A three-dimensional approach to BYOD strategy deployment includes a focus on people, process and technology. Following on from the first part – which highlighted employees as the first line of defence and crucial to BYOD success – process and technology are equally important.
Process: There must be a clear understanding of the compliance and regulatory requirements the enterprise must meet and how those obligations could potentially be affected by the BYOD roll-out.
In addition, it is important to have specific BYOD-related security policy and controls for deployment, with processes to execute those controls such as over-the-air (OTA) traffic encryption. It is imperative the consequences of misuse and violation of BYOD are clearly highlighted in the policy and strongly communicated to employees to eliminate ambiguity in the organisation’s objectives for the deployment.
These regulations and processes must also be defined in the context of security and data privacy, especially catering for situations when employees leave the organisation – it is easy for sensitive data to exit the organisation’s boundaries, as staff take their personal devices with them.
Ultimately, based on the organisation’s risk appetite, the policy and processes must balance the need for control versus flexibility.
Technology: Part of the reason BYOD creates a huge security risk is the multiple networks, applications and end-points through which data is accessed, all of which must be properly managed. This requires an understanding of the organisation’s existing environment, technologies deployed and the mobile device operating systems that must be supported.
Today many advanced mobile device management tools are available. While they all offer similar functionalities, product selection must be driven by support requirements for the various mobile operating systems and devices; compatibility checking with respect to integration with the existing IT environment and data loss prevention tools; and digital rights management solutions if any.
It is advisable to undertake a proof-of-concept phase – it helps with checking feasibility and addressing any unforeseen issues in a controlled environment. After this, enterprise-wide roll-out is best undertaken in a staged manner. Such an approach helps rectify problems as they happen and pre-empt them from happening again.
Areas that must be carefully considered include:
- What devices and mobile operating systems must be supported?
- What are the security requirements at each level - devices, applications, data access and operating systems?
- What are the security risks of letting employees access corporate data through their personal devices? What is the organisation’s risk tolerance?
- How can mobile deployment be managed without risking sensitive data or intruding on employee’s rights to privacy on their personal devices?
- How can access be managed for native applications on employees’ personal devices with corporate mobile applications?
Such a deep dive into the role of people, process and technology is instrumental to a successful BYOD strategy. It is an investment that can greatly minimise security risks and optimise the opportunity to meet the business requirements.
Munish Gupta, CISSP, is a security architect in the cloud division of Infosys and Souvik Khamaru is a senior security architect in the cloud division of Infosys