Bring Your Own Device (BYOD)
Introduction
Bring Your Own Device (BYOD) has become one of the most talked about terms in IT. The consumerisation of IT along with the availability of multiple platforms and different types of devices has caused a headache for businesses. Users are approaching the IT department requesting access via multiple devices, including smartphones, tablets and laptops, some of which are managed and provided by IT, some of which are not. Businesses are also giving the user options to purchase their own equipment, rather than via a central IT purchasing department. This is causing a security worry, as more and more data is stored on these devices that are more mobile than traditional laptops and desktops. IT departments are also expected to provide connectivity for these devices, whether at head office, branch or remote to the network.
Head Office and Branch Office Secure Wireless Access
Solutions are available to enable devices to connect wirelessly at head office and the branch via a single management platform to include device type identification to allow access by device type, certificate on device or user credentials. Users can generate their own certificate, via a self-registration portal, reducing the reliance on IT and the Service Desk, or access can be granted on an ad-hoc basis to allow guest or third party access. Access can then be limited to specific applications or services, including Virtual Desktop Infrastructure (VDI) for full access to non-web based services or to control security.
Remote Access
When users are out of the office they still require the same level of access to the same applications and services, although in this case different methods of access can be provided: for example, allowing direct access to the Intranet only when on site and redirecting to an external version when away from the office, or only allowing VDI access to the accounts system when away. The same systems can also allow secure access to email via Microsoft ActiveSync without exposing the Outlook servers to the Internet, giving users access to email, calendar and contacts.
User Authentication
When providing access to corporate resources in local and remote locations it is important to ensure that only those users authorised to access those resources gain access. With multiple methods of connectivity comes multiple methods of authentication. When users utilise corporate laptops the authentication can be as simple as using existing Active Directory credentials and a certificate on the device. This ensures the user does not have to re-authenticate, as the system transparently connects utilising the cached credentials and preinstalled certificate.
In the case of users accessing via non-corporate devices, such as a home device or a machine in a web café, two-factor authentication should be specified. Modern tokenless systems allow the user to authenticate using mobile phone applications, software applications or SMS text messages, reducing cost and the reliance on traditional physical tokens.
Data Leakage Protection (DLP)
It is important to take account of what data is available on the device, and how that data is protected. Again, different devices need different levels of access, and controls should be placed on these devices as to which types of data can be viewed or saved. For instance, in a web café environment it is important that no information is left on the device when the user signs out so the system must perform a cleanup.
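The access rules described in the Remote Access, User Authentication and DLP sections above can be expressed as a single policy decision. The following is an added illustration, not SecureData's product logic: the device classes, resource names and delivery modes are assumptions chosen to mirror the examples in the text (corporate devices authenticate with cached AD credentials plus a device certificate, unmanaged devices need two-factor, the accounts system is VDI-only when remote, the Intranet redirects to an external version when remote, and a shared web café terminal must be cleaned up on sign-out).

```python
from dataclasses import dataclass
from enum import Enum


class Device(Enum):
    CORPORATE = "corporate"   # IT-managed laptop with AD account and device certificate
    PERSONAL = "personal"     # user-owned smartphone, tablet or home PC
    PUBLIC = "public"         # shared machine such as a web cafe terminal


class Auth(Enum):
    AD_CERT = "ad_credentials+device_certificate"
    PASSWORD = "password_only"
    TWO_FACTOR = "two_factor"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    mode: str                 # how the resource is delivered, or why it was refused
    cleanup_on_logout: bool = False


# Hypothetical resource table: (delivery when on site, delivery when remote).
RESOURCE_MODES = {
    "intranet": ("direct", "redirect-to-external-intranet"),
    "accounts": ("direct", "vdi-only"),
    "email": ("activesync-gateway", "activesync-gateway"),
}


def strong_enough(device: Device, auth: Auth) -> bool:
    """Corporate devices may use cached AD credentials plus the device
    certificate; anything the business does not manage must use two-factor."""
    if device is Device.CORPORATE:
        return auth in (Auth.AD_CERT, Auth.TWO_FACTOR)
    return auth is Auth.TWO_FACTOR


def decide(device: Device, on_site: bool, auth: Auth, resource: str) -> Decision:
    """Evaluate one access request against the BYOD policy above."""
    if resource not in RESOURCE_MODES:
        return Decision(False, "unknown-resource")
    if not strong_enough(device, auth):
        return Decision(False, "step-up-authentication-required")
    on_site_mode, remote_mode = RESOURCE_MODES[resource]
    mode = on_site_mode if on_site else remote_mode
    # A shared terminal must leave no corporate data behind when the user signs out.
    return Decision(True, mode, cleanup_on_logout=(device is Device.PUBLIC))
```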
Mobile Device Management
With a multiplicity of devices to secure, a single point of control is required to manage these devices. This is essential to ensure that if a device is lost or stolen, then any data can be securely and quickly removed. Any solution should also be capable of tracking that device, and controlling which applications and services are available. Further consideration should be given to the control of web access on those devices, when they are devices owned by the business. Other solutions allow a sandbox type environment to run on a user’s own device to contain corporate data. This allows the user to make the decision as to which applications to run on their device, but allows the business to control corporate data and remove that data if the device is lost or that user leaves the company.
Methodology
With the wide range of devices and levels of access it is important that the systems and policies are designed and implemented correctly to ensure the security and usability of the BYOD process. This should include identifying user requirements, writing policy, designing and implementing the system and on-going management and support. This can be achieved by partnering with SecureData, and our experienced project management, design, build and support services.
Summary
Businesses cannot get away from the concept of BYOD, whether they provide and support the devices or allow users to connect utilising personal devices. Users can often be better informed on new technologies than the IT departments who are expected to support them.
Consideration needs to be given to wireless access, access to corporate applications and services, how that access is authenticated, and which information is allowed to be stored on that device. Conversely, consideration should be given as to how that data would be removed in the event of a device being lost or the user leaving the company. It is important that these functions are available via a single platform due to the large numbers of differing devices available.
In considering all of the above the business needs to consult with trusted and experienced partners to ensure that their BYOD project delivers all that it can to allow the users to access those resources that they need to perform their tasks. Only by doing this can the business ensure that security and IT functions become an enabler to the business rather than a blocker, allowing ultimately the users to perform their tasks whether in the head or branch office, travelling to remote offices or at their homes or other web enabled locations.