“As soon as you allow a user to have access to the cloud applications, let's say it's a file sharing service, inevitably they want to do it from their own device, from home, from their iPad, from their Android device, inevitably this will happen” – Neil MacDonald, Gartner Analyst
Given the abundance of mobile devices, coupled with the productivity and cost reduction benefits they bring, the number of companies that allow employees to access sensitive corporate data from their personally-owned devices has continued to flourish. According to Gartner, by 2017, over half of organizations will actually FORCE users to bring their own device to work.
This proliferation of data that is now moving outside of company networks, down to things like employee-owned smartphones, tablets and laptops can increase the chance of data leaking out and getting into the wrong hands. This is perhaps why BYOD has become a huge pain point for professionals looking to secure mobile devices (I’m sure a lot of you are already cringing at the thought of BYOD security). It also doesn’t help that the employees themselves have a false sense of mobile security savvy.
It turns out that, surprise, surprise, smartphone users are making silly and unsafe mistakes when it comes to privacy. A survey of 1,000 smartphone users done by security firm Lookout found that, of those who said they were security savvy, 52% admitted to not reading privacy policies before downloading mobile apps, 34% didn’t set a PIN or passcode on their phones and 35% downloaded mobile apps from unofficial marketplaces. It's also important to point out that 76% connect to public Wi-Fi networks, increasing the risk of cybercriminals getting their hands on sensitive data coming down to mobile devices.
So, how do you solve for BYOD security?
If you want to secure BYOD devices you should invoke a "managed" vs. "unmanaged" device profile policy within your company. Here is a diagram that demonstrates what a policy like this might look like.
As you can see from the diagram, very different contextual access controls, application access rules and data protection techniques apply to managed versus unmanaged devices. Since “managed” devices pass the contextual access control test, they can access any cloud application they would like and have full access to all data stored within it. Because of the managed device profile, these pose significantly less risk to your corporate data than “unmanaged” devices.
Unmanaged devices do not pass the contextual access control test, so their access to applications holding sensitive data is limited and stronger data protection methods are applied to them. This profile involves controlled access. A clear example of this would be forcing unmanaged devices into an encrypted container for all downloads made from cloud apps, and redacting certain keywords before they hit the device.
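To make the two profiles concrete, here is an added example (not Bitglass code) of a small policy engine: it runs a contextual access check over assumed device signals (MDM enrolment, device certificate, passcode, jailbreak status), assigns the managed or unmanaged profile, and for unmanaged devices blocks the sensitive app, redacts a constructed keyword list and flags downloads for an encrypted container. App names and keywords are constructed sample values.

```python
import re
from dataclasses import dataclass

# Constructed sample policy: which apps exist and which hold sensitive data.
ALL_APPS = {"email", "calendar", "file-sharing", "hr-portal"}
SENSITIVE_APPS = {"hr-portal"}              # denied outright for unmanaged devices
REDACTED_TERMS = ["Project Falcon", "SSN"]  # stripped before reaching unmanaged devices

@dataclass
class DeviceContext:
    """Signals the contextual access control test inspects (assumed set)."""
    device_id: str
    mdm_enrolled: bool    # enrolled in the company's device management
    cert_present: bool    # presents a company-issued device certificate
    passcode_set: bool    # device lock enabled
    jailbroken: bool      # a rooted/jailbroken device never counts as managed

@dataclass
class DeviceProfile:
    name: str                  # "managed" or "unmanaged"
    allowed_apps: frozenset
    encrypted_container: bool  # downloads forced into an encrypted container
    redact_keywords: bool      # sensitive terms removed before delivery

def contextual_access_check(ctx: DeviceContext) -> bool:
    """Managed means every management signal is present and the device is not compromised."""
    return (ctx.mdm_enrolled and ctx.cert_present
            and ctx.passcode_set and not ctx.jailbroken)

def profile_for(ctx: DeviceContext) -> DeviceProfile:
    if contextual_access_check(ctx):
        return DeviceProfile("managed", frozenset(ALL_APPS), False, False)
    # Unmanaged: controlled access with stronger data protection applied
    return DeviceProfile("unmanaged", frozenset(ALL_APPS - SENSITIVE_APPS), True, True)

_REDACT_RE = re.compile("|".join(re.escape(t) for t in REDACTED_TERMS), re.IGNORECASE)

def redact(text: str) -> str:
    """Replace every configured keyword (case-insensitive) before the data leaves the cloud."""
    return _REDACT_RE.sub("[REDACTED]", text)

def deliver(profile: DeviceProfile, app: str, content: str):
    """Return (content_to_send, needs_encrypted_container), or None if the app is denied."""
    if app not in profile.allowed_apps:
        return None
    if profile.redact_keywords:
        content = redact(content)
    return content, profile.encrypted_container
```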
The managed vs. unmanaged approach to security works because no matter what your security posture may be, it allows for BYOD security while providing the productivity, and cost reduction benefits companies were aiming for to begin with.
Now that you know how to achieve BYOD security, it’s time for you to take a look at your own infrastructure and start building your device profiling strategy. Here's how to get started.
Product Marketing Manager | Bitglass