Tablets

Alternatives to the BYOD free-for-all

Deb Shinder discusses some of the things you should consider before implementing BYOD in your organization.

Today's employees want freedom of choice, especially when it comes to mobile devices, but freedom and security are often at odds. Best security practices dictate that administrators have control over all devices that connect to the corporate network, and that becomes difficult or impossible when employees are bringing in whatever devices they want.

We know happier workers tend to be more productive, so we shouldn't dismiss users' desires out of hand. It's also true that the tablet or smartphone that works best for one person might not be the best choice for someone else. There are ways to give users some of that freedom to choose without incurring the security risks of allowing a free-for-all where everyone can connect whatever devices they want to your company network. Solutions range from maintaining ownership of work devices but allowing employees to pick the device/platform to creating an isolated network for connection of employee devices, and there are several other levels in between.

Maintain ownership

The company will always have the most control over devices that it buys and pays for. That's true in both the legal and psychological sense. When employees invest their own money in a device, they naturally feel "it's mine, so I should be able to do what I want with it." When the company pays, employees are more inclined to accept rules and restrictions.

However, workers are likely to be happier with their devices if they have some "say" in the matter of choosing the brand, model, and/or style. Many large companies already give workers a choice of laptops that the company will provide, and you can easily do the same with tablets and smartphones.

One caveat is to make sure you don't just offer a few different brands that are essentially clones of one another, such as the dozens of Android tablets that are the same size, have the same look, run the same version of the OS, and are differentiated only by the name on the front. It's tempting to do this because you have the illusion of choice while making it easy for IT to support these "different" models, but this isn't the way to make employees happy.

For example, you might not want to go as far as offering a full-sized iPad, a 7-inch Android, and a Windows RT convertible, since that requires IT personnel to learn to support three very different operating systems and hardware configurations (although it would be ideal from the employees' point of view). But at least offer different form factors -- a 10-inch slate, a 7-inch slate, a tablet that comes with an attached or detachable keyboard, and maybe one that supports pen input. That way, workers have real choices and can pick what works best with the way they work and their particular job tasks.

Meanwhile, the company owns the devices and can install management software, force encryption, require complex passwords, and so forth. The company can also replace or upgrade the devices as desired, and when an employee leaves, the company retains the device and can issue it to a new employee.

Allow limited personally-owned devices

Although providing company-owned devices and allowing only those devices to connect to the network is the most secure route, the reality is that in today's economy, cost is a consideration. Allowing employees to use their personally-owned devices for work is attractive from a budgetary standpoint. Not only does the company not have the initial capital outlay, but if an employee breaks or loses his/her device, replacement cost is on the employees' shoulders.

However, embracing BYOD doesn't mean you have to allow any and every device employees might buy to connect to the network. You can establish a policy regarding what brands and models are allowed, but be careful with this one; technology advances move quickly and new devices come on the market all the time. You can find your policy falling out of date rather quickly. It may be easier and more effective to limit devices based on operating system(s) and to restrict what apps can be installed.

If you do decide to limit devices by brand/model, first evaluate them based on your security requirements. Your policy can (and should) prohibit the use of rooted or jailbroken devices.

Policies are great, but how do you ensure that users are complying with them? Your IT staff can examine the personally-owned devices on a periodic basis to verify that they're in compliance, in addition to relying on management software systems.

BYOD policy considerations

In developing your BYOD policies, you should consider the following:

  • Require logon protection via a PIN or passphrase. If your workers deal with sensitive data, require complex passphrases, not just four-digit PINs.
  • Require that data stored on the device be encrypted.
  • Require employees who want to use their personally-owned devices undergo training to ensure they understand the policies and safe mobile practices and can recognize signs that their devices have been compromised.
  • Consider whether to establish a "white list" or a "black list" to control what apps are allowed on the devices. The first is more restrictive; only those apps on the list are allowed. The latter lists apps that are not allowed.
  • Require employees using their own mobile devices to follow the same security policies as those using corporate laptops and desktops. For example, if you don't allow use of peer-to-peer applications or free cloud storage and sharing services (such as Dropbox) on the corporate computers, they shouldn't be allowed on personally-owned mobile devices either.

Put it in writing

It goes without saying that your policies should be in writing and distributed to all participants. In addition to that, all employees who participate in the BYOD program should be required to sign a statement confirming that they received, read, and understand the policy. This can be done in conjunction with the training.

