What you need to know before integrating employee devices on your network
Bring Your Own Device (BYOD) is the current hot trend. (And has been for a while, really.) There are many perceived advantages for a company that allows employees to bring their own devices to work and have access to your company resources, but is BYOD right for you? Can you make mistakes when developing your BYOD policies? Can you really let any device connect to your resources?
Lets look at a few top issues that you should be aware of.
What devices should your BYOD policy include?
BYOD used to mean Bring Your Own (Smartphone or Tablet) Device. The BYOD movement started through the failure of BlackBerry to keep up with Apple and Google as they began to dominate and revolutionize the mobile landscape with more capable devices that had much faster CPUs, more memory, larger screens, and desktop web browsing capabilities.
BYOD has now morphed into Bring Your Own (Smartphone, Tablet, or Laptop) Device. But what devices do you want your BYOD policy to include? Do you want to limit it to smartphones and tablets, or do you want to include laptops?
Which smartphones and tablets should you allow?
Today the market is awash with smartphone and tablet choices from Apple, Google, Nokia, Microsoft, Samsung, HTC, Motorola, LG, and even Amazon — to name but a few manufacturers. If you adopt a BYOD policy that includes smartphones and tablets, can you really allow your employees to bring in any device they want, and expect that the device is secure enough?
The answer is no, not all mobile devices can be secured to the same level. (Nor should you ever assume an employee's home device is safe.)
Apple leads in the enterprise because it has built strong and flexible APIs since 2010 (starting with iOS 4.0) that allow Mobile Device Management (MDM) vendors to tightly secure, control, restrict, and monitor iOS devices. Those controls have improved greatly with iOS 7. Google's Android mobile operating system is not as popular in enterprise because Android does not provide many built-in controls and is perceived as insecure — even though that isn't really the case.
Vendors like Samsung have made radical additions to Android to try and make it more secure. For example, some Samsung devices support Samsung Approved For The Enterprise (SAFE) and Samsung Knox that allow similar kinds of controls as what is found in iOS. Windows Phone and Windows RT tablets presently lack the kind of secure compartimentalization that is available on iOS and Samsung devices.
So as you think about which devices you should allow, you need to consider how each can be secured. You can either limit the device choice to iOS and a limited selection of Android and Windows Phone/Windows RT devices, or you could use a method of device security called Containerization that we discuss in its own section below.
Will you allow laptops?
If you allow your employees to bring their personal laptops, which ones will you allow, and how will you ensure that they are secure? Some MDM vendors do offer laptop management, but you may choose to use virtual machines instead. Virtual machines allow you to create a "company secure build" of Windows, and have that virtual machine run on personal Windows, Mac OSX, and Linux laptops.
Mobile Device Management (MDM) or Containerization?
The traditional method of securing smartphone and tablet devices is to use MDM. This allows the IT staff to have full control over the entire mobile device if they decide to, or only control the company data and apps.
Your employees may not appreciate that you have full control over their mobile devices, even if you have chosen not to exercise that that power. Your employees may prefer that you only have control over part of their device, leaving their personal data alone.
Containerization (also known as Dual Persona) is the solution for two issues. The first issue is that of providing that same security policy across all Smartphones and Tablets no matter what operating system they are running. The second issue is that of personal and company separation.
By keeping your company email, contacts, calendar, and apps in a separate, secure, encrypted container on the Smartphone and/or Tablet, you have no way of having visibility into their personal device, apps, and data. You are limited to controlling only the container. Dual Persona is increasingly becoming the go-to choice for BYOD since it provides peace of mind, and truly separates personal and company data.
Bring Your Own App (BYOA)
BYOA is a movement that leverages the popularity of containerization, but to the app level. The idea is that you take your company's apps and wrap them in a secure container, and push them to your employees' personal devices. You only have control over the app in the container, and not entire parts of the device. The app is secured in its container, and may have access to data behind your firewall via a secure connection from the container.
This truly separates corporate and personal data at the app level.
Monthly voice and data costs
When you allow your employees to use their own devices, you should consider whether you want to compensate them in some way. Do you want to take the approach that since they would be paying for voice and data anyway, that you do not need to provide a monthly stipend. Some employees may argue that they pay for the voice minutes and data usage based on their personal use, and do not have unlimited data plans. In this situation, they could argue that their voice and data usage will increase when they start accessing company resources.
You need to decide whether to offer a monthly voice and/or data stipend, and how much to offer.
If employees need to travel internationally for work, how will you handle international voice and data rates?
When you adopt a BYOD policy, you will need to decide whether you want to provide support for your employees, and how much support. Your employees may be bringing devices running multiple mobile operating systems (and in the case of Android, many variants of that operating system).
What type of support will you be offering through your help desk? How will you effectively train your support staff to deal with the device diversity, and will you need to hire more people to provide that support?
How do your current laptop security policies translate to mobile?
Most companies already have well established security policies that they apply to company provided laptops. These include password policies, hard disk encryption, two factor authentication, limited web browsing, and blocking of eternal storage to name a few.
While your may want to simply use those same policies on smartphones and tablets that access your resources, it may not be practical to do so. Some policies that work on laptops, may not translate to mobile, and policies that do translate may be too invasive or limiting. Plan on using a subset of your current end-point polices for mobile.
Nobody ever said BYOD would be easy
As you can see, creating a BYOD policy encompasses many different areas, and there are many decisions to be made so that your BYOD policy does not fail. Making it too restrictive or intrusive could lead to rebellion by your employees. Making it too relaxed could lead to exposed company data or data leakage. Not accounting for all variable could actually lead to an increase in cost, instead of the decrease you were hoping for.
BYOD has benefits and detractions that you need to weigh when considering implementing it for your business. But done right and the benefits can far outweigh the costs.