The IT world is a succession of dualities and oppositions: PC and Mac, Android and iOS, BlackBerries and personal devices… BlackBerries have ruled the business world for ages, as the BlackBerry was THE piece of technology geeks wanted as a smart phone. With the market penetration of personal smart phones like the Samsung, iPhone, Nexus and such, employees want to use their own devices in the office. Office rules mandate BlackBerry usage for email; therefore employees have to make a choice: use their BlackBerry only, or carry their personal device in addition to their BlackBerry. Thus, the BYOD (Bring Your Own Device) issue emerges.
The use of BlackBerries offers the IT department peace of mind. RIM offers good security, message encryption and good compatibility with infrastructures. However, managing BlackBerries comes with a cost: first for the devices themselves, then for the BlackBerry servers and licensing fees. With employees increasingly wanting to use their own devices, IT departments are faced with the appealing option to cut down on the cost of devices despite the potential security issues and the need for multiplatform support.
For enterprises that don’t handle confidential information, allowing any personal device to access Microsoft Outlook is simple and BYOD is the preferred and easiest management method.
On the other hand, enterprises that handle confidential information risk information leakage when adopting BYOD. Multiple solutions exist to sandbox or take control of devices. Here are a few points to consider:
- Can the enterprise’s information be segregated (sandboxed) from personal data?
- Can the devices be wiped remotely if lost or stolen?
- Can security settings be enforced on the device (password length, for instance)?
- Do policies and a code of ethics exist to manage the usage of personal devices in the workplace?
- Is the device’s data encrypted?
- Is self-provisioning of the service expected to reduce helpdesk requests?
- Is the personal device’s usage monitored and are employees informed of it?
- Are users aware that their personal communications may be monitored?
- Are web navigation filters used to restrict Internet access?
- Is remote access to the enterprise’s network (VPN) considered?
- Are jailbroken or rooted devices permitted on the network?
These are all simple questions with large impacts on the deployment of a BYOD service and also on employees’ buy-in. Some may prefer using a BlackBerry as they do not want the company to have wiping rights on their personal device or have their device auto-locked after a few minutes of inactivity.
Once all these questions are answered and the information security department has the proper policies set up, selecting a BYOD product becomes a simple issue of meeting the procurement team’s requirements. Their biggest challenge is to meet both the enterprise’s security needs and preferred mobility features. Depending on the sensitivity of the corporate data, they may opt for more security and restrictions or lean towards more usability and leniency.
Remember to plan carefully, apply policies and controls, verify effectiveness and reporting, improve service and understand BYOD.
By Philip Veilleux, Information Security Advisor