Best Practices for a BYOD Policy – Takeaways From a Wisegate Roundtable

By ISBuzz Team, December 10, 2014 (updated July 5, 2024)

The top takeaways from a Wisegate roundtable on best practices for a BYOD policy were surprising, if not contradictory. They include:

– Right now, it’s almost impossible to have a formal policy.
– You still need to have a BYOD policy.
– Users will do what they want – if they can – regardless of your BYOD policy.
– Privacy is a big user issue in BYOD policy implementation.
– Developing your own apps may be the long-term company response to BYOD.

The Schwan case

The courts have thrown a spanner in the works. The problem is an August 12, 2014 California appeal court ruling (Cochran v. Schwan’s Home Service[1]) that states, “We hold that when employees must use their personal cell phones for work-related calls, Labor Code section 2802 requires the employer to reimburse them.”

Several participants commented that this ruling had forced them to suspend or delay any BYOD policy while their legal departments work out what it actually means. The general feeling is that if you allow staff to use their own devices, you will have to pay for any use that was required for business purposes. But what would happen if a member of staff has not been told to use his personal device but does so and then claims it was necessary to do his job properly?

Many companies are waiting to hear from Legal before doing anything else.

But you still need some form of a policy.

The problem is that whether you have a policy or not, staff will still use their personal devices.

How are you going to stop it? They’re going to do it anyway, regardless of any policies. The reality is that people don’t like carrying two separate devices, so even if you provide a company phone or laptop, people will still use their personal devices for company work.

Users do what they think best, regardless of policy.

Several participants have spouses in the health industry. One participant said,

My wife is a nurse. There is a no-BYOD policy at the hospital. But all of the nurses communicate with each other via SMS because that’s the most efficient way to do their job.

Under the Schwan ruling in California, this would imply that if they could persuade a judge that the texts were necessary, they could insist on being reimbursed by the hospitals even without a formal BYOD policy. Another added,

My wife is a doctor. If there’s an emergency, she’s not going to let a BYOD policy stop her doing what she thinks necessary for the patient.

Some participants felt that this might be a compliance issue, although one felt it would be unlikely since no personal health information would be involved.

Privacy is a big user issue in BYOD policy situations.

The two biggest security problems with personal devices are malware on the device and lost or stolen devices that contain company data. The most popular single solution is a mobile device management (MDM) system that includes device compartmentalization and remote wipe. Note that a remote wipe only helps if the device is still powered on and reachable; for a device that is switched off or out of coverage, storage encryption is what actually protects the data, which is why the access controls described later check for it.

One participant asked,

Do users accept having an MDM agent installed on their devices? Are they resistant; and if so, how do you overcome it?

There seem to be two main issues: concern over user privacy (including the company’s ability to geo-locate the member of staff) and concern over the company’s ability to perform remote wipes of data.


One participant suggested relating the concept of compartmentalizing data to the principles of VDI, which are in general fairly well understood. Another explained,

We have an agreement that users must read and sign, as well as a training program that they must go through, before they can use their own devices [currently just phones].

Mobile as a policy, rather than having a BYOD policy

There are signs that BYOD is merely a transition stage. The implication is that ‘mobile’ is so important to the modern way of business that it is better to migrate the business to a mobile platform than to attach mobile devices to the business.

Our vision is that mobile devices will be the platform on which we’ll build our applications – we’re going mobile rather than PC for future development.

Another participant confirmed a similar route:

It’s our vision to be device and even location agnostic. We’ve not made all the decisions yet, but that’s probably the intention. We’re building this strategic roadmap in line with moving further into the cloud.

The question then is, where do you stop?

Think of the cloud. It doesn’t care what you are using or where you are located. So we should perhaps concentrate on interfaces. The devices will become consumers of data rather than processors of data – the devices themselves will never actually store the data.

And that would go a long way towards providing a roadmap for solving the BYOD security issue once and for all.

– CISOs use multiple layers of security for their BYOD policies.
– A common combination is MDM and digital certificates to control access.
– User reimbursement (especially following the Schwan case) is complex.
– Education is the key to understanding, but it’s difficult.
– The problem of multiple mobile platforms is being tackled either by moving to browser-based apps or mandating a single platform.

Access

Most participants either use a Mobile Device Management (MDM) system or are evaluating one. Usually this is part of the BYOD policy, but in at least one instance, the BYOD policy has evolved in order to suit the MDM.

Furthermore, most organizations have separate guest and employee Wi-Fi networks. The guest networks are kept separate from the corporate network and are usually limited to internet access only. One participant commented,

Employees can use their own tablets and phones on the guest network, but we’ve limited the bandwidth to 1.5 Mbit/s, so they can’t do things like Netflix.

Employee networks use various methods to limit access to the relevant parts of the network. The most common are APs, NAC, and digital certificates. One participant, from higher education, uses RADIUS realms and eduroam (which allows visitors to log in at a local institution using the native credentials of their own institution).

We’ve got clinical realms and academic realms. The clinical realms require encryption to protect PHI. Enforcement comes via the MDM combined with NAC. It checks for encryption on the device. If it doesn’t exist, the user gets bumped off the network. If a user declines to encrypt his device, that user is limited to the guest network with no corporate access.
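The realm-plus-posture enforcement described above can be written down as an explicit decision: the RADIUS identity is split into user and realm, the MDM supplies the device posture, and anything that fails the realm's requirements is dropped to the guest network. The following is an added illustration, not code from Wisegate, any participant, or any RADIUS/NAC product; the realm names, VLAN labels, posture attributes and the 1.5 Mbit/s guest cap are assumptions chosen to match the setups quoted in this section.

```python
"""
Posture-based network assignment for a BYOD Wi-Fi: RADIUS-style realm
routing plus an MDM/NAC encryption check, as described in the Access section.

Added illustration, not code from Wisegate, any participant, or any
RADIUS/NAC product. Realm names, VLAN labels, the posture attribute set and
the guest rate limit are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed realm table (assumed names). The clinical realm carries PHI, so
# it requires device encryption; the academic realm does not.
REALMS = {
    "clinical.example.edu": {"vlan": "clinical", "require_encryption": True},
    "academic.example.edu": {"vlan": "academic", "require_encryption": False},
}

# Guest network: internet only, capped at 1.5 Mbit/s as in the quoted setup.
GUEST = {"vlan": "guest", "internet_only": True, "rate_limit_kbps": 1500}


@dataclass(frozen=True)
class Posture:
    """What the NAC learns about one device from the MDM (assumed attribute set)."""
    mdm_enrolled: bool   # device has the MDM agent and is registered
    encrypted: bool      # MDM reports storage encryption enabled
    cert_valid: bool     # device certificate chains to the corporate CA


def split_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' the way RADIUS realm routing does.

    A missing or empty realm yields None, so it can never match a table entry.
    Only the last '@' is used, so 'a@b@realm' keeps 'a@b' as the user part.
    """
    user, sep, realm = identity.rpartition("@")
    if not sep or not user or not realm:
        return identity, None
    return user, realm.lower()


def assign_network(identity: str, posture: Posture) -> dict:
    """Decide which network a device lands on; anything non-compliant falls to guest."""
    _user, realm = split_identity(identity)

    if realm not in REALMS:
        # Unknown realm (including a visiting eduroam user's home realm, which a
        # real deployment would proxy to that institution): guest only.
        return {**GUEST, "reason": "unknown realm"}

    if not (posture.mdm_enrolled and posture.cert_valid):
        # No MDM registration or no valid device cert: posture cannot be
        # verified, so corporate access is refused rather than assumed.
        return {**GUEST, "reason": "device not enrolled or certificate invalid"}

    policy = REALMS[realm]
    if policy["require_encryption"] and not posture.encrypted:
        # The page's case: an unencrypted device is bumped off the PHI realm.
        return {**GUEST, "reason": "encryption required for realm"}

    return {
        "vlan": policy["vlan"],
        "internet_only": False,
        "rate_limit_kbps": None,
        "reason": "compliant",
    }


# Constructed sample authentications (not real users or devices).
SAMPLE_REQUESTS = [
    ("nurse1@clinical.example.edu", Posture(True, True, True)),
    ("nurse2@clinical.example.edu", Posture(True, False, True)),
    ("prof@academic.example.edu", Posture(True, False, True)),
    ("visitor@other.example.org", Posture(False, False, False)),
    ("localonly", Posture(True, True, True)),
]


def decide_all(requests=SAMPLE_REQUESTS) -> dict:
    """Map each identity to its network assignment."""
    return {ident: assign_network(ident, p) for ident, p in requests}


if __name__ == "__main__":
    for ident, result in decide_all().items():
        print(f"{ident:32} -> {result['vlan']:9} ({result['reason']})")
```

The ordering of the checks is the point: the realm is resolved first, then enrolment and certificate, then the realm-specific encryption requirement, and every failure lands on the same internet-only guest VLAN rather than on a partially trusted one. A visiting eduroam user falls through to guest in this model; a real eduroam deployment would instead proxy the authentication to the home institution, which the example does not do.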

Compensation

Compensation, or user reimbursement, is now front and center following the California Schwan ruling, but it’s complicated. Several participants described it as a work in progress, one that is not really understood by the users.

User education and the wiping issue

One participant described her BYOD policy and was asked, “Does your user base understand the policy?” She responded,

I don’t think the users understand anything because you have to read and learn. Generally speaking, our society no longer does that very well.

This makes user education and understanding a difficult challenge even though to a degree “it depends upon the age and tech-savviness of the user.”

One participant commented on the effect of moving from ActiveSync’s total wipe to an MDM’s corporate segment-only wipe.

We’ve always had the ability to completely wipe the BYO device built into the corporate email policy. We had no complaints. But when we moved to an MDM approach and explained to the users that corporate and personal data would be kept separate, and that we would know the difference, we suddenly got resistance. There were many comments about a ‘Big Brother’ approach. We found the users don’t want the company they work for to know what is on their device. Some have chosen not to register with the MDM, either insisting on a company device or not having the access capability at all.

This is an example of education actually making things more difficult. But another participant found that reminding users that all devices tend to get lost or stolen led them to approve the company’s ability, at the user’s request, to wipe their own data off a lost device.

Multiple platforms

One problem with having a BYOD policy is the sheer diversity of available platforms, with iOS, Android, Windows and BlackBerry being the most common. Some companies with a long-standing phone policy adopted BlackBerry when it was the leading device and are now finding they need to migrate to a newer platform. iOS seems to be the preferred ‘mandated’ platform.

Other companies are allowing users to choose their own platform and are then trying to cope with the multiplicity. One approach is to forget the device and embrace cloud technology.

Broadly speaking, it is our strategy to make every company application possible in this way. The net result is that the apps become available to all devices because we’re making them browser-based. It’s not a policy specifically for BYOD, but it certainly benefits it. It’s also our strategy to support the idea of using tablets everywhere. The aim is to be device-independent so that anyone can use the device of their choice, switch between devices, and work from any location on whatever platform they wish.

[1]

By Elden Nelson, Editor-in-Chief, Wisegate

About Wisegate

Wisegate is passionate about unlocking the potential of the collective expertise of IT’s top professionals. The company calls it next generation IT advisory. Through advanced matching and social technology, a trusted peer network and hands-on help, IT practitioners connect to share best practices and answer IT’s toughest questions, directly and without vendor influence. Wisegate curates these conversations into searchable content and formal reports as a service to its members and often the outside world. See a list of our public reports and other wisdom unveiled here.
