Security Think Tank: Governance should determine strategy for BYOD

With the growth of BYOD, what measures can IT take to ensure the security of enterprise data and does MDM really have a role?

The Information Security Forum (ISF) report Securing Consumer Devices specifically addresses the issue of securing enterprise data on consumer mobile devices and the role of mobile device management (MDM) systems.

The research shows that there are four main areas where organisations should focus their efforts: 

  1. Governance;
  2. Users;
  3. Devices and apps;
  4. Data.

Governance should determine the strategy and approach the organisation adopts, for example allow any device to connect, provide users with a corporate device. 

Based on that decision, the information security approach and controls required should be specified. 

No matter the approach, the ISF's work highlighted 10 common responses (in addition to user education):


  1. Consider specific risks;
  2. Aim for a consistent solution;
  3. Clearly separate business and personal use;
  4. Demonstrate auditability;
  5. Deploy encryption;
  6. Deploy malware protection software;
  7. Implement an acceptable use policy (AUP);
  8. Ensure you can offer support;
  9. Accept you cannot block devices;
  10. Be proactive.

Organisations are increasingly treating the device – no matter its ownership – as untrusted or dirty. There is an increasing realisation that you cannot secure the device and so efforts must be focused on protecting the data.

This may mean stopping certain types of information being transmitted to mobile devices with a role for data classification, MDM and context-aware networks; adopting a virtualised or Citrix-like approach where data resides on the server, not the device; or using sandboxing.

The increasing processing power of devices actually can help security, as the devices can run anti-malware or encryption software such as that used on PC (although battery life is still an issue).

MDM is a tool that can assist in security. Most modern MDM offer services (for example, encryption, OTA upgrades) which can be woven into a consistent, enterprise-wide security solution especially when using sandboxes or similar on the mobile endpoint.

Successful MDM deployments need to be integrated with the governance approach, to support the strategy and coupled to user awareness and training.
Adrian Davis is principal research analyst at the Information Security Forum (ISF)

Read more on Privacy and data protection