The rise of BYOD and its rapid propulsion of mobile devices into the global workplace has created an entire new industry of mobile device management (MDM) solutions designed to protect corporate devices and the information now living on them.
However, this line of corporate thinking and purchasing is flawed for a few reasons. Yes, there are several security factors surrounding the device, such as a lost phone, but an employee could access information from any number of devices. Will they secure each and every one? Businesses should be more concerned about protecting the actual company data, regardless of which device it's accessed from. This poses an interesting security question that many businesses are grappling with – do we protect the device, or the data?
BYOD poses many security concerns; if left unmanaged, they can impact your network availability and cause data loss. According to Gartner, more than half of all global employees participated in a BYOD program in 2013; those companies that have opened up their doors to allow corporate data access on any device will need the right network access strategies and data policies in place to secure their environment and proprietary content.
The key to a secure BYOD-enabled enterprise is having well-managed content, but there are obviously several ways to go about this. There are three key security concerns that companies should consider as they navigate BYOD territory:
· Where data sits and for how long: When data is in motion it's at a higher risk of being hacked, no matter how strong the encryption levels used. Many public cloud solutions constantly sync content between all devices, putting sensitive corporate information at a higher risk of a breach. Also at higher risk of data leakage is public cloud storage, which many companies choose to use for mobile access. Public clouds co-mingle data, which means that your proprietary product information is mixing with a consumer's vacation photos. Before choosing a solution to support a BYOD program, companies should consider looking at private cloud architecture, so that data is only synced when an employee chooses to sync, and when data is at rest it remains inside the corporate network.
· Access permissions: A crucial element of implementing a BYOD policy is establishing how users can access your network from their personal devices. Many companies integrate their LDAP or Active Directories into this process to ensure that only authorised employees are accessing data. For instance, just because a marketing employee can access the network from a mobile phone, doesn't mean they should be able to open HR documentation – all established information access protocols need to be left in place, no matter the device
· Authentication methods: Approving any number of new devices to access a network requires updated authentication methods. Whether this is done through a protocol like Kerberos or through password-authenticated key agreements is up to each individual enterprise. Businesses that are especially serious about their security are creating triple-layer architectures so that the web, app and data layers all have their own authentication tokens, dramatically reducing the risk of data loss, no matter how many devices are accessing the network.
BYOD security concerns aren't going to disappear. In fact they'll only continue to grow – two-thirds of the mobile workforce will own a smartphone in 2016, and 40 percent of the workforce will be mobile, according to Gartner. Companies need to decide what asset they'll protect first with their BYOD policies – the device or the data – and move to do so immediately. My personal choice is to secure my data, so it's protected across all devices. What would you do?
Contributed by Dr. Paul Steiner, GM of EMEA, Accellion