Are you struggling with the abundance of information about BYOD when it comes to how to adequately secure your business data? Have you tried rolling out BYOD in your organisation only to have employee after employee complain about the poor user experience? It does not have to be this way. Your business can design and roll out a successful BYOD program that users love, whilst ensuring the security of your business data.
Many of the problems that create employee dissatisfaction, and a lack of security around business data, stem from a misperception that Mobile Device Management (MDM) is the appropriate technology for BYOD. It is not. Full stop. Unfortunately for you and many others, the marketing and media hype surrounding MDM has told you it is the silver bullet, the panacea, for your BYOD woes. MDM has a role to play in enterprise mobility, but BYOD is not it.
If MDM is not the answer, then what, you might ask, is? Well, it’s hopefully simpler than you think. There are three principles you need to adhere to. Adhere to these three principles well and your employees will love you, and your Chief Information Security Officer will be happy too.
1. Protect your corporate data at rest and in transit. BYOD means employees are accessing, and potentially storing, corporate data on their personally owned devices. To ensure your corporate data is secured, you need to ensure it is encrypted at all times. That means data must be encrypted whilst stored on a BYOD device, and it must be encrypted in transit between the mobile device and your corporate systems. Two common ways of achieving this are application-level encryption and Virtual Private Networks (VPNs).
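To make “application-level encryption” concrete, here is an added example (not code from the original post or any product it mentions) of how a business app might seal a record before writing it to the device’s storage. It uses AES-256-GCM from the Go standard library and binds each record to a context string, assumed here to be the business app’s identifier plus the record path, so that the same bytes refuse to decrypt if they are read back under a different context. The key handling is simplified: a real app would obtain the key from the platform keystore rather than generating it in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Stored record layout (hypothetical, for this example): nonce || ciphertext || GCM tag.

// NewDataKey returns a fresh 256-bit key. In production this would come from the
// device keystore (Secure Enclave / Android Keystore), not from app memory.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The context (e.g. app id + record path)
// is passed as associated data: it is authenticated but not stored in the output,
// so the record only opens again for the same app and record.
func Seal(key, context, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal. It fails if the key or context differs, or if the stored
// bytes were modified on disk.
func Open(key, context, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, context)
}

func main() {
	key, _ := NewDataKey()
	ctx := []byte("com.example.business-mail/inbox/42") // constructed context
	sealed, _ := Seal(key, ctx, []byte("Q3 forecast: confidential"))
	fmt.Printf("stored on device: %x\n", sealed)

	pt, err := Open(key, ctx, sealed)
	fmt.Println("business app reads:", string(pt), err)

	// The same bytes presented under a personal app's context do not decrypt.
	_, err = Open(key, []byte("com.example.personal-notes/scratch"), sealed)
	fmt.Println("personal app context:", err)
}
```

The point of the associated-data binding is that encryption at rest and leakage prevention reinforce each other: a copy of the ciphertext that ends up outside the business container is useless without both the key and the original context, and any tampering with the stored record is detected on read.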
2. Prevent business data leakage. Stop your corporate data leaking to personal applications, including those residing on the device and in the cloud that you do not control or have not secured. By separating corporate data from personal data, the business data can be controlled and prevented from being moved, purposefully or inadvertently, to non-corporate applications. This includes preventing copy and paste from business applications to personal applications, and preventing “open in” from opening business data in a personal application, while still allowing business data to be opened in a business application. The two best approaches for this capability today are containerisation and virtualisation.
3. Enforce strongly authenticated access to business applications. Encrypting data and preventing data leakage will only protect your data if adversaries cannot easily access the information by logging in. Many attacks today happen by way of social engineering, and the reliance on passwords has left many companies and individuals vulnerable (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/). The best way to prevent these attacks from succeeding today is multi-factor authentication.
To explain what multi-factor authentication is in three sentences: there are three ‘factors’ that can be used to grant physical and/or virtual access to information and systems. These are (1) something you know (e.g. a PIN or password), (2) something you have (e.g. an RSA/Vasco token, ATM card or credit card), and (3) something you are (e.g. voice recognition, an iris/retina scan or a fingerprint). So an example of multi-factor authentication is withdrawing cash from an ATM: you use your ATM card (something you have) and enter your PIN (something you know) in order to withdraw cash.
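The ATM is the physical illustration; for a business application the equivalent of the card is usually a one-time-code token like the RSA/Vasco devices mentioned above. As an added example (not from the original post, and not any vendor’s implementation), the Go program below checks both factors for a login: the password (something you know) against a salted, stretched verifier, and a six-digit code (something you have) generated from a shared seed using the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238), which is what those tokens and authenticator apps compute. The user record, salt and seed are constructed for the example; the PBKDF2 routine is written out only so the block stays standard-library-only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to 31 bits, then the low `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock: 30-second steps.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/30), digits)
}

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018),
// which is all a password verifier needs.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): first (and only) block
	u := mac.Sum(nil)
	t := make([]byte, len(u))
	copy(t, u)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// User is what the business app's backend stores: a salted password verifier
// (something you know) and the OTP seed shared with the user's token (something you have).
type User struct {
	Salt, PasswordHash, OTPSeed []byte
	Iterations                  int
}

func NewUser(password string, otpSeed []byte) User {
	salt := []byte("constructed-fixed-salt") // use crypto/rand per user in production
	return User{Salt: salt, Iterations: 10000, OTPSeed: otpSeed,
		PasswordHash: pbkdf2SHA256([]byte(password), salt, 10000)}
}

// Authenticate grants access only when both factors verify. Both checks always
// run and use constant-time comparison, so a failure does not reveal which
// factor was wrong. The current and previous 30-second windows are accepted
// to tolerate small clock drift on the token.
func Authenticate(u User, password, otp string, now int64) bool {
	pwOK := subtle.ConstantTimeCompare(
		pbkdf2SHA256([]byte(password), u.Salt, u.Iterations), u.PasswordHash) == 1
	otpOK := 0
	for _, step := range []int64{0, -30} {
		otpOK |= subtle.ConstantTimeCompare([]byte(TOTP(u.OTPSeed, now+step, 6)), []byte(otp))
	}
	return pwOK && otpOK == 1
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 test seed, used here as a constructed value
	u := NewUser("correct horse battery staple", seed)
	now := time.Now().Unix()
	code := TOTP(seed, now, 6) // what the user's token would display right now
	fmt.Println("password + valid code:", Authenticate(u, "correct horse battery staple", code, now))
	fmt.Println("password alone (wrong code):", Authenticate(u, "correct horse battery staple", "000000", now))
	fmt.Println("code alone (wrong password):", Authenticate(u, "hunter2", code, now))
}
```

Either factor on its own fails, which is the whole point: a phished or reused password is not enough without the token, and a lost token is not enough without the password. For production use, the seed would be generated randomly per user at enrolment and stored as carefully as the password verifier, and accepted codes should be recorded so the same code cannot be replayed within its window.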
So, to summarise the above: if you are looking at implementing a successful BYOD program, you will need to choose a technology, or technologies, that can encrypt your data at rest and in transit, prevent any corporate data being moved to an unsecured non-business application or system, and require multi-factor authentication to access your business applications and data.
I am keen to hear your thoughts about this, especially if your thinking is contrary to mine.