In Part I of How to Build a BYOD Policy, we took you through the steps you can take to determine your BYOD policy and define your company’s BYOD objectives, your users, the apps and data they need to fulfill these objectives, and the security bases you need to cover form the foundation of a BYOD policy tailored for your business.
Now comes the challenging part – How to secure the apps and data required without compromising your business goals. Any policy which fails to strike this balance will effectively fail in realizing the true goal of BYOD.
Once you identify the complexity and sensitivity of the data and apps that require mobile access, you need to determine which security approach can best satisfy all of your BYOD requirements. There are a variety of platforms in the market, but they can mainly be defined as solutions that manage data security on devices and those that manage it off of devices. Here are the pros and cons that accompany the paths you can take towards turning your BYOD policy into a reality:
1. Rely on your existing platforms
Think business-as-usual is an option for your company? Perhaps your research shows that your employees only need to access email, calendar and contacts to be productive away from the office. Most Microsoft Exchange platforms include built-in device management features for their email solution. Relying solely on this security might be an option to consider for some small or medium-sized businesses (SMBs). Some companies in this situation simply choose not to implement a BYOD-focused security solution and rely on those features instead for their security.
Pros: This approach requires both minimal licensing costs and configuration from your IT management.
Cons: The moment your organization wants to use workplace apps that contain more data, this approach becomes unsustainable. You will not be able to support enterprise or consumer apps which contain sensitive data. Another drawback to this minimalist approach is that your users will need to configure themselves and set up their own security. All organizations have employees that are less tech-savvy than others, and this opens up user-error scenarios that can be very problematic. We’ve seen how this movie has played out in the past, and it could end up giving your IT an ongoing headache.
2. Mobile Device Management (MDM)
All you need to know about how mainstream MDM has become is to do a Google search of BYOD solutions. This approach involves installing MDM agent/provisioning within the employee’s mobile device and securing these apps with encryption.
Pros: MDM has been the most popular route for organizations in recent years. If your organization is looking to secure relatively “light data” apps such as email, calendar and contacts, MDM has proven to deliver an adequate level of security and data control for IT management. IT is able to block rooted and jailbroken devices, for example, as well as perform remote wiping of the employee devices which have been hacked, lost or stolen. MDM also automatically configures apps for the user – removing at least part of the learning curve and reducing user authentication risks.
Cons: As MDM implementation within the organization has matured, there are concrete limitations that have become clearer, and they exist on both sides of the management-employee spectrum. For management, the nature of MDM being an on-device security solution requires constant application of patches and other security measures to combat attackers and security gaps. Because encryption keys are locate on the device, they are prone to being breached by outside intruders. Your corporate data is what’s at stake here. Because this data is stored within the employee device, MDM security is compelled to do a remote wipe of a lost/stolen or compromised device. This resonates negatively with employees, who fear that they will lose some or all of their personal files and lose their privacy. There are several studies including a recent one by Ovum which show that this issue alone detracts employees from following BYOD policies such as reporting their lost/stolen device right away.
Lately, MDM solutions have also offered Mobile Application Management (MAM) tools to help guard against mobile app security threats. However, these tools are less mature in the field, and not as recognized for providing sufficient security. MAM tools also face problematic challenges in deploying apps effectively across different devices, OSs and versions.
Another major issue you should consider when evaluating MDM as a solution is how robust your data needs are. If your defined BYOD data goes beyond email tools and requires access to apps which store a significant amount of sensitive client information (i.e. CRM and ERP software), then enforcing security on BYOD devices becomes much more difficult to maintain, and will add significant work resources and security burden on your IT.
Often referred to as “Mobile VDI”, VMI has been garnering a lot of attention over the past two years. This approach is unique from the other solutions in the market because, at its core, it involves managing all corporate apps and data away from devices and on a remote and secured cloud-based server. This philosophy involves running a mobile operating system compatible with all major OSs on a server and transferring apps and data onto devices as a display using as thin client.
Pros: The advantages of implementing VMI extend to both security management as well as BYOD employees. From a security perspective, it’s much easier to manage critical enterprise data from a secured datacenter than it is to apply patches and combat malicious apps that attack the myriad of different mobile device models. Consequently, your IT overhead will decrease significantly and free up resources for other projects which can aid your organization. No data on the device means that remote wiping becomes completely unnecessary. When an employee leaves the company or loses their device, IT can simply block access from the server to the affected device, removing employee fears and encouraging them to report lost or stolen devices right away. IT gains peace of mind knowing that there aren’t compromised devices in your network that have simply not been reported.
If your employees are demanding apps that help improve productivity, efficiency and collaboration when working remotely, they will want to work with apps that are made for a mobile interface, just like the consumer apps they’ve grown accustomed to. VMI’s mobile platform was developed for a mobile interface and is compatible with iOS and HTML5 apps as well.
Cons: Because data is located remotely, offline users who are unable to connect to a WiFi network or device data plan cannot access their mobile apps in these circumstances. This scenario usually presents itself when an employee is traveling by air, sea, or underground areas which don’t support online access. Getting feedback from your employees as to how important offline access is and how often this scenario is relevant will help you determine if VMI is right for you.
4. Niche Mobility Tools
These tools can be implemented in addition to the security approaches above, but are not capable of running independently as a stand-alone solution:
Multi-persona platforms: A Multi-persona platform is implemented at the OS level in the mobile device to create separate and secured user personas on a smartphone. Some manufacturers such as Samsung Knox and the latest version of Android Lollipop offer this feature. For Enterprise Mobility, a work persona is installed to manage all corporate apps and data. Each persona is isolated from the other and exchanging data between them is prohibited by policy standards that are determined in advance.
HTML5 platform: Although Android and iOS continue to the dominant OSs, some organizations have turned to HTML5-based apps. This alternative to native apps allows your organization to use browser-based apps without relying on proprietary platforms.
Turning policy into reality
You now have the information to write your BYOD policy and choose the right platform that meets your business needs. But how will you be able to make the necessary changes to align business processes with your vision for the future? In Part III of this series, we’ll explain how you can put your BYOD policy into practice and ensure your processes give you the platform to gain from mobility benefits securely.