Mobility Security — 29 October 2013

secure byod

 

Moka5 - John Whaley

 

Moka5 CTO and founder, John Whaley, says:

To meet the growing expectations for BYOD while mitigating risk requires a combination of technology, policies and practices.   The six steps outlined below describe best practices for creating and implementing a secure BYOD/PC practice.

  1. Create a separate, secure enterprise workspace
  2. Establish clear policies and expectations
  3. Protect your network
  4. Enforce reasonable password policies
  5. Test the Remote Wipe capability
  6. Start with a pilot group

Create a Separate, Secure Enterprise Workspace

It’s virtually impossible for any enterprise IT organization to ensure the security of the various desktops, laptops, phones and tablets outside of their own control. The best approach, therefore, is to focus on protecting the applications and data, rather than the devices themselves. If you start with the assumption that the endpoint itself is insecure (and potentially compromised), how do you give people secure access?

The answer is to completely isolate corporate data and applications from the host device itself.  You can do this today using virtualization solutions that run business applications in a ‘secure container’ on the mobile device.  These technologies create a secure, encrypted digital workspace to run enterprise data and applications.  Using client-side desktop virtualization technologies, you can manage these containers centrally, while enabling local execution.  This has the added benefit of ensuring end-user productivity even when there is no or limited network connectivity.

While Mobile Device Management solutions focus on a subset of smart phone devices, desktop virtualization solutions can work across a wide range of devices, from phone and tablet to desktop and laptop. These secure container solutions have many benefits for BYOD/PC environments:

  • You can set and enforce policies on the secure container without affecting the user’s personal devices or applications.
  • If a device is lost or stolen, IT can remotely wipe the corporate container without touching personal applications or data.
  • For the user, containerized solutions offer a clear separation of personal and work data and applications thereby ensuring an acceptable level of privacy.
  • Data can be encrypted within the container, and container policies may be set to disallow printing, cutting and pasting, USB file transfers, or other common sources of data leakage.
  • Rather than managing multiple varied devices, the IT team only needs to manage the desktop images and applications.

Establish Clear Policies and Expectations

Any successful BYOD/PC program is a combination of policy, process and technology. Having identified your technology approach, you can create and share your BYOD/PC policies and set expectations appropriately.

Your policy should cover at least the following:

  • Device options:  What devices are permitted? What platforms are supported?
  • Participation: Who should join the program? Will it be restricted to certain types of employees and contractors? Are there access restrictions based on title or role?
  • Reimbursement: Who pays for the devices and/or for mobile data plans?  While corporate reimbursements have been common in the past, they are decreasing as personal mobile devices become more common.
  • Terms of usage: Make sure people understand what software they can run, the existence of remote wipe capabilities, the necessity to lock devices and encrypt data, and any monitoring and management capabilities the business may have. Many companies have employees sign a BYO agreement to demonstrate that they understand and agree to the policy’s terms terms.
  • Cancellation: Clarify what happens to any personal data within the corporate applications, and corporate data on the personal device, when someone leaves the company.
  • E-discovery/Forensics: If the data on the device will ever be subject to eDiscovery, describe what will have to happen – what is the company’s policy requesting physical access to personal devices?
  • Support:  Who will support the device? Can the users turn to IT if they’re using corporate apps on a personal device?  Make sure support policies are clearly outlined.

Protect Your Network

Segment and secure your network to match your BYOD/PC strategy.  Many companies maintain segregated networks for corporate and guest use. People using personal devices can be relegated to the guest network. For example, perhaps all of your employees should be able to access an SSL IMAP email server from their personal phones. (The data remains on the server.)

For any other application access, personal devices need a secure container on their devices. Require them to use VPN to access the corporate network and resources. Only accept connections from the devices running the secure containers, so any compromises on the host endpoint never reach your corporate networks.

Enforce Reasonable Password Policies

Authentication is another critical part of the BYOD/PC policy.  If you are using client-side desktop virtualization, you can enforce specific access policies on the container.

Any BYOD/PC solution should enable two-factor authentication for accessing corporate data – as a mobile or personal device is more likely to be compromised. Two-factor authentication processes require a second factor in addition to a password, when first logging into the container.

At the same time, if you make password policies too complex (16 characters, changing every two weeks), you will inevitably drive people to less secure behaviors – like writing down their passwords. On smart phones in particular, typing in long passwords can be a challenge. So make sure to balance security and productivity.

Test the Remote Wipe Capability

You want the ability to remove corporate data when a device is lost or stolen, or when an employee or contractor leaves the business.  However, most people are very reticent to give employers permission to wipe data from their devices. In some European countries, there are legal implications to remote wipe as well.

Many companies have employees sign agreements that they can wipe corporate data from personal devices before allowing people to use their personal devices.

The best strategy is to keep the enterprise data and apps firmly segregated within the employee’s device. In this way, any data you wipe was clearly stored in the enterprise space.

Be sure to test this remote wipe capability, so that both you and your employees have confidence that it does exactly what it is meant to do, and no more.

Start with a Pilot Group

When you’re ready to roll out your BYOD/PC initiative, test it with a limited group within the enterprise. Working with one group, you can sort out the various legal, application, security and user adoption issues that might come up, ensuring a smoother rollout to the larger population.

Consider using contractors or offshore developers as a test bed.  Contractors are not bound to the same HR, legal and policy constraints as your internal employees, and they expect to be able to use their own devices. From an HR and IT perspective, a BYOD/PC program can simplify and accelerate the process of on-boarding contractors. People can get to work quickly if they do not have to wait for an approved, provisioned corporate laptop.

Once you have run the pilot and worked out any issues, start rolling out BYOD/PC policies and technologies to other groups, addressing the unique user requirements for sales, marketing, HR, legal, finance, and other groups.

Related Resource:

Share

About Author

(0) Readers Comments

Comments are closed.

Visit Us On FacebookVisit Us On TwitterVisit Us On Linkedin