In a recent post, I discussed how Bring Your Own Service (or Software) is becoming an issue in many enterprise environments as organizations embrace the concept of Bring Your Own Device (BYOD). As with any transformative technology, it is still too early in the adoption cycle to have established industry-recognized best practices surrounding the security of BYOS. However, there are five key tasks that should be addressed before supporting the use of BYOS in the enterprise environment.
1. Adoption of BYOD and BYOS requirements within your acceptable use policy.
I am always amazed to see that BYOD and BYOS are often never mentioned in the acceptable use policy. If you are deploying and supporting BYOD and BYOS (either directly or indirectly), what are the mechanisms and policies guiding the use of those devices and services within the enterprise? The acceptable use policy should address how your employees can appropriately use these technologies within the context of their day-to-day work activities and it should specifically state which uses are prohibited and the potential consequences of unacceptable use.
2. Modification of employment contracts to provide lawful access to devices or services.
Is your contract of employment or employee handbook clear about your rights to inspect, modify and delete all and any data on any device or service connected to your network? It is unclear how far current intellectual property provisions within employment contracts can be extended to provide corporate access to employee-owned devices or services. As such, it is prudent to include provisions within your employment contracts and employee handbook that provide you with the right to inspect devices and/or services and to modify and delete data that may reside in those environments.
3. Adoption of a process to define minimum requirements for BYOD and BYOS support.
What processes do you use to inspect and validate each device to ensure appropriate software licensing and virus protection? Do you have the staff and requisite skills to execute these inspections? How will you insure that corporate data is excluded from BYOS personal backups? How will you meet certain industry regulatory requirements, such as the recording of customer conversations? What are your minimum security requirements for BYOS services to support the storage of corporate data? Many of these processes are not being implemented in support of BYOD and BYOS deployments. In my opinion, the failure to define and deploy these processes and requirements is one of the primary risks of supporting BYOD and BYOS in the enterprise environment. The level of risk increases exponentially with the number of devices and services present in the corporate infrastructure.
4. Adoption of security policies for BYOD and BYOS.
It is imperative that your corporate security policy covers the use and storage of company data on personal devices and in personal cloud services. The sensible approach is to take the time to evaluate the security attributes of the devices and services generally available on the market and to carefully choose those devices and services that meet or exceed your security requirements. This is also an opportunity to use additional encryption and tokenization technologies to provide additional protection for corporate data that may be stored on a BYOS service.
5. Don’t get sucked into the notion of supporting the world.
Until some of the challenges of the BYOD and BYOS phenomena can be resolved, we are recommending to our customers to choose one or two devices and/or services to support as opposed to boiling the ocean and supporting all comers. No one has the staff and skills to support every smart device and cloud service available on the market today. Carefully evaluate the smart devices and services available and create a corporate standard in order to address all of the challenges implicit in BYOD/BYOS deployments.
In the final analysis, the most important consideration is to insure the security of corporate data that may reside in the BYOD and BYOS environment. While the environment is still admittedly chaotic, your primary focus has to be on securing corporate data. Security amongst all of this chaos is quickly becoming the primary dilemma of BYOD and BYOS deployments. As with most things in this world, simplicity and specificity, adherence to process and standards and good common sense are the best tools to tackle the challenges of BYOD and BYOS deployment and support.