Why Security Isn't A BYOD Showstopper

Craig Mathias, InformationWeek | May 08, 2012 09:05 AM


In a webinar on BYOD that I just did, a survey of the 500-plus participants showed that security is the way-out-in-front, lead concern of IT managers when it comes to implementing a bring-your-own-device program. More than 60% of those people voting reiterated what I hear every day: "Is it safe? Can we really trust users and their personal handsets with enterprise secrets?"

Security is, of course, the one part of IT where one can never be "done". Each week brings new concerns, new threats, and some previously unknown and unforeseeable challenge. Perhaps it's news of yet another IT breach, or, even worse, a discovery, not yet public, that something has gone terribly wrong and confidential information might be compromised. With security constantly under fire, then, aren't we just making things worse by allowing essentially any device on the corporate network? Aren't we just waving the proverbial red flag in front of the hacker community, daring them to do their worst once again?

Let me begin to answer that by saying that BYOD is, no matter what, going to become the norm in enterprise mobility during the next few years. Users want to carry only one handset, and it's their phone. The enterprise can save big bucks by eliminating the capital expense of unwanted (by users, anyway) handsets and sharing the operating expense of cellular service plans. Properly managed, then, BYOD looks like a win/win.


And proper management is the key. A number of vendors have announced BYOD solutions in recent days. Although each of these products addresses security, they are really at their cores about policy, and the enforcement thereof. So, then, is your security policy in place and up-to-date? How about your acceptable-use policy? Your agreements with your employees and contractors regarding the above and service-cost reimbursements? Have you updated your training? Training includes, by the way, basic consciousness-raising, along the lines of "loose lips sink ships".

As is always the case in IT, the place to start is with strategies and objectives; many questions need to be asked before any IT service goes live, let alone with BYOD. What information should be secured? Who should have access to it, and under what circumstances? What must be done in the event of a breach? How is confidential information tracked? What are the policies regarding authentication, file encryption, remote access, and VPNs?

All BYOD does is introduce a potential new vector; it doesn't redefine or even change the security problem very much. Got live USB ports on your PCs? Know how much a modern microSD card can hold? Still think BYOD is that big of a security threat?

We can learn a lot from the techniques employed in government-class security, which are based on the concepts of security clearance level (secret, top secret, etc.) and, more importantly, need to know. The former can be addressed through a careful and at least annual review of security policy and procedures, along with the tools applied. Need to know is addressed by carefully defining and controlling who belongs to what group of users, and what privileges are granted to any given group. See? BYOD doesn't really introduce much new here.

Indeed, a good BYOD solution is one coupled with mobile device management (MDM) and mobile application management (MAM) capabilities to make sure that mobile devices allowed on the corporate network are operationally secured and appropriately monitored, and that features such as device wipe are available when necessary (and, of course, that users are aware they might be applied).

I see BYOD evolving from Guest Access 2.0 to, ultimately, the enterprise network access control system of the future. The core functions in BYOD are common to wired networks and enterprise-owned devices as well; depending upon enterprise philosophy and vendor implementation, they can include all aspects of both security and integrity management.

So perhaps we should view BYOD as less of a novelty or a threat, and more as an opportunity to improve security, cut costs, and, in the bargain, improve both user and operations-staff satisfaction across the board.


Craig Mathias is a Principal with Farpoint Group, a wireless and mobile advisory firm based in Ashland, MA. Craig is an internationally recognized expert on wireless communications and mobile computing technologies. He is a well-known industry analyst and frequent speaker at industry conferences and trade shows.


