By Michelle Head, Security Team Technical Consultant
Bring Your Own Device (BYOD) – (def.) the recent trend of employees bringing personally-owned mobile devices (phones, tablets, laptops) to their place of work, and using those devices to access organizational resources.
Unless you’ve been living under a rock (and I’m not judging you if you have), you’ve heard of BYOD. If you are reading this post, BYOD has probably affected your organization and you’re trying to figure out the best way to deal with it. BYOD isn’t exactly new – employees have been accessing company resources from personal laptops for years, and usually there are already policies in place to handle this. But those smartphones and tablets that make our lives a little easier are also making us scramble to balance security with enablement: our users want a good experience, and we have to find a way to provide it securely and seamlessly.
At our BYOD seminar in June, we talked about where our customers are on the BYOD spectrum, which spans from “no personal devices allowed at all” to “I can conduct all of my personal and business needs from my iPad, wherever I am.” Most are somewhere in between. In the federal space (and in some highly regulated industries), many still keep their policy at “corporate devices only”, sometimes with a side of “no wireless allowed on campus.” They do this not because they love tormenting their employees, but because they don’t feel that the security is sufficient to protect sensitive information.
But it doesn’t have to be that way.
Within the federal government, different agencies will have different comfort zones when it comes to BYOD. And they are handling it in different ways:
- The National Security Agency doesn’t allow any personal mobile devices.
- The GSA Federal Systems Integration and Management Center allows access to email, calendar, and some web applications. This is a common first step on the BYOD road. Adoption has been slow because employees are leery of having their devices wiped. The use of selective wipe can mitigate this, but employees may want a demo first for reassurance.
- The Department of Homeland Security is planning to use virtual desktops for smartphones and tablets. VDI allows employees to access Windows-based applications in a secure manner, regardless of the device type. This is often a next step on the BYOD spectrum beyond email and calendar access.
Using best practices of granular network access control, mobile device management (including application and content management), and secure remote access, most government agencies can provide the means for their employees to be productive on their mobile devices. Securely.
It’s not just security that concerns administrators. It’s also policy, policy, policy. There are many things to consider. For example:
- Who owns the device? Are we distributing them ourselves? Or giving the employees an allowance to go buy their own? Or just letting them bring in what they already have? Perhaps a mix of some of the above.
- Who supports the device? (This may determine whether you limit BYOD to only specific devices.)
- Are we allowed to do a full device wipe, including personal data? Under what circumstances?
To help federal agencies develop those policies, the White House administration has created the Digital Services Advisory Group. One of its tasks is to provide government-wide guidance and best practices for BYOD within 3 months of its inception. These will be based on successful pilots from those federal agencies that already took the plunge. Even those that elect not to allow personal devices should pay attention. Just because you don’t allow them doesn’t mean someone isn’t going to try it anyway.
You don’t need to wait until the official guidelines come out to get started. Best practices are already established by organizations that began to address BYOD early. It’s likely that the Digital Services Advisory Group will reaffirm what we already know. So take action. Start with a BYOD assessment to determine what solutions are necessary, depending on how much access you want to allow. Then move forward. BYOD isn’t going away, and the sooner you address it, the better.