Security Think Tank: BYOD – key tenets and best practices

The consumerisation of IT is happening despite policies, rules and regulations, and organisations are learning fast that their employees are rebelling against a "managed" IT landscape and are instead demanding a "market" one, with freedom of expression.

The IT organisation is now charged with delivering this change – efficiently, effectively and as securely as possible. Mobile device management (MDM) is widely deployed on corporate-provided devices, but rarely on employee-owned consumer devices for reasons of cost.

According to The Corporate IT Forum’s Enterprise Everywhere Conference and Consumerisation of IT Summit reports, there are some key tenets and best practices emerging:

• Replicating traditional corporate IT levels of control in a consumerised world misses the point and is probably impractical.
• The quid pro quo for consumers in a new world of freedom is their responsibility to look after the organisation’s data.
• Privacy is a major factor in consumerisation – it means you have to effectively sandbox company data from private data.
• Controls should be applied to the data rather than the device.
• Provide guidance for app developers to control access to information on devices.

• Read more on BYOD and MDM from the Security Think Tank

  • Governance should determine strategy for BYOD
  • Embrace BYOD, but be wary of the risks
  • BYOD security: policy, control, containment, and management
  • MDM is no BYOD silver bullet
  • BYOD means the map is no longer the territory
  • BYOD – a challenge and an opportunity
  • MDM just one way to lower the risk of BYOD
  • Management is key to secure BYOD
  • Cloud, BYOD and security – lock your doors
  Set operational principles on the use of allowed cloud services.
• Keep policies and processes up to date – revising the IS policy every two years is inappropriate.
• Consider data sensitivity – look at apps, build a risk assessment and decide whether it sits within your risk or outside it.
• Employee agreements that address wiping personal and corporate data must be active, not passive, with signatures and human resource records.

Ollie Ross is head of research at The Corporate IT Forum.