Bring Your Own Device: The Risks And Benefits - Part 2
You can read Part 1 here.
Deciding on a BYOD Adoption Strategy
Different businesses will approach BYOD with different expectations across a spectrum of adoption scenarios. Every business needs a BYOD strategy, even if the intention is to deny all devices except IT-approved and managed devices. Figure 2 shows a number of possible adoption scenarios into which most businesses fit.
Businesses within industries with high degrees of regulation, such as finance or secure government agencies, may need to take a restrictive approach with BYOD adoption to protect sensitive data. Devices may need to be tightly controlled and managed as in the traditional IT approach, which may still be valid in these instances.
For many companies, adoption will range from allowing a broader set of devices with restrictive access to applications to embracing BYOD in full, encouraging broad adoption of many or all device types and deploying security measures to enable access to a broad set of enterprise applications and data. In the broadest sense, some companies will adopt a “mobile first” strategy, whereby their own internal applications development will be prioritized on tablets and smartphones, seeking competitive advantage by leveraging the broadest set of productivity tools and devices.
Understanding where your business will fit now and in the future along the adoption spectrum is useful to prepare for security policies, entitlement, and overall strategy for the BYOD initiative.
Understanding Native, Browser, and Virtual Modes
Securing and preventing the loss of corporate data is a top concern when implementing BYOD. It is important to understand three possible application architectures and the trade-offs involved: native, browser, and virtual. These are shown in Figure 3.
In native mode, applications running on the device communicate directly with the application server in the host data center (or cloud). Data may be exchanged and stored directly on the BYOD device. Typically the application performance and user experience are closest to the specific device; in other words, a business application functions much like any other application on the device. All the productivity benefits and device behavior are preserved and applications can be tailored to provide enhanced experiences.
A browser approach is increasingly being adopted for application access due to the ease of portability across devices and operating systems. Essentially any device with a standard HTML browser capability can be used to access the application. The disadvantage is that, much like native mode, data may be exchanged and stored directly on the BYOD device, leading to security challenges and concerns about data loss. In addition, there may be some sacrifice of user experience.
In contrast, in virtual mode, applications exist on the application server in the data center (or cloud) and are represented through a VDI client on the device. Data is not stored locally on the BYOD device. Only display information is exchanged and rendered on the BYOD device. While this method provides maximum data security, user experience may be a compromise due to the translation from an application server to the form factor and OS native to the BYOD device. Early adopters of this approach have provided somewhat negative feedback.
It is important to make decisions about which mode, native or virtual, will be relied on for the application architecture. Many companies may use a hybrid approach, using native mode for many standard business applications and virtual mode for a subset of applications with stricter confidentiality or sensitive data requirements.
Have an Encompassing End User Agreement
Although not part of the network architecture, one area that must be well thought out prior to any BYOD implementation is the end user agreement (EUA). Because of the mixing of personal and corporate data, and the potential of having employee-owned devices being used for work, it is critical to outline policies up front and be sure to communicate these to employees in advance.
IT organizations need to familiarize themselves with the relevant laws, including the Computer Fraud and Abuse Act, the Wiretap Act, and the Communications Assistance for Law Enforcement Act (CALEA).
What will company policies be? Will communications be subject to monitoring? Will policies apply to both corporate and personal? Areas to be addressed include (but are not limited to):
- Text messaging
- Voice calling
- Internet browsing
- Instant messaging
- GPS and geo-location information
- Applications purchased/installed
- Stored photographs and videos
- Device “wiping”
As a simple example, many businesses regularly filter and monitor Internet access to ensure compliance with policies against accessing inappropriate Web sites at work. Most BYOD devices have direct internet access through public WiFi and/or 3G/4G mobile Internet access. It would be common to have a policy against browsing X-rated Web sites on a device connected through the corporate network. Will the same policy apply if the employee decides to browse sites on their employee-owned device, on personal time, through public Internet access?
As another example, it would be common to have policies against transmitting inappropriate messages containing very personal photos through E-mail or text messaging while using a corporate-owned device or corporate network. Will the same policies apply to personal E-mails or personal text messaging on an employee-owned device? Which communications will be monitored? Which will not?
There have been several legal challenges recently in cases involving an employer who remotely “wiped” an employee-owned device, including both the corporate and personal data it contained. Imagine your surprise as an employee when, by using your new tablet to access the corporate network, you unknowingly agreed to let IT delete your favorite family photos. Other challenges exist around potentially illegal wiretap situations, where employees allege that their text message conversations were illegally monitored by a company that failed to notify them.
The key to avoiding legal liabilities is to notify, notify, and notify again. Make it clear to employees in a written policy that they must accept how the company will treat corporate and personal data and communications on the BYOD device. Make it clear what rights the employee is forfeiting, by agreeing to the EUA, to gain access to the network with an employee-owned device.
Have a Lost or Stolen Device Policy
Similar to the previous discussion about having a complete EUA in place, businesses should have a plan in place for how lost or stolen devices will be handled. What will be the process for notification by employees? What are the necessary steps to remove access to the corporate network? What steps can and will be taken to remotely remove local data stored on the device?
Different solutions offered in the market provide varying degrees of capability to reach out to a device remotely and destroy data or applications to ensure they remain confidential. Consider the types of data that are likely to be stored on BYOD devices and integrate mitigation plans into the overall BYOD strategy before deployment.
For the vast majority of industries, BYOD has arrived. The number of industrial enterprises that forbid BYOD practices is decreasing due to pressure from employees and the increasing dynamics of a more connected and informed customer-driven market. The ability to adapt and leverage technology to drive business imperatives and value throughout the entire value chain is critical. A sound BYOD strategy built around open IP-based standards and technology is a key component to achieving this objective.