When setting a Bring Your Own Device (BYOD) security policy,
the temptation is to set a blanket security policy to govern how all BYOD
users access your corporate network.
Unfortunately, this is an easy way out and can
harm BYOD user productivity. I recently spoke with David Applebaum,
senior vice president of marketing for Moka5,
a leading enterprise mobility management provider, who has an interesting
perspective on the role of the user in BYOD security.
While you need a scorecard to keep track of all the BYOD
security philosophies and technology pivots taking place in the market, it
remains important that enterprises don’t lose a focus on their users when
setting BYOD security policies.
Know your BYOD device boundaries
“You have to set some very clear boundaries where certain
bits of data are, number one from an IT perspective, just off limits, so you
cannot mess around with their music,” Applebaum said. “You cannot
mess around with their photos. You will not look into specific types of applications
that are clearly personal.”
He then advised setting a line of demarcation between what’s
personal and what’s corporate-related. Email clients are a prime example of
what’s distinctly corporate. Applebaum
has a point with this advice, but I see drawing those lines as a cross-functional
team effort, depending on the organization.
Employees going rogue and storing corporate data in personal Dropbox accounts is getting lots of attention in mobile security circles right now. Applebaum said, “Actually, in our estimation right now for
BYOD, one of the critical problems we see for data consistency and data
security is how do you handle third parties?”
Applebaum said it’s important to provide both a
level of insight into and protection for third-party cloud storage. Moka5 has an
upcoming product called LiveCloud, which is designed to extend the Moka5
container to third-party cloud storage platforms. Addressing such data security
issues is behind more than one product pivot in the mobile security market.
“Trying to mandate that you do not put corporate data into
Dropbox is largely futile, especially if you just look at interactions,” Applebaum said. He gave an example of an employee opening a document
using Pages on their iPad. The Pages application copies the document to iCloud
and thereby sends corporate data outside your network.
Applebaum said to set clear guidelines
that promote a high level of self-policing amongst users. However, he also said
IT must remain vigilant. He related to me a simple document handling process
for BYOD users:
- Make edits or updates to a document.
- Email the edited document to recipient(s).
- Delete the document from the device.
“If you are using Box, Dropbox, or something like that and
you are going to be using it for work, then please carefully label it as such, so
that if IT for any reason needs access to it, we know where it is and can get to it,”
Applebaum said. The labeling of personal versus corporate cloud storage on BYOD devices
is obviously something that needs to be hashed out as part of a corporate-wide
BYOD policy and communicated as part of device onboarding and BYOD user
education. I second Applebaum’s
advice: be clear and precise, document your decisions, and your BYOD users will
be just fine.
Set BYOD policies with an eye on the user
“Our assessment is, if you do the first thing and are very
specific about how you want data handled and the expectations that you are
setting consistently in terms of how IT will deal with personally owned devices,
then a written policy doesn’t necessarily have to be draconian if you look at
it from the perspective of clarity,” Applebaum said.
“So if you set your boundaries properly and again are consistent and clear. One of the areas we talk about is level,” Applebaum said. “So
again, you may have an employee who says, ‘Listen, okay, I’m not going to do any
work on this thing. I like my iPad, but it’s just for reading. I don’t believe
it’s going to be productive. I just want
to do email. All I’m going to use this for is email, and if there are any attachments
or anything like that, I’m just not going to deal with them and just use this strictly
“Then somebody who is
saying, ‘You know what, I’m getting rid of my laptop entirely and I am going
100 percent iPad.’ It becomes a very different situation, so you don’t treat the two
cases identically,” Applebaum said. “I think recognizing that and giving
the employee options which basically says ‘So listen, what are you going to do?’”
Applebaum advised defining distinct segments of use types, each with
a different level of intrusion and management, as governed by IT and the
BYOD policies that are in place.
“You can be more flexible, but I think you absolutely have
to have a document that captures that information if for nothing else than
legal reasons,” Applebaum said. “You know at the end of the day, you fire an
employee, and you go through their things. They come back at you saying it’s
unfounded, and this is a violation of privacy. It can cause a lot more problems
than what you are trying to solve in the first place.”
“I think having a policy that again embodies the kinds of
values and the kinds of really the kind of compliance you are trying to
maintain there is absolutely no issue about that in my opinion,” Applebaum said.
Pull the blanket off BYOD security
Blanket BYOD security, while tempting, can sink a BYOD initiative by sapping user productivity. Applebaum offers prudent advice on basing
BYOD policy on user types and on handling the issues of personal clouds and corporate data,
because, after all, companies do need to define BYOD for their own organization.
TechRepublic’s sister site, Tech Pro Research, offers a downloadable BYOD Policy for companies to use when defining BYOD usage at their organizations. The policy is free to all Tech Pro Research subscribers.