Providing employees “Anytime/Anywhere” access to business systems has quickly become the norm for companies large and small. The intent is to provide the capability for employees to work from home, provide access to systems while traveling, fulfil critical customer needs over weekends and holidays, or to log in using a personal tablet to give a presentation during the weekly meeting.
As these devices are typically employee-owned, supporting a “Bring Your Own Device” (BYOD) policy is becoming increasingly complex and difficult for IT.
Challenges with BYOD Policies
Any BYOD policy is a balancing act between security and ease-of-access. The security and control mechanisms of Mobile Device Management (MDM) software are a crucial factor in maintaining the balance between BYOD access and corporate data security. One challenge is the need to support a wide variety of devices in a dynamic mobile landscape.
Another is providing employees secure access to behind-the-firewall corporate resources. This access is typically provided via a Virtual Private Network (VPN), providing encrypted communications between the device and corporate assets.
IT must develop and implement policies and procedures with careful regard to balancing security necessities and usability challenges. Implemented policies and the resulting remediation are especially important if devices containing, or having access to, corporate resources are lost or stolen.
Balancing Corporate Data Security Necessities with Effective Access
There are two main categories of applications within which users require meaningful access and secure interaction with corporate data. The first is a home-built or custom internal Line of Business (LOB) application. These internal applications may not have a mobile story, and also often have issues with secure data connectivity, but access is required nonetheless.
The second category includes purchased or hosted (Cloud) applications that typically have a mobile story and have been designed with secure connectivity in mind. But not all companies are prepared to store secure corporate data in the cloud.
In addition to access considerations, policies and procedures regarding local storage of corporate data must also be implemented. Further, mitigating the risks of uploading malware or viruses into corporate data repositories and preventing unauthorized access to corporate data requires comprehensive IT policies.
The policies should include rules for revocation and removal of corporate data access due to employee termination, device seizure or loss, and other not-so-specific scenarios. Backup of corporate data on endpoint (mobile) devices to avoid productivity loss must also be considered by IT.
Three Key Considerations:
Evaluate Cloud-based service providers for commodity applications.
These include email, collaboration and communication tools, among others. Vendors providing these applications in the Cloud will have a built-in mobile implementation with varying levels of IT control/oversight. In addition, these applications will have been designed from the ground up with security considerations rarely found in home-built solutions.
Define internal audiences within your organization and assess their access requirements.
Not all audiences need full desktop access; external web access or web-relay access may be enough for a large part of your workforce. These requirements will guide the evaluation of vendors who provide virtual workspaces for appropriate audiences within your organization.
Vendors in this space typically employ commodity hardware and web-relay technologies to avoid complicated VPN implementations. Understanding the mechanics and limitations of a vendor’s solution is key to making a final decision. These vendors can support a wider variety of mobile devices than home-built solutions.
Deploy a mobile device policy with multi-factor authentication (MFA) to secure managed as well as unmanaged devices.
In addition to MFA, ensure that you have implemented a robust, high-availability (HA) VPN entry point to ensure anytime access. Be sure to enforce a time-out capability to limit the amount of time devices can be used when accessing corporate data without logging in again.
BYOD policies are subject to continuous review, balancing the need for anywhere/anytime access and addressing evolving security challenges. Implementing extensible and manageable BYOD policies will go a long way to address the demands for flexibility and innovation.
(About the author: Michael Coates is vice president and the head technical architect at N3, a global leader in sales execution and demand generation. N3 designs and executes large-scale, outsourced sales and marketing campaigns. Coates has more than 20 years of IT experience, including five years as a Microsoft Pragmatic Evangelist.)