A secure BYOD policy at MasterCard? Priceless
- 16 May, 2012 06:44
More than a year into its bring-your-own-device program, MasterCard Worldwide continuously assesses the security technology and policies that allow 30 per cent of its employees worldwide to use their personal iPhones, iPads and Android devices at work.
"Security is a high priority for us," says Edgar Aguilar, group executive of infrastructure and operation services at the $US6.7 billion credit card company.
Employees can get work email on their devices and merge their personal and business contacts and calendars. "We are giving them access to their own information in a form factor they feel familiar with," Aguilar says. (The company issues BlackBerrys, which aren't part of the BYOD program.)
For participants in the BYOD program, MasterCard sets strict conditions of use.
Data stored on or transmitted to or from the device is encrypted. MasterCard also requires passwords to lock the smartphone or tablet or to get on the corporate network. "It's essentially a secure container," Aguilar says.
If the device is lost or stolen, MasterCard can wipe just the corporate information. "It's up to the users to make sure they protect their personal information."
Janco Associates, an IT management consulting firm, says CIOs should consider reaching further into the home life of employees. A BYOD policy template it recently published stipulates that any personal device that synchronizes with a sanctioned BYOD machine must use antivirus software "deemed necessary" by the IT group. Also important: IT must install mobile virtual private network software on the device, or at least approve of the package the employee uses.
About 2000 of MasterCard's 6700 employees worldwide have signed up for BYOD so far, and that number is growing, Aguilar says. "We keep hiring new employees around the world and we see more requests for BYOD."
Aguilar's next step was allowing access to the corporate intranet on personal devices, a feature he enabled early last year. Whatever new applications it deploys, MasterCard, which does business in nearly every country, wants to do it globally, not favoring any one country over another, he says. That means knowing how wildly different data privacy rules affect the use of personal smartphones and tablets.
MasterCard can simply tweak its policies for laptops, for example. But the difficulty with personal devices is being able to prove that the company complies with privacy regulations in the event of audits or lawsuits. MasterCard wants to have archiving and usage logs in place and tested before opening other applications to the BYOD program, Aguilar says.
Janco advises IT departments to store records of mobile device activity in a number of ways: based on files, individual users and groups of users, IP address, and material downloaded, uploaded and previewed. At MasterCard, an in-house attorney has been involved in the BYOD rollout from the planning stages. "They provide advice throughout the process, not at the tail end."
Contact Senior Editor Kim S. Nash at email@example.com. Read her blog, Strategic CIO.