Planning for Bring Your Own Device (BYOD) (Part 2)

by [Published on 12 March 2013 / Last Updated on 12 March 2013]

This article continues the discussion of BYOD policies by discussing some additional aspects of BYOD security planning.

If you would like to read the other parts in this article series please go to:

Introduction

In the first article in this series, I examined the questions of which network resources should be accessible from user’s personal devices and what types of devices should be allowed to access your network. Although these are important questions, they are far from being the only questions that should be considered. This article will examine more considerations for BYOD environments.

Where Will the Data Reside?

Whether you work for the Pentagon or for Bob’s Muffler Shop, one of the main issues that you will have to address with regard to users bringing their own devices is that of data leakage. Data leakage refers to the problem of sensitive data making it beyond the organization’s security boundaries and into the wild.

Entire books have been written on the subject of data leakage prevention. Needless to say, there is no such thing as a simple solution to prevent every form of data leakage. Data leakage prevention requires a multifaceted approach.

When you allow users to access corporate resources from their own personal devices outside of the perimeter firewall, data leakage prevention can become increasingly more complex. By far the best thing that you can do to prevent this from happening is to not allow users to store sensitive data on personal devices. Ideally, sensitive data should reside only on centralized servers or in the cloud – not on end-user devices. Data that is stored on individual devices is at risk of being exposed if the device is ever lost or stolen. Furthermore, data loss becomes a real possibility given the fact that users almost never make backups of their tablet or smart phones.

If your goal is to prevent users from storing sensitive data on personal devices then the best approach to allowing network access from personal devices might be to require mobile users to use virtual desktops. As discussed in the previous article, the nice thing about virtual desktops is that the end-users device acts only as a medium for displaying the Remote Desktop (and for transmitting input to the Remote Desktop). As such, you never have to worry about sensitive data being directly stored on a user’s personal device. Connecting mobile users to remote desktops also solves the problem of application access. Applications can run within the virtual desktop environment and will not have to be installed directly on the end-users device.

How Will Mobile Devices Be Secured?

Even if mobile devices do not contain any sensitive data, they will be used to access corporate data. This means that you absolutely must address the issue of mobile device security. I have already talked about security several times over the course of this article series. However, there is one particular aspect of mobile device security that I have yet to talk about.

Those who have worked in IT for a long period of time know all too well about the politics that often come into play with regard to things like network access. Perhaps nowhere do politics become more of an issue however, than when you start talking about security in a Bring Your Own Device Environment.

There are a number of different schools of thought surrounding Bring You work Own Device security. Debates around these schools of thought have been known to become quite heated. In my opinion, there is no such thing as a one-size-fits-all end-user device security policy. I think that each of the schools of thought have their place and that the various security methods are better suited to some organizations than others. So with that in mind, let’s talk about the politics of end-user device security.

In any organization, there are a few key facts that come into play with regard to BYOD. Those facts are:

  1. Your network contains sensitive data.
  2. The IT department has gone to great lengths to secure that data.
  3. Users want to access the data from outside of the organization on their own personal devices.
  4. It is the administrator’s responsibility to make sure that the data remains secure.

These four very basic facts are what lead to the various schools of thought on end-user device security. I have known people for example who have chosen not to allow any sort of external access to the resources on their network. At least one person that I know does not feel that external access can be properly secured, and he knows that he is the one who is responsible for making sure that data remains secure. For him the reasonable course of action was to simply disallow any external access.

Of course that mentality will not fly in every organization. Often times the users will demand (loudly) external access to data. If the administrator lacks the authority to prevent external data access, or if there is a legitimate business need for external access then the administrator must come up with a way of providing that access as securely as possible.

One of the problems that often manifests itself is that administrators who have worked in IT for a long time are conditioned to think in a certain way. The temptation for such administrators might be to try to secure mobile devices in the same way that a PC might be secured. Although the effectiveness of this approach is subject to debate, there are a number of different products available for enforcing mobile device security. Once again however, politics can rear its ugly head.

While preparing to write this article I spoke to a friend of mine who is a network administrator for a large company, and asked him how he handles security for end-user devices. He said that in his opinion the big problem was that you can never adequately secure a device that the company does not own. The organization lacks the authority to force the user to configure their device in a certain way or to use the device in a way that adheres to company standards. That being the case, his choice was to not allow Bring Your Own Device. Instead, the organization actually issues company owned devices to the end-users. Because the company owns the devices, the IT department has free reign to secure the devices as they see fit.

Another friend of mine works as a network administrator for a different company. She has wholeheartedly embraced the Bring Your Own Device trend. Even so, her policy is to allow users to work from personal devices so long as they sign a written agreement allowing the IT department to secure the devices as they see fit. Once users have signed this agreement, their devices are locked down using ActiveSync policies.

Conclusion

As you can see, the subject of securing an end-user device in a Bring Your Own Device environment can be touchy. Users are often reluctant to allow the IT department to exercise jurisdiction over their own personal devices. Even so, it is still usually possible to find a compromise that will allow end-users to be productive while still making sure that sensitive data remains adequately secured. In Part three of this series I will continue the discussion by talking about some more things that you might consider when preparing to allow Bring Your Own Device.

If you would like to read the other parts in this article series please go to:

 

Advertisement

Featured Links