Bring Your Own Device: Balancing Security and Convenience
The rise of digital convergence has brought significant changes to the IT environment in its wake. There are heavy budgetary pressures on IT to do more with less, all against a backdrop of increasingly virulent and sophisticated malware threats.
One potential solution has been for IT to relax its previous prohibition on users attaching their own equipment to the corporate network, particularly for remote users with smart devices – “Bring your Own Device” – or BYOD. This brings obvious immediate financial benefits but has serious security and operational effects.
Many companies have not formulated policies dealing with BYOD. To a great extent, they are flying by the seat of their pants, leaving IT to manage its effects.
The savvy IT Head will try to find a balance between the convenience of “Bring Your Own Device” and preserving the security of the corporate network.
There is no doubt that the use of mobile devices, personally and in the workplace, has brought greater convenience to the user. It has also helped the IT department with its budget, since under the BYOD concept users will often rather use their own smart device, particularly on the road, than a company-supplied one.
However, using personal devices on a corporate network does have security and other implications, and balancing convenience against security is often a difficult path to tread.
There is a definite convenience to carrying one familiar personal smart device with access to company apps and data, but smart devices are a particular problem for support and security:
- Mobile devices attached to a desktop PC are small enough to be carried in a pocket, so company information can be copied off and stolen.
- They can be used to bring malware onto the corporate network.
- An IT department can spend lots of time and effort trying to connect users' non-mainstream devices or rectifying their poor performance.
- A user might connect a device that hosts apps with compromised integrity.
The convenience of using personal devices in a company context is a powerful motivator. It provides one single authoritative source of information, for example, contact lists. It’s only one device to carry and the user has an easy familiarity with its set-up.
A stolen, lost or misused device is a great security risk. Most smart devices can be remotely wiped or locked if lost; however, this requires that the device is switched on and reachable over the mobile network.
Some balancing measures:
- Disable all the USB ports and Bluetooth on every desktop PC to stop inward and outward connections to flash drives and portable hard drives. It may also be prudent to disable CD/DVD-ROM drives. A special "administrator" user profile could be used to restore access for local maintenance by the IT department.
- Limit connection to the corporate WiFi network to known devices only, or use an authenticated user and guest user environment. This prevents unauthorised smart devices connecting to the corporate systems via the WiFi AP or desktop PC.
- Make it company policy that only mainstream and known brand devices will be accepted as connections to the company WiFi network. In addition, make sure that the corporate network access policy specifically includes WiFi and remote access criteria.
- Put WiFi connection instructions on the company’s internal support site and charge for supporting non-authorised brands.
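The first balancing measure above, as an added PowerShell example that is not part of the original article: it disables the USB mass-storage driver (so keyboards and mice keep working), the CD/DVD-ROM driver and the Bluetooth Support Service, and provides the matching restore for IT's local-maintenance profile. It assumes the standard service keys under HKLM:\SYSTEM\CurrentControlSet\Services (USBSTOR, cdrom, bthserv) and Microsoft's default Start values (USBSTOR = 3, cdrom = 1), and must be run from an elevated session.

```powershell
# Added example, not from the original article. Assumed service key names and
# default Start values are noted above; 4 means "disabled" for a driver service.
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Defaults = @{ USBSTOR = 3; cdrom = 1 }   # values restored for IT maintenance

function Set-RemovableMediaPolicy {
    param([ValidateSet('Lock', 'Restore')][string]$Mode)

    foreach ($driver in $Defaults.Keys) {
        $key    = Join-Path $Services $driver
        $value  = if ($Mode -eq 'Lock') { 4 } else { $Defaults[$driver] }
        $before = (Get-ItemProperty -Path $key -Name Start).Start
        Set-ItemProperty -Path $key -Name Start -Value $value -Type DWord
        # Record the transition so the change can be audited later.
        Write-Output ("{0}: Start {1} -> {2}" -f $driver, $before, $value)
    }

    # Bluetooth Support Service: stop and disable it, or return it to manual start.
    if ($Mode -eq 'Lock') {
        Stop-Service -Name bthserv -Force -ErrorAction SilentlyContinue
        Set-Service  -Name bthserv -StartupType Disabled
    } else {
        Set-Service  -Name bthserv -StartupType Manual
    }
}

# Report the current state so the lock-down can be verified on each desktop.
function Get-RemovableMediaPolicy {
    foreach ($driver in $Defaults.Keys) {
        $start = (Get-ItemProperty -Path (Join-Path $Services $driver) -Name Start).Start
        [pscustomobject]@{ Driver = $driver; Start = $start; Locked = ($start -eq 4) }
    }
    $bt = Get-Service -Name bthserv
    [pscustomobject]@{ Driver = 'bthserv'; Start = $bt.StartType; Locked = ($bt.StartType -eq 'Disabled') }
}

Set-RemovableMediaPolicy -Mode Lock      # use -Mode Restore from the maintenance profile
Get-RemovableMediaPolicy
```

Devices already mounted keep working until they are unplugged or the machine restarts, so verify after a reboot. On a managed fleet the Group Policy "Removable Storage Access" settings achieve the same effect centrally.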
It is a feature of the current workplace that users need to connect anytime from anywhere. It is now common to find “road warriors” using personal devices to connect to corporate systems over public WiFi systems in hotels, restaurants or shopping malls.
A useful balancing technique that preserves the convenience of BYOD is to permit connection only through a VPN client on the personal device that establishes an encrypted VPN tunnel to the corporate gateway.
One point that is sometimes forgotten is that password vaults are available for smart devices. If the sign-on credentials are entered automatically, a vault can allow someone with a stolen phone to gain access to corporate systems via the corporate VPN. Either prohibit their use or require a second layer of authentication at the entry point to the corporate systems.
Briefly, then, what can the CIO do to balance convenience and security? The first thing to understand is that BYOD will happen anyway. The benefits of using a single device mean that users will prefer their familiar phone, laptop or tablet.
If you have no policies in place, implement them in a staged fashion, and immediately make sure all remote access is over a remote encrypted VPN connection.
Finally, the security focus is nowadays about protecting data against attacks from anything and anywhere. Security solely based on user authentication is nearly gone and a variety of defensive measures are needed to balance the convenience of BYOD and security.