Tuesday, 4 June 2013

The correct way to manage BYOD


In the IT community, there's a lot of consternation about the "bring your own device" (BYOD) phenomenon. The arguments start simply enough: IT doesn't like the loss of control, but the business units see it as a way to save money and/or enable their workers. It quickly becomes an argument about security, which is IT's way of exerting control and winning any argument. "Who knows what will happen to the data on a device someone brings in from home? And what if they lose it?" The same issues arise when companies issue employees mobile devices or computers on which they're allowed to install personal apps or use for personal purposes.

The real way to handle BYOD is to move to managed BYOD (MBYOD). That doesn't mean mobile device management (MDM), which is a basic, first-line defense, akin to locking your front door at home. In MBYOD, you start with securing your data at its source, then move on to securing it at rest and in transit between the device and your internal systems. Your goal is to manage the enterprise data without interfering with the personal data.

In other words, MBYOD means building a tiered system for access to your corporate ecosystem. You create your tiered system of access, then associate different devices with each level of access. The final piece is to publicize this system to everyone in the company.

The Holy Grail for mobile users is complete access to the corporate ecosystem. This means they can use their device to function as if they were working at a computer while sitting at their office desk. They have complete access to where their files are stored, they can move about the internal network, they can get their email, and they can access the intranet. This level of access is what you give to devices that have the best built-in information controls, managed by your information-savvy mobile management tool of choice. You know that if the device is lost or stolen that you can wipe all the corporate data from the device. Let's call this Tier 0.

You then have another tier where you might allow users to access on-premises resources but without any (or very little) data actually residing on the device. Users might be granted access to server-based computing, virtual desktop infrastructure (VDI), or one of the many server-based application-provisioning tools like Framehawk. You have some controls built into these devices, but it is very difficult to fully protect your data on them. Let's call this Tier 1.

The next layer is where you give only minimal access to users who have devices with few if any security controls. The only way to give users access to data at this level is to rely on a trusted app that can protect your data. This is where you see product  like Good Technology's Dynamics or NitroDesk's Touchdown where the client app has its own encrypted container for email and other corporate resources. The app controls the connection to the email service and encrypts the data on route to the device as well as on the device itself. Let's call this Tier 2.

The final tier is where you don't give any access at all to your users. Their devices lack all conceivable controls, and there are no apps that work reliably to help you secure your data on the device. This is Tier 3.

Now that you've defined the tiered access to your corporate ecosystem, you have to look at all the devices that are in the market and determine what tiers they reside in. The table below defines Tier 0 compatibility very specifically but gets more generic as it moves through the other tiers -- that's intentional, as you need to be very exacting as to what gets the most access, but not so much on devices that get less access.

Tier 0                Tier 1                                    Tier 2                        Tier 3

BlackBerry 10       Google Android 4.2             Google Android 4.x         Barnes & Noble Nook
                             from HTC and Motorola        from other vendors
Apple iOS 6                                                                                                     Amazon.com Kindle
                                                                             Microsoft Windows
Google Android 4.2                                               Phone 8                         Google Android 2.x through 3.x
from Samsung with
Samsung Knox                                                                          
                                                                                     
You can build as many tiers as you like, although the more you build, the harder it becomes to define what devices go where. The goal is to make this a very easy list to maintain. IT just needs to evaluate new devices as they come out and add them to the appropriate tier in the list.

Next comes the easy part. You have defined the different levels of ecosystem access, so now it's time to turn your BYOD program into a managed one. The way to do this is quite simply to publish this list of device tiers and make sure every user is aware of it. This has to be something that is accessible on the corporate intranet and hits every user's inbox.

Now the magic happens. Users who participate in your BYOD program will look at the list to determine what device they're going to buy based on what type of access they want. They know if they buy a Windows Phone 8 device, for example, they're going to have access only to email through a third-party client. If they want more access they want, they'll choose a device that better maps your information security neeeds, like an iPhone 5, a BlackBerry Z10, or a Galaxy S 4.

In this approach, neither IT nor the business unit is telling the user what device to buy. Instead, they are limiting what the users can do based on the device they choose. This approach turns any BYOD program into a self-managed BYOD program. Users have the guidance they need to make an informed choice, and the security team is happy because it has the tools in place to protect the company's data even on noncorporate devices.

No comments:

Post a Comment