Alex Chapman - October 2013
Managing Bring Your Own Device (BYOD) within an enterprise environment poses a serious, continuous challenge for IT security professionals. As the line between the organisation and outside systems is blurred, the overall security of the enterprise can be affected. Organisations seeking to take full advantage of the numerous business benefits that widespread use of mobile devices by the workforce can offer, must strike a delicate balance between security requirements and the need to create a BYOD environment that users will be happy to utilise – in part because if users come to regard security measures as unacceptably onerous they may seek to bypass them, thereby creating additional security vulnerabilities.
In previous whitepapers Context has outlined best practice when securing enterprise provisioned mobile devices. But whilst those devices were fully owned and managed by the enterprise, in the era of BYOD this is no longer the case. Corporate pressure to reduce costs is also encouraging organisations to allow staff to use their own mobile devices to access sensitive corporate data.
Securing personal mobile devices presents a more difficult challenge for organisations than securing devices managed by the enterprise, in part because of the nature of the devices themselves: easy to lose, likely to be lent to friends and family and attractive to thieves. The software on these devices may also contain security vulnerabilities that could lead to a user leaking sensitive data unwittingly, or could be exploited by a malicious user.
Previous recommendations advising locking down mobile devices so that they can only be used in a corporate environment can no longer be applied to BYOD, because users are unwilling to give up control of their personal mobile devices in order to be able to access enterprise data. Yet organisations need to ensure that strong security controls are implemented to protect sensitive data.
Increasingly, in order to manage these risks, organisations are turning to Mobile Device Management (MDM) solutions. In this whitepaper we outline the results of Context’s assessments of three MDM solutions when used in conjunction with Android and iOS mobile devices; and provide recommendations for best practice in the secure use of these solutions.
Simply using good technology is no guarantee of success. Whenever any organisation implements security measures it must also draw on the cooperation and active efforts of end users. This is perhaps particularly important if it is attempting to secure BYOD environments. Whilst there is no realistic way to guarantee the security of a workable BYOD environment, organisations can take significant steps towards mitigation of security risks if they combine technical security controls with clearly defined acceptable use policies. These must clearly define acceptable use of all devices that will be connected to the enterprise BYOD environment and could be used to store or to access sensitive corporate data.