Friday, 9 May 2014

BYOD Revisited

I wrote a piece on a pipedream called “Bring Your Own Device” back in November 2011 (http://blog.andytang.com/2011/11/embracing-bring-your-own-device-byod.html)

Like with all new concepts, I believe my attitude has changed and mellowed as I see it being used in the real world.  I still have a number of conversations about BYOD or CYOD (Choose Your Own Device), but more around people still being unsure what to do.

I remember being asked by an ex-boss, “What BYOD solutions do we sell?” to which I replied “None… We sell solutions to support BYOD policies, not BYOD Solutions!” If we consider this for a moment, your policy could be to not allow personal devices, it could be to only allow personal devices on the guest wireless, or it could be full access to the corporate network where the administrators can remote wipe your device. These are different policies, and they would require different types of solutions to enforce them.

Previously I talked about network infrastructure, endpoint security, network access, compliance and device compatibility; I don’t feel they are as important any more. The issues I believe we need to focus on are as follows.

Wireless Security
My stance has changed from whether the wireless network can cope to whether the wireless network is secure enough. Can the organisation deal with rogue access points, denial of service attacks, or unauthorised devices connecting to your network? Most people can’t say this about their wireless network, which in my opinion is not good enough! There are Wireless Intrusion Prevention Systems out there that can offer wireless access, as well as act as an overlay to your existing wireless network.

Enterprise Mobility Management (EMM)
There was a time when the concern was how we can wipe a device if it’s lost or if the employee leaves. This led to an employee pushback around it being their device and not the company’s. Where MDM (Mobile Device Management) was once good enough, it started to get coupled with MAM (Mobile Application Management) and, more recently, MCM (Mobile Content Management). This then provides comprehensive device and data management for the mobile devices.

Protecting the Data
I only care about the data! As an organisation, should I worry if my employees lose their devices, if the wireless connection they are on is insecure, what type of device they are on, or whether they run any security on their device? The answer should be no…

My only concern as an organisation is: is my data safe? We should be protecting the data.

Find out which data is critical to the organisation and protect it. There are many DLP (data leakage prevention) solutions, but these need to be coupled with the means by which the data can leave your organisation. Primarily, organisations will look at the web and email vectors, before considering that ActiveSync (the protocol most mobile devices use to collect their email from corporate email servers) is also a vector by which data can leave.

Conclusion
If you feel you have to protect the device, then look at a full EMM solution and not just an MDM. If you have to provide wireless, please secure it with a WIPS. The key, in my opinion, though, is to protect your data!

Companies rarely make the news for losing a device, but they do if they lose data!
