Graham Titterington, principal analyst at Ovum, said the ideal solution for managing BYO computers was client virtualisation – particularly if the solution allows for the employee’s machine to support at least two virtual environments: one for business, the other for personal use.
“The IT department can then stop managing the laptop and just provide a standard VM for business use on all clients,” he said.
The alternate route involves too much work, he said. “Potentially, there are great difficulties in requiring an over-pressed IT admin function to manage a wide range of devices that are out of their control and not ideally suited to the corporate role.”
Sophos senior technical consultant Sean Richmond said there were many ways to ensure security, from use of virtualisation to new IT policies.
“Treat the machines as un-trusted and hostile,” he advised. “Quarantine it to a certain area of the network until you’ve loaded agent software to allow access to the virtualised infrastructure or to the gateway. Ensure before people add a device that they scan and update the software until it’s approved for use.”
BYO policies should ban jailbroken devices, he said.
The policy should also note that the organisation has the right to deny access to non-compliant machines, and it should specify and limit the provision of technical support to employee devices, Richmond said.
Microsoft chief security advisor Stuart Strathdee made some further recommendations.
Individual documents should be locked or only accessible until an expiry date, he said. Web applications would also be secured on the assumption that the client is hostile, and would track transactional behaviour (as banks have done for online banking). Systems would also require role-based permissions, and it would be mandatory for staff to use encryption.
The policy should also restrict the local storage of company data on BYO machines and instead make use of administrator-approved cloud storage solutions.
“Cloud can be a half-way house,” Strathdee said. “While it’s not a traditional way to look at cloud, it can be done for security.”
A quick checklist when formulating policy:
- Apply to BYO computers the same security settings as an outsider connecting to the network.
- Only allow BYO computers onto the network after administrators have cleared the machine for use.
- Consider use of virtualisation to lock down a virtual machine for work use.
- Ban the storage of corporate data on the device and offer secured cloud services as an alternative.
- Ban jailbroken devices.
- Insist on encryption.
- Lock sensitive documents to devices and/or time limits.
Not for everyone
But even as these policies mature, BYO is clearly not for everyone.
In researching this piece, iTnews spoke to two large software houses that are dreading the trend. Both declined to be identified.
One said non-corporate devices were strictly forbidden, as was desktop virtualisation.
“We’re heavily into standardisation,” the IT manager said, admitting that BYO Computing was a “touchy political subject” internally.
Another IT controller said that although there were potential cost savings associated with BYO computing, it “was not a good deal”.
“It would make sense if we didn’t have a budget, but we do, so as a company we provide the tools for the job – the computer, the smartphone plus the security on the devices,” he said.
Many large companies approached by iTnews declined to comment on their policies - either because they had not yet formulated one, or because they were not ready to unleash staff demand for flexibility.
Rob McMillan, research director for security, risk and privacy at Gartner, recommended that those making the BYO decision in the enterprise fully understand the company’s security risk profile.
“The person who makes the decision should bear the risk,” he said. “If that person happens to be the accountant, then they need the security budget and the authority to control it.
“I don’t want to discourage people from it – I can see the budget and the cultural attraction of it. But highly security-conscious environments like government, share trading and customer service are not the industries to do it. Unfortunately in IT, we sometimes get carried away.
“It will be good, but only for some,” he said.