David Abbou

Like any major change initiative, implementing a BYOD policy in a way that can run successfully is a multi-faceted project with many bases to cover. In Part II, we explained the pros and cons of different approaches you can take towards securing your defined corporate data.

Once you’re able to determine these important components and the best way to secure them, you probably have a beautifully-worded BYOD policy – on paper. But just like a recipe for the most sumptuous meal, the thing isn’t going to cook itself. In fact, don’t be surprised if the BYOD program you feel will most benefit your company going forward will require some significant changes in your business processes. These new processes will be needed in order to make BYOD work for the various departments and roles that need it the most.

Here are the most important steps to take in order to put your BYOD plan into action:

Identify new business processes

What new processes must be implemented and communicated to your employees who will be using BYOD? Here are a few examples:

1. New employees: Create a brief and user-friendly BYOD manual. This manual should inform new hires right away about the required BYOD registration processes, as well as educate them on how to implement passcodes and other security measures for their device. The sooner your BYOD users are informed, the better for everyone involved. It’s important that this piece of communication is easy to understand and succinct. Arming your new employees with a good grasp of how to implement some security best practices from the beginning can go a long way towards minimizing headaches down the road.

2. Departing Employees: It’s equally important to set up a process that guarantees the appropriate enterprise mobility personnel are notified when an employee is departing. A consistent process needs to be documented so that user access to your corporate network resources can be disconnected and, if necessary, the device wiped. This process will vary depending on which security infrastructure you’ve adopted and whether the corporate apps and data are located on or off employee devices.

3. User sign-on & authentication: This will also differ greatly depending on your industry and the number of applications users need to log into in order to be productive. Do you need to implement a single sign-on process to facilitate workflow and eliminate inefficiencies?

Determine access levels by role and by department

This goes back to defining your BYOD apps and data and how that allows you to achieve your mobility objectives. You can tier access levels by department for high, medium and low sensitivity data and use this as a guide for approving mobile access. For example, some sales roles may require access to CRM and ERP software, while other more senior roles will require access to more strategic and sensitive files. Identify who needs to approve access to these levels. Dissecting each department and mapping out workflows to define access levels is important in making sure the right people in your organization are empowered with the information they need to be productive.

Outline your budget needs

There are several areas of your BYOD program which will require space in the budget:

1. Device and/or data costs: Are you subsidizing employee-owned devices and/or data plans? If so, to what degree? Or are you providing corporate devices and footing the bill (COPE)? Capture the costs for supporting devices and/or data plans for all of your users.

2. Support for BYOD users: Who will be able to dedicate the time resources needed to support your BYOD users and administer access to corporate data? In many cases, creating a new position to handle this responsibility will be needed.

3. BYOD security vendor fees: Whether you are choosing to employ MDM, MAM, VMI or a combination of different security solutions, you’ll need to determine and outline the licensing costs for these vendors.

4. App licensing: Many enterprise and consumer apps require licenses in order to support a rollout across a network of users so it’s important to capture the costs involved.

5. Custom solutions: Custom solutions are available for industries that require them (e.g. single sign-on processes in healthcare), so once you’ve determined whether your organization has industry-specific needs, it’s worth evaluating their potential value vs. cost.

Develop Project Plan and Timelines

Your policy team should collaborate in deciding on the steps or milestones that must be achieved in order to integrate BYOD practices into your company processes. The scope, resource requirements, costs, communications and procurement requirements must all be identified, preferably on a Gantt chart or other project management document which captures all of the moving parts. This will allow your team to set realistic timelines for each piece of the initiative until the program is up and running.

Illustrate the big picture to gain management approval

The more precisely you are able to communicate the policies, business needs and solutions that will help propel your organization into the new mobile era and help add value to the bottom line, the more likely your senior management will recognize the big picture and commit their support, budgetary and otherwise, to making your BYOD vision a reality. Once your project plan receives the green light, it’s time to go forward and make your organization ready to reap the full benefits of enterprise mobility.

David Abbou

In Part I of How to Build a BYOD Policy, we took you through the steps you can take to determine your BYOD policy. Defining your company’s BYOD objectives, your users, the apps and data they need to fulfill these objectives, and the security bases you need to cover forms the foundation of a BYOD policy tailored for your business.

Now comes the challenging part – How to secure the apps and data required without compromising your business goals. Any policy which fails to strike this balance will effectively fail in realizing the true goal of BYOD.

