Then the techies start to look under the covers at how it will all work, and reality sets in that it’s not all that and a slice of bread. There are major risks and significant ongoing management costs that will far exceed the device hardware savings. Yet upper management and the decision makers don’t want to hear any of it. All of this is realized before the security guys get their hands on it and really go to town on the danger of rushing BYOD.
BYOD cannot and should not be looked at as simply employees using hardware they already own. It’s not that simple. A 100% business-controlled device is far easier to manage than thousands of unknown devices accessing your critical business resources.
Security is the key to BYOD success. If it’s done right, in the right places, then the devices used become almost a non-issue. Use whatever you want; my security posture means I don’t have to care about the thousands of devices. I only have to focus on the 30 business applications.
Enterprises need to look past BYOD and focus on the data being consumed and used. A business does this through three Mobile Management concepts: MDM, MAM and MCM.
Great, more acronyms…
MDM – Mobile Device Management
This is the foundation phase of BYOD. MDM allows the business to tie the device to the user and remotely configure it, pushing policies for lock codes, certificates, screen lock timeout, etc… The business can provision and deprovision the device, ensure a minimum security baseline is on the device, back up the device, restore it and, in the ultimate emergency, perform a complete wipe of the device.
MAM – Mobile Application Management
MAM is where you stop worrying so much about the device and focus on the application(s) being used. Think of MAM as a virtualizer or wrapper around a mobile application. That wrapper then acts like an agent that controls what the application can do. You can go as far as using the device’s GPS to control where the application can be run (for example, only at your physical office location), without having to code or design that security into the application itself. Using a virtualized container that enforces a behavior gives you far more control over what data is or is not stored on the device. When it comes to BYOD it’s all about what data can be stored and taken away. This is no longer a matter of simple Internet-facing websites.
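To make the wrapper idea concrete, here is an added example (not code from the original post or from any MAM product) of the kind of policy decision a wrapper makes at launch time, outside the application’s own code: a geofence check against the device’s GPS position plus a check on whether the app may keep data on the device at all. The office coordinates, device reports and policy field names are constructed for illustration.

```python
"""Toy MAM-style policy wrapper (added example, not the post's own design).

The enterprise policy lives outside the wrapped app and decides, per launch,
whether the app may run and whether it may persist data on the device.
Office coordinates and device reports are constructed sample values; the
policy fields are illustrative, not any vendor's schema.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass(frozen=True)
class AppPolicy:
    geofence_center: tuple      # (lat, lon) of the allowed site
    geofence_radius_m: float    # how far from the site the app may still run
    require_screen_lock: bool   # refuse to launch on an unlocked-by-default device
    allow_local_storage: bool   # may the wrapped app persist data on the device?


@dataclass(frozen=True)
class DeviceReport:
    lat: float
    lon: float
    screen_lock_enabled: bool
    managed: bool               # enrolled in MDM?


def evaluate(policy: AppPolicy, report: DeviceReport) -> dict:
    """Wrapper decision: may the app launch, and may it store data locally."""
    reasons = []
    dist = haversine_m(report.lat, report.lon, *policy.geofence_center)
    if dist > policy.geofence_radius_m:
        reasons.append(f"outside geofence ({dist:.0f} m from site)")
    if policy.require_screen_lock and not report.screen_lock_enabled:
        reasons.append("screen lock disabled")
    allow_launch = not reasons
    # Local storage only on an enrolled device, and only if the policy permits it
    allow_storage = allow_launch and policy.allow_local_storage and report.managed
    return {"launch": allow_launch, "local_storage": allow_storage, "reasons": reasons}


# Constructed sample policy pinned to an office site (coordinates chosen arbitrarily)
OFFICE_POLICY = AppPolicy(geofence_center=(51.5007, -0.1246), geofence_radius_m=250.0,
                          require_screen_lock=True, allow_local_storage=True)

if __name__ == "__main__":
    in_office = DeviceReport(51.5010, -0.1250, screen_lock_enabled=True, managed=True)
    off_site = DeviceReport(51.5200, -0.1000, screen_lock_enabled=True, managed=True)
    print(evaluate(OFFICE_POLICY, in_office))
    print(evaluate(OFFICE_POLICY, off_site))
```

The point of the design is that the app under the wrapper never sees the GPS or lock-state logic; the policy can be tightened or relaxed centrally without shipping a new build of the application.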
MCM – Mobile Content Management
Repositories of data: the enterprise’s own SkyDrive or Dropbox dumping ground, but most likely SharePoint, where full-blown encryption is applied, strong access controls gate the data, and a live DLP system detects in real time what can be accessed and what needs to be encrypted, determining the classification of the data before the user can get it. (This also requires that you actually have some type of data classification criteria to begin with.) If you really want to control the data and not worry about the device, implement a Digital Rights Management server and have all the devices check in with the DRM before the files can be decrypted for viewing. Then if a user leaves and you don’t wipe the data beforehand, it’s not that big of a deal: the files are basically useless with the military grade encryption on them, since they can no longer talk with your DRM servers to be opened. Then the devices don’t matter.
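The DRM check-in model above is easy to misread as “the file is encrypted, so it is safe.” What actually makes the leaver’s copy useless is that the content key never travels with the file and is only issued by the server after a policy check. The following added example (not the post’s design or any DRM product’s code) models that: a server that holds per-document keys and a classification policy, a client that decrypts nothing until the check-in succeeds, and revocation that cuts a user off without any remote wipe. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, used here as a stdlib-only stand-in for an AEAD such as AES-GCM; user, device and classification values are constructed samples.

```python
"""Toy DRM check-in model for MCM (added example, not the post's own design).

A document is encrypted under a per-document content key that never ships
with the file; the DRM server hands the key out only after a user/device
check-in passes policy. Revoking a user makes the file unreadable with no
remote wipe. The cipher is HMAC-SHA256 in counter mode plus an
encrypt-then-MAC tag, a stdlib-only stand-in for an AEAD such as AES-GCM.
All users, devices and classification labels are constructed samples.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode: keystream bytes for this nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the MAC key is derived from `key`."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hashlib.sha256(b"mac" + key).digest()
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raise on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: ciphertext altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DRMServer:
    """Holds content keys and policy; the protected file carries only a doc id."""

    def __init__(self):
        self._keys = {}        # doc_id -> content key (never leaves the server unchecked)
        self._class = {}       # doc_id -> classification label
        self._clearance = {}   # user -> set of labels the user may open
        self._devices = {}     # user -> set of enrolled (MDM-managed) device ids
        self._revoked = set()

    def register_user(self, user: str, clearance, device_ids) -> None:
        self._clearance[user] = set(clearance)
        self._devices[user] = set(device_ids)

    def protect(self, doc_id: str, classification: str, plaintext: bytes) -> bytes:
        """Classify and encrypt a document; returns the blob that can sit on any device."""
        key = os.urandom(32)
        self._keys[doc_id] = key
        self._class[doc_id] = classification
        return encrypt(key, plaintext)

    def revoke(self, user: str) -> None:
        """Leaver handling: no wipe needed, the server simply stops issuing keys."""
        self._revoked.add(user)

    def check_in(self, user: str, device_id: str, doc_id: str):
        """Return (content key, 'ok') if policy passes, else (None, reason)."""
        if user in self._revoked:
            return None, "user revoked"
        if device_id not in self._devices.get(user, ()):
            return None, "device not enrolled"
        if self._class.get(doc_id) not in self._clearance.get(user, ()):
            return None, "insufficient clearance"
        return self._keys[doc_id], "ok"


def open_document(server: DRMServer, user: str, device_id: str, doc_id: str, blob: bytes):
    """Client side: nothing is decrypted unless the DRM check-in succeeds."""
    key, reason = server.check_in(user, device_id, doc_id)
    if key is None:
        return None, reason
    return decrypt(key, blob), reason


if __name__ == "__main__":
    srv = DRMServer()
    srv.register_user("alice", {"internal", "confidential"}, {"dev-1"})
    blob = srv.protect("doc-42", "confidential", b"quarterly numbers")
    print(open_document(srv, "alice", "dev-1", "doc-42", blob))
    srv.revoke("alice")
    print(open_document(srv, "alice", "dev-1", "doc-42", blob))
```

Two details carry the security argument: the blob on the device contains only ciphertext plus a nonce and tag, so an offline copy yields nothing, and every decision (enrolled device, clearance versus classification, revocation) is made server-side at check-in, which is also where you would log access for audit.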
Developing those three approaches in your enterprise alongside your BYOD approach is the future. Cloud or remote access, who cares where the service is provided from, is the here and now. Right now there is a drive to hard-anchor everything to a single device. I say anchor your efforts to the individual application’s security model and make the consuming devices less of a concern. When a business is building an Internet-facing web application, does it worry about the configuration and lockdown of the millions of potential computers accessing the website? No. It focuses on the application’s own security design to protect it from those millions. BYOD and the applications consumed should be an evolution of that thought process, especially if the application requires, or is capable of, storing data on a device not fully controlled by the enterprise.
Make the devices themselves irrelevant to your security focus. Instead protect the applications and the data in the new upcoming Service Consumption World.
If you think BYOD as a reduction in device and cell phone contract costs is going to make a difference, wait until the offset costs set in over time and exceed it multiple times over.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.