For best security, you should include in the statement that the employee gives the company the right to erase all data and applications on the device, remotely or otherwise, at any time. This should be exercised in case of a security breach, loss of the device, or when the employee leaves the company, to protect any corporate data that might be stored on the device. Wiping data files only is not enough; after all, there may be applications (such as VPN apps) with settings that allow the device to connect to corporate resources.

Your policy and training, along with the statement, should also include a clarification of who owns what data on the devices. Users should understand that the company is not responsible for the loss of any personal data (music, photos, etc.) for any reason.

Mobile device management software

There are a number of mobile device management packages that can be used to enforce password policies, device restrictions, Wi-Fi and VPN configurations, inventory installed apps, monitor device status, and more.

Check out "10 BYOD mobile device management suites you need to know" on ZDNet for a list that will get you started comparing some of the different features and functionality.

Also read

TechRepublic and ZDNet delve deeper into this topic in a special report page: BYOD and the Consumerization of IT.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

4 comments
MikeBytes
MikeBytes

Sucks on ice is the nicest thing that can be said about BYOD. If I must pay for my own device it is mine, mine, mine, to quote Daffy Duck. It is absolute nonsense, or BS if you prefer, to force people into buying a tool that has their employer "monitoring", "overseeing" and or "regulating" . Probably most of you managers who came up with this stupid idea were not around when this was tried with laptops many years ago. Even with the voluntary consent of the owner security was a mess and cost companies lots of money to pay for credit monitoring because of lost or stolen computers. This is still happening!! Learn from past mistakes, suck it up business and buy your own tools.

dcolbert
dcolbert

This is frequently over-looked by BYOD policy-writers. If you're designing a BYOD policy that includes storage encryption policies (which it should), you need to make sure to inform your BYOD users that all information on that device is encrypted. You need to decide *why* you are encrypting. What are your goals. There are two reasons, and you can have one without the other, in one case, but in the other, it will probably be both reasons you are aiming for. Those reasons are: 1: To prevent unauthorized parties from getting physical access to the device and being able to access confidential or protected corporate data that resides there. 2: To prevent authorized users from moving confidential or protected corporate data from the phone onto other devices that are not controlled, monitored or authorized by corporate IT. Reason #1 should always apply, reason #2 may apply depending on your organization. In a BYOD environment, this introduces a challenge. Personal data is mixed in with corporate data on that internal storage - and end users are almost certainly using their devices for reasons that have nothing to do with workplace productivity. When your policy encrypts your users personal data, be it documents, media, or family photographs, employees and end-users need to be aware of the ramifications of that. In the case of a policy driven by consideration #1 above, employees just need to know that they need to manage their data themselves and move it through available means to a non-secured destination. That may be as simple as "upload all data that is on your BYOD platform to Dropbox," or "send all of your vacation pictures to Facebook." In the case of policy #2 - you'll have taken steps to block the ability of the device to transfer any kind of data from the BYOD solution to any physical or cloud device outside of the corporate network. That kind of policy is obviously going to have a significant impact on the bring *YOUR* own device appeal of BYOD. In both cases, part of the user agreement that should be signed by an employee before allowing their BYOD onto the corporate network should include a clear disclaimer that confronts those two issues - and someone should go over these aspects and make sure end users understand *before* the corporate BYOD policy is applied to their device. If you miss this, you're going to have *very* upset end users - most likely at the executive level, sooner or later.

dcolbert
dcolbert

It is employees who want to adopt touch-screen mobile devices for professional use that is the primary factor driving BYOD adoption at most workplaces today. The business can always reject BYOD integration - but that is likely to result in disgruntled employees too. The businesses are really in a "can't win" scenario here. So regardless of BYOD sucks or not, it is going to be an ongoing challenge for businesses going forward. You can't just be an ostrich about this and stick your head in the sand and hope it will go away. As an IT manager I didn't "come up with the idea," I responded to the trend.

deb
deb

And that's why I stress both the written sign-off and actual classroom-type or one-on-one training - to ensure that employers understand what compromises they have to make if they want to use their own devices. Many are not going to be happy about the "right to wipe" provision, either - but assuming nobody is forcing them to use their personally-owned devices for work (and if you are, that's a whole different issue), that's just one of the rules of the game and if you want to play, you have to accept it.

Editor's Picks