Wednesday, 30 October 2013

Bring Your Own Device (BYOD) Management

Bring Your Own Device (BYOD) is a new phrase which has entered the IT lexicon with the advent of smartphones, PDAs, tablets and other mobile computing devices. With the consumerization of IT, these devices, which were invented for the consumer market, have entered the business world. BYOD is the concept of employees bringing their own devices into the workplace and using them to access the corporate network, the organization’s applications, emails and other confidential data. Employees today carry smartphones, personal laptops and tablets to the workplace for personal or professional use and find it extremely difficult to work in an environment where such devices are restricted. Many companies encourage their employees to bring such mobile computing devices to work because it reduces the cost of hardware and the employees find it a work-friendly environment. However, keeping the corporate data confidential and the organization’s network secure are major security concerns associated with BYOD. Therefore, to implement a BYOD program, organizations need to embrace a BYOD policy.


The BYOD policy should address the following security requirements for mobile computing devices.

  • Specify the job roles to which the BYOD program applies.
  • Specify the BYOD devices that will be permitted in the corporate environment.
  • Specify which services should be accessible and which applications are allowed or banned, depending on job responsibilities, since the policy covers not just the hardware devices but also the software used on them. On a Windows machine, the administrator can create the employee’s account as a limited account type, so that the employee can use only installed applications and cannot install new hardware or software on their own. A program can also be installed on the user’s machine that asks for a password each time the user tries to download anything. To limit access to unwanted websites, internet content filtering software can be installed on the user’s machine, ensuring users don’t have access to unwanted websites in the workplace.
  • Define information security and access management policies for the various devices.
    The policies should state that users’ devices must have a screen lock / password configured, antivirus software installed, firewalls activated, corporate data on mobile computing devices encrypted, security patches updated regularly, etc.
  • A policy should be defined for cases where a device is broken or damaged. The corporate data on the device should be backed up regularly so that no data or important emails are lost.
  • The BYOD policy should be communicated to all the applicable employees, and they should be aware of the serious consequences in case of a policy violation and security breach.
  • Regularly monitoring the devices can help organizations identify security breaches, check for policy violations and ensure devices conform to the organization’s compliance requirements. Monitoring data transfer from the internet to the computer and from the computer to the internet can help check whether any confidential data is being transferred to an unknown and unauthorized person. This can be done on a Windows machine using a utility called “Resource Monitor”.
  • The employee exit policy should specify disabling the corporate email ID, removing the employee’s access to the organization’s other applications, removing remote and Wi-Fi access to the corporate network, and deleting the corporate confidential data from the employee’s personal device.
  • Include locking down mobile devices and wiping the data on the device in cases where the device has been stolen or lost, or the employee is absconding with the device. This will prevent unauthorized access to the corporate network and also prevent confidential data loss.
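
The device requirements in the information security bullet above (screen lock, antivirus, firewall, encryption, patches) can be checked on a Windows device with a read-only script. This is an added example, not from the original post; it assumes Microsoft Defender and BitLocker are the antivirus and encryption in use, and the function name and thresholds are hypothetical.

```powershell
# Added example: read-only posture check for a Windows BYOD device.
# Assumptions (not from the article): Microsoft Defender is the antivirus,
# BitLocker is the encryption, and the thresholds are placeholder values.
function Test-ByodPosture {            # hypothetical function name
    param(
        [int]$MaxSignatureAgeDays = 3,     # assumed policy threshold
        [int]$MaxPatchAgeDays     = 35,    # assumed policy threshold
        [int]$MaxIdleLockSeconds  = 900    # assumed policy threshold
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Screen lock: the machine inactivity limit must be set and short enough.
    $sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $idle = (Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $idle -or $idle -gt $MaxIdleLockSeconds) {
        $findings.Add('Screen lock: no inactivity limit, or limit too long')
    }

    # Antivirus: enabled, real-time protection on, signatures recent.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus: disabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Antivirus: real-time protection off') }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Antivirus: signatures $($mp.AntivirusSignatureAge) days old")
        }
    } catch { $findings.Add('Antivirus: Defender status unavailable') }

    # Firewall: every profile (Domain, Private, Public) must be enabled.
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True') { $findings.Add("Firewall: profile $($p.Name) disabled") }
    }

    # Encryption: system volume must report protection On (needs elevation).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        if ("$($vol.ProtectionStatus)" -ne 'On') { $findings.Add('Encryption: system drive not protected') }
    } catch { $findings.Add('Encryption: BitLocker status unavailable') }

    # Patches: the newest installed update must be recent.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    if (-not $last -or $last.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings.Add('Patches: no update installed within the allowed window')
    }

    [pscustomobject]@{ Device = $env:COMPUTERNAME; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-ByodPosture | Format-List
```

Run it from an elevated PowerShell session so the BitLocker query succeeds; a device with a third-party antivirus or encryption product will report those checks as unavailable rather than compliant.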
While BYOD creates a work-friendly environment, increases productivity and saves costs for organizations, it has its own security issues, e.g. lack of physical security controls when the user is not in the workplace, a user buying a new device and selling the old one without confirming that no sensitive data is stored on it, unauthorized access, etc. By implementing a strong BYOD policy, the organization can secure its IT environment and confidential data. Organizations can also implement Mobile Device Management and Application Management to address the security issues and make the BYOD program work in favor of the organization.

About Author:
Nikhil Vaishnav is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, he actively contributes to the areas of Technology and Information Security. He can be contacted at nikhil.v@spluspl.com
