If your organization lets employees bring their own smartphones and tablets to work, policies and procedures must be in place to mitigate BYOD security risks by controlling data and network access.
The bring your own device (BYOD) movement brings issues around policy and authentication to the forefront for enterprises. Policies state which actions are and aren't acceptable, what must be done to protect the organization and its sensitive information and how problems should be addressed when they occur. There are two key policies: acceptable use and security.
Acceptable use policies are designed to protect the firm from guests' activities that might be illegal or otherwise unacceptable. The security policy is even more important. BYOD security policies can vary significantly in terms of content, but they should define "sensitive information" and govern who can access that information and under what circumstances. They should also explain how information is protected and what happens if -- and when -- a breach occurs.
For example, my company's security policy defines several levels of sensitive information and states that sensitive information must be encrypted at rest and in transit. Violation of this policy is an opportunity to join our outplacement program; that's how seriously we take security around here.
Authentication remains problematic in production environments where the old standby of a username and password is still the norm. I am a big fan of two-factor authentication, and BYOD actually introduces this possibility. Employees can use an authorized mobile device as that second factor. This defined user/device pair enables users to access the services they need while giving IT more granular control over that access, such as day of week, time of day, specific physical location and the particular smartphone or tablet in use at that time.
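The user/device pairing described above, as an added illustration in Python that is not part of the original article: an enrolled device acts as the second factor, and IT's per-pair constraints (weekday, hour, site) are evaluated before access is granted. The registry contents, device names and site labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed registry: each enrolled device is bound to exactly one user and
# carries the access constraints IT set for that specific user/device pair.
@dataclass(frozen=True)
class DevicePolicy:
    owner: str
    allowed_weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    allowed_hours: tuple         # (start_hour, end_hour), end exclusive
    allowed_sites: frozenset     # physical locations the pair may work from

REGISTRY = {
    "phone-alice-01": DevicePolicy("alice", frozenset(range(0, 5)), (7, 19),
                                   frozenset({"HQ", "Branch-2"})),
    "tablet-bob-07": DevicePolicy("bob", frozenset(range(0, 7)), (0, 24),
                                  frozenset({"HQ"})),
}

def authorize(user: str, device_id: str, site: str, when_iso: str,
              registry: dict = REGISTRY) -> tuple:
    """Decide whether this user/device pair may access services right now.

    Returns (allowed, reason). A password alone never passes: the caller
    must present an enrolled device, and a device enrolled to someone else
    is refused rather than accepted as the caller's second factor.
    """
    when = datetime.fromisoformat(when_iso)
    policy = registry.get(device_id)
    if policy is None:
        return False, "device not enrolled"
    if policy.owner != user:
        return False, "device bound to a different user"
    if when.weekday() not in policy.allowed_weekdays:
        return False, "outside allowed weekdays"
    start, end = policy.allowed_hours
    if not (start <= when.hour < end):
        return False, "outside allowed hours"
    if site not in policy.allowed_sites:
        return False, "location not permitted for this device"
    return True, "ok"

if __name__ == "__main__":
    # 2024-05-14 is a Tuesday; constructed timestamp for the demonstration.
    print(authorize("alice", "phone-alice-01", "HQ", "2024-05-14T10:30"))
    print(authorize("bob", "phone-alice-01", "HQ", "2024-05-14T10:30"))
```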
It's important to pick tools that will specifically help enforce your policies and agreements to mitigate BYOD security risks. Mobile device management (MDM) focuses on device integrity and related functions, but managing mobile applications and data will ultimately have far greater utility than MDM alone in maintaining security on personally owned devices. Still, you'll always need certain elements of MDM, most notably virus/malware protection and configuration management.
Boosting BYOD security with encryption
The next big issue is the encryption of sensitive data on mobile devices. Not a week goes by, it seems, that we don't hear about the theft of a device containing sensitive information. Policy can help in this case, but tools for data encryption on any given device are often primitive or missing altogether. A better option would be specialized mobile information management systems that sandbox sensitive data and only allow authorized users and applications to access it.
As IT moves further toward more connected and collaborative options, it becomes much more likely that we'll be using cloud-based and similar apps in place of operating on cached data with local apps. The virtual private network becomes much more important in this case, but overall security is pushed back across the wireless link to fixed servers and storage -- where it should be. The most important advances in minimizing BYOD security risks may come from the new crop of identity access management tools that are becoming available.
In reality, BYOD is no more of a security risk than any other approach to mobility in IT. With the right policies, procedures, education, tools and management, it is easy to see how BYOD can comply with the security requirements of almost all organizations and continue its rapid expansion.