Supporting a bring your own device (BYOD) programme is relatively simple, says the head of IT infrastructure and support services at the Geneva-based World Meteorological Organisation.
BYOD is not a bad thing; it is great for information security professionals, Vlatka Toukalek told Computer Weekly. "It means that you can finally have happy users," she said.
According to Toukalek, there are not many real issues with BYOD, although extra caution is necessary in highly regulated sectors such as financial services.
The key is to build a really good sandbox, she said. This means ensuring that all connections to corporate systems are through a virtual private network (VPN) and virtual desktop environment.
The WMO has enabled SSL-based VPN connections to web-based systems for the past three years, adding access to legacy systems through virtual desktops on mobile devices six months ago.
"User-owned devices that connect through a VPN is better than corporate-owned devices without VPN," said Toukalek.
She also believes that if users own the devices, they are more likely to be aware of the risks and be more cautious in their behaviour.
The lack of mobile device management tools is one of the reasons cited by some companies for not allowing employees to bring their own devices to work, but this is changing, said Toukalek.
Suppliers are providing a growing number of tools such as Cisco's Identity Services Engine (ISE) to remove the barriers and give organisations the control they need, she said.
Toukalek believes it is important for businesses to be able to keep corporate data and activities separate from personal data and use of mobile devices.
Mobile access to legacy systems through a virtual desktop, she said, also provides an additional layer of control.
Just because laptops are corporate-owned, she said, does not necessarily mean the business is in control and will be able to detect if anything is amiss each time the devices reconnect to the corporate network.
Finally, it is important for businesses to have policies in place to ensure they have a way of dealing with things if they go wrong.
"But policies are only any good if they are simple and easy to enforce," said Toukalek. For this reason, businesses should put the necessary controls in place and write the policies to suit, she said.
Toukalek will be joined by Chris Swan of UBS, John Stubley of the Cabinet Office and Nick McQuire of IDC in a panel discussion about BYOD at Infosec Europe 2012, 24 – 26 April in London.
The panel will discuss the key factors to consider when devising a BYO policy at 12h30 on Wednesday 25 April in the keynote theatre.