Security Think Tank: Embrace BYOD, but be wary of the risks

With BYOD and the growth of the personal cloud being used at work, what security measures can IT take to ensure security of enterprise data and does MDM really have a role in security?

The bring your own device (BYOD) movement has shaken traditional security controls to the core.

It is becoming increasingly more technically and legally difficult, if not impossible, to fully control ownership and secure the integrity of user devices that are accessing company data. While consumerisation is driving this forward, security is being left behind.

In traditional mode, where employees only used a workstation in company offices, or hardened laptops on the road, company data was confined to walled gardens. But typical security controls are no longer applicable.

While many mobile devices feature added capabilities for enterprise mobile device management (MDM) software to manage some aspects of the security, the trust model is inherently broken.

Regardless of how good the MDM solution is, it is a fact that data is processed, either directly or indirectly via terminal sessions, on untrusted devices.

Companies should recognise this and make decisions about what data should and should not be processed on these devices. A simple information security classification policy with three levels is advised:

  1. Data that must not be processed or accessed on BYOD devices – this is typically secret data.
  2. Data that may be accessed only via terminal sessions, such as VMware View, Citrix vApp – the device must be managed by enterprise MDM software.
  3. Data that may be processed and stored on BYOD devices, and in this case requires encryption supported by the mobile device operating system – the device should be managed by enterprise MDM software.

This needs support in the form of strict usage policies, an update of awareness training and material, especially the do’s and don’ts of accessing company data with personal devices.

In summary, embrace BYOD by understanding the technical limitations – and the will of employees.

Vladimir Jirasek is director of research for the UK chapter Cloud Security Alliance (CSA) and managing director of Jirasek Consulting Services.


Read more on Endpoint security