The increasing adoption of Bring Your Own Device (BYOD) in all sectors of the market has the potential to cause conflict between corporate security and employees. On the one side, employees are keenly interested in using their own devices to access their work email or other data. On the other side, the enterprise is trying to ensure that all corporate data is secure.
It is an undeniable fact that mobile devices by their very nature are less secure than traditional computers or notebooks, and they are much more likely to be lost or stolen. Security is therefore a key element of any BYOD program. Balanced with that, however, is the fact that the mobile device, especially in BYOD, is not just for email or corporate data; it is also the user’s camera, social media device, music player, satellite navigation system, games console and much more. The challenge is to protect the corporate data without negatively impacting user experience to the degree that they no longer wish to partake in the BYOD program at all.
The following are some of the areas to consider when balancing these seemingly conflicting requirements:
Passcodes are the primary security measure and will typically be required on any device being used to access corporate email or data. Simple PIN-based passcodes usually aren’t sufficient, so we are going to have to live with the complex alphanumeric type until a better system becomes mainstream (most likely some form of reliable biometric). However, one concession that can be made is the “grace period” that is typically supported on all mobile devices. This is the period after the device locks during which it can be unlocked without requiring the passcode. A typical setting for this would be up to a maximum of 15 minutes.
The majority of devices now support some level of restricting native features of the device such as camera, app store and so on. While there are certainly valid use cases for “locking down” devices (for example, when they are used as a shared device or perhaps for one specific purpose, like a customer-facing app in retail), it is generally not the best practice to lock down or remove features from a device in the BYOD model. A better approach would be specific blacklisting of apps that are considered a risk to corporate security. If we use more advanced device management software, it may be possible to impose restrictions using geofencing techniques so that, for example, the camera may be disabled while within a secure work facility.
The use of containerization is certainly a strategy to consider, as it enables the personal data and the corporate data to be separated and secured to different levels. In certain industries strict rules apply in terms of encryption, audit tracking and so forth, and a secure email container may be the only option. The downside of this is that it may negatively impact the native device experience. The trend in the market, as demonstrated by the recent Samsung KNOX announcement for Android, is a dual persona on the device; this is containerization at a device level where email, apps and so on can be installed in a corporate secured area on the device while personal email, apps, data and the like are installed in the other persona of the device.
IBM is a recognized leader in providing managed mobility services, and as part of its Mobile Enterprise Services IBM can help you in defining your BYOD policies as well as managing your devices with flexible, subscription-based models.
How have corporate security policies impacted your use of your BYOD device? I’d love to hear your thoughts in the comments, or connect with me on Twitter @declan_mcnamara.