BYOD, Bring Your Own Device, the concept of businesses allowing their employees to use their own personal devices on the corporate networks. Whether companies like it or not, this wave is coming and IT and Security departments need to start preparing on how they are going to handle this.
There are many reasons why a company would consider a BYOD approach and some are already beginning to toy with the idea. The smaller the company the better chances are that BYOD will be in place or coming shortly.
It Starts With The iPhone
In my experience BYOD is starting with iPhones. It’s not for the reason you think. Personal iPhones are being allowed to touch corporate networks because Blackberrys are being phased out, primarily because of the high cost of hosting a Blackberry Enterprise Server. Companies are changing their tune and allowing iPhones to be used as the mobile email device. But iPhones and iPads are not yet ready for prime time corporate use, yet.
Cost Does Not Outweigh The Cost
The heading here is confusing. Cost does not outweigh the cost. There are many types of cost and companies riding the wave of BYOD mentality are not totally thinking through what exactly this means. Most companies are only looking at the cost savings in hardware and software. BYOD allows the company to not have to buy hardware for an employee, software to run on it, and the cost to support the device. But there comes a larget over all cost if BYOD is not looked at as more than a simple device replacement. If it’s done wrong, the cost of the consequences could exceed 100 new laptops.
Everything Needs To Be Restructured
BYOD is inherently dangerous in my opinion but this is coming and employees are going to be looking for it. At the current level of mobile OS technology and features the devices themselves are not quite ready for a BYOD use. BYOD means that the employees are going to use their devices for their own personal use as well which means companies need to make sure there is a clear cut dividing line between company data and personal data. iOS for example really cannot do this, even with in the apps, there still is no way to split a personal profile from a company profile. So how do you control this?
First, companies need to move back to a client-server approach where the devices are accessing server applications, working on data, but nothing ever gets placed on the devices. Second, new policies and procedures need to be created from what users can install and cannot install to how the devices should be used, such as do not text while driving. Third, the ability to forcibly wipe the device if and when it gets lost.
In order to protect the company data, which should be the first and foremost priority, the policies that will be applied in a BYOD environment will make it that the employees won’t want to have their devices manipulated or controlled by their IT departments.
Who Supports It?
If the employees are participating in a BYOD program, who supports the devices? Unless you lock down what types of devices and OS’ you allow, is it going to be expected that the company’s IT department is going to be called for device support or does that responsibility shift back to the employee since they own the device? How do you make sure that patches and updates are up to date? How to make sure they security best practices are being used?
IT departments have full control and authority over the company’s security setups, networks, and access controls. BYOD brings a new worry. A worry about each individual user’s home network and other networks they may connect to. A controlled device can have two factor authentication, VPN, certificates, and all the best practices in place to ensure security. A lot harder to do with a device the company does not own.
Employee Convenience Should Not Be A Priority
BYOD has more benefits for the user’s than the company that allows it. So what if the employee’s have more flexible options if the company does not have the proper protection’s for the data? The inability to protect data should stop thinking about BYOD in any institution. Expanding the accessibility of corporate networks when a majority of them are barely locked down properly for owned assets is a disaster waiting to happen. The industry, IT departments, and user’s are not at the maturity level (procedurally speaking) to attempt BYOD approaches. Things are too segmented and the devices OS themselves are not built or designed for that multi-use or have the proper security controls in place natively.
Really at the end of the day would a regular user want their iPad their 3 year old uses to watch Caillou episodes implemented with two factor, hard token, certificate authentication in place?
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.