If an employee walked into work one day clutching his shiny new iPhone, iPad, Android or other mobile smartphone or tablet, wanting to use it for official corporate business, would you say yes?
Plenty of IT managers are hearing that question these days, aware that it gives rise to security and management concerns. Should the employee-owned smartphone or tablet be managed or secured exactly as a corporate-issued mobile device might be? Can the employee and business data be separated somehow? Or should the whole “bring your own device” (BYOD) phenomenon be rejected as too much of a security risk and management ordeal?
Former White House cybersecurity adviser Richard Clarke, now partner at the firm Good Harbor Consulting, says employee-owned devices used for work may well “represent the newest and largest vulnerability in corporate America now.”
Employees are insisting they have these devices, and CIOs are giving in. But “the corporation has a responsibility to its shareholders to ensure that everything that is allowed there is secured,” Clarke says. That means ensuring that any app running on that device is secure, he says. Anything less is unacceptable.
The U.S. government itself is not rushing into the BYOD craze, according to Deborah Gallagher, acting director of the identity management division at the General Services Administration (GSA). She fielded questions on this at the recent Biometrics Consortium Conference.
Concerns about employee-owned devices include, “How do we make sure the device is the one we want on the network, and the person is who they say they are, and it’s secure?” said Gallagher. “We’re not sure yet.”
GSA is thinking about the BYOD question but wants to achieve the same levels of security required for government-issued computers. “We don’t want to throw out what we’ve done already,” she said, alluding to the enormous public-key certificate management infrastructure the government has fostered over the years. The government might consider using digital certificates on the new variety of smartphones.
Chad Plemons, vice president of IT at Knoxville, Tenn.-based Edfinancial Services, which is involved in student loans, says BYOD is not an option at all because contractual obligations with the Federal Student Aid division of the U.S. Department of Education require Edfinancial to use only company-owned devices.
But in the private sector, many companies are moving forward with BYOD.
Jon Martin, vice president of IT at Digirad, a maker of cameras used for medical purposes, said his firm is allowing employee-owned iPhones and iPads.
“What we’ve done is move from the company owning the device to the individual owning the device,” Martin says, noting there’s a formal procedure for that with a subsidy to the employee. He said it saves the company money and the employees are pleased with the situation.
There are limits, though.
“We’re only trying to support email,” he says. “And the users can’t contact us for advice. We say, check with your provider,” such as the wireless services provider, when the devices don’t work well. However, there’s a dual-management arrangement where Digirad’s cloud provider for Microsoft Exchange services, CenterBeam, with its CenterBeam 365+ service, does manage the email connectivity for the employee-owned device used at work.
VeriSign Chief Security Officer Danny McPherson says his company allows employee-owned devices for use at work – under some conditions – and notes it has been something of a “struggle” to evolve a policy.
“It’s a subjective consideration based on the group the individual is in,” McPherson says. He says certain security software has to be run on employee-owned devices, as it might be on corporate-issued devices. Even then, “personal devices used for work are not given ubiquitous access.”
“Management of employee-owned devices is tricky because it is much more difficult to maintain standardization on these devices and to install software and agents designed to lock them down,” says Steve Brasen, managing research director, systems management, at consultancy Enterprise Management Associates.
Tablets vs. laptops vs. smartphones
Companies can introduce policies for BYOD, and the employee must be willing to conform to them, he says. But he thinks the BYOD approach may not be effective “in organizations and employee roles in which mobile-device use is essential to business success.”
A possible second BYOD option, Brasen points out, is to use endpoint virtualization to logically separate the personal and work environments: only the work environment is managed by the business, and employees switch between the two environments as required.
The high-tech industry is coming up with strategies, software and services for what some call the ‘dual-persona’ mobile device, but much of this is still at an early stage.
“The smartphone is almost as powerful as the PC,” says Andy Hayter, anti-malcode manager at ICSA Labs. “The business should set policy as they would for the PC, with controls such as anti-virus or VPN.”
But companies shouldn’t necessarily give the thumbs-up to every single mobile device the employee walks in with, he says.
“There’s a tide of new devices coming in and they need to put the brakes on it up front,” Hayter says. Companies should consider choosing specific mobile devices as a corporate standard, stipulate certain business uses for them, and thoroughly test what has been approved.