Dealing with BYOD risks
BYOD is a double-edged sword, bringing increased productivity and cost-savings but increasing the risk of data breaches at the same time. Administrators need to somehow manage the enterprise data on BYOD devices -- whose owners generally put convenience ahead of security -- while at the same time avoiding interference with the user's personal data. Devices running Windows 8.1 can take advantage of various new security measures aimed at overcoming the problem of "your data, their device" and the thorny issue of administrators accessing BYOD devices.
A typical example of Microsoft's BYOD security effort is the improved DirectAccess feature. DirectAccess provides remote connectivity to users by automatically initiating and closing connections to access resources on an organization's intranet; this eliminates the need to fiddle with setting up VPN connections, a struggle for many users. This automatic secure connection also allows administrators to publish security updates and Group Policy settings to the remote devices even when the user is not logged on to the device, keeping devices compliant with configuration baselines and security policies.
Join, To Go
Organizations running Windows Server 2012 R2 can also allow users to connect their personal Windows 8.1 devices to organizational resources without requiring a full domain-join by using Server 2012 R2's self-service access tool, Workplace Join. Apple iOS devices are also supported and Android devices will be supported in the near future. Installing a certificate on the device lets users -- whether employees, suppliers or customers -- register a non-corporate-managed device in Active Directory to gain secure single sign-on access. This authorizes permitted network applications and services that were previously available only from corporate-managed Active Directory domain-joined PCs.
Workplace Join can be used in conjunction with the Windows Intune device management service, which allows administrators to apply policies, deploy apps and ensure that the device is up to date while still allowing users to retain control of their devices. This combination avoids the problems of privacy invasion and increases the chances of it being accepted by BYOD users. (The Simple Certificate Enrollment Protocol (SCEP), which uses the Open Mobile Alliance Device Management protocol, is a device-management protocol. SCEP is now supported in Windows 8.1 so administrators can use mobile device management tools other than Windows Intune.)
Windows To Go, available with Windows 8.1 Enterprise, is another option for turning laptops and tablets with a USB port into managed devices without violating BYOD users' privacy by actively managing their devices. Users start their device from a fully manageable, corporate image installed on a bootable certified USB drive that keeps the device's operating system, applications and data both intact and inaccessible to anyone other than the user.
Windows 8.1 does more than make managing BYOD devices easier for both administrators and users. Other security features -- such as remote business data removal, improved malware resistance, and fingerprint-based and multi-factor authentication -- protect devices and data from unauthorized access and software threats. Automated device encryption is provided by TPM 2.0, and although it won't be a Windows 8.1 certification requirement until next year it is already appearing in various types of mobile devices.
A strong case
Microsoft knows that BYOD is here to stay and its software needs to offer both security and ease of use for administrators and users. The Windows 8.1 operating system ticks many of the security boxes necessary for it to become a serious option for those looking to follow a secure BYOD strategy. Enterprise network and security managers can make a strong case that by encouraging users to choose Windows 8.1 certified devices, they can provide those using personal devices with access to enterprise data and resources while minimizing the chance that malware or a data-theft incident involving a mobile device will wreak havoc on a protected internal network.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).