The idea behind BYOD is that users can use a personal device such as a tablet for both personal and business use. As you can imagine, the scenario of users bringing in their own devices to connect to a corporate network gives visions of malware and /or other nasties spreading through the corporate network. This has led to some people dubbing BYOD as "Bring your Own Disaster". As with many areas in IT, however, you can set some rules that should minimize the security risks of BYOD.
Many users now have devices that they are comfortable using. For example, some users may have a Mac Book Pro, a Linux notebook, an iPad, or a smartphone. BYOD can assist a company by achieving savings in outlay on IT items such as laptops or PCs. Staff can use their personal devices, and by so doing, can also be more productive. The growth in BYOD has been fuelled by the growth in tablet computers and smartphones. It is expected that these devices will represent the majority of all personal devices used by personnel.
BYOD does bring with it a host of security issues. Malware and eavesdropping (in the case of using public Wi-Fi) are two possible risks. What we will do in this post is to take a look at some of the preliminary steps required for implementing BYOD. Ideally, a policy document on BYOD should be created, and all staff members should be able to access the policy document.
What devices are supported?
A good starting point for BYOD is: what sort of devices should be able to access the corporate network. Following on from this, what sort of operating systems should be supported on the corporate network, and potentially what version(s). The supported devices will in some respects be driven by what applications are required. A Windows 7 application, for instance, may have no equivalent on an iPad. If it is a critical application, then personnel won't be able to use an iPad on the corporate network until the application is ported to iOS.
What levels of access are permitted?
Some users may be allowed different access depending on their job function. As an example, sales people may use tablets more than standard laptops/PCs. Support staff may use laptops or tablets when on the road.
What this may mean is that support staff will have intrinsically different requirements for access compared to say, sales. Support staff may (for example) require access to in-house knowledge bases, or to other databases. Sales personnel may only require intranet, email and messaging access.
What corporate applications are required?
The next aspect is what applications need to be installed on the user's device. Depending on the user groups, some users may have access to differing levels of data. As mentioned above, support staff would generally need to access support databases, whereas other staff may only need access to email and the corporate intranet.
In addition to deciding what corporate applications are required, you may need to decide what sort of antivirus protection can be installed on a device. Other applications that may need to be installed are email clients, messaging, and Virtual Private Network software (for staff that are likely to be working remotely).
Using a VPN for remote access
In particular, using a device on public Wi-Fi networks is probably the biggest headache. This is where a VPN solution is required. A VPN will require authentication, and will encrypt data. For this reason, a VPN client must be amongst the list of software solutions installed on a user device. There are a number available; the ones I have used are the Cisco VPN client and its successor, AnyConnect.
There is an area that is overlooked many times on tablets and on smartphones: set a security code. This is possibly the most important part of BYOD, particularly for personnel that are likely to be using public Wi-Fi networks. Theft of a device that has no passcode may still not let a casual user in, but having a passcode should be the primary level of defence.
In summing up, your BYOD policy needs to cover:
- What types of devices are permitted access, such as Android, iPad, MacBook, Wintel, and what version of the operating system is required.
- Secondly, decide which access level your different groups of users require.
- Third, decide what applications are required for a user.
- Fourth, and most important, a VPN is required for personnel likely to be using public Wi-Fi networks.
- Finally, educate users about the importance of setting passwords and passcodes. These guidelines should go some way to maintaining the security of corporate data.
Scott Reeves has worked for Hewlett Packard on HP-UX servers and SANs, and has worked in similar areas in the past at IBM. Currently he works as an independent IT consultant, specializing in Wi-Fi networks and SANs.