There is a growing trend to use consumer computing devices in the enterprise, aka bring-your-own-device (BYOD).
It's understandable that users want to use their preferred device for everything. Since most applications expose a web user interface (UI), this shouldn't be an issue. Actually, what corporate users need most is an office suite, browser, email client, instant messaging application and file system access. Most smartphones can do that.
Users who already have a smartphone or laptop don't want to carry both their personal and corporate devices. The problem with BYOD is risk management, especially with the constantly changing threat landscape.
While the user's device may be compatible, how does the corporation know that there isn't malware installed on it, leaking corporate passwords and other data? What protections are there against data theft if the device is lost or stolen? How can a corporation know if a user's laptop is infected with a virus that will propagate when it's plugged into the corporate network? Users don't seem to understand these serious risks.
Since BYOD seems unavoidable, organizations should consider these basic steps, which should also help with audit and regulatory requirements:
- Make the device stateless, or at least keep all corporate data in a virtual machine whose configuration is centrally managed. This protects against device theft leading to data loss.
- Require users to run an anti-malware program to protect against basic attacks like keyloggers.
- Require users and IT staff to collaborate in ensuring that consumer devices meet these requirements.
- Absolve the IT staff from supporting the device, beyond basic security validation.
However, will users accept these constraints? They seem pretty foundational.
In his role as Chief Technology Officer, Idan Shoham is responsible for defining product, technology strategy and the overall development of Hitachi ID Systems solutions.