The caveats: virtualization and terminal servers shift a portion of equipment expenses from the end user to the data center, diminishing the savings ascribed to BYOD. And both solutions increase the impact of link loss, with loss of connectivity greatly impeding employee productivity. [Also see: "Can employee-owned devices save companies money?"]
These solutions may be cost prohibitive for smaller organizations as terminal server licensing can add up quickly and high availability virtual systems and the data centers they reside in can be quite expensive. However, outsourced and cloud-based solutions can offer smaller businesses the opportunity to use such services but the security of such solutions requires serious scrutiny.
2. Common delivery methods
A common delivery method can greatly aid in bringing content to a multitude of devices while avoiding the cost of supporting various services tailored to specific sets of devices. One thing most devices have in common is their support of HTTP and SSL so SSL-based technologies and Web-based applications are being used to bring content to employees no matter what system they use. Additionally, firewall rules can be simplified when services run over SSL instead of other ports.
For example, L2TP, PPTP or IPSec VPNs can be replaced with SSTP (Secure Sockets Tunneling Protocol). Phones, tablets, PCs and Macs all support SSTP so a single form of entry can be established, secured and audited to save money and reduce possible attack vectors. If virtualization or terminal servers are used, the traffic can be encapsulated over SSL.
The common delivery concept can be extended to network shares through Web-based repositories that can be accessed from anywhere. In addition to their accessibility, Web-based repositories offer additional auditing features over network shares and the ability to utilize metadata for searching, data mining and business intelligence.
Similarly, other Web-based applications like Salesforce or Outlook Web Access make key business tools available when and where they are needed, even on personal devices. User experience may vary depending on the browser used, especially for mobile users with smaller displays or tablet users lacking support for features such as Flash, but Web-based applications are accessible from a majority of devices out of the box.
3. Intelligent access controls
The common delivery method makes data that was previously hidden behind many layers of security more accessible to users and appetizing to attackers. The BYOD organization, therefore, needs more intelligent access controls.
Access control decisions are typically based on user role or in some cases by access time or machine designations. Roles define the functions a user performs which are mapped to groups with permission to resources. Thus, a branch accountant might have access to financial data for his or her branch but not to customer data. Time based controls might restrict access to financial data to business hours only and machine designations are lists of allowed or denied machines denoted by name or a unique identifier.