Once you identify the complexity and sensitivity of the data and apps that require mobile access, you need to determine which security approach can best satisfy all of your BYOD requirements. There are a variety of platforms in the market, but they can mainly be defined as solutions that manage data security on devices and those that manage it off of devices. Here are the pros and cons that accompany the paths you can take towards turning your BYOD policy into a reality:

1. Rely on your existing platforms

Think business-as-usual is an option for your company? Perhaps your research shows that your employees only need to access email, calendar and contacts to be productive away from the office. Most Microsoft Exchange platforms include built-in device management features for their email solution. Relying solely on this security might be an option to consider for some small or medium-sized businesses (SMBs). Some companies in this situation simply choose not to implement a BYOD-focused security solution and rely on those features instead for their security.

Pros: This approach requires both minimal licensing costs and configuration from your IT management.

Cons: The moment your organization wants to use workplace apps that contain more data, this approach becomes unsustainable. You will not be able to support enterprise or consumer apps which contain sensitive data. Another drawback to this minimalist approach is that your users will need to configure their devices themselves and set up their own security. All organizations have employees that are less tech-savvy than others, and this opens up user-error scenarios that can be very problematic. We’ve seen how this movie has played out in the past, and it could end up giving your IT an ongoing headache.

2. Mobile Device Management (MDM)

To see how mainstream MDM has become, all you need to do is a Google search of BYOD solutions. This approach involves installing an MDM agent/provisioning on the employee’s mobile device and securing these apps with encryption.

Pros: MDM has been the most popular route for organizations in recent years. If your organization is looking to secure relatively “light data” apps such as email, calendar and contacts, MDM has proven to deliver an adequate level of security and data control for IT management. IT is able to block rooted and jailbroken devices, for example, as well as perform remote wiping of the employee devices which have been hacked, lost or stolen. MDM also automatically configures apps for the user – removing at least part of the learning curve and reducing user authentication risks.

Cons: As MDM implementation within the organization has matured, concrete limitations have become clearer, and they exist on both sides of the management-employee spectrum. For management, the nature of MDM as an on-device security solution requires constant application of patches and other security measures to combat attackers and security gaps. Because encryption keys are located on the device, they are prone to being breached by outside intruders. Your corporate data is what’s at stake here. Because this data is stored within the employee device, MDM security is compelled to do a remote wipe of a lost, stolen or compromised device. This resonates negatively with employees, who fear that they will lose some or all of their personal files and lose their privacy. There are several studies, including a recent one by Ovum, which show that this issue alone deters employees from following BYOD policies such as reporting their lost or stolen device right away.

Lately, MDM solutions have also offered Mobile Application Management (MAM) tools to help guard against mobile app security threats. However, these tools are less mature in the field, and not as recognized for providing sufficient security. MAM tools also face problematic challenges in deploying apps effectively across different devices, OSs and versions.

Another major issue you should consider when evaluating MDM as a solution is how robust your data needs are. If your defined BYOD data goes beyond email tools and requires access to apps which store a significant amount of sensitive client information (i.e. CRM and ERP software), then enforcing security on BYOD devices becomes much more difficult to maintain, and will add significant work resources and security burden on your IT.

3. Virtual Mobile Infrastructure

Often referred to as “Mobile VDI”, VMI has been garnering a lot of attention over the past two years. This approach differs from the other solutions in the market because, at its core, it involves managing all corporate apps and data away from devices, on a remote and secured cloud-based server. This philosophy involves running a mobile operating system compatible with all major OSs on a server and transferring apps and data onto devices as a display using a thin client.

Pros: The advantages of implementing VMI extend to both security management as well as BYOD employees. From a security perspective, it’s much easier to manage critical enterprise data from a secured datacenter than it is to apply patches and combat malicious apps that attack the myriad of different mobile device models. Consequently, your IT overhead will decrease significantly and free up resources for other projects which can aid your organization. No data on the device means that remote wiping becomes completely unnecessary. When an employee leaves the company or loses their device, IT can simply block access from the server to the affected device, removing employee fears and encouraging them to report lost or stolen devices right away. IT gains peace of mind knowing that there aren’t compromised devices in your network that have simply not been reported.

If your employees are demanding apps that help improve productivity, efficiency and collaboration when working remotely, they will want to work with apps that are made for a mobile interface, just like the consumer apps they’ve grown accustomed to. VMI’s mobile platform was developed for a mobile interface and is compatible with iOS and HTML5 apps as well.

Cons: Because data is located remotely, offline users who are unable to connect to a WiFi network or device data plan cannot access their mobile apps. This scenario usually presents itself when an employee is traveling by air or sea, or is in underground areas which don’t support online access. Getting feedback from your employees as to how important offline access is and how often this scenario is relevant will help you determine if VMI is right for you.

