Manage Learn to apply best practices and optimize your operations.

Bring your own device policy: Six questions to ask security providers

Security managers increasingly combine existing tools to implement an overall BYOD security posture. Key security features can make the job easier.

As personal devices, clouds and social networks become more pervasive; it is harder to defend the enterprise perimeter...

with yesterday’s firewall and IPS technologies. One benefit of implementing a bring your own device policy is that there are a variety of ways to enforce better security.

Depending on the BYOD method you choose, you can have vastly different security profiles and policies to manage however. Part of the problem is that protecting enterprise data involves some combination of securing the physical device, the user login process, the applications that reside on the device, and the network access that is granted to the device when it enters your premises. That’s a lot of ground to cover, and sometimes it takes more than just one security product.

Some security managers rely on existing products, such as single sign-on tools, mobile device management, network access controls and application firewalls to implement an overall BYOD security posture. So to help you navigate these various tools, we have put together a series of six questions you should ask security vendors. These questions hit on the major security-specific features to help you figure out the right collection of policies to protect your users’ mobile devices:

  1. Is all traffic encrypted between mobile devices and your corporate network? Some security apps use SSL connections, and some provide their own encryption methods. Other tools don't encrypt any data that is sent over the Internet at all. This functionality also varies by device type: many Android devices don't have device-level encryption. And some BYOD tools do a better job of managing the encryption certificates than others, too.
  2. Are files that are viewed on the mobile device ever stored on the device itself? With some mobile devices, once a remote session ends, all traces of the document are removed from the tablet's and storage. With others,there can be some residue, or the file itself could be accessed by an app that you have already downloaded to your device.
  3. Does a document remain under the control of the app, so you can prevent it from being exported outside the app? Some technologies use containers or application wrappers to separate enterprise data and files from other mobile apps. The stricter the control you have, the more secure your files will be.
  4. Can you remotely wipe all traces of the document or history from the employee-owned device, or disable the device entirely if it’s lost or stolen? One often-touted feature of many network security tools is the ability to remotely wipe a phone if it is compromised, or at least terminate any Internet access from the device. But how this is implemented, and what level of IT involvement is needed (such as a panic call into your help desk) to turn off a device differs among the various tools.
  5. Can you disable employee-owned device peripherals through policies? Some products can turn off broadband data connections and force Wi-Fi to save on cellular data usage, or disable a camera or Bluetooth radio under certain circumstances or for particular applications.
  6. Does the BYOD or a single-sign on product integrate with two factor authentication tools? Some tools support third-party multifactor authentication for increased security. For instance, AirWatch Enterprise Mobility Management works with F-Secure's authentication product. Others, such as IBM's Endpoint Manager, offer no second factor support.

David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of, Network Computing magazine and Read more from Strom at

Next Steps

More on the costs and ROI of BYOD policies

This was last published in May 2015

Dig Deeper on BYOD and mobile device security best practices