Report: Corporate mobile device policy must align security, job roles

In the debate between BYOD and company-issued devices, a new report compares mobile platforms and recommends devices based on users’ job roles.

Many companies are debating whether to allow employees to mix their work and personal lives on a single smartphone or tablet of their own choosing, or if they should insist only company-issued hardware be allowed to access corporate systems. A new report claims the answer to the BYOD (bring-your-own-device) debate depends on who the user is, and what their job role entails.


The report, “Enterprise Readiness of Consumer Mobile Platforms” (.pdf), published earlier this week, recommends companies develop their corporate mobile device policy by aligning mobile device choices with users’ job roles. The findings are based on a study by two research companies, California-based Altimeter Group and London-based Bloor Research, in collaboration with security vendor Trend Micro Inc.

The report tabulated the features of the four leading smartphone operating systems – BlackBerry 7.0, Apple iOS 5, Android 2.3 and Windows Phone 7.5 – and assessed them for security in an enterprise. The report also looked at how employees of different seniority might want to use a personal smartphone for business use. For example, it defined executive, manager, general knowledge worker, contractor and other job roles and their likely need for mobile device security features such as encryption, multifactor authentication and complex passwords.

By matching the features of the operating systems with functions different users might need, the report showed where it would be wise to allow BYOD, and where it could prove troublesome or insecure.

Unsurprisingly, the BlackBerry scored highest across the board of security functions, especially when used with the BlackBerry Enterprise Server, which provides a closed, relatively secure environment. Apple came in a close second in the security ratings, with Windows next in line, and Android in fourth place.

“Not all mobile platforms are created equal, and although users may express a preference for one platform or another, there has to be an element of business decision making. It can’t all be down to user preference,” said Rik Ferguson, director of security research and communication with Trend Micro, based in Buckinghamshire, and one of the report’s authors.

He said companies need to adopt BYOD in a controlled fashion, rather than trying to block it.

“Businesses should be saying ‘yes’ to BYOD because it does increase business flexibility, and users are happier when they don’t have to carry around two devices for work and home life,” Ferguson said. “But it’s not a good idea to say ‘yes’ to everything for everyone. With senior executives, for example, it may be a good idea to insist on BlackBerry, because you can secure the data on the device more effectively.”

Ferguson noted the researchers chose to assess Android 2.3 rather than later versions, because it is still the most widely deployed version of the Android operating system.

“We aren’t saying you can’t have Android in your environment, but be aware that there are things you can’t do on that platform,” Ferguson said. “There are challenges of patching or updating the Android operating system – so it needs to be confined to people with the lowest access to privileged information.”

Nigel Stanley, a security specialist at Bloor Research and one of the report’s authors, said the aim of the study was to provide an impartial analysis of each of the four platforms and to help companies with their BYOD decisions.

“The rationale behind the report was to provide objective information to match different job roles to their use of smartphones,” Stanley said. “The role-based information can be useful in helping companies create their security policies.”

Stanley said good policies have to be developed in conjunction with users. “BYOD has to be predicated on good governance and a good security policy that takes in all the issues that come into play,” he said. “The culture of the business can influence the policy hugely. Unless C-level execs are brought into this and can lead by example, you’re stuffed from day one.”
