Security is the most obvious concern with BYOPC, and it can hold back program adoption. If you allow employees to bring their own PCs and mobile devices, apply the same best practices you would to mobile security: authentication, policy enforcement, data isolation, encryption and virtual desktop use.
Be aware of what end users agree to when installing software. If an employee unwittingly grants an application developer access to their entire contact list, and your company lets that same employee download sales contact information onto the device, then that developer now holds valuable business information.
Employees may be more lax about security on their PCs, laptops and other devices than corporate policies demand. Once employees start using their personal laptops for business purposes, their personal authentication practices become a BYOPC security issue.
Not only must you define authentication requirements, but you must also enforce them, and the enforcement has to live on infrastructure you control, because a personal device is not under your management. The means for doing this vary from one platform to another. For example, when an employee connects to the corporate network with a personal laptop, the employee can be required to authenticate with two factors, such as a hardware token plus a password. The company can then enforce its authentication policies at an access gateway that fronts the virtualized application and desktop services.
Encryption is a powerful tool for protecting the confidentiality of data, but on employee-owned hardware it can create problems. If a company requires full-disk encryption, some of the employee's applications may no longer function. Selective encryption, applied only to corporate data, may be a better option. Virtualized desktop options can help isolate sensitive data in a sandbox environment that is removed once the user's session ends.
Isolating data also pays off when IT must remove corporate information from a PC, such as when an employee leaves the company. If isolated data is kept only for the duration of a session, there is less risk of data remaining on an employee-owned PC.
Policies should be enforced automatically. When you evaluate enforcement applications, consider the functionality offered, including the ability to do the following:
- register devices;
- configure devices remotely;
- enforce password or authentication policies;
- manage TLS (formerly SSL) certificates for device authentication; and
- detect unregistered PCs on your network.
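The last three capabilities in that list are easier to evaluate once you see them as one check. The script below is an added example, not code from the original article or from any product: it keeps a hypothetical device registry keyed by the SHA-256 fingerprint of each registered PC's client certificate, runs constructed access-gateway log lines (a hypothetical `key=value` format) through it, and flags connections from unregistered PCs, lapsed registrations and registered devices presented by the wrong user. The certificate bytes and log lines are constructed stand-ins; a real gateway would hash the DER of the X.509 client certificate.

```python
"""Device-registration check over access-gateway log lines (constructed example)."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    """One registered employee-owned PC, identified by its client certificate."""
    fingerprint: str        # SHA-256 of the certificate, lowercase hex
    owner: str              # account the device was registered to
    registered_until: date  # registration must be renewed after this date


def cert_fingerprint(cert_der: bytes) -> str:
    """Fingerprint a certificate the way gateways commonly log it: SHA-256 over its bytes."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for certificate bytes (not real X.509 data).
ALICE_CERT = b"constructed DER for alice's registered laptop"
BOB_CERT = b"constructed DER for bob's laptop, registration lapsed"
STRAY_CERT = b"constructed DER for a PC nobody registered"

# Hypothetical registry: fingerprint -> device record.
REGISTRY = {
    cert_fingerprint(ALICE_CERT): Device(cert_fingerprint(ALICE_CERT), "alice", date(2031, 12, 31)),
    cert_fingerprint(BOB_CERT): Device(cert_fingerprint(BOB_CERT), "bob", date(2024, 6, 30)),
}

# Constructed gateway log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    f"2025-03-01T08:00:01Z user=alice cert_sha256={cert_fingerprint(ALICE_CERT)} src=10.1.2.3",
    f"2025-03-01T08:00:02Z user=bob cert_sha256={cert_fingerprint(BOB_CERT)} src=10.1.2.4",
    f"2025-03-01T08:00:03Z user=carol cert_sha256={cert_fingerprint(STRAY_CERT)} src=10.1.2.5",
    f"2025-03-01T08:00:04Z user=mallory cert_sha256={cert_fingerprint(ALICE_CERT)} src=198.51.100.7",
    "2025-03-01T08:00:05Z user=dave cert_sha256=none src=10.1.2.6",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
HEX64 = re.compile(r"[0-9a-f]{64}")


def evaluate(line: str, registry: dict, today: date) -> tuple:
    """Return (user, src, verdict, reason) for one log line.

    Anything that cannot be tied to a current registration is denied; the
    'unregistered device' reason is the one to raise an alert on.
    """
    fields = dict(FIELD_RE.findall(line))
    user = fields.get("user", "?")
    src = fields.get("src", "?")
    fp = fields.get("cert_sha256", "")
    if not HEX64.fullmatch(fp):
        # No usable certificate fingerprint (e.g. cert_sha256=none) or malformed line.
        return (user, src, "deny", "no client certificate")
    device = registry.get(fp)
    if device is None:
        return (user, src, "deny", "unregistered device")
    if today > device.registered_until:
        return (user, src, "deny", "registration expired")
    if device.owner != user:
        # Valid registered device, but presented by an account other than its owner.
        return (user, src, "deny", "device not registered to this user")
    return (user, src, "allow", "registered device")


def audit(lines, registry=REGISTRY, today=date(2025, 3, 1)):
    """Evaluate every log line; returns one (user, src, verdict, reason) tuple per line."""
    return [evaluate(line, registry, today) for line in lines]


def unregistered_sources(lines, registry=REGISTRY, today=date(2025, 3, 1)):
    """Source addresses of unregistered PCs seen on the network, deduplicated, in order."""
    seen = []
    for _user, src, _verdict, reason in audit(lines, registry, today):
        if reason == "unregistered device" and src not in seen:
            seen.append(src)
    return seen


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row)
```

Two design points carry over to any real enforcement product you evaluate: the decision is made on the gateway side from a fingerprint the device cannot forge without the private key, and the default for anything unknown (no certificate, malformed record, lapsed registration) is deny rather than allow.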
If you want to give workers access to enterprise applications but do not want to risk leaving sensitive information on their personal devices, consider the virtual desktop route. With a virtualized desktop environment, you may not need to register devices. Instead, you might allow any unmanaged device to access the network if it meets minimum standards. This approach allows you to use the same mobile device security policies and procedures with employee-owned PCs as with remote unmanaged devices employees use, such as PCs in a hotel business center.
About the author
Dan Sullivan, who holds a master's degree in computer science, is an author, systems architect and consultant with over 20 years of IT experience, with engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence.