need to be more productive, efficient and fast, there is recognition among business leaders that a more mobile workforce is becoming a true necessity. Enabling a mobile workforce is, however, an expensive proposition. Usage costs and the cost to purchase and maintain mobile devices, applications and backend services such as security have curtailed many businesses from offering employees a corporate-issued smartphone or tablet offering.
At the same time, there’s been a dramatic shift in consumer behavior with the introduction of smart devices like the iPhone, iPad and Android-based devices. More and more users are adopting and willingly using these non-sanctioned smart devices in their workplace to access corporate resources, a behavior that has indirectly benefited the businesses in many ways. As business leaders recognize the value of personally owned devices in the workplace, they are putting increasing pressure on IT to allow the use of these devices to access internal corporate resources.
This major shift in business behavior is challenging IT organizations in new ways. IT organizations are no longer in sole control of the end-user tools that they traditionally have dictated.
The first question to ask is, “Are we ready to embrace the trend of bring your own device (BYOD)?” The answer definitely should be “yes.” Many forward-thinking companies have already embraced the BYOD trend and are realizing the next significant increase in end-user productivity. BYOD is not a short-term movement; it is here to stay whether you have a BYOD policy in place or not.
Global Principal Security Architect, Roche Pharma
Genentech, a Member of the Roche Group
As enterprise security architect at Genentech and Roche, Krishnan leads the development and implementation of a three- to five-year security roadmap for a global organization with more than 90 locations and 110,000 users.
Recently led a security audit remediation effort that transformed the security framework at Roche. New functionality includes application whitelisting software, behavior-based malware protection for Web and email, and strong authentication for remote access.
Published whitepapers on enterprise Web access management, cloud security and mobility, and choice computing.
As a quick status check, if you scan your network, you are going to find non-corporate-owned devices connecting to your network already. In a nutshell, we should embrace the expanding business movement to BYOD instead of staying away or fighting the growing business demands driving it. Consider these organizational benefits of a BYOD strategy:
- Increased productivity of the end user to do his or her job from anywhere and at any time.
- Guaranteed employee satisfaction by allowing end users the choice to use their own most-loved, personal device.
- Single device solution that eliminates the need for the end user to carry multiple devices—one for personal use and one for business use.
- Cost savings: No need to buy and issue a new device to end users.
Obviously, the next big question is how do we harness the benefits of the BYOD movement, yet mitigate IT challenges and the organizational risks linked with BYOD? Organizations face significant IT challenges, which are essential to evaluate the pros and cons prior to allowing the use of BYOD. These challenges can be vetted and addressed thoroughly via clear policies and business processes as described below:
- Device ownership: Develop a term-of-use consent form for employees to agree and abide to prior to gaining access to corporate systems and data.
- Device management standards: Manage the device using a centralized device management tool and enforce security controls such as password lock and application usage restrictions.
- Securing the data: Deploy tools and enforcing controls to secure the corporate data stored on the device.
- Data segmentation: Separate personal data from corporate data on the devices.
- IT support: IT support and additional training for supporting the personal devices and managing increased service desk calls.
- Communication: Develop and communicate BYOD policy, procedures and support through security awareness training for end users.
- Data plan: Monitor the cost of data plan usage and lack of control to determine the cost for personal use versus corporate use.
When embracing BYOD, organizations also need to be aware of the risks that are introduced with this policy. Key risks to evaluate are:
- Application control: Uncontrolled and unsecured applications that could be installed on the device by the user.
- Potential data loss: This requires eliminating or reducing exposure of sensitive and critical data.
- Local labor laws/issues: Local and/or country labor laws that prevent users from working for more than normal working hours. Employment agreements need to be updated to manage possible Fair Labor Standard Act-related risk.
- Potential privacy issue: Tools employed by IT to manage the device could monitor and track the location of the device, which may introduce a privacy issue in certain countries for the organization.
- Regulatory requirements: Businesses that operate in specific industries like health care or finance fall under strict regulatory compliance mandates. SOX, HIPAA, GLBA, PCI DSS and other compliance frameworks outline which data must be protected and provide basic guidelines for how that data should be protected. Ensure regulatory compliance within BYOD policies.
- Lost and stolen devices: End-user training for immediate reporting of loss or theft of a personal device with business access.
- Data recovery: Clear delineation of who owns the data stored on the device and how to recover or wipe the data when an end user leaves the organization.
Embracing BYOD technology is just one of the many issues that IT must manage, but it may not be the biggest challenge. Legal ownership of data stored on a personal device may be an even bigger challenge for organizations to overcome. Defining the appropriate policies with the expectation that the criteria will be different for different business units and types of personnel is essential to managing organizational security. Creating the appropriate balance between benefits/risks within your organization will be critical to implementing a successful BYOD strategy.
Information Security's 2012 Security 7 winners:
This was first published in October 2012