Bring Your Own Device (BYOD) is now becoming the norm rather than the exception for many UK firms, addressing a modern approach to working practices by facilitating heightened flexibility. However, despite the benefits, data security is of course a key associated corporate concern, and CIOs in particular are right to be worried about this, especially given that corporate data now often exists alongside personal applications and data on smartphones and tablets.
Maintaining data control
The rise of BYOD has been driven, in part, by users demanding more choice while at the same time being unwilling to give up connectivity, especially to corporate email; from an organisational perspective, this fits with a growing trend that Citrix describes as “Don’t Own Stuff” (DOS) . With firms seeking to convert infrequent capital costs into predictable operational costs, more and more are also turning to the public cloud, as evidenced by the growth of Infrastructure-, Platform-, Software-, and Desktop-as-a-Service. This wider trend is allowing end users to connect their own devices, perhaps subsidised by the organisation.
One approach to giving users the ability to digest information from their mobiles, or perhaps do light editing on tablets, is to leverage desktop virtualisation with mobile access. In this scenario, administrators maintain control, ensuring that data doesn’t leave the data centre or public cloud unless administrators allow it. For example, if an end user needs to consult a sensitive spreadsheet once or twice per quarter, it makes sense to contain it within a virtual desktop; there is no need for it to be transferred to a mobile device.
However, even with this approach the device itself must still be protected. Organisations must understand what level of control they need, and just as importantly, what level of control they are allowed. For example, if the device is employee-owned, a full remote wipe in cases of lost devices may not be acceptable. In some parts of Europe, even enabling geo-tracking may be considered an invasion of employee privacy.
Understanding user needs is key to data security
At the very least, most organisations should look to deal with protecting devices from malicious applications in the event of loss or theft. The ability to enforce password policy, encryption, geo-location and to remotely wipe lost devices is fundamental. Software on the device that has the ability to assess the reputation of any running applications is also very important, as malicious applications can result in data loss.
An important part of assessing requirements is understanding end user needs. If this is not done, users may utilise shadow IT, such as unsanctioned applications including DropBox and Evernote. Approaching BYOD with an eye to only the requirements of corporate IT runs the risk of alienating end users, so it is important to remember that employees have many inexpensive or free applications and services right at their fingertips. Following the example of a sensitive spreadsheet, if an end user can not access it remotely using IT-sanctioned and controlled functionality, they may try instead to email it either to their web mail or use a file sharing application, both of which would be lacking in sufficient protection.
After assessing requirements, firms may be hesitant to procure and deploy yet another console. This is especially the case when organisations have straightforward requirements and do not necessarily need many of the features of a full Mobile Device Management (MDM) solution. Ideally, however, a business would have modules in place for managing security across traditional endpoints (laptops, desktops, servers), virtualised endpoints (servers or desktops running on any virtualisation platform), and mobile devices. Mobile devices are then secured and managed from the same console as is used for other endpoints.
In conclusion, BYOD does present a new dynamic and therefore new risks; however, there are many solutions available to help mitigate this risk. The most important steps to take are ensuring that end user requirements are fully understood and that these are closely combined with corporate requirements to clearly define BYOD goals and strategies from the outset.