Securing the enterprise in the era of BYOD

Profile picture for user ahartwell By Alan Hartwell December 9, 2014

Businesses want to have better control of their IT and better protect their data.
Trying to stop BYOD will not return control to the business.
The answer lies in encouraging a secure approach to BYOD.

It is no wonder that many businesses are cautious about Bring Your Own Device (BYOD). Many businesses believe that allowing employees to use their own devices at work relinquishes too much control and leaves the door open to security threats. It is an understandable position but, as we shall see, an incorrect one.

The extent of business caution towards BYOD was highlighted in recent Oracle research which polled security decision makers*. The research revealed businesses are trying to resist BYOD: 44% dislike BYOD or only allow it in exceptional circumstances, while a further 29 per cent restrict usage to senior employees only. Less than 10% of businesses surveyed fully embrace BYOD.

In today's world this is no longer acceptable. Employees are already bringing their own devices into the workplace regardless of whether businesses want them to or not. Trying to stop BYOD will not return control to the business. Rather, prohibition will result in employees using their own devices without the permission of IT and without their oversight.

If businesses want to have better control of their IT and better protect their data, the answer lies in encouraging a secure approach to BYOD. By bringing the practice out into the open, the IT department can see what is truly happening within the business and take appropriate steps to protect it.

There is a perception that allowing employees to bring their own devices into the workplace will create a technological 'Wild West' and IT will waste time and money integrating and securing a wide variety of devices. In fact, the right BYOD strategy can allow businesses to extend existing enterprise security measures to cover employee devices.

Coping strategies

Some businesses have already addressed BYOD through COPE strategies (Corporate-Owned, Personally Enabled), which allow employees to select the devices they use for work purposes, in collaboration with IT. This allows IT to effectively manage and secure devices. However, it is important that usability is preserved. If a device becomes impractical through excessive password requests, for example, employees will likely stop using them.

For BYOD, IT departments need not only enable it and monitor which devices are used to access the corporate network, they also need to put in place robust security measures (again, ones that do not impact on the end-user experience). The user experience is important from a productivity perspective, but takes on additional significance here as the device belongs to the employee. The performance of their personal services and apps needs to be unaffected by security measures.

Finally there is a legal imperative for businesses. If in a BYOD environment the business inadvertently accesses employees personal data, they run the risk of being sued by those employees. In the BYOD business, therefore, security is as much about putting in place controls to protect employees' privacy as it is about securing enterprise data.

To that end, there are several approaches that should be considered. One such is containerization. Containerization allows work applications to be walled-off from the personal areas of the phone. Businesses have complete control over what goes on within the walls of the business container and they can apply all necessary security policies. Moreover, as work applications are separated from personal applications, businesses need not worry that they might accidently gain access to personal data.

Then there is mobile application management (MAM), which developed out of mobile device management (MDM) as a way to enforce control around enterprise applications. Security controls include application-based encryption, authentication and app tunnelling. MAM security measures are not focused on the device, but on what is being accessed by the device within the secure confines of the container. This feature allows businesses to secure their mission critical systems and data regardless of whether the employee is using a personal or work device.

Mobile device management will also have a role to play. For example MDM might be required to remotely disable a phone's camera in certain circumstances – but for most use cases MAM will provide just the sort of user-friendly security required for BYOD or COPE strategies.

Also essential will be the latest generation of identity and access management technologies. This approach focuses less on the device and more on the person, putting identity at the heart of security. An identity-based model that incorporates secure application delivery, MAM,  'MDM-light' and containerization delivers complete flexibility to the business and enables successful COPE and BYOD strategies.

Today's enterprises are therefore in a position to give employees complete freedom over the devices they use without relinquishing control of their IT estate or compromising on security.

* Chief Security Officers, Chief Information Security Officers or other personnel responsible for information security at 700 businesses across Europe -  The Oracle European BYOD Index Report (April 2014)