(Editor’s Note: This guest column by Brian Egenrieder, CRO of SyncDog, is part of an occasional series on mobile security appearing here.)
When it comes to planning out enterprise security in a world increasingly dominated by mobile-savvy employees, even veteran CISOs have to navigate by trial and error, and new lessons are still being learned all the time.
Nowhere is that truer than when it comes to how security managers have scrambled to deal with the Bring Your Own Device (BYOD) phenomenon.
BYOD was a reaction to a demographic shift that burst upon the workplace when a couple of trends came together at around the same time. First, the technology world kept putting extraordinary computing power into the hands of anybody willing to pay the price for a new smartphone. Meanwhile, more Millennials were working or looking for jobs than either the Gen X or Boomer cohorts who preceded them, forcing organizations to deal with a decidedly unique generation when it came to technology.
Unlike previous generations of employees, who took whatever technology devices their company handed out, these more discriminating Millennials demanded a lot more. This generation, born after 1981 through 1996, understood the technical ins and outs of mobile devices long before starting their first jobs. The upshot: They came into jobs already knowing and appreciating the productive value of smartphones in their personal lives, and couldn’t accept less as they moved into the workforce.
But even if we acknowledge the extra challenge for people who knew smartphones, the challenge applies to a broader set of the population than simply Millennials. The fact is that most users nowadays have greater expectations for what they should be able to do with their mobile devices. They want greater simplicity in how they go about doing it and they accept security measures but expect them to be more seamless within the full user experience.
It also means that users are not going to abide by the seemingly arbitrary security rules laid down by IT when it comes to accessing corporate data. Many preferred to use their own private devices for work and increasingly insisted on that as a right, not a convenience. That soon presented security teams with a myriad of questions. Many organizations initially balked at the idea of allowing employees to utilize their own devices to pull data off the corporate cloud. Eventually, however, most got in line and dealt with it as a fact of life. In fact, more than 78% of US organizations said BYOD played a part in their operations last year. As far as security went, the default plan was to make sure the company included a mobile device management (MDM) solution in their BYOD plan and hope for the best.
You Want Me to Use THAT?
The primary alternative is to provide employees with company-owned and managed devices – but that approach is quickly losing its luster. It used to be that employees who owned older devices like a Palm Pilot or BlackBerry would react with delight when their bosses handed them a new iPhone 5. Nowadays, however, employees are often being handed corporate smartphones that lag behind the mobile devices they own privately. Trust me when I say that their reaction is anything but delight.
The problem is cost. Companies understandably shy away from the thousand-dollar price tags attached to top-of-the-line mobile devices and make the calculation that their workers can still get by with something that’s good, but not necessarily state-of-the-art. Given the frequency of new product releases, companies typically need 2 to 3 years to amortize the cost. They’re not going to throw these devices away and will try to repurpose them by keeping them in circulation with their staff.
At the same time, employers installing MDM solutions on privately owned devices have had a degree of control that some employees might describe as awkward, if not altogether creepy. But there was no avoiding the fact that the corporate demand for security was always going to trump the employee’s expectations of privacy. Security teams understandably will always have the final say in how companies create their mobility policies.
The consequence is that we’re seeing many instances where employees wind up carrying around two mobile devices with them, one for work and one for private use.
Thinking About a Better Approach to BYOD
The endless push-pull between mobile-savvy employees, who just want to get the job done, and security teams anxious to protect corporate data from leaking out is not going away. And despite disagreements about implementation, there’s no longer any dispute that the increased use of smartphone technology leads to improvements in business productivity. So how do we get to a better place that accommodates the needs of all concerned?
Let’s acknowledge that MDM by itself is not the end-all, be-all answer to mobile security. Most companies’ strategies center around MDM solutions where they basically put passwords on devices, enabling a full data wipe in case the phones ever get lost or stolen. But users can still search any site and download any documents they choose. You might think that putting a password on the phone is enough, but any CISO will know that it’s not enough. If a document is corrupt or infected, or malware somehow gets texted to the device, the company’s data is at risk.
The goal is to embrace mobility without fear and that means taking measures that incorporate adequate protection and actionable defense into your plans. Organizations need to have the ability to unlock the efficiency and flexibility of BYOD scenarios without sacrificing security.
A containerized workspace that is bolstered with strong encryption, such as 256-bit AES compliant with the Federal Information Processing Standard (FIPS) 140-2, can allow organizations to keep business and personal data separate on either iOS or Android devices. Furthermore, it will protect business data even if a device itself is compromised, and if a remote wipe of corporate data is required, it can be done without erasing a user’s personal data - guaranteed.
A container can host productivity applications tailored for mobile use, from office suites and collaboration apps, to file management applications and location-based services such as geo-location. Applications such as Office 365, Skype for Business, SharePoint and File Sync — to name just a few — can function and collaborate securely in a defense-grade container.
Flexibility is also an important factor in mobile security, with the ability to be deployed via the cloud, including hybrid clouds, as well as on-premises and to be run on Apple or Android devices.
Security is never easy, but it doesn’t have to come with a trade-off in productivity. An isolated, containerized environment can protect data and guard user privacy while enhancing usability. It can simplify security by separating applications into a secure workspace without separating users from their devices. And most importantly, it can do it without slowing down the pace of business.