So you want to introduce a BYOD plan. Where do you start?
It's all about control
Like it or not, BYOD (bring your own device) is here to stay. Being able to get your emails on your personal iPad and such is all very well but it comes with both a cost and a risk.
Often the success or failure of a BYOD deployment is determined before the first machine is touched.
BYOD comes in two distinct flavours: "I want my email and calendar on my own device so I can be totally up to date" or "I earn my living using these devices." Each requires a differing approach.
An administrator alone cannot succeed with a BYOD deployment. To be successful it needs to be effectively managed by a project manager or sponsor who can deal with the issues that will inevitably arise before and during rollout.
A sponsor should also have the latitude to make decisions on behalf of management. If the company in question has one, a security officer should also be included in the planning as a BYOD rollout will most definitely touch his or her area of responsibility.
Everyone involved needs to understand not only the politics but also the logistics of implementing BYOD in a business environment.
The first thing an administrator needs to understand is that no company with more than a handful of employees is ever going to let them just add a business email or calendar account to their own iPads or download work-related information onto an uncontrolled device.
The company has to retain control of important and valuable data. It is not that companies necessarily distrust their employees, but if a device is lost it needs to be sure that no information will leak.
A demonstrable security policy is a must, especially in these litigious times. Remote wipe is a mandatory requirement for all BYOD devices, and any mobile device management (MDM) solution should provide this.
Full disk encryption with encrypted media is also essential. A company need lose sensitive data only once and it could be game over.
Starting small is highly recommended. Dealing with just a handful of users while creating and refining the processes and procedures for BYOD makes life easier. All the processes should be created in advance and tested with these early users.
The team that is piloting the BYOD plan should represent the typical range of users and devices in the company. Such a team will be able to gauge the amount of work involved in supporting a bigger volume of users, as well as the kind of issues they may run into.
Don't just go with the geeks, as this might lead to some weird expectations and metrics.
Laying down the rules
Perhaps the most important aspect of any BYOD installation is a solidly written policy governing when and where data is to be stored.
Information should not be stored on the local device unless it is encrypted using an approved encryption scheme, where "approved" means approved by the company, not merely conforming to a published encryption standard. The scheme should, however, also meet the relevant standards.
Drawing up an acceptable use policy (AUP) is also highly recommended and the policy should be enforced, unlike many AUP policies which are seemingly ignored.
Surfing dubious sites raises the likelihood of the phone being compromised. An administrator – possibly with the assistance of the security team – needs to decide if, for example, access to playboy.com or The Pirate Bay is permissible on employees’ devices.
The policy should also address antivirus and malware and be up to date on patches. It should be signed by both the company and each employee.
That may be stating the obvious, but users are users, right?
One difficulty of BYOD is the unending list of different hardware it involves. It is important to set expectations and limits on what assistance users can ask for. A help desk policy should be created for this purpose.
The policy should cover what can be expected by the users and what is supported in terms of hardware and software. The company may wish to limit support to email and web applications. Does the company want to get involved in printing if a user has some printer that needs Wi-Fi support?
A clear usage policy leaves less room for users to grumble when their own device with a third-rate non-business application is not working.
Random application corruption or a half-dead phone or laptop owned by the user should not be the concern of the help desk and consume support cycles. The combined AUP and help desk policies will help reduce the scope for an argument over dodgy hardware or for unreasonable requests to "fix my totally broken device".
If it's broke don't fix it
Setting reasonable limits on the supported hardware is also wise. Jailbroken or otherwise non-standard devices should be rejected as a security cesspool that can only lead to problems. In fact, most MDM applications will refuse to install on any rooted device.
Once the process and procedures are in place, we can look at the technology that can provide a secure environment. Any good MDM solution has three core attributes: central management; the ability to separate user data from business data; and data loss prevention.
Centralised management features should include the core programs and tools such as full disk encryption (FDE) and remote wipe capability. Almost all MDM tools come with an application store and the automated push of applications and configurations to the device.
Separating user data from business data is also a critical function. When a user leaves a company's employ, the company wants to be sure that it can remove all the data held by the user's containerised "phone within a phone".
MDM also concerns itself with ensuring that company data held on a user's phone is never compromised or lost.
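The rules just described (reject jailbroken or rooted devices, require full disk encryption and remote wipe, keep business data in a separate container, stay current on patches) are the kind of checks an MDM enrolment gate evaluates before a personal device is allowed to hold company email. The following is an added illustration of such a posture check, written for this article and not taken from any MDM product; the field names, the minimum-version policy and the sample devices are all constructed assumptions.

```python
# Added example: a minimal BYOD enrolment posture check. Not code from the
# article or from any MDM vendor; field names, policy values and sample
# devices are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    platform: str             # assumed labels, e.g. "android", "ios"
    os_version: str           # dotted version string, e.g. "14.2.1"
    rooted: bool              # jailbroken / rooted flag reported by the agent
    disk_encrypted: bool      # full disk encryption enabled
    remote_wipe_enabled: bool  # device enrolled for remote wipe
    work_container: bool      # business data held in a managed container


# Assumed policy: lowest OS version per platform that still receives patches.
MIN_OS_VERSION: Dict[str, str] = {"android": "13.0", "ios": "16.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '14.2.1' into (14, 2, 1) so versions compare numerically.
    Trailing zeros are dropped so that '13' and '13.0' compare equal."""
    parts = [int(part) for part in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def evaluate(device: DevicePosture) -> Tuple[str, List[str]]:
    """Return ('allow', []) or ('deny', [reason, ...])."""
    # A rooted device is rejected outright: none of the other controls
    # (encryption, wipe, container) can be trusted on it, so stop here.
    if device.rooted:
        return "deny", ["device is rooted or jailbroken"]

    reasons: List[str] = []
    if device.platform not in MIN_OS_VERSION:
        reasons.append(f"unsupported platform: {device.platform}")
    elif parse_version(device.os_version) < parse_version(MIN_OS_VERSION[device.platform]):
        reasons.append(
            f"os version {device.os_version} below minimum "
            f"{MIN_OS_VERSION[device.platform]}"
        )
    if not device.disk_encrypted:
        reasons.append("full disk encryption not enabled")
    if not device.remote_wipe_enabled:
        reasons.append("remote wipe not enrolled")
    if not device.work_container:
        reasons.append("no managed work container for business data")
    return ("deny", reasons) if reasons else ("allow", [])


# Constructed sample postures: one compliant tablet, one rooted phone,
# one out-of-date unencrypted phone, one tablet missing wipe and patches.
SAMPLE_DEVICES = [
    DevicePosture("tab-001", "ios", "17.1", False, True, True, True),
    DevicePosture("phone-002", "android", "14.0", True, True, True, True),
    DevicePosture("phone-003", "android", "12.1", False, False, True, False),
    DevicePosture("tab-004", "ios", "15.4", False, True, False, True),
]


def enrolment_report(devices=SAMPLE_DEVICES) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every device and map its id to the decision and reasons."""
    return {d.device_id: evaluate(d) for d in devices}


if __name__ == "__main__":
    for dev_id, (decision, why) in enrolment_report().items():
        print(f"{dev_id}: {decision} {'; '.join(why)}")
```

The rooted check short-circuits on purpose: the article's point is that a jailbroken device is rejected as a whole rather than scored against the remaining controls, and reporting only that reason avoids giving a false impression that fixing encryption or wipe settings would make it acceptable. All other failures are collected together so the user and help desk see the full list in one pass.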
Most mobile device vendors do not provide an in-house MDM solution but rather a framework on which device management can be hung. This allows for a huge variety of management platforms that can cope with a diverse range of devices, including Android, iDevices and Windows-based devices.
One of the major solutions on the Android platform is Samsung Knox.
This is an enterprise-class MDM solution that goes beyond what a standard Android phone provides in terms of device security and management. It is an extensible security framework.
Like all MDM solutions, Knox works by creating what is in essence a containerised phone within a phone, a secure sandboxed environment, and enables full control of the containerised phone.
An approved app store can deliver a range of customised applications to the user.
Currently Knox is available only on a limited range of Samsung devices. This should change, however, as Samsung has developed the Samsung Enterprise Alliance Program (SEAP), a partner program that will help spread the Knox infrastructure beyond Samsung's borders. SEAP includes a range of partner levels.
Why was it left to Samsung to develop such a core part of the Android BYOD device strategy, rather than Google? One can only wonder. Within the next few releases of Android we should start to see Google begin to tackle this rather large overhead.
Build your own
The other big player on the block, Apple, has taken a slightly different approach to MDM.
Apple doesn't provide its own MDM solution but a framework on which other providers can build MDM solutions. However there is more virtual paperwork involved: you need to have a signed Apple SSL cert and enrol the devices into the Apple MDM management account.
Other MDM providers include AirWatch, MobileIron and the old favourite, BlackBerry. Each has different capabilities and pricing but all of them support the big three (or four if anyone still counts BlackBerry as a big device player).
Once users’ devices are secure and managed, you can begin to concern yourself with how to deliver the applications and user experience required.
Email and web browsing are quite straightforward and configured from the MDM server. Some companies provide their own in-house applications. Trying to work with the wide range of devices, however, can be tricky, consuming a lot of support and development cycles.
To get round this issue, a lot of larger devices can support a full virtual desktop experience through virtual desktop infrastructure (VDI). While to some this may sound a little extreme, it is gaining more widespread support.
The thinking behind it is that not everyone sits at a desk. Many remote users, such as surveyors or insurance underwriters, are out and about with tablet devices, and they can use VDI to access their suite of applications on one screen. It also enhances security, because no data ever leaves the data centre.
This approach may not fit all but it provides those users who use legacy applications that cannot be modified to run on the web with a way to do what they need to. The use of VDI combined with the mobility aspect of BYOD is proving a winning combination for people on the move.
BYOD brings an advantage to businesses and their employees when correctly thought out, planned and executed. Using centralised MDM tools with good security choices, it enables businesses to provide their employees with the right information on the devices they want.
There is a lot to be said for being able in effect to carry two devices in one, eliminating the hassle of carrying two devices, checking that you have them both and charging them both.
BYOD, done right, could provide the answer. ®