Trust, company culture and BYOD security
Trust, company culture and BYOD security

In a recent survey of senior security decision makers 38 percent cited device security as one of the top worries they have when it comes to mobile device use. For such organisations BYOD can be a daunting prospect. The idea of allowing employees to use their personal devices at work is still revolutionary for many, and as with any revolutionary idea, it will take some time to become accepted fully.

The issue is that all too often devices, and device security, are being used as a scapegoat for regressive and counterproductive IT policies. It also misses the point: employees are already using their own devices at work, regardless of their businesses' official policies on BYOD.

Organisations therefore have a clear choice: address the security challenge of BYOD and enjoy the benefits; or keep delaying until such a time as it may become too late.

For businesses that choose the former, the key to success lies in worrying less about the device. Device-centric approaches to security (such as mobile device management) can only ever solve the problems businesses have today – they do not provide a scalable, flexible way of securing the enterprise for the new world of mobility we are entering.

Instead, a true BYOD strategy is based on a mix of the right company culture and a robust, enterprise-wide take on security. Culturally, business executives need to be able to have complete confidence in their IT department and the technology framework they have in place to secure employee devices. Employees, meanwhile, need to rest assured that their device cannot compromise the enterprise and that, conversely, their own private data cannot be viewed by anyone in the business.

In business trust is never given freely, it is always earned. In the case of BYOD it clearly must be earned through a robust security framework. The good news for businesses is that BYOD security does not need to be a leap into the unknown and nor does it need to involve investing in new, unproven niche security ‘solutions'. Instead it can be built on that stalwart of enterprise security: identity management.

Identity management allows organisations to simplify identity lifecycle management and secure access from any device for all enterprise resources – within and beyond the firewall. Identity management allows organisations to easily extend the enterprise security layer to wherever the employee needs it to be. Businesses will thereby be able to trust BYOD devices every bit as much as corporately owned ones due to the fact that the same robust authentication, sign-on and authorisation processes are used.

If businesses and employees are to truly trust the use of personal devices in the workplace, there needs to be a strict separation between personal and private data. Mobile device management is great for securing information and hardware on a device, but it lacks finesse, securing everything and anything.  

This poses problems. What, for example, happens when an employee loses their device, or leaves the company? With MDM everything on the device – including their personal data – would be wiped. This means that employees can never really commit to BYOD. They cannot trust in the security solution in so far as it imperils their own data.

Due to this, mobile application management (MAM) is fast gaining currency. MAM delivers a secure container for application security and control that separates, protects, and wipes corporate applications and data. Crucially it secures corporate data only: the employees' personal data and applications are completely separate and unaffected by what goes on inside the enterprise container. This means that they can trust in the fact that none of their data will be wiped by the business and that the business cannot accidently see what they are doing with the device in their private lives.

We believe the key to securing the enterprise is to embrace a more holistic attitude to security that focuses on applications and identity. With this approach businesses can rest assured they are protected, regardless of what devices are being used.

Contributed by Alan Hartwell, vice president security & identity solutions, EMEA at Oracle