Tactical Advice

The Secret to Safeguarding Data In a BYOD World

Businesses can still keep tabs on their data, even when they no longer own the endpoint.

For years, companies insisted on institutional ownership and control of computing devices used by employees to access business information. Strict control of the endpoint was, after all, the easiest way to ensure the security of sensitive data.

But those days are rapidly drawing to a close with the consumerization of technology. Everyone from executives to line employees now carries significant computing power in their pockets and expects the ubiquitous access they enjoy for personal information to extend to their work life.

The era of BYOD computing poses new challenges for technology professionals charged with safeguarding information. They must identify new strategies to control sensitive information even when it is commingled with personal data on devices outside of corporate control.

At the same time, they must not be barriers to the innovation that drives organizations forward. Fortunately, a wide array of policy and technical controls are available to help meet these challenges.

Deploy and Enforce the Company's Mobile Security Policy

As with many security issues, the most important first step for securing mobile devices is to create a policy that legitimizes the security controls in place and explains the responsibilities of employees and IT staff. Some of the questions that should be addressed in a mobile device policy include:

  • What type(s) of mobile devices are permitted for use in the enterprise?
  • Are personally owned devices permitted on enterprise networks?
  • May employees process business information on personally owned devices? If so, is such processing limited to a certain level of sensitivity?
  • What security controls (encryption, pass-codes, anti-malware software, etc.) are required for mobile devices?
  • Who may approve the acquisition and use of mobile devices?
  • Who may make exceptions to the mobile device policy?

Providing employees with a policy that directly addresses these questions goes a long way toward clearing up the mobile device ambiguity that exists in many organizations. The “head in the sand” approach to mobile devices in the workplace that ignores these questions is simply no longer acceptable. In the absence of a formal policy, employees will find ways to gain convenient access to business information on their personally owned devices, completely outside the realm of enterprise control.

Policies are only effective, however, if they are consistently enforced. Bookshelves around the world are filled with binders containing IT policies that were well-intentioned but never enforced. This shelfware does nothing to enhance the security of an organization and could, in fact, be harmful: it can create a legal liability to comply with an organizational policy that is impractical to achieve.

Mobile Device Management to the Rescue

One common solution to the problem of enforcing mobile device policies is the use of mobile device management (MDM) solutions. These products allow IT staff to consistently enforce security and business policies across a wide range of mobile devices.

The configuration of an MDM solution should be based upon the organization’s mobile device policy. Think of MDM as a technical control that allows staff to enforce the business rules in that policy. For example, MDM systems may be used to:

  • Limit the mobile devices permitted on an organization’s network;
  • Require the use of secure passcodes on mobile devices used to access business information;
  • Require that mobile devices allow remote wiping in the event of loss or theft, and provide the mechanism for allowing administrators, help-desk staff and end users to initiate those remote wipes when needed;
  • Limit the applications that may be installed on mobile devices;
  • Track the physical location of mobile devices;
  • Require the encryption of data stored on mobile devices and the use of encryption to protect data transmissions between mobile devices and the enterprise network;
  • Install security updates and other firmware patches on mobile devices over the air;
  • Provide a backup and recovery capability for mobile devices.

One word of caution: Some of the capabilities of mobile device management, particularly those covering tracking devices, might be perceived as “Big Brother” activities by employees. To assuage these concerns, the IT team must clearly communicate the capabilities of the devices and the circumstances under which they may be used.

Also, consider extending the use of MDM systems to all devices that access business information, regardless of whether they are owned by the organization or are part of a BYOD program. Doing so further complicates the legal and privacy issues surrounding MDM. Before beginning such a program, consult an attorney and consider creating a formal BYOD agreement for employees that outlines the controls they must have to access business information.
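The sketch below is an added example, not part of the original article or of any MDM product: it shows how the written policy rules listed above (permitted devices, passcodes, encryption, remote wipe, application limits, patching) can be expressed as checks applied identically to corporate and BYOD devices. The policy values, field names and device inventory are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical values; a real deployment takes these from the written policy.
POLICY = {
    "allowed_platforms": {"ios", "android"},
    "min_passcode_length": 6,
    "require_encryption": True,
    "require_remote_wipe": True,
    "blocked_apps": {"example.sideloader"},
    "max_patch_age_days": 60,
}

@dataclass
class Device:
    owner: str
    platform: str
    byod: bool
    passcode_length: int
    encrypted: bool
    remote_wipe_enrolled: bool
    patch_age_days: int
    apps: set = field(default_factory=set)

# One (rule name, failure predicate) pair per policy requirement.
RULES = [
    ("platform_not_permitted", lambda d, p: d.platform not in p["allowed_platforms"]),
    ("weak_passcode", lambda d, p: d.passcode_length < p["min_passcode_length"]),
    ("storage_not_encrypted", lambda d, p: p["require_encryption"] and not d.encrypted),
    ("remote_wipe_not_enabled", lambda d, p: p["require_remote_wipe"] and not d.remote_wipe_enrolled),
    ("patches_out_of_date", lambda d, p: d.patch_age_days > p["max_patch_age_days"]),
    ("blocked_app_installed", lambda d, p: bool(d.apps & p["blocked_apps"])),
]

def violations(dev, policy=POLICY):
    """Return the names of the policy rules the device fails (empty = compliant)."""
    return [name for name, failed in RULES if failed(dev, policy)]

def access_decision(dev, policy=POLICY):
    """Ownership (dev.byod) does not change the rules: any violation blocks access."""
    found = violations(dev, policy)
    return ("allow", found) if not found else ("quarantine", found)

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("alice", "ios", True, 6, True, True, 10, {"mail"}),
    Device("bob", "android", True, 4, False, True, 90, {"mail", "example.sideloader"}),
    Device("carol", "blackberry", False, 8, True, False, 5),
]

def report(inventory=INVENTORY):
    return {d.owner: access_decision(d) for d in inventory}
```

Returning the list of failed rules alongside the decision gives the help desk something concrete to tell the employee, which supports the transparency the article recommends.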

Segregate Business Data from the Device

Another emerging approach to the BYOD management challenge is the use of technologies that allow the segregation of business information from personal information on mobile devices. These typically use some form of virtualization to provide both secure and insecure compartments on a mobile device, allowing users to freely switch back and forth between environments but preventing the transfer of data from one to the other.

On the application side, vendors who deal in application virtualization for the desktop are creating mobile variants of their products that allow smartphone and tablet users to access corporate information by interacting with servers in the enterprise data center. The data is displayed on the mobile device but never exposed to the mobile operating system or stored on the device itself. The most widely deployed example of this is the use of Citrix Receivers to access application virtualization solutions on iOS, Android and Windows mobile devices.

Vendors are also turning their attention to the creation of mobile environments that allow employees to switch back and forth between work and personal computing in a seamless fashion. AT&T’s recently released Toggle product for iOS and Android and VMware’s upcoming Horizon Mobile platform both promise to fill this marketplace need.

Mobile computing is here to stay. Users now expect the same convenient access to information they experience in their personal lives to extend to the work environment. This leaves IT organizations with the challenge of balancing this need for flexibility with the security requirements of the organization. The implementation and consistent enforcement of clear policies provides technologists with a solid path forward.

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.
