How to create a mobile device policy in the BYOD era
- 23 July, 2012 12:20
Bring-your-own device (BYOD) policies might placate workers who can't live without their iPhone but several steps, including employee agreements, are needed to ensure a potential security nightmare is avoided, according to one analyst.
Speaking at the recent Gartner Security and Risk Summit in Sydney, US analyst John Girard told the audience that when forming a policy, IT executives first needed to realise that BYOD may actually end up costing the company more.
“Charges are a big issue because we’re telling people to use their own equipment,” he said. “If you pass all the costs on to the user you have to accept that it changes service-level agreements.”
Girard provided the following tips for a successful BYOD policy.
Get employee agreements in writing
According to Girard, a signed piece of paper can help to avoid arguments between CIOs and other C-level executives. For example, if a C-level executive loses data on their mobile device and tries to blame it on the IT manager, the IT manager can show the executive a copy of the document they signed which shows they are responsible for their own backups.
“Your biggest problem is data exposure and compliance. If the user loses their device or it’s a shared device, at some point you have to provide accountability such as who had access [to data] and where was it shared,” he said.
“That’s the essence of fines, disclosure and operational difficulties that a lot of companies get into. We’ve seen some big fines come out but it can be extremely expensive to mitigate all the breach disclosures that go on after information has been lost.”
Mobile device certificates
If the company uses applications where data is stored on the mobile device, Girard suggested the use of certificates to invite people to get access to the virtual private network (VPN), email or Wi-Fi services.
“Certificates are an in-depth imbedded part of mobile application architecture and operating system architecture,” he said. “If you are using a mobile device management [MDM] tool, you get a very simple console that allows you to specify use patterns for people who are getting access by certificate,” he said.
According to Girard, MDM tools will cost the enterprise money but save IT executives time and effort.
For example, he cited a Symantec MDM product that includes a requirement for user authentication, rules on if users can store business data on the device and when that information has to be deleted.
“This leads to a dashboard which shows which of your users are following the policy and leads you to an exception report which indicates if anyone tries to jailbreak their device,” he said.
“If the device is jailbroken, the mobile management system will show what actions were taken such as no more access to email or the VPN while the device remains jailbroken.”
Latest mobile operating systems
In addition, IT executives needed to impose strict a BYOD policy with regards to older iOS and Android operating systems (OS) because of vulnerabilities.
For example, Girard said that the iPhone would need to be the 3GS model running iOS 5 or a newer version of the OS.
“If it’s an Android device you have to say Android 4 or later and ask for proof that the [Android] device has encryption. That is because Android certification does not require proof of encryption.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
How to Switch From iPhone 5S to BlackBerry Z30 (and Why)
CIOs to Become In-House Brokers -- and That's a Good Thing
The future of computing
10 Hot Hadoop Startups to Watch
The future of computing
Transform IT, Transform the Enterprise
Existing IT operational models and an ageing infrastructure are CIOs back from their full potential. This paper reveals the three IT imperatives for a CIO-led transformation, and details how CIOs are adopting strategies to change IT and assert their organisations as business leaders and innovators.
Why you should be re-thinking your approach to data protection
Organisations of all shapes and sizes need a new approach to data protection that addresses the challenges of data growth, but IT budgets are not keeping pace with the escalating costs of supporting storage requirements. This whitepaper explores how securing and retrieving organisational data will need to be done more efficiently.
Top 20 Critical Security Controls - Compliance Guide
Simply being compliant is not enough to mitigate attacks and protect critical information. Organizations can reduce chances of compromise by shifting away from a compliance-driven approach. This guide provides the Top 20 Critical Security Controls (CSCs) developed by the SANS Institute to address the need for a risk-based approach to security.