This focus on device security may stem from the fact that many large businesses still have deep roots in old ways of running enterprise IT. Such organisations are used to IT having complete control over the devices that their employees use. As security is also mandated and controlled by IT, businesses can, therefore, have a reasonable expectation that their sensitive data is secure.
For such organisations, BYOD can be a daunting prospect. The idea of allowing employees to use their personal devices at work is revolutionary, and as with any revolutionary idea, it will take some time to be accepted fully.
The issue is that some businesses are using concerns over device security as an excuse for not investigating seriously what BYOD could do for their businesses. All too often devices, and device security, are being used as a scapegoat for regressive and counterproductive IT policies.
TO DO NOTHING IS NOT AN OPTION
The major flaw with this position is that employees are already using their own devices at work, regardless of what their businesses' official policies on BYOD are. Indeed, as mobile devices become ever more powerful and the 'Gen-Y' demographic comes into the workplace, an increasing number of people are going to use their devices at work.
Businesses have a clear choice to make: address the security challenge of BYOD now and start enjoyingthe benefits it brings; or keep delaying it until it may be too late.
For those businesses that choose the former path, the key to success lies in one fundamental characteristic of BYOD security: it is about much more than simply locking down the device. Device-centric approaches to security (such as mobile device management) can only ever solve the problems businesses have today - they do not provide a scalable, flexible way of securing the enterprise for the new world of mobility we are entering.
Instead, a true BYOD strategy is based on two foundations: the right company culture within the enterprise and a robust, enterprise-wide take on security that is capable of securing the enterprise today and well into the future.
A QUESTION OF TRUST
When it comes to company culture, BYOD will only flourish in companies where trust is absolute. Business executives need to be able to have complete confidence in their IT department and the technology framework they have in place to secure employee devices. Employees, meanwhile, need to rest assured that their device cannot compromise the enterprise and that, conversely, their own private data cannot be viewed by anyone in the business.
This is a two-way street of course.
In business, trust is never given freely, it is always earned. In the case of BYOD it clearly must be earned through a robust security framework. The good news for businesses is that BYOD security does not need to be a leap into the unknown. Nor does it need to involve investing in new, unproven niche security 'solutions'. Instead, it can be built on that stalwart of enterprise security: identity management.
BRINGING ENTERPRISE SECURITY TO THE DEVICE
Identity management allows organisations to simplify identity lifecycle management (that is, who can access what part of the network and for how long) and secure access from any device for all enterprise resources - both within and beyond the firewall.
The key words here are 'any device'. In essence, identity management allows organisations to easily extend the enterprise security layer to wherever the employee needs it to be extended. At a stroke, businesses will be able to trust BYOD devices every bit as much as corporate-owned ones due to the fact that the same robust authentication, sign-on and authorisation processes are used.
There is a little more to this, of course. If businesses and employees are to truly trust the use of personal devices in the workplace, there needs to be a strict separation between personal and private data. This is where mobile device management (MDM) reaches the limits of its usefulness. MDM is great for securing information and hardware on a device, but it lacks finesse, securing everything and anything that happens to be on the device.
In the case of BYOD, this poses some problems. What, for example, happens when an employee loses her device, or leaves the company? With MDM everything on the device - including her personal data - would be wiped out. It is the nuclear option. This means that employees can never really commit to BYOD. They cannot trust in the security solution in so far as it imperils the data that arguably means most to them: their own.
LOCKING DOWN APPLICATIONS
Due to this, mobile application management (MAM) is fast gaining currency. MAM delivers a secure container for application security and control that separates, protects, and wipes corporate applications and data. Crucially it secures corporate data only: the employees' personal data and applications are completely separate and unaffected by what goes on inside the enterprise container. This means that they can trust in the fact that none of their data will be wiped out by the business and that the business cannot accidently see what they are doing with the device in their private lives. In short, MAM provides the peace of mind that employees want to be able to use their own devices at work. They know the company data is secure and they know that their data is separate.
BYOD is an unstoppable force. Employees are going to use their devices at work regardless of whether you want them to or not. The key to securing the enterprise in this new world is to embrace a more holistic attitude to security that focuses on applications and identity. With this approach, businesses can rest assured they are protected regardless of the device used.
The author is Vice President of Fusion Middleware Business at Oracle India.