Developing a BYOD Policy to Work Safely, Securely, and Effectively

March 8, 2016 - by Synoptek

When a firm properly prepares the policy, processes, and programs needed for a safe, secure BYOD policy, productivity increases dramatically. Since their devices are always with them, the firm’s personnel finish that last bit of office work on their commute home. They get ahead of the next day by checking email, safely, while having their morning coffee. Employees no longer have to copy files haphazardly in preparation for an out-of-town trip. Everything they need to get their work done is available to them wherever they are.

Bringing these productivity gains and operating cost reductions to your firm requires careful planning and an intelligent approach to security, information privacy, regulatory compliance, and human behavior.

8 tips to develop a secure BYOD Policy:

1.   Assessment of Your Network’s Current State of Readiness to Accommodate a BYOD Policy

A thorough assessment of a given network’s readiness to accommodate a BYOD policy is required. This includes a careful examination of the wide area and local area infrastructure, communication capacities, server capabilities and storage availability, network access control functionality, security, regulatory compliance, and other specifics.

Since this assessment is performed only once, prior to the actual deployment of BYOD technologies, and since it should be an objective examination, it is more effective and informative to have it performed by Synoptek, whose experts are experienced in conducting such assessments.

2.   Selection of Preferred Network and Systems Technology Platforms

As with any information technology initiative, care must be exercised to balance the initial investment in the solution against the long-term total cost of ownership (TCO). Selecting a lower-cost, less-effective data security solution, for example, can result in very costly theft, corruption, or loss of valuable data assets. A less reliable communication solution can leave mobile users disconnected at crucial times.

Project the total investment over time carefully before making decisions. Take into account the business value proposition represented by the investment and perform a thorough analysis of potential strengths, weaknesses, opportunities and threats before determining which technology will serve your firm best over the long term.

3.   Network Infrastructure Optimization

Recognize that even the most finely tuned network may not be fully prepared to support remote connections optimally. The additional network access control, encryption, authentication, persistence of connection, bonded and redundant bandwidth provisions, and other capacities required to truly accommodate mobile users may need to be added or improved before your BYOD policy can succeed.

4.   BYOD Policy Endpoint Device Requirements

More and more manufacturers are introducing endpoint devices that are truly designed for BYOD. These have features that support superior security, authentication, encryption and regulatory compliance.  Some of the newer tablets accommodate business applications by running Microsoft Windows and thus all compatible software.

Over time, network managers have expressed their frustration with the difficulty of supporting some popular devices’ access to their networks. Approval of a BYOD policy does not necessarily imply that any and all devices are acceptable and will be supported. A firm’s BYOD policy should clearly indicate which devices are acceptable and which are considered incompatible. Any device not appearing on either list should be submitted for approval before being connected.

One of the characteristics of an acceptable device should be the security provisions available to protect the device itself. How effective is the user locking mechanism that must be satisfied before the user can actually start using the device?  How easy is it to defeat that mechanism? How easy is it to monitor activity on the device? Does the device facilitate mobile device management including remote blanking of the entire device or selected portions of it?

5.   Protecting the Data

When considering the protection of the firm’s most valuable asset, the data, it is important to consider the two states in which data exists: in transit and at rest. Most people think of securing data while in transit, perhaps because data only gains value when it is in transit. Many encryption/decryption strategies and other security provisions exist to protect the data in transit.

However, it is equally important to protect the data when it is at rest with special focus on where it is at rest. Protecting data at rest in your firm’s data center’s storage is relatively straightforward, but where else will data come to rest?  Will it come to rest, for example, on a user’s mobile device?  When there, can it truly be protected not only from external intrusion but also from misuse by the user?

6.   Protecting Data from the User’s Mobile Device

The obvious point of greatest data vulnerability occurs when data is resident on the user’s device. The mobile device is more vulnerable to attack than the corporate network, and the user may inadvertently overcome all security measures by simply forwarding data using their own personal email account.

Two strategies have emerged to further secure valuable data from the device and its user.

i. Containers

Various technologies have been introduced to “containerize” corporate data residing on mobile devices, keeping it completely segregated from the user’s personal information and applications. This prevents users from forwarding corporate data using personal means. It also insulates the corporate data from malware that may attack the user through personal gaming, file transfer, or communications.

Containers can also protect the firm from employee litigation when a device is lost or stolen. The usual response to a lost device is to lock it and blank it out entirely so that no data remains on it, but firms may violate their employees’ rights by blanking the personal data resident on the device. With a container, the firm can blank only the corporate container, leaving the personal data intact.

ii. The Virtual Experience

Some companies have chosen to use a “virtual” approach in which the actual processing of corporate applications takes place on a server back in the data center.  The results of the process are then displayed on the user’s device. None of the data are ever transferred to the device and therefore can’t be relayed outside the firm and don’t require storage on the device.

Companies have used remote or virtual desktop technology strategies for years to deliver complex, data-intensive or highly transactional applications to distant locations more effectively.

This technology performs all processing and data handling on a computer residing within the data center itself. In fact, no data or applications ever travel outside of the data center or beyond the corporate firewall.

The remote user’s computer or other device simply acts as a viewer, showing the user what they would ordinarily see if the processing were happening on their own device. To accomplish this, only the screen appearance and the keyboard and mouse input are transferred between the user’s device and the data center. Since this is very little data, the transmission is much faster, resulting in a user experience that approximates what they would experience if the entire process were happening locally.

For remote offices and mobile computer users this has represented a tremendous improvement in the user experience. From the user’s perspective, their computer seems to be operating as it would were they at the office connected to the data center servers by the local network. From the network manager’s perspective much greater control over the desktop environment becomes available as does the ability to update, upgrade, and support applications and users centrally.  User experience improves, support improves, and costs are reduced dramatically.

New technology has extended this virtual experience beyond desktop and laptop computers to smartphones, tablets, and other devices. Again, one of the biggest advantages is the improvement to the usability of the mobile device, which is inherently much faster because far less is being communicated between it and the data center. In fact, no corporate data at all is being exchanged between the two, and this is the true underlying value of a virtual approach to mobile computing. Since all processing takes place within the data center, no corporate data is ever communicated to any mobile device, and therefore there is no need to protect data resident on the mobile device.

7.   How to Protect Your Network When Implementing Your BYOD Policy 

Every device on any network must be considered an opening, a doorway through which many different things may enter. Most of what enters is valuable input required to fulfill the intended functions of the network, but often what can enter is far more insidious. Attempts to exploit the network, compromise the data on it, and cause other damage can be introduced in far too many ways.

This must be kept front-of-mind when designing strategies for connecting any device to any network. As much as the network must be designed to protect its endpoints from harm, the endpoints must similarly be configured to prevent malicious content from entering the network.

This begins with the selection of devices that will be allowed on the network. Some devices simply do not have sufficient measures built into them to protect the device itself adequately for business use. If the device cannot protect itself it cannot protect the corporate network.

The measures built into compliant mobile devices are still worthless unless they are properly used. In some cases this is the responsibility of the user, and this must be stated clearly and in detail in the corporate BYOD policy. In other cases, network managers can employ their network access control systems to determine whether device security measures are being used properly before allowing the device to connect. This protects both the network and the device itself.
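The following is an added example, not code from Synoptek or from this post, showing how the advice of items 4 and 7 can be expressed as a concrete admission check: a BYOD policy lists acceptable and incompatible models, devices on neither list are held for approval, and a network access control step verifies that the device’s own security measures (screen lock, storage encryption, MDM enrollment, a minimum OS version) are actually in use before the device is allowed on. The policy values, model names and device records are all constructed for illustration; the `Device`, `BYODPolicy` and `evaluate` names are hypothetical and not part of any NAC product.

```python
"""Device posture check for a BYOD network access control (NAC) decision.

Added example, not Synoptek's code. Policy values and device records below
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically.
    Comparing the raw strings would wrongly rank '9.0' above '10.0'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Device:
    platform: str           # e.g. "ios", "android", "windows"
    model: str
    os_version: str
    screen_lock: bool       # user locking mechanism enabled
    storage_encrypted: bool
    mdm_enrolled: bool      # MDM enrolment gives remote lock / remote blanking


@dataclass(frozen=True)
class BYODPolicy:
    approved_models: Set[str]
    incompatible_models: Set[str]
    min_os_version: Dict[str, str]   # platform -> lowest acceptable version


@dataclass(frozen=True)
class Decision:
    action: str             # "allow", "deny" or "submit_for_approval"
    reasons: Tuple[str, ...]


def evaluate(device: Device, policy: BYODPolicy) -> Decision:
    """Decide whether a device may join the network, with the reasons why not."""
    # Step 1 (item 4): the device lists decide whether the model may connect at all.
    if device.model in policy.incompatible_models:
        return Decision("deny", (f"{device.model} is listed as incompatible",))
    if device.model not in policy.approved_models:
        return Decision(
            "submit_for_approval",
            (f"{device.model} is on neither list; approval required before connecting",),
        )

    # Step 2 (item 7): NAC posture checks - the device's measures must be in use.
    failures: List[str] = []
    if not device.screen_lock:
        failures.append("screen lock is disabled")
    if not device.storage_encrypted:
        failures.append("device storage is not encrypted")
    if not device.mdm_enrolled:
        failures.append("device is not enrolled in MDM (no remote lock/blanking)")
    required = policy.min_os_version.get(device.platform)
    if required is None:
        failures.append(f"no minimum OS version defined for platform {device.platform}")
    elif parse_version(device.os_version) < parse_version(required):
        failures.append(f"{device.platform} {device.os_version} is below required {required}")

    if failures:
        return Decision("deny", tuple(failures))
    return Decision("allow", ())


# Constructed sample policy and device records (not real products or data).
POLICY = BYODPolicy(
    approved_models={"Tablet-A", "Phone-B"},
    incompatible_models={"Phone-X"},
    min_os_version={"ios": "9.0", "android": "6.0"},
)

SAMPLE_DEVICES = {
    "ok":      Device("ios",     "Phone-B",  "9.3.2", True,  True, True),
    "no_lock": Device("android", "Tablet-A", "6.0.1", False, True, True),
    "old_os":  Device("android", "Tablet-A", "5.1",   True,  True, True),
    "banned":  Device("ios",     "Phone-X",  "9.3",   True,  True, True),
    "unknown": Device("android", "Phone-Z",  "7.0",   True,  True, True),
}


def run_demo() -> Dict[str, Decision]:
    """Evaluate every sample device against the sample policy."""
    return {name: evaluate(dev, POLICY) for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:8s} -> {decision.action:20s} {'; '.join(decision.reasons)}")
```

Returning the reasons alongside the decision matters in practice: the same record that denies the device can be shown to the user (so they can fix the screen lock or update the OS) and logged for the network manager, which is how the policy becomes enforceable rather than merely published.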

8.   Protecting the User’s Identity in your BYOD Policy Development 

Identity theft is a term most people feel inherently familiar with. Stories abound regarding mass thefts of identifying information from retail and other huge databases. Everyone knows someone whose personal accounts have been compromised, resulting in painful recovery and restoration processes.

Identity theft is just as pervasive in the legal data network environment. It can be as simple as a compromised password or a stolen mobile device. Since most users find it inconvenient to constantly re-enter passwords on their mobile device, many defeat the security of the device by storing passwords on it. When such a device is lost or stolen, whoever then possesses it has free access to all of the user’s accessible corporate resources until the user realizes the device is lost and contacts network management to close out access from it.

To the extent that network managers can prevent users from making such mistakes, they should. Beyond that, corporate BYOD policy must be published and enforced precluding such password management errors. Identity management technology should also be considered to provide further protection against this most difficult threat.

Seek Expert Counsel for your BYOD Policy 

Synoptek resembles your firm in many ways. Our people are experts at what they do and at finding the ideal solution to the problems our clients bring to us. When it comes to protecting your firm and its data there are many matters to be dealt with: information privacy, security from disruption due to lost network resources, user identity management, regulatory compliance, device safety, user malfeasance, and much more.

Turn to Synoptek for the same reason your clients turn to you, to find one expert resource that can address all of their matters with consistent excellence and attention to detail. Contact Synoptek today for an assessment.