The trend for individuals to bring their own device to work is increasing, but enabling BYOD has been much easier than understanding and managing its security implications.
In many instances, increasingly tech-savvy users are simply configuring their own remote and email access outside corporate IT security guidelines and potentially storing sensitive corporate information on them. This introduces issues where users might bring their own device into the office and then connect it to the corporate network using a wired or a wireless connection.
I believe we need to find practical ways to support consumer technology at work while maintaining control of sensitive information. BYOD requires a security policy which is enforceable, realistic, acceptable to users and doesn’t violate personal privacy laws. It needs to ensure there is no ambiguity and that all users are clear what is and is not allowed. Once all employees have been informed, the policy should be rigorously enforced.
Whoever is responsible for company IT should also encourage users to come to them for advice on using their device so that they don’t send information outside the organisation in an uncontrolled fashion.
The core principle is to minimise the amount of data transferred to or held on the device. There are three steps organisations can take:
1.) Virtualise applications and stream them to the device.
2.) Allow access but implement a corporate policy to prevent the user downloading sensitive organisational data. If the organisation wants to allow data to be downloaded, it becomes the user’s responsibility if they lose the device, and they need to be made aware of the consequences and their responsibilities.
3.) Take advantage of the remote wipe capability that most devices have, using encryption to secure sensitive data, and ensure that the organisation’s BYOD policy mandates implementing Mobile Device Management (MDM) capability on the device.
Virtualisation can be enacted in three ways. Option one is to run a hosted or virtual corporate desktop which the user can access through their device using software such as Quest, Citrix or VMware. All the device needs is the appropriate client software. This solution is largely device-independent, so it will work with everything from a user’s own laptop and all major tablet types to a Windows, Android or Apple phone. It does need appropriate back-end systems and network connectivity to deliver the desktop or application, which means that the user cannot work on corporate applications unless they are connected to the network. It can also be set up so the user can only access the desktop from known IP addresses. Of course, ensuring that the device is reasonably secure and protected by some form of security software is important.
A second option, particularly for laptops, is to install client hypervisors and virtual desktop check-in/check-out software on the device, such as MokaFive, Citrix Xenclient or VMware View offline. Windows 8 HyperV can also work in a similar fashion. This is a higher impact solution as the IT team needs to configure the user device and install the client hypervisor to accept the virtual desktop. It works by creating separate, bootable desktops on the same device and partitioning the hard drive into business and personal areas. As this can be run locally, it’s a good solution if the user needs to work offline. When they go back online it checks back into the server (using a VMware/Citrix solution) or synchronises (using MokaFive/Quest). It’s particularly good with laptops but won’t work with all devices as you cannot run a full corporate desktop on devices such as an iPad. It also creates more work for the IT team, who have to configure the device and install the client hypervisor to accept the virtual desktop.
The third option is to repackage applications to be accessed through a portal (similar to iTunes). It requires either application streaming or the creation of lightweight clients (apps) which can run on a smartphone or tablet, devices which have just enough intelligence to run basic functions while most of the processing is carried out by the web-based back-end. This becomes more difficult if the user wants to run ‘large’ applications such as SAP or Microsoft Office. This is where most people believe desktops are heading, with a web portal used to display available applications to the user accessible from a wide range of devices and operating systems.
BYOD is clearly here to stay, so each organisation needs to find a way to develop a policy that both maintains data security and satisfies users. The list of considerations will differ for each organisation, but it is always essential to ensure that corporate policy is made first before looking for technical solutions.
By Richard Blanford, Managing Director, Fordway
Bio: Richard founded Fordway in 1991 and has built it into one of the UK’s most respected IT infrastructure change providers. An ex-technician, his 20+ years’ experience enable him to prioritise business-critical problems and offer constructive, vendor independent advice.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.