The four cornerstones of a successful BYOD program
Date: Mar 17, 2014
Don't let the lack of a BYOD security policy stall your mobile device program. In the fourth part of this five-part webcast series on mobile device strategies, Craig Mathias, principal at wireless mobile advisory firm Farpoint Group, outlines the four cornerstones of a successful BYOD program:
- Quality of user experience
- Device flexibility
- Vendor independence
- Security policy
With successful BYOD implementations, I've seen a number of key characteristics. First is user transparency. Quality of experience is everything. If the solution is hard to use or places burdens on individuals, they are not going to be happy, they're not going to be productive and, worse, they may think of ways around all of this -- and that's very bad. We need to provide a high degree of flexibility, a wide variety of devices and access scenarios which include fixed access, not just wireless.
We also need to be able to support not just those devices brought in by employees, but also those that are owned by the enterprise. Of course, guest access enters in here, and we may even extend the model to specialized and vertical devices -- machine-to-machine pack applications, as well.
For ease of use and quality of experience, we also need to provide some kind of self-service -- onboarding, auto provisioning -- to make it very easy for users to get connected with minimal involvement from IT. And ideally you should be able to manage the entire implementation from a single console. There is some hope that indeed all of enterprise mobility management will eventually wind up on a single console, and I think we are moving in that direction now.
Finally, we don't want to get too bound up with individual vendors, so we want to make sure there's a high degree of vendor independence and solutions as well. As I mentioned, standards are not well developed yet. This is something of a drawback, but it is getting better all of the time, and we'll also see more consolidated functionality going forward.
The big argument against BYOD revolves around security. Now, we might think of MDM as being more in the integrity area. BYOD is more about security -- keeping sensitive information secure, according to the terms of the BYOD security policy that's in place.
For years, BYOD was disallowed simply because, well, we don't want sensitive information walking off on a device that we can't manage. That was back in the era when people thought that wiping a device was more than adequate. So, we have enterprise data on a nonenterprise device. It's really not a new problem, and what we suggested is this solution framework that you see here…. I personally like the government model. It's a good idea to clear people for certain levels of access and do background checks as required. As we know from the Edward Snowden affair, nothing is ever perfect in this area, but it's important to put in place the necessary policies, agreements, education and consciousness-raising that go along with this -- the "loose lips sink ships" idea. Constantly remind people that the only thing the enterprise organization has of value is all of that information, and it needs to be guarded very carefully.
MDM capabilities are still important, [as is] making sure that we're managing configurations in concert with policies. Device wipe? Again, not quite so important. Instead, we should really move all of that into the domain of mobile application management and, ideally, mobile information management.
I think you'll find that this concept becomes very powerful over time. But from the perspective of BYOD and MDM, we're talking about policy and authentication. With respect to authentication, we very much recommend two-factor authentication -- something you have plus something you know, a token-based approach -- and it should also be mutual authentication, where both ends of the connection prove to the other end exactly who they are.
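To make the "something you have plus something you know" recommendation concrete, here is an added example (not code from the webcast or from Farpoint Group) of a server-side verifier that checks a PIN together with a time-based one-time token. The token algorithm is standard TOTP (RFC 6238) over HOTP (RFC 4226); the secret is the RFC test secret and the PIN and salt are constructed demo values. The defender-relevant details are that the PIN is stored only as a salted slow hash, comparisons are constant-time, both factors are always evaluated before answering, a small clock-drift window is tolerated, and an accepted code can never be replayed.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed demo values for this example (the RFC 4226/6238 test secret), not from the webcast.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the knowledge factor, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorVerifier:
    """Checks 'something you know' (a PIN) together with 'something you have' (a TOTP token)."""

    def __init__(self, pin: str, totp_secret: bytes, salt: Optional[bytes] = None, skew_steps: int = 1):
        self.salt = salt if salt is not None else os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.totp_secret = totp_secret
        self.skew_steps = skew_steps  # tolerate this many time steps of clock drift either side
        self.last_counter = -1        # highest counter accepted so far, used to reject replayed codes

    def verify(self, pin: str, code: str, now: int) -> bool:
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)

        # Check the token across the drift window. A code is single-use, so counters at or
        # below the last accepted one are never valid again, even if they are still in the window.
        current = now // TIME_STEP
        matched = None
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, counter), code):
                matched = counter

        # Both factors are always evaluated, so a failure does not reveal which factor was wrong.
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    verifier = TwoFactorVerifier("2468", DEMO_SECRET)  # "2468" is a constructed demo PIN
    t = 59  # RFC 6238 test time; the 8-digit code at this instant is 94287082
    code = totp(DEMO_SECRET, t)
    print("first use:", verifier.verify("2468", code, t))  # True
    print("replay:   ", verifier.verify("2468", code, t))  # False
```

In a real deployment the per-user TOTP secret and PIN hash would live in the identity store, and failed attempts should be rate-limited; the structure of the check, two independent factors plus replay protection, stays the same.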
A BYOD security policy checklist
Now, here at Farpoint Group, our security policy says that any sensitive information must be encrypted wherever it resides, and a VPN must be used when the information is transferred [and] anytime it's in transit. Your policy may vary, but hopefully that provides some guidance on the key checklist items for making BYOD work.
Consider a government type of security: a clearance level plus a need-to-know aspect. Make sure that your BYOD capabilities are in concert with the remainder of your enterprise mobility management systems, and make sure policies, agreements and education are in place. A lot of that is cultural. A lot of it does deal with consciousness-raising, but don't put that on the back burner. This is absolutely critical in terms of overall security.
Then, with respect to security -- encryption, VPNs, authentication -- all of these mechanisms need to be very carefully thought through so that they are in concert with whatever policy you put in place. If you do this, BYOD security is really not an issue.
Now, I did mention security policy, and it suddenly occurred to me in putting this presentation together that a lot of people don't have one in their organizations today. So, what a security policy says is what data is defined as sensitive. There might be several levels of that -- secret, top secret and so on -- plus who can have access, under what circumstances, and what to do in the event of a breach.
Here we're talking about authentication of users and devices, and about network integrity, IT infrastructure, device integrity and information integrity. What BYOD really adds to this is the question of what kinds of sensitive data may be stored on a nonenterprise device. There may or may not be some additional management capabilities. We certainly recommend them, in concert with your policies, [and that they are] carefully enumerated in the agreements that you put in place and carefully reinforced in the training, education and consciousness-raising that you do. But there will be a certain amount of management, control, visibility and monitoring that goes along with that.
What authentication and encryption need to be used? That'll be subject to your security policy for a nonenterprise-owned device, and then other capabilities -- malware countermeasures, antivirus, firewalls, things like that -- might also be required.
There's no one-size-fits-all BYOD security policy. A lot will depend on who has access, what devices you support and what tools are available in your particular environment. But it's really not that hard. It can be made to work in any organization.