BYOD security: It’s about company culture, not just devices
By Chong Fook Hing March 24, 2015
- A true BYOD strategy is based on two foundations
- These are the right company culture and an enterprise-wide take on security
ASK businesses to name their biggest concern around Bring Your Own Device (BYOD) and the answer is clear: Security.
Indeed, a recent Oracle survey of senior security decision makers saw 38% citing device security as one of the top worries they have when it comes to BYOD.
This focus on device security may stem from the fact that many large businesses still have deep roots in old ways of running enterprise IT. Such organisations are used to IT having complete control over the devices that their employees use.
As security is also mandated and controlled by IT, businesses can therefore have a reasonable expectation that their sensitive data is secure.
For such organisations, BYOD can be a daunting prospect. The idea of allowing employees to use their personal devices at work is revolutionary and as with any revolutionary idea, it will take some time to become accepted fully.
The issue is that some businesses are using concerns over device security as an excuse for not investigating seriously what BYOD could do for their businesses. All too often devices, and device security, are being used as a scapegoat for regressive and counterproductive IT policies.
To do nothing is not an option
The major flaw with this position is that employees are already using their own devices at work, regardless of what their businesses’ official policies on BYOD are.
Indeed as mobile devices become ever more powerful and the ‘Gen-Y’ demographic comes into the workplace, an increasing number of people are going to use their devices at work.
Businesses therefore have a clear choice to make: Address the security challenge of BYOD now and start enjoying the benefits it brings; or keep delaying it until such a time when it may be too late.
For those businesses that choose the former path, the key to success lies in one fundamental characteristic of BYOD security: It is about much more than simply locking down the device.
Device-centric approaches to security (such as mobile device management) can only ever solve the problems businesses have today – they do not provide a scalable, flexible way of securing the enterprise for the new world of mobility we are entering.
Instead, a true BYOD strategy is based on two foundations: The right company culture within the enterprise and a robust, enterprise-wide take on security that is capable of securing the enterprise today and well into the future.
A question of trust
When it comes to company culture, BYOD will only flourish in companies where trust is absolute.
Business executives need to be able to have complete confidence in their IT department and the technology framework they have in place to secure employee devices.
Employees, meanwhile, need to rest assured that their device cannot compromise the enterprise and that, conversely, their own private data cannot be viewed by anyone in the business.
This is a two-way street of course.
In business, trust is never given freely – it is always earned. In the case of BYOD, it clearly must be earned through a robust security framework.
The good news for businesses is that BYOD security does not need to be a leap into the unknown, nor does it need to involve investing in new, unproven niche security ‘solutions’. Instead it can be built on that stalwart of enterprise security: Identity management.
Bringing enterprise security to the device
Identity management allows organisations to simplify identity lifecycle management (i.e. who can access what part of the network and for how long) and secure access from any device for all enterprise resources – both within and beyond the firewall.
The key words here are ‘any device’ – in essence, identity management allows organisations to easily extend the enterprise security layer to wherever the employee needs it to be extended.
At a stroke, businesses will be able to trust BYOD devices every bit as much as corporate-owned ones due to the fact that the same robust authentication, sign-on and authorisation processes are used.
There is a little more to this of course. If businesses and employees are to truly trust the use of personal devices in the workplace there needs to be a strict separation between personal and corporate data.
This is where mobile device management (MDM) reaches the limits of its usefulness. MDM is great for securing information and hardware on a device, but it lacks finesse, securing everything and anything that happens to be on the device.
In the case of BYOD, this poses some problems. What, for example, happens when employees lose their device, or leave the company?
With MDM everything on the device – including their personal data – would be wiped.
It is the nuclear option. This means that employees can never really commit to BYOD. They cannot trust in the security solution in so far as it imperils the data that arguably means most to them: Their own.
Locking down applications
Due to this, mobile application management (MAM) is fast gaining currency.
MAM delivers a secure container for application security and control that separates, protects, and wipes corporate applications and data.
Crucially it secures corporate data only: The employees’ personal data and applications are completely separate and unaffected by what goes on inside the enterprise container.
This means that they can trust in the fact that none of their data will be wiped by the business and that the business cannot accidentally see what they are doing with the device in their private lives.
In short, MAM provides the peace of mind that employees want to be able to use their own devices at work. They know the company data is secure and they know that their data is separate.
Our message to businesses is that BYOD is an unstoppable force. Employees are going to use their devices at work regardless of whether you want them to or not.
The key to securing the enterprise in this new world is to embrace a more holistic attitude to security that focuses on applications and identity. With this approach, businesses can rest assured they are protected regardless of the device used.
Chong Fook Hing is sales director for Oracle Fusion Middleware at Oracle Corporation Malaysia.