BYOD policy: How to balance security with the user experience

For BYOD to work well in your organization, you need robust mobile security that preserves the user experience. Nubo Software has just the solution.


Bring Your Own Device (BYOD) is pushing the envelope when it comes to control over IT policies. On the user side, you have the freedom to connect to your work environment through a mobile device, which often results in productivity gains. On the corporate side, security concerns are a significant issue. Mobile devices that contain sensitive company data are connecting to numerous unsecured networks; plus, the devices can be lost or left behind in one moment of inattention.

SEE: Tech Pro Research's BYOD Policy

Israel Lifshitz, founder and CEO of Nubo Software, said in a recent telephone interview that IT needs to think carefully about BYOD policies before implementing them, seeking to balance security with ever-greater user choice and freedom. Nubo Software provides a remote enterprise workspace solution for mobile devices.

Noteworthy is his firm's work in separating the personal from the professional in BYOD. Nubo's cloud-based product does not permit users to download company data. In essence, the mobile device acts as a display, and a client can block user access from a device at any time.

Lifshitz sees three big trends in enterprise BYOD over the next several years: more enterprise-grade mobile apps, better security features on mobile devices and operating systems, and more user freedom and choice.

TechRepublic: If you met an executive who was skeptical about BYOD, who did not believe that the benefits outweigh the risks, what would you say?

Israel Lifshitz: Good question. If you are in charge of security, you might even lose your job in the case of a security breach. But it is hard to avoid, because everyone wants to have BYOD and use it more. Apart from security, you might see all of the possibilities, because now all of those users are using mobile for their work. What users want is to have the same experience as they do with personal apps. The businesses can understand that people could be much more productive.

So what has happened is companies more and more are adopting BYOD, and IT and security professionals need to keep up with the pace to make sure that as the company goes to BYOD, it can remain safe. But it is very hard for a CIO to say "no, we are not implementing that," when they see the user's productivity.

TechRepublic: What do you think will be the biggest trends in enterprise BYOD over the next two to three years?

Israel Lifshitz: One trend is apps. Currently, if you look around you won't see many business apps, especially enterprise apps. You will see the standard apps, such as email, contacts, and calendar. And you are starting to see semi-business apps, or apps that allow you to do some very simple work tasks.

I think we will see more complicated enterprise apps, like CRM and ERP, because now companies realize that they want to be more productive, and are deciding they want to invest more in mobile apps. This will cause other problems with BYOD, because it will be much more complicated to secure the data. ERP and CRM data is much more sensitive than email.

The second trend is more of a relief for security, even for a security vendor like us -- that is, manufacturers are starting to take security more seriously, and they are adding more security features to mobile devices. It is interesting, because I think mobile operating systems are more secure than desktop operating systems, both Android and iOS.

And I hope that in the future we will find what they call the "Holy Grail" of security features, which is the ability to run enterprise apps on an uncompromised device. If you have a compromised device, where someone has changed the operating system, it is really a problem for enterprise apps. The enterprise apps vendors and manufacturers need to make sure that devices cannot be compromised.

Something that I think is already happening, a third trend, is that IT understands that they cannot force users to have specific devices. So basically, the trend is less IT control and more end user freedom. Soon you will see things like enterprise app stores, where a user can decide between different kinds of apps. Basically, IT will have some control, but less and less, so it is about how we can maintain good security with less control. But when there are security compromises, IT will still be responsible for them.

TechRepublic: What are the biggest threats from enterprise use of BYOD?

Israel Lifshitz: The main concern about BYOD is security, but still I don't see comprehensive security models and analysis. I think many IT people do not know the threats well, especially in order to prioritize them, which tools they need, and which actions they need to take.

IT's concern with BYOD is that suddenly their data is in thousands of devices that are not company-owned. They are employee-owned, and they are using it everywhere with different networks. So the problem for them is their company data.

The problem goes down into two main components that you need to protect.

The first component is the device itself. I think the device is the weakest link in BYOD, because there are thousands of devices, and it is very hard to protect the data in them. You can't easily follow everyone. An employee can forget the device in a restaurant or at an airport. That becomes a problem for the company because now there is company data in unknown hands.

The other component is the network. For example, before BYOD, most of the devices were workstations that connected to one network. Now your device is connected to many untrusted networks, and we don't know how many fake networks there are. The data is going through such networks, and you need to understand how to protect the data.

TechRepublic: What is the best way to balance BYOD security with the user experience?

Israel Lifshitz: BYOD started from user experience -- this is the reason why it was implemented. And then IT comes and tries to understand all the security problems, they add many policies, and the users just stop using BYOD. In that case IT puts a lot of money and resources into something that no one ends up using.

To balance BYOD, you need to think very carefully about each policy. For example, if IT decides to have a policy where they disable the camera in the device (which they technically can do very easily), then no user will want it, because nobody wants to have a mobile device without a camera. I also don't see any reason why IT needs to disable cameras.

Also, take a password policy, for example. If the enterprise password on the device is too complicated, then they will not use it. You can imagine needing to answer a phone call on such a device. But if the password is only for business apps, then it is much easier.

So I think it is necessary to carefully plan BYOD policies, and create ones that protect you, but do not limit the users too much.

IT needs to understand that the rules have changed. In the old IT, they decided everything for the users -- which device to buy, which apps to use -- and now it is much more about the freedom of users. IT needs to preserve that. A user should have more than one choice for business apps.

Another thing is, if you separate the business and the personal, it is much easier; you have an environment for each. In the personal environment you can have maximum user choice, and in the business environment you have more IT control over policies.

I think this relates to our product from Nubo because it does not permit data on the device. If you don't leave any data on the device, it is much easier. You don't need to manage the devices, you don't need to enforce policies on the devices. The user can have the device 100% for personal use. And then you have the work environment that sits on the server.

Disclaimer: TechRepublic and Tech Pro Research are CBS Interactive properties.