The bring your own device (BYOD) movement has shaken traditional security controls to the core.
It is becoming increasingly difficult, both technically and legally, if not impossible, to fully control ownership of user devices that access company data and to secure the integrity of those devices. While consumerisation is driving this forward, security is being left behind.
In the traditional model, where employees used only a workstation in company offices or a hardened laptop on the road, company data was confined to walled gardens. Those typical security controls no longer apply.
While many mobile devices feature added capabilities for enterprise mobile device management (MDM) software to manage some aspects of the security, the trust model is inherently broken.
Regardless of how good the MDM solution is, it is a fact that data is processed, either directly or indirectly via terminal sessions, on untrusted devices.
Companies should recognise this and make decisions about what data should and should not be processed on these devices. A simple information security classification policy with three levels is advised:
- Data that must not be processed or accessed on BYOD devices – this is typically secret data.
- Data that may be accessed only via terminal sessions, such as VMware View, Citrix vApp – the device must be managed by enterprise MDM software.
- Data that may be processed and stored on BYOD devices – this requires encryption supported by the mobile device operating system, and the device should be managed by enterprise MDM software.
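The three-level policy above can be expressed as a fail-closed access decision: the most sensitive classification touched by a request governs it, secret data is refused on any personally owned device, and the MDM and encryption requirements are checked before the access mode. The following Python is an added illustration, not code from the article or from any MDM product; the tier names, the `Device` and `Request` attributes and the "terminal"/"local" access modes are assumptions modelled on the article's wording. It also goes one step beyond the text by judging a request that touches several classifications by the strictest of them.

```python
"""Policy checker for a three-level BYOD data classification.
Added illustration; tiers, access modes and device attributes are
assumptions modelled on the article, not a product's API."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Higher value = more sensitive. Ordering lets a request that touches
    several classifications be judged by its most sensitive item."""
    INTERNAL = 1      # may be processed and stored on the device (encrypted)
    CONFIDENTIAL = 2  # terminal sessions only (VMware View, Citrix, ...)
    SECRET = 3        # never on a BYOD device


@dataclass(frozen=True)
class Device:
    byod: bool            # personally owned device?
    mdm_managed: bool     # enrolled in enterprise MDM
    os_encryption: bool   # OS-supported storage encryption enabled


@dataclass(frozen=True)
class Request:
    tiers: tuple   # classifications of the data touched by the request
    mode: str      # "terminal" (remote session) or "local" (data on device)


def evaluate(device: Device, req: Request) -> tuple:
    """Return (allowed, reason). Corporate-owned devices are outside this
    policy and are allowed here (assumption: existing controls apply)."""
    if not device.byod:
        return True, "corporate device: existing controls apply"
    if not req.tiers:
        # Unclassified data is treated as unknown risk: deny by default.
        return False, "no classification supplied: deny by default"
    top = max(req.tiers)   # the strictest tier governs the whole request
    if top == Tier.SECRET:
        return False, "secret data must not be processed or accessed on BYOD"
    if not device.mdm_managed:
        return False, "BYOD device must be enrolled in enterprise MDM"
    if top == Tier.CONFIDENTIAL:
        if req.mode == "terminal":
            return True, "confidential data via terminal session on managed device"
        return False, "confidential data may only be accessed via a terminal session"
    # top == Tier.INTERNAL: local storage is allowed only with OS encryption
    if req.mode == "local" and not device.os_encryption:
        return False, "local storage requires OS-supported encryption"
    return True, "internal data permitted on managed BYOD device"


if __name__ == "__main__":
    # Constructed sample devices and requests (not real telemetry)
    managed = Device(byod=True, mdm_managed=True, os_encryption=True)
    unmanaged = Device(byod=True, mdm_managed=False, os_encryption=True)
    for dev, req in [
        (managed, Request((Tier.INTERNAL,), "local")),
        (managed, Request((Tier.CONFIDENTIAL,), "local")),
        (managed, Request((Tier.INTERNAL, Tier.SECRET), "terminal")),
        (unmanaged, Request((Tier.INTERNAL,), "local")),
    ]:
        print(evaluate(dev, req))
```

The reason string is returned alongside the decision so that a denial can be logged and surfaced to the user in the awareness material the article calls for, rather than failing silently.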
This needs to be supported by strict usage policies and by updated awareness training and material, especially the do's and don'ts of accessing company data with personal devices.
In summary, embrace BYOD by understanding the technical limitations – and the will of employees.
Vladimir Jirasek is director of research for the UK chapter Cloud Security Alliance (CSA) and managing director of Jirasek Consulting Services.