I've written many times about the Bring Your Own Device movement (BYOD) and the need for increasing security controls.
For years, we've controlled device settings on Blackberry devices with the Blackberry Enterprise Server (BES). We force passwords, encryption, and device memory wipes for ten failed passwords so that every user has enterprise enforced security
With iPhones and Android devices it's harder to control settings and behavior on personal equipment.
We think the best we can do within the limitations of present server-side technology is to enforce the use of passwords on all devices using Active Sync, require a timeout of 10 minutes, and eliminate the use of the most simple passwords (1234, 1111 etc). Microsoft Exchange/Active Sync can query the device for the settings currently in place and only synchronize email if the device adheres to enterprise security policies.
We'll eliminate support for POP and IMAP protocols because these cannot be used to inspect and enforce desirable device settings.
We've debated the use of settings that automatically wipe the device for 10 failed password attempts, as we do with Blackberry. However, given that we cannot selectively purge corporate verses personal data, we'll likely avoid that setting for now.
BYOD management is a journey. Server side tools that inspect personal devices and only allow synchronization of corporate data such as email when settings are consistent with policies seem like a cool solution.
In the future, we may add client software (Mobile Device Management) to each device to provide more control over encryption on Android devices and permit selective memory wiping of corporate data.
I welcome comments on what others have done. BYOD is here to stay. Compliance and IT departments need to collaborate on a set of policies and technologies that will meet the needs of regulatory requirements while maintaining service capabilities and user productivity.
You mention purging corporate versus personal data--is this really possible with the current design of iOS and Android?
ReplyDeleteI think BYOD makes more and more sense, but as you have pointed out, security is essential and not optimal right now. I don't know much of anything about the specific technical methods for implementing security on these devices. But from a purely conceptual standpoint, I think it would be useful to "partition" these devices into corporate and personal spaces on the device. You could dedicated one app screen to all of the corporate-controlled apps and settings, leaving the rest of the screens for the user to fill with their own personal content. Essentially, this could create two walled gardens, separate and distinct from each other on the same devices. In case of a lost device that needs to be wiped, the administrator from the corporate side could always have the authority to wipe everything in the corporate space and ask the user if they wanted all their data in the personal space to be wiped as well.
Interested to see how this develops and what Apple/Google/Microsoft/etc come up with to manage these challenges.
The ability to decipher between corporate and personal data requires first that data be classified. While data classification is one of the cornerstones of information security, I have not had the pleasure of working in organizations with such programs established (too often the "operational and/or administrative” side of information security is forgone in favor of the “cool techie side” that draws great interest; or the organizational view of information security is purely technical). Organizations, as well as mobile devices, must also be able to adapt to the evolving information security landscape, manage this content, and organize it. The advent of BYOD is not only a game changer for information consumption but also a game changer for information security. We need to be able to adopt holistic information security programs and identify cutting-edge techniques to protect our sensitive information without compromising the efficiency of mobile computing. Only then will we be able to conquer this challenge.
ReplyDeleteI just recently attended a panel hosted by CDW and cio.com in Houston about BYOD and i was surprised on how many other companies are on the fence about a BYOD policy. We are in the same situation and the panel of experts gave some great incite into how this trend is moving towards and the challenges that companies will face.
ReplyDeleteJohn the panel goes to boston on the 24th of may here is a link to register https://www.eiseverywhere.com/ehome/35103/56668/?&
I agree with Josh. I would put in an MDM solution to partition the corp from the personal data. We certainly have a solution for this and use it internally, but there are many others. For example, MD Anderson uses BoxTone. You should also get a handle on physician SMS texting. That is just now becoming an issue for us. However, ActiveSync is a "good enough" for most organizations versus doing nothing.
ReplyDelete#iwork4dell
I am surprised that virtual desktops didn't come up. I know of at least one health plan that uses that technology to keep the data separate and secure. VMWare and Citrix both have that kind of solution and there is a lot of potential for providers there. I also wonder if smarter app design along with more use of cloud based services like ec2 will start to become more popular.
ReplyDeleteWe have found great success with MobileIron. We needed to track and manage our agency iPhones, Android phones, and iPads. It lets us track who has what on which carriers, what software is installed, deploy profiles and security settings, and wipe them. It also lets us use the Apple Volume License Program to easily deploy apps to many devices with just one purchase. It's met all of our needs very well, and then some.
ReplyDeleteI've really enjoyed reading your blog for a couple of years now. I am an IT leader, and appreciate your insights. Please keep it up.
Our company uses an MDM product called MaaS360 from Fiberlink. We use it to manage iOS and Android smartphones and tablets (ok... no Android tablets in use yet), although for now we only manage devices supplied to our end users by the company (no BYOD devices are on the MDM product).
ReplyDeleteOur company is in the healthcare space so we wrestle with many of the same issues you raise.
Funny - MaaS360 and MobileIron are the two we are strongly considering for an MDM sitting on top of our Exchange and ActiveSync environment. We will also be using PKI for device and host authentication. We've studied these technologies, use cases, and attack vectors for the last ~7 months and these seem like an ideal combination of controls for devices.
ReplyDeleteRegarding separating corp vs personal data on these devices - many approaches use containerization (e.g., Good) or virtualization (eg VM View or Citrix Reciever) to keep data separate and secure. Think about these technologies as ways to get what you need.