Allowing employees to use their personal mobile devices for work-related tasks can provide plenty of advantages: less laptop lugging, easier connectivity and potentially better interfaces. It can also help a company’s bottom line if the company doesn’t have to pay for smartphones, tablets and data plans.
But there are risks with bring your own device (BYOD) practices, including security vulnerabilities, support costs and potential liability issues. Businesses that allow employees to bring devices to work should have a well-defined BYOD policy and mechanisms to enforce it.
Defining a BYOD policy
The first step in creating a BYOD policy is defining the scope of control the business expects to maintain over employee-owned devices. At one end of the spectrum, a business could treat devices as if they were corporate assets in return for allowing employees access to IT resources from their personal devices. The other extreme is to assume no control over the devices themselves and instead focus on access controls and limiting risks such as leaving corporate data on BYOD devices. The optimal BYOD policy may lie somewhere between these two poles.
A BYOD policy should address acceptable use of corporate IT resources on mobile devices; minimal security controls on the device; the need for company-provided components, such as Secure Sockets Layer (SSL) certificates for device authentication; and the rights of the business to alter the device (e.g., to remotely wipe a lost or stolen device).
Acceptable-use policies could require the use of a virtual private network when accessing corporate systems and prohibit the storage of passwords to business applications. Security controls might also require the use of encryption for stored data, device password protection and registration of devices with a mobile device management (MDM) system. Employees should be informed of all aspects of the BYOD policy and agree to them.
Written policies and employee consent are not enough to protect a company’s information assets. Even well-intentioned employees can make mistakes, such as forgetting to set a device password or downloading confidential information over an unencrypted session. Mobile device policies should have an enforcement mechanism to ensure that they are applied consistently.
Enforcing a BYOD policy
Chances are that some of your company’s existing applications can enforce a BYOD policy. But before you try to use these apps, consider two key questions: “Are these applications sufficient to meet all enforcement requirements?” and “How difficult is it to manage mobile devices with these applications?” Consider the widely used ActiveSync.
ActiveSync provides for policy enforcement, but mobile device manufacturers have not always supported all ActiveSync enforcement mechanisms. Microsoft has established an ActiveSync logo program to encourage standard criteria for a minimum level of policy enforcement. Qualified devices must support automatic discovery, remote wipe, required password, minimum password length, timeout without user input and a maximum number of failed attempts, among others. If enforcement mechanisms are sufficient and your employees are using supported devices, ActiveSync could address your BYOD policy needs.
Third-party MDM applications can support a wide array of BYOD policy enforcement operations including full lifecycle management, app inventory control, data protection, certificate distribution, device configuration and lockdown.
BYOD policy enforcement begins with provisioning. MDM apps can help ensure consistent configuration of devices, install applications and create accounts on self-service management portals. If your policies limit the apps that can be deployed on a BYOD device, use an MDM system that provides for unauthorized app detection.
Most MDM applications support remote wiping, but completely wiping a device is drastic and, in many cases, may not be necessary. MDM apps can selectively wipe data, allowing device administrators to delete corporate data while leaving personal data intact.
Your BYOD policy may require that all devices accessing corporate systems be registered with your IT department and configured with an SSL certificate for authentication. MDMs that support certificate distribution can minimize management headaches for this operation.
MDM systems can further ease the burden by reporting on expired certificates, revoked certificates and other certificate management concerns.
Finally, look for MDM apps to provide device configuration and lockdown functions. For some users, for example, you may wish to lock down cameras, Bluetooth, GPS and Wi-Fi. If you specify an encryption policy, investigate an MDM that can enforce this policy on both fixed storage and Secure Digital cards.
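The enforcement checks described in this section (password settings, inactivity timeout, failed-attempt limit, storage and SD card encryption, certificate status) can be expressed as an audit over a device inventory. The following is an added example, not code from the article or from any MDM product; the record fields, threshold values and sample devices are assumptions constructed for illustration.

```python
from datetime import date

# Assumed thresholds: the article names these controls but not their values.
POLICY = {"min_password_length": 6, "max_inactivity_minutes": 15,
          "max_failed_attempts": 10}

def audit_device(dev, today, revoked_serials):
    """Return policy violations for one device record; missing data fails closed."""
    f = []
    if not dev.get("mdm_registered"):
        f.append("not registered with MDM")
    if not dev.get("password_enabled"):
        f.append("device password not set")
    elif dev.get("password_length", 0) < POLICY["min_password_length"]:
        f.append("password shorter than minimum")
    timeout = dev.get("inactivity_minutes")
    if timeout is None or timeout > POLICY["max_inactivity_minutes"]:
        f.append("inactivity lock missing or too long")
    attempts = dev.get("max_failed_attempts")
    if attempts is None or attempts > POLICY["max_failed_attempts"]:
        f.append("failed-attempt limit missing or too high")
    if not dev.get("storage_encrypted"):
        f.append("fixed storage not encrypted")
    if dev.get("sd_card_present") and not dev.get("sd_card_encrypted"):
        f.append("SD card not encrypted")
    cert = dev.get("cert")
    if cert is None:
        f.append("no authentication certificate")
    elif cert["serial"] in revoked_serials:
        f.append("certificate revoked")
    elif cert["not_after"] < today:
        f.append("certificate expired")
    return f

def audit_fleet(devices, today, revoked_serials):
    """Map device id -> findings, listing only non-compliant devices."""
    results = ((d["id"], audit_device(d, today, revoked_serials)) for d in devices)
    return {dev_id: found for dev_id, found in results if found}

# Constructed sample inventory and revocation list (not real devices).
OK = {"mdm_registered": True, "password_enabled": True, "password_length": 8,
      "inactivity_minutes": 5, "max_failed_attempts": 8, "storage_encrypted": True}
SAMPLE = [
    dict(OK, id="phone-01", cert={"serial": "A1", "not_after": date(2025, 1, 1)}),
    dict(OK, id="tablet-02", sd_card_present=True, sd_card_encrypted=False,
         cert={"serial": "B2", "not_after": date(2024, 3, 1)}),
    dict(OK, id="phone-03", password_enabled=False,
         cert={"serial": "C3", "not_after": date(2025, 1, 1)}),
]
REVOKED = {"C3"}
TODAY = date(2024, 6, 1)  # fixed so the result is reproducible
```

A record that omits a setting is reported as a violation rather than assumed compliant, which matches the article's point that written policy alone does not guarantee the control is actually applied.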
A good BYOD policy has two characteristics: Policies are clearly defined, and they are enforced. A BYOD policy should address acceptable use, security controls and the rights of the business to alter the device. Existing enterprise applications, such as Microsoft Exchange ActiveSync and certificate management systems, may be sufficient for enforcing policies. If you require more control over devices and the ability to generate management reports about BYOD use, an MDM system may be a better option.
About the author
Dan Sullivan, M.S., is an author, systems architect and consultant with over 20 years of IT experience with engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence.