Security Think Tank: Embrace BYOD, but be wary of the risks



The bring your own device (BYOD) movement has shaken traditional security controls to the core.

It is becoming increasingly difficult, both technically and legally, if not impossible, to fully control ownership and secure the integrity of user devices that are accessing company data. While consumerisation is driving this forward, security is being left behind.

In the traditional model, where employees used only a workstation in company offices, or hardened laptops on the road, company data was confined to walled gardens. But typical security controls are no longer applicable.

While many mobile devices feature added capabilities that let enterprise mobile device management (MDM) software manage some aspects of security, the trust model is inherently broken.

Regardless of how good the MDM solution is, it is a fact that data is processed, either directly or indirectly via terminal sessions, on untrusted devices.

Companies should recognise this and make decisions about what data should and should not be processed on these devices. A simple information security classification policy with three levels is advised:

  1. Data that must not be processed or accessed on BYOD devices – this is typically secret data.
  2. Data that may be accessed only via terminal sessions, such as VMware View, Citrix vApp – the device must be managed by enterprise MDM software.
  3. Data that may be processed and stored on BYOD devices, and in this case requires encryption supported by the mobile device operating system – the device should be managed by enterprise MDM software.

This needs support in the form of strict usage policies and updated awareness training and material, especially on the do’s and don’ts of accessing company data with personal devices.

In summary, embrace BYOD by understanding the technical limitations – and the will of employees.

Vladimir Jirasek is director of research for the UK chapter of the Cloud Security Alliance (CSA) and managing director of Jirasek Consulting Services.



This was first published in May 2013

