Avoid using a one-size-fits-all BYOD security policy

Moka5's David Applebaum discusses how to manage BYOD security based on user types.


When setting a Bring Your Own Device (BYOD) security policy, the temptation is to set a blanket security policy to govern how all BYOD users access your corporate network.

Unfortunately, this is an easy way out and can harm BYOD user productivity. I recently spoke with David Applebaum, senior vice president of marketing for Moka5, a leading enterprise mobility management provider, who has an interesting perspective on the role of the user in BYOD security.

While you need a scorecard to keep track of all the BYOD security philosophies and technology pivots taking place in the market, it remains important that enterprises don’t lose focus on their users when setting BYOD security policies.

Know your BYOD device boundaries

“You have to set some very clear boundaries where certain bits of data are just number one from an IT perspective off limits so you cannot mess around with their music,” Applebaum said. “You cannot mess around with their photos. You will not look into specific types of applications that are clearly personal.”

He then advised setting a line of demarcation between what’s personal and what’s corporate-related. Email clients are a prime example of what’s distinctly corporate. Applebaum has a point with this advice, but I see drawing those lines as a cross-functional team effort, depending on the organization.

Employees going rogue and storing corporate data in personal Dropbox accounts is getting lots of attention in mobile security circles right now. Applebaum said, “Actually, in our estimation right now for BYOD, one of the critical problems we see for data consistency and data security is how do you handle third parties?”

Applebaum said it's important to provide both insight into and protection for third-party cloud storage. Moka5 has an upcoming product called LiveCloud, which is designed to extend the Moka5 container to third-party cloud storage platforms. Addressing such data security issues is behind more than one product pivot in the mobile security market right now.

“Trying to mandate that you do not put corporate data into Dropbox is largely futile especially because if you just look at interactions,” Applebaum said. He gave an example of an employee opening a document using Pages on their iPad. The Pages application copies the document to iCloud and sends corporate data outside your network.

Applebaum said to set clear guidelines that promote a high level of self-policing amongst users. However, he also said IT must remain vigilant. He related to me a simple document handling process for BYOD users:

  1. Make edits or updates to a document.
  2. Email the edited document to recipient(s).
  3. Delete the document from the device.

“If you are using Box, Dropbox, or something like that and you are going to be using it for work, then please carefully label it as such, so that if IT for any reason needs access to it, we know where it is and can get to it,” Applebaum said. The labeling of personal versus corporate cloud storage on BYOD devices is obviously something that needs to be hashed out as part of a corporate-wide BYOD policy and communicated as part of device onboarding and BYOD user education. However, I second Applebaum’s advice: be clear and precise, document your decisions, and your BYOD users will be just fine.

Set BYOD policies with an eye on the user

“Our assessment is if you do the first thing and be very specific about how you want data handled and the expectations that you are setting consistently in terms of how IT will deal with personally owned devices. Then a written policy doesn’t necessarily have to be draconian if you look at it from the perspective of clarity,” Applebaum said.

“So if you set your boundaries properly and again are consistent and clear, one of the areas we talk about is level,” Applebaum said. “So again, you may have an employee who says, ‘Listen, okay, I’m not going to do any work on this thing. I like my iPad, but it’s just for reading. I don’t believe it’s going to be productive. I just want to do email. All I’m going to use this for is email, and if there are any attachments or anything like that, I’m just not going to deal with them and just use this strictly for email.’”

“Then somebody who is saying, ‘You know what, I’m getting rid of my laptop entirely and I am going 100 percent iPad.’ It becomes a very different situation, so you don’t treat the two cases identically,” Applebaum said. “I think recognizing that and giving the employee options which basically says ‘So listen, what are you going to do?’”

Applebaum advised defining distinct segments of use types, each with its own level of IT intrusion and management, as governed by the BYOD policies the organization has in place.

“You can be more flexible, but I think you absolutely have to have a document that captures that information if for nothing else than legal reasons,” Applebaum said. “You know at the end of the day, you fire an employee, and you go through their things. They come back at you saying it’s unfounded, and this is a violation of privacy. It can cause a lot more problems than what you are trying to solve in the first place.”

“I think having a policy that again embodies the kinds of values and the kinds of really the kind of compliance you are trying to maintain there is absolutely no issue about that in my opinion,” Applebaum said.

Pull the blanket off BYOD security

Blanket BYOD security, while tempting, can sink a BYOD initiative by sapping user productivity. Applebaum offers prudent advice on basing BYOD policy on user types and on handling the issues of personal clouds and corporate data, because, after all, companies do need to define what BYOD means for their organization.

TechRepublic's sister site, Tech Pro Research, offers a downloadable BYOD Policy for companies to use when defining BYOD usage at their organizations. The policy is free to all Tech Pro Research subscribers.