The Genie, The Bottle and BYOD

It’s safe to say the genie is out of the bottle. The number of employees (and other credentialed users) using their own smartphones, tablets and other personal devices is rising, and there’s little to nothing IT can do about it…or is there?

In the past weeks I’ve written about BYOD and password management, but I want to approach the subject from a slightly different perspective. Administering access management and identity management from the cloud is a cost-effective and nearly instantaneous way to create, manage and enforce a BYOD initiative. But in the end, it comes down to policy. There must be rules of engagement that give your authorized users access to various applications, emails or proprietary data without compromising compliance, privacy or sensitive intellectual property.

Very recently IBM implemented a wide-ranging BYOD initiative for more than 80,000 of their employees worldwide. They recognized that a BYOD program “really is about supporting employees in the way they want to work.” However, there’s a fine line to walk to ensure there are enough safeguards to preserve the integrity of the business.

Essentially they created strict guidelines that an employee must follow or lose the convenience of using their own device. What this does is shift the burden to the user to ensure certain security protocols are followed. One of the rules is that IBM reserves the right to “wipe the device” in the event a phone is lost or stolen, or if the user leaves the company. But that does nothing to protect data while it is in the hands of users. These smartphones are just mini-computers. Most users don’t realize they need some sort of malware protection AND some degree of access provisioning once they are authorized to reach the network.

One of the great benefits of security-as-a-service is that you don’t have to reinvent the wheel: many of these best-practice policies are pre-configured, and all you need to do is identify the user responsibilities and concentrate on enforcement.

It all boils down to this: Conduct an inventory of all the types of personally-owned devices employees want to use for work-related tasks. Take every possible step to apply as many of the same precautions to these personally-owned devices as you apply to corporate-owned devices.

One of the things you can control is passwords. You can dictate the terms of access by ensuring strong passwords are used (no birthdays or dog names!), that they expire every few months, and that there is a lockout and wipe protocol after so many failed attempts. You can also insist (and control) that if anyone wants to store, access or transmit any data, their devices must be encrypted. Again, there are great tools to make this happen (especially from the cloud), but the dictates have to come from above. These must be corporate policies agreed to by management and signed off by any user looking for the convenience of using their own device. It might dissuade some users, but there needs to be a trade-off to prevent data loss, data leakage and any type of security breach.

I mentioned earlier that the cloud itself can be a conduit towards a more seamless integration of BYOD. But beyond the cost savings and the rapid deployment, the question is: does cloud-based security have the functionality to properly administer a variety of endpoints? The answer is yes. It uses best-of-breed technologies to make sure that real-time provisioning/deprovisioning and on- and off-boarding are in effect, and that rules based on an individual’s specific HR model are enforced and active. More so, a true cloud-based program will not only provide Identity Management, but also load the features of Access Management. This includes SaaS Single Sign-On, Web SSO, integration with any legacy application, fine-grained entitlements and interoperable federation based on standards like SAML. But as an IT professional, you know this. What you need to appreciate is that security-as-a-service creates the centralizing bridge that allows you to combine the silos of data to more easily manage all users regardless of their endpoints. It also goes a long way in maintaining compliance, but that is a blog for another day.
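To make the two preceding points concrete, here is an added example (mine, not code from the original post or from any vendor) of what "policy, then enforcement" looks like when a personally owned device asks for access. It combines the device controls listed earlier (strong password, password age, lockout and wipe after repeated failures, mandatory encryption) with the HR-driven rule that access follows the user's employment status. Every threshold, attribute name, HR status value and sample device below is an assumption chosen for illustration.

```python
"""Added example: evaluate a personally owned device against a BYOD policy.

Not from the original post and not any vendor's configuration. Thresholds,
field names, HR status values and sample records are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class BYODPolicy:
    """Thresholds the business signs off on (assumed values)."""
    min_password_length: int = 8
    max_password_age_days: int = 90
    lockout_after_failures: int = 5
    wipe_after_failures: int = 10
    require_encryption: bool = True


@dataclass
class DevicePosture:
    """What the device reports at access time (hypothetical attribute names)."""
    user: str
    hr_status: str            # assumed values: "active", "leave", "terminated"
    password_length: int
    password_set_on: date
    failed_attempts: int
    storage_encrypted: bool


@dataclass
class Decision:
    allow: bool = True
    actions: list = field(default_factory=list)   # "lock", "wipe", "deprovision", ...
    reasons: list = field(default_factory=list)


def evaluate(device: DevicePosture, policy: BYODPolicy, today: date) -> Decision:
    """Return an allow/deny decision plus the enforcement actions it triggers."""
    d = Decision()

    # HR model comes first: off-boarding deprovisions access whatever the device state.
    if device.hr_status != "active":
        d.allow = False
        d.reasons.append(f"hr_status={device.hr_status}")
        d.actions.append("deprovision")
        if device.hr_status == "terminated":
            d.actions.append("wipe")      # the "wipe the device" rule when a user leaves
        return d

    # Failed-attempt thresholds: the wipe threshold takes precedence over lockout.
    if device.failed_attempts >= policy.wipe_after_failures:
        d.allow = False
        d.reasons.append(f"failed_attempts={device.failed_attempts}")
        d.actions.append("wipe")
        return d
    if device.failed_attempts >= policy.lockout_after_failures:
        d.allow = False
        d.reasons.append(f"failed_attempts={device.failed_attempts}")
        d.actions.append("lock")

    # Password hygiene: minimum length and maximum age.
    if device.password_length < policy.min_password_length:
        d.allow = False
        d.reasons.append("password too short")
    if today - device.password_set_on > timedelta(days=policy.max_password_age_days):
        d.allow = False
        d.reasons.append("password expired")
        d.actions.append("force_password_change")

    # Data at rest: no encryption, no access.
    if policy.require_encryption and not device.storage_encrypted:
        d.allow = False
        d.reasons.append("storage not encrypted")

    return d


# Constructed sample postures, one per interesting outcome.
SAMPLE_DEVICES = [
    DevicePosture("alice", "active", 14, date(2012, 5, 1), 0, True),
    DevicePosture("bob", "active", 6, date(2012, 1, 15), 0, True),
    DevicePosture("carol", "active", 12, date(2012, 5, 1), 7, True),
    DevicePosture("dave", "active", 12, date(2012, 5, 1), 12, False),
    DevicePosture("erin", "terminated", 12, date(2012, 5, 1), 0, True),
]


def run_samples(policy: BYODPolicy = BYODPolicy(), today: date = date(2012, 6, 1)) -> dict:
    """Evaluate every sample device; returns {user: Decision}."""
    return {dev.user: evaluate(dev, policy, today) for dev in SAMPLE_DEVICES}


if __name__ == "__main__":
    for user, decision in run_samples().items():
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{user:6} {verdict:5} actions={decision.actions} reasons={decision.reasons}")
```

The ordering is the point: HR status is checked before anything the device reports, so a departed user is cut off even from a fully compliant phone, and the wipe threshold short-circuits the remaining checks because there is nothing left to evaluate once the data is gone. Each denial carries its reasons so the user (who signed the policy) can see which rule they tripped.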

If you haven’t already confronted the issue of BYOD, believe me, you will. To get ahead of the issue you need to receive upper management blessings, create proactive policies, and educate your users. Then they receive the benefits of the greater productivity and expediency and you sleep just a bit better at night knowing that someone’s iPhone hasn’t gone missing or that a sales administrative assistant can’t mistakenly corrupt any R&D testing data.

The genie won’t go back in the bottle, but you can at least learn a few magic words to keep it under control.

Kevin Nikkhoo
BYOD Genie!
