How to start developing a BYOD policy

If you are in charge of managing BYOD environments with many diverse types of smartphones and tablets, how do you start writing a BYOD policy?

In most cases, users are already using their own devices to access corporate data. How can you regain control of your IT infrastructure and protect your intellectual property without making users feel like you are imposing restrictions or roadblocks? The first step is to plan your enterprise BYOD policy. The following are three quick steps to start a BYOD policy.

1. Device Supportability: I often get asked, what devices should I support? I think you need to look at what access technologies and applications you will support. This will for the most part dictate what endpoints you will support. Some operating systems will not work in your environment. Some applications require specific operating systems and devices from specific hardware manufacturers. Most organizations start off supporting Apple’s iOS and Google Android 2.3 or later.

2. User authentication: User names and passwords are not enough to use as an authentication method. Devices must support 802.1X authentication into your wireless network. Furthermore, your access control technology should be able to identify user, location, device, and corporate asset, all at the same time, so that it can dynamically push an access policy to the user. Those access policies should follow users no matter when or how they are connected to the network. Lastly, remember that it is not uncommon for SSL applications and websites to be attacked with man-in-the-middle type hacks. End-to-end encryption such as SSL VPNs should be a must for access to the network from any unsecured, open wireless network.

3. User Data: Corporate data is moving to the cloud. This makes BYOD policies easier because you only need the proper front-end application. If cloud applications do not exist, VDI type solutions can be leveraged to deliver the applications to the users. There is no perfect solution to address the concern of secure application delivery; however, the biggest thing I point out to my customers is that corporate data from applications should never reside on the device. Smartphones are easier to lose, and data at rest cannot be guaranteed to be protected.

Some corporations even sandbox email and PIM information so they do not reside on the device. Although this is a great security measure, most users will want to use their integrated and native applications wherever possible. Therefore, smartphone DLP solutions must be examined (discussed in the next section).

4. DLP and Virtualization: This is the bleeding edge of BYOD technologies. I advise many customers to first examine their traditional DLP and virtualization technologies and ensure they are secure and deployed using best practices. Secondly, hypervisors and virtualized smartphone apps, DLP technology, and security protection software are making some interesting headlines. It will be prudent for large organizations to at least start getting educated on the options that are available and on the horizon for smart devices.
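
The checks from steps 1 to 3 can be combined into one access decision that looks at user, location, device and asset ownership together. The following is an added example, not code from the original post; the attribute names, location labels and policy names are hypothetical, and granting full access only to employees on corporate assets is an assumption made for illustration.

```python
from dataclasses import dataclass

# Step 1 baseline from the post: Apple iOS, or Google Android 2.3 or later.
MIN_OS = {"ios": (0,), "android": (2, 3)}

@dataclass(frozen=True)
class Context:
    user_group: str        # hypothetical labels: "employee", "contractor"
    location: str          # hypothetical labels: "corp_wifi", "open_wifi"
    os_name: str
    os_version: tuple      # e.g. (2, 3)
    dot1x: bool            # device authenticated to corporate wireless with 802.1X
    corporate_asset: bool  # True if the device is company owned
    vpn: bool              # SSL VPN tunnel is established

def decide(ctx):
    """Evaluate all attributes together and return (policy, reason)."""
    floor = MIN_OS.get(ctx.os_name)
    if floor is None or ctx.os_version < floor:
        return "deny", "unsupported operating system or version"
    if ctx.location == "corp_wifi":
        if not ctx.dot1x:
            return "deny", "802.1X authentication required on corporate wireless"
    elif not ctx.vpn:
        # Any network other than corporate wireless is treated as unsecured.
        return "deny", "SSL VPN required from unsecured networks"
    if ctx.corporate_asset and ctx.user_group == "employee":
        return "full", "employee on a corporate asset"
    # Step 3: corporate data should not reside on personal devices,
    # so they only get cloud or VDI front ends (assumed policy name).
    return "remote_apps_only", "cloud/VDI front ends only, no data at rest"

if __name__ == "__main__":
    # Constructed sample contexts, not real devices or users.
    samples = [
        Context("employee", "corp_wifi", "android", (2, 2), True, False, False),
        Context("employee", "open_wifi", "ios", (6, 1), False, False, False),
        Context("employee", "open_wifi", "ios", (6, 1), False, False, True),
        Context("employee", "corp_wifi", "android", (4, 0), True, True, False),
    ]
    for s in samples:
        print(s.os_name, s.os_version, s.location, "->", decide(s))
```
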