4. Niche Mobility Tools

These tools can be implemented in addition to the security approaches above, but are not capable of running independently as a stand-alone solution:

Multi-persona platforms: A multi-persona platform is implemented at the OS level in the mobile device to create separate and secured user personas on a smartphone. Some platforms, such as Samsung Knox and the latest version of Android Lollipop, offer this feature. For enterprise mobility, a work persona is installed to manage all corporate apps and data. Each persona is isolated from the other, and exchanging data between them is prohibited by policy standards that are determined in advance.

HTML5 platform: Although Android and iOS continue to be the dominant OSs, some organizations have turned to HTML5-based apps. This alternative to native apps allows your organization to use browser-based apps without relying on proprietary platforms.

Turning policy into reality

You now have the information to write your BYOD policy and choose the right platform that meets your business needs. But how will you be able to make the necessary changes to align business processes with your vision for the future? In Part III of this series, we’ll explain how you can put your BYOD policy into practice and ensure your processes give you the platform to gain from mobility benefits securely.

Israel Lifshitz

Enterprise Mobility continued to make the headlines in 2014, with more innovative mobile devices and security threats and vulnerabilities than ever before. The fallout from many of these events offers valuable lessons, and how BYOD organizations adapt their priorities accordingly will have a huge impact on the industry going forward. Here are five of the most significant developments you can expect to see play out in 2015.

1. Rise of the Phablets

Look for Phablets to become a disruptive technology and dominant force as BYOD devices of choice. The larger display size they offer will make these devices an attractive all-in-one solution for many smartphone and tablet users. They’re not an entirely new phenomenon, but the expected surge of the iPhone 6 Plus will launch them into the spotlight like never before. The buzz created by this device will almost certainly transcend their increased share of the retail market and as a result, Phablets are set to make a big splash on BYOD as the devices that can almost do it all. Expect their influence to trigger a notable decline in BYOD usage of Tablets especially in 2015 and beyond. BYOD employees will shift from using tablets to Phablets as a solution to their mobile needs. App developers will need to adapt quickly so that their apps run optimally for this new form factor.

2. Is the honeymoon over for MDM?

Many security vendors have added MAM (Mobile Application Management) and MIM (Mobile Information Management) tools to their existing Mobile Device Management (MDM) solution of choice. Together, these services are being packaged as EMM (Enterprise Mobility Management) and promoted as an all-inclusive mobile security solution. There’s no doubt that together these approaches address several security concerns – but collectively they still do not add up to the comprehensive enterprise mobility solution that enterprises require. EMM implementation on the ground is still at a relatively early phase, so BYOD companies and EMM providers are still very much in the “honeymoon stage” with these services. Just like a young and developing romance, the security flaws will eventually be uncovered as EMM implementation becomes more mature. Since MDM is still the anchor steering this approach, the limits to its effectiveness will become apparent as employee feedback starts cycling back to organizations. For IT, the costs of managing all of these on-device security requirements will also become an issue.

3. Mobile Apps – Security will Take Center Stage

In 2014 I said that mobile apps would graduate beyond standard apps and that we would see organizations investing in more robust and data-rich enterprise apps like CRMs and ERPs in order to enable employees to be more productive. With more complex apps and data being adopted into BYOD, securing these apps will be paramount. Many security tools such as MDM and MAM will be trialed, but they require a lot of IT customization such as App Wrapping and Containerization. It will be interesting to see how successful they will be and whether they will continue to be selected over time.

4. Vertical BYOD Solutions will become Bigger

Look for more vendors to target specific industries and tailor their security solutions for those that need higher-level security and are dealing with difficult challenges as a result of BYOD implementation. Healthcare, for example, sees doctors often working outside of the hospital or clinic, yet they need access to mobile apps more than ever before. Securing Protected Health Information (PHI) on these apps is an absolute must, given the compliance and liability issues that arise under HIPAA (Health Insurance Portability and Accountability Act). Banks and financial institutions also have a heightened need to secure extremely sensitive customer and corporate information while putting BYOD into practice. Then you have both public and private defense agencies, for which cybersecurity threats and their accompanying challenges are unique and the stakes have never been higher. Their security specifications require them to use their own customized devices and adopt more of a COPE (Corporate Owned Personally Enabled) policy. These industries represent niche opportunities for vendors who will roll out mobile offerings in increasing numbers.

5. Virtualization Technology will Make a Splash

As organizations gather analytics and weigh the advantages and disadvantages of different ways to manage BYOD, the big picture will slowly but surely come into focus. Increasing reliance on mobile devices means mobile-first security solutions will take precedence. While we’ve heard the importance of “following the data” often in 2014, more organizations will shift philosophies on the best way to achieve that, with more CIOs looking to manage data security away from personal devices entirely. Both on-device (Multi-Persona) and off-device virtualization such as VMI (Virtual Mobile Infrastructure) will become a larger part of the BYOD landscape as a result.