BYOD: Is it like inviting your boss into your house when you’re not there?
Should you bring your own device to work?
May 28, 2014 1:58 by kippreport
By JJ Sundberg, Security Solutions Architect at F5
The ‘Bring your own device’ (BYOD) debate is one that divides many in the IT industry. Some think it’s hyped up, while others believe it is one of the biggest challenges facing the enterprise today. People want to use one device for work and pleasure, and they want to be the ones to choose which device they use.
IT, however, wants to remain in control. That means IT has to move from provisioning devices (which workers don’t really want to use anyway) to provisioning applications instead. Letting workers use their own devices means IT just has to control the applications, access policies and data flow, just as it does away from the mobile side of things.
An article popped up on ZDNet recently that I found very interesting (http://www.zdnet.com/byod-like-inviting-your-boss-into-your-house-when-youre-not-home-7000021468/). It makes the point that with BYOD, your device isn’t really your device. The article points out that if a company needs to see what’s on your device then it can, and there is not much the employee can do about it. The article likens BYOD to letting your boss snoop around your house while you’re not there.
If a worker is using their own device for work purposes, then the business may want to access and analyse the phone or tablet at some point. There are a variety of reasons for this; the article suggests it could be over fears the worker is leaking sensitive emails or something much more mundane, like the need to update apps and settings. The only way to completely protect your personal data and information is to not keep any on the device you are using for BYOD, the article concludes. However, we, at F5, do not totally agree with that. There are ways to totally separate the personal and business sides of a device.
This means the business only has access to the business part of the device and, perhaps more importantly, business data can only be accessed while using the business side of the device. When a worker is using it as their personal device, they are unable to access any sensitive data.
It also means IT can manage a device just as if it had handed it out itself. If it has security concerns about an app, then that app cannot be downloaded. Worried about accidentally sharing information on Facebook? Then don’t allow Facebook to run when the device is in business mode; save that for personal time.
With Mobile App Management (MAM), the device can only access the corporate network when it is in business mode, meaning IT can manage it like any other device that wants to connect to the network. Access policies will determine exactly what the worker can access from their device. If they cannot access certain data from their work PC, policies should dictate that they cannot access that data from their mobile device.
There is no doubt that it is a fine balancing act – making sure workers can access the data they need to do their jobs, while ensuring that appropriate levels of authentication are in place to protect all of that sensitive data. Once businesses have a full understanding of what types of devices are being used, what data needs to be accessed and where it is being accessed from, a fully robust set of access management policies can be put in place.