The mass proliferation of consumer computing devices is in full force, with only escalation on the horizon, and any technologist who thinks they can stop it or officially banish it from their little kingdom should think again. Those troglodytes will only lead a frustrating existence in a world where resistance is truly futile.
The best approach is to intelligently manage technological change rather than pursue the book-burner’s philosophy.
At a fundamental level, there is no discernible difference between mobile technology and other forms of computing technology. They all have connectivity to networks and peripherals; they all have storage capabilities; they all have operating systems; and they all interface with information through applications. So my question to you is this: why treat mobile devices any differently than any other computing endpoint?
The real focus of our efforts should be on the control of intellectual property, which includes sensitive information. Let’s not forget that there is nothing new about our mission, only the increasing number of endpoints that may access that same information. Let’s not lose sight of what our successes and failures have been in managing this situation to date, and let’s not suddenly declare that consumer electronic computing devices pose a brand new threat to our organizations and our personal identities. The real threat is the exponential increase in the exposure of our lack of control, and once again we are relegated to troglodyte status.
The consumerization of computing devices has forced the issue into the spotlight as these gizmos infiltrate our corporate bastions. Who doesn’t want to take advantage of the benefits brought to us by smartphones and tablets? Employees and executives alike are clamoring to use their personal choice of endpoint for more than personal purposes. Why carry a personal smartphone and the company-issued mobile device when one will do the task better? I’ll be the first to raise my hand in support of this trend. Despite the new challenges in corporate management, which should not be diminished to accommodate this new technology wave, information security executives already have everything available to accomplish this task, from enterprise-grade software management tools to policies.
The biggest challenge arises when the organization does not own the mobile device, so it is crucial to find that prudent point of symbiotic mutualism between embracing the use of these devices in our corporate environments and ensuring that employees comply with the rules of engagement. The bring-your-own-device (BYOD) movement is in motion!
For starters, existing intrusion prevention systems (IPS), data loss prevention (DLP), digital rights management (DRM) and other information proxy infrastructure devices, properly applied, are more than capable of preventing intellectual property and sensitive information from being transferred to mobile endpoints, or any endpoint for that matter. Assuming you have already conducted an enterprise information security risk assessment, the critical information should already be identified, or at least you will know what needs to be accomplished from the gaps that need remediation.
Another aspect that I find widely underutilized in my travels is the classification and labeling of electronic intellectual property and sensitive information, which is essential to adding another control layer that you will need when implementing your individual and role-based access controls. You will want to begin this effort with governance policies that establish the baseline before you deploy technology to support your policies.
Additional challenges that really affect the BYOD movement fall on the device owner. These smartphones and tablets must only be allowed into our environments when we have the ability to ensure that fundamental security has been verified. Things like encryption of storage media, anti-virus and anti-malware software, remote wipe, remote locate, and VPN capabilities must comply with the corporate standard. This means that employees must accept a level of corporate control and the usage responsibilities articulated in an acknowledged corporate usage policy.
Your employees lose a little control but gain the pleasure of being permitted to BYOD into the workplace. While employees are connected to the corporate infrastructure, they will need to understand that the same usage expectations still exist and that monitoring still occurs. Everyone should receive awareness training on a regular basis, including the administrators of those enterprise controls.
Say yes to BYOD as long as the end user accepts your basic expectations and management capabilities. It’s true that every paradigm shift brings new challenges, but when it comes to the BYOD movement, we possess every capability to find symbiotic mutualism between employees’ needs and corporate requirements.
Article first published as Symbiotic Mutualism: A BYOD Love Story on Technorati.