The times when Mom and Dad left their young teenaged son at home were the perfect time to phone the friends and tell them the party's at my parents' house and to bring their own bottle, BYOB! I was not thinking too clearly about the ramifications and the risk to our home or personal belongings, or even to my parents getting sued by my friends' parents. Those so-called friends would show up, and inevitably things were broken and almost always things went missing. I would scramble to try to repair everything before my parents returned.
Our place of work is much like our home, and we invite friends or colleagues to bring their own mobile device to the party and consume some sensitive data, BYOD! They are intoxicated by the excitement of getting their work data on their personally owned device and do not understand the implications of that data being removed from the house. What is the real impact to us and to them? After all, it's not like they are worried about their parents coming home.
If we are going to have the BYOD house party and allow the team to bring their own risk of personal applications commingling with corporate data, we need to set expectations before they show up at the door and explain the policies and rules to them. This way, when they violate them, we can have our large football-playing friend remove them from the house. But how do we detect when people are sneaking off to our parents' room to do inappropriate things? What will alarm us? Do I have the controls in place? Have I given them application protection around their BYOD so I am not cleaning up broken glass before the parents get home? Do I even know who did it? Did I have them authenticate to the rooms in my home so I don't get stuck cleaning up the mess by myself? If we get hungry while they are over, do I let them risk driving after consuming some beverages to get food, or do we order out?
With the movement to BYOD, and now more acronyms such as BYOA (Bring Your Own Applications) added to the mix, we need to look at controls that are a hybrid of Mobile Device Management (MDM) and Information Management, and also layer in user and device authentication, application security and some level of application control. Most organizations patch the PC environment fairly well these days, but what about mobile? Certificates for corporate Wi-Fi and VPN can also be tied into the solution. Data Loss Prevention (DLP) will play an important role in determining whether sensitive data is on a mobile device, and then how do we handle it from there? Do we move it, encrypt it, or both?
Plan out the house party and define the rules upfront, but do not get too wrapped up in the D in BYOD. We cannot marry ourselves to the devices of today; it is the information on the device that we ultimately want to protect.
So how do you want to remember your BYOD house party: for the good times had, or for the cleanups done in a panic?
Cross-posted from In Defense of Data.