Security Think Tank: BYOD security: policy, control, containment, and management

With the growth of BYOD, what security measures can IT take to ensure security of enterprise data – and does MDM have a role?

The IT department has been accustomed to providing security for the devices and tools that it selected, owned, deployed and controlled. 

With bring your own device (BYOD) practices, the goal of enterprise information security remains the same. 

Protecting enterprise data is the number one priority, but the legacy approach to information security needs to be updated.

There are four main areas to address around BYOD and personal clouds in the workplace:

  • Policy: A security policy, whether mobile or other, communicates the effects of architectural decisions to the user, highlighting his or her rights and obligations. The policy serves the purpose of illustrating correct and acceptable use, and deterring misuse;
  • Control: Tools such as mobile device management (MDM) software enable corporate control over vital components of the device, translating the mobile policy into technical actions;
  • Containment: Containers, dual persona and application wrappers all provide application-level protection for sets of, or individual, applications;
  • Enterprise tools: Enterprises cannot stop consumerisation. However, they can compete with it by offering their workforce attractive and user-friendly tools (mobile applications) to deter the use of consumer applications for professional activities.

Let us look at an example: a mobile policy forbids users from storing corporate data on their personal cloud, while an MDM agent ensures this policy is followed via technical measures on the user's mobile device.

A container on the device integrates with the enterprise infrastructure and stores all the documents that are downloaded from attachments or the knowledge management system in an encrypted state.

Finally, a secure enterprise cloud offers a superior user experience, allowing co-workers to store and exchange large files, and deters users from using public alternatives with unencrypted enterprise data.

Correctly balancing the four main ingredients of policy, control, containment, and management tools is paramount in this exercise.

To do so, one must consider the enterprise culture as well as existing tools and processes. No two enterprises are the same, so each one will reach a slightly different equilibrium.

With mobile devices and MDM, changes are happening very quickly compared to other technology markets. As a consequence, a tactical approach is needed to effectively implement mobile policy, control, containment, and management tools.

MDM suites are becoming aggregators of policy enforcement, containment and enterprise mobile application solutions.

On the device side, new models offer built-in enterprise security capabilities that can be leveraged by MDM tools — not only in terms of device management but also in terms of containment.

Gartner recommends acting tactically to protect data with current tools and on contemporary devices, with the objective of repeating the exercise periodically to accommodate change.

Dionisio Zumerle is a principal research analyst at Gartner
