If there is one thing business executives love, it’s control. Control enables them to plan effectively and manage risks. Crucially, control also provides executives and IT departments with a means of protecting the enterprise against security threats.
It is no wonder then that many businesses are cautious about Bring Your Own Device (BYOD). Surely, the argument goes, allowing employees to use their own devices at work relinquishes too much control and leaves the door open to security threats? It is an understandable position but, as we shall see, an incorrect one. Indeed, in many cases a reluctance to embrace BYOD means businesses are missing out on considerable benefits, including huge productivity and cost gains.
Businesses remain cautious
The extent of business caution towards BYOD was revealed in recent Oracle research which polled security decision makers[1]. The research revealed businesses are trying to resist BYOD: 44 percent dislike BYOD or only allow it in exceptional circumstances, while a further 29 percent restrict usage to senior employees only. Less than 10 percent of businesses surveyed fully embrace BYOD.
In today’s world, this is no longer acceptable. BYOD is not something that will simply go away. Employees are already bringing their own devices into the workplace regardless of whether businesses want them to or not. Trying to stop BYOD will not return control to the business. In fact it will have the opposite effect.
Free Cyber Security Training! Join the revolution, today!
If businesses try to resist BYOD, staff will continue moving data around on unapproved devices which can get lost, fall into the wrong hands, or simply degrade the integrity of a company’s governance and data protection obligations. Prohibition will result in employees using their own devices without the permission of IT and without their oversight. From an enterprise security perspective, this is unacceptable.
If businesses really want to have better control of their IT and better protect their data, the answer lies in encouraging BYOD and putting in place a secure framework for it. By bringing the practice out into the open and enabling it, the IT department can see what is truly happening within the business and take appropriate steps to protect it. You can, after all, only protect a business if you are aware of all potential threats.
Getting to grips with BYOD
There is a perception that allowing employees to bring their own devices into the workplace will create a kind of technological ‘Wild West’ in which IT wastes time and money integrating a wide variety of devices and ensuring they are all secure. In fact, a well thought-out BYOD strategy can allow businesses to seamlessly extend existing enterprise security measures to cover their employees’ devices.
Some businesses have already addressed BYOD through a COPE strategy (Corporate-Owned, Personally Enabled). COPE businesses allow employees to select the devices and applications they use for work purposes, in collaboration with the IT department. This allows IT to effectively manage and secure devices. As a halfway house between the traditional IT-driven procurement model and the free and open BYOD model, many businesses may find COPE a useful way of finding their feet in our new mobile age. However, it is still important that usability is preserved in the face of security measures. If a device becomes impractical through excessive password requests, for example, employees will more than likely stop using them.
When it comes to full BYOD, IT departments need not only enable it and monitor which devices are being used to access the corporate network,;they also need to put in place robust security measures (again – ones that do not impact on the end-user experience). The user experience is important from a productivity perspective but takes on additional significance here as the device belongs to the employee. (The performance of their personal services and apps needs to be unaffected by security measures.)
Finally there is a legal imperative for businesses. If in a BYOD environment the business inadvertently accesses employees’ personal data, they run the risk of being sued by those employees. In the BYOD business, therefore, security is as much about putting in place controls to protect employees’ privacy as it is about securing enterprise data.
Security for a mobile age
Businesses can of course build custom apps to overcome these challenges, but there are a number of ‘off-the-shelf’ approaches that should also be considered. One such is containerization. Containerization allows all work applications to be walled-off from the personal areas of the phone. Businesses have complete control over what goes on within the walls of the business container, and they can apply all necessary security policies. Moreover, as work applications are separated from personal applications, businesses need not worry that they might accidently gain access to personal data.
Containerization complements mobile application management (MAM), another security innovation that will help businesses embrace BYOD. MAM developed out of mobile device management (MDM) as a way to enforce control around enterprise applications. Unlike traditional VPNs (which can be risky as they provide network access for every app on the device), security controls include application-based encryption, authentication, and app tunnelling. Crucially, MAM security measures are not focused on the device but on what is being accessed by the device within the secure confines of the container. This allows businesses to secure their mission critical systems and data regardless of whether the employee is using a personal or work device.
This is not to say that mobile device management won’t still have a role to play. For example, MDM might be required to remotely disable a phone’s camera in certain circumstances, but for most use cases, MAM will provide just the sort of user-friendly security required for BYOD or COPE strategies. Where MDM is deployed, moreover, it can be done so in a light-handed way that does not compromise user experience.
Also essential will be the latest generation of identity and access management technologies. This approach focuses less on the device and more on the person, putting identity at the heart of security. An identity-based model that incorporates secure application delivery, MAM, ‘MDM-light,’ and containerization delivers complete flexibility to the business and enables successful COPE and BYOD strategies.
Mobile security in a changed world
The business world has changed. IT is no longer the sole gatekeeper of technology, and employees are using the devices and software they want to use. This is a huge potential windfall for businesses that must not be overlooked.
People work better on devices they understand and choose for their personal lives, which equates to greater productivity for the business. Depending on the BYOD model employed, meanwhile, organizations can dramatically reduce costs associated with hardware investments.
For all this benefit, businesses must ensure there are no barriers being put in the way of the employee in the name of security. The good news is that modern approaches to security mean they no longer need to. Today’s enterprises are able to give their employees complete freedom over the devices they use without relinquishing control of their IT estate or compromising on security.
[1] Chief Security Officers, Chief Information Security Officers or other personnel responsible for information security at 700 businesses across Europe – The Oracle European BYOD Index Report (April 2014)
By Alan Hartwell, Vice President Security & Identity Solutions, EMEA, Oracle
Bio: Alan Hartwell is responsible for growing Oracle’s Security and Identity Management business across the EMEA region. He joined Oracle’s Financial Services area of the business in 1998 before moving to the Internet Solutions Group. Following this, Alan became the Oracle Database 9i Solutions Sales Leader for the UK and then progressed to the roles of Vice President of Marketing for the UK, Ireland and South Africa and Vice President of Sales, Engineered Solutions, Exadata, Exalogic.
Previous experience also includes being Vice President for Consulting UK, Ireland & South Africa, where Alan was responsible for developing the Oracle Consulting Business, focusing on using innovation as the key driver to find new markets and new ways of doing business with both existing and new customers. Prior to joining Oracle, Alan headed up several pre-sales and project management groups in the IT sector, and also worked in the Financial Services sector with various banking organisations such as Lloyds TSB and Abbey National.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.