Ronan Lavelle, CEO of Azurati, writes about the BYOD boom and argues that making it secure is key for your business.
Irrespective of the collaboration and file sharing environment within a business, there may be hundreds of employees bringing all manner of smartphones and tablets into the office and using them when working remotely. Not just iPads and iPhones, but netbooks and Android phones/tablets from a plethora of manufacturers. So how do you make access to your business apps secure? And what about corporate policy: do you embrace the concept or firewall the lot?
Some organisations are addressing this by deploying mobile devices themselves, but for the vast majority, the proliferation of ‘Bring Your Own Device’ (BYOD) introduces many security issues for enterprises to consider before they invest in mobile computing. According to Microsoft’s Trust in Technology survey (2012), 67 per cent of people are already using personal devices in the workplace; however, company policy on BYOD seems not to be keeping pace. Only 53pc of organisations reported having a BYOD policy in place; for 23pc the response was that no BYOD policy or guidance existed, and 24pc of companies had policies banning the use of personal devices in the workplace. End-users, meanwhile, clearly want to use their own devices: 68pc of respondents cited BYOD as important to them, 40pc of whom said ‘very important’.
This sudden explosion in BYOD is a trend that, while understandable from the user’s perspective, is giving IT departments the world over the shivers. Protecting the organisation from security breaches – which are often caused inadvertently by the users – has long been a big challenge, and it has suddenly taken on a whole new dimension with employees and contractors introducing their own tablets and smartphones into the workplace, in effect blurring the lines between personal and business computing devices.
So it is hardly surprising that IT and security chiefs in many organisations, both large and small, are hesitating before taking the plunge into truly embracing the concept of the mobile enterprise. However, like it or not, enterprises are going to have to face this problem head on, and sooner rather than later. Conversely, this could be viewed as a positive step. The exponential growth of business mobile usage could actually be helping to improve productivity by making better use of existing applications and services in which organisations have already invested. However, as these apps are traditionally hard to access on mobile devices, companies are not making maximum use of them.
This potential conflict is removed with the latest wave of mobile applications or services that have been adapted or developed to take advantage of the BYOD trend. A good example of this is Microsoft SharePoint, which has until recently been cumbersome to access on mobile devices, yet has represented a massive investment for organisations the world over. New products have removed this barrier, making SharePoint simple and secure to access, thus helping CIOs and IT directors to recoup better return-on-investment and improve user engagement.
That does not negate the security challenge, so before enterprises can truly exploit BYOD to their own advantage, what needs to happen? Mobile security is a hugely complex and oft-debated topic, and there is also the challenge of balancing accessibility and flexibility against strong security measures. Make security too tough and employees will encounter usability problems.
What does work? At Azurati, during our own research and development process over the past few years, we’ve invested a lot of time and effort working out what constitutes mobile security best practice and have had that independently validated. So, here are our top pieces of advice on what to look for in a secure BYOD app.
1) Authentication – CIOs need to realise that an employee using a mobile device to access corporate systems is essentially an external user, as far as authenticating securely across the firewall is concerned. Make sure that your mobile applications vendor is able to support (or recommend) the authentication regime that works best for your organisation, whether that is using federated profiles, token-based authentication, 2-factor or forms-based authentication, for example.
2) Encryption – it is advisable to minimise the amount of content or data stored on the mobile device, but if it has to be stored there, ensure that it is properly encrypted. 256-bit SSL encryption should be the standard to aim for.
3) Zero footprint – let’s face facts, people are always going to leave their devices lying around. So, insist on ‘zero footprint’: in other words, no corporate data or content is left on a smartphone or tablet.
4) Single sign-on – something that vendors often struggle to achieve, but something that enterprises should be demanding. For instance, if SharePoint users have single sign-on to multiple SharePoint sites, then they only need to remember one user-name and password to access their mobile SharePoint world.
5) Don’t go native – some of the world’s leading analysts have begun to query the sense of native apps. If you choose mobile web apps, then they can still act like a native app to keep users happy, but they support ‘zero footprint’ and also make it a lot easier to manage user and administration rights (which is vital for efficient security strategies). Purchasing, deploying and ensuring that users have downloaded the latest software version are all challenges that CIOs will face with native apps in the enterprise. Some mobile web applications are able to incorporate device features previously only available through native apps, like accessing the device’s GPS functions, camera, alerts and notifications and placing an application badge/icon on the device home screen.
The mobile channel is undoubtedly driving business engagement and productivity. Research suggests that by 2016 smartphones and tablets will be used by a billion business application buyers and/or users. This relentless trend is fuelling a shift to new engagement channels for both the marketing and IT departments, which must not be ignored.
If IT departments can encourage their workforce to use applications like SharePoint better on mobile devices, then the mobile security headache could actually be a saving grace. That depends on having extremely robust security measures, without limiting access or usability, but the technology and techniques are all there: it’s just a question of researching the best fit for the organisation in question.