Additional access control factors, including device type, NAC profile, and geolocation, can be used to make more informed access control decisions in a BYOD environment. With device type restrictions, certain data can be made accessible only on approved devices, such as company-issued laptops, or restricted on mobile phones. NAC profile can also play a role in access decisions: access might be denied to devices that do not have the latest virus definitions or patch levels. [Also see: "NAC access control: A multi-dimensional puzzle"]
Lastly, geolocation features that report a device's global position are built into many new devices, which allows access control systems to grant or deny access based on where the device is in the world. This is especially important in complying with regulations that might stipulate that data not leave the country, or when data must be treated differently for certain countries or states. However, it is not completely reliable, since geolocation data can be modified by the user on their device. If BYOD is in your future, consider adopting applications that support some of these access controls.
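A sketch of how the three factors above can be combined into one access decision, written for this page as an added example and not taken from any NAC product. The device kinds, freshness thresholds, resource name and sample devices are all assumptions; location is treated as a signal that can only deny, because it is reported by the device itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Assumed freshness thresholds; set them from your own NAC policy.
MAX_AV_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)

@dataclass(frozen=True)
class Device:
    kind: str                        # e.g. "company_laptop", "mobile_phone"
    av_definitions: date             # date of installed virus definitions
    last_patched: date               # date patches were last applied
    reported_country: Optional[str]  # client-reported, so user-modifiable

@dataclass(frozen=True)
class Resource:
    name: str
    approved_kinds: FrozenSet[str]
    permitted_countries: Optional[FrozenSet[str]]  # None = no residency rule

def decide(device: Device, resource: Resource, today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every factor can only add a denial reason."""
    reasons = []
    if device.kind not in resource.approved_kinds:
        reasons.append("device type not approved")
    if today - device.av_definitions > MAX_AV_AGE:
        reasons.append("virus definitions out of date")
    if today - device.last_patched > MAX_PATCH_AGE:
        reasons.append("patch level out of date")
    if resource.permitted_countries is not None:
        # Location is self-reported: fail closed when absent, and never let a
        # "good" location offset a failed device-type or posture check.
        if device.reported_country is None:
            reasons.append("no location reported")
        elif device.reported_country not in resource.permitted_countries:
            reasons.append("location outside permitted region")
    return (not reasons, reasons)

# Constructed sample data.
TODAY = date(2024, 6, 1)
HR_RECORDS = Resource("hr-records", frozenset({"company_laptop"}), frozenset({"US"}))
LAPTOP = Device("company_laptop", date(2024, 5, 30), date(2024, 5, 20), "US")
PHONE = Device("mobile_phone", date(2024, 5, 30), date(2024, 3, 1), "US")

if __name__ == "__main__":
    for d in (LAPTOP, PHONE):
        print(d.kind, decide(d, HR_RECORDS, TODAY))
```

Returning the list of reasons rather than a bare boolean lets the denial be logged and shown to the user, so a device that fails only on patch level can be sent to remediation.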
4. Data containment
It is almost certain that data exists on personal devices in BYOD organizations. This is a concern for both companies and individuals, necessitating data containment. Companies run the risk that data could be lost if personal devices are shared, compromised or stolen, and individuals are concerned that the presence of company data on their devices could result in seizure if the data is part of a legal hold. [Also see: "Corporate-owned vs. employee-owned devices"]
The best method, of course, is to ensure that company data does not reside on personal equipment. Proponents of virtualization and terminal servers argue that data containment is effectively handled when access is through a virtual machine or terminal server because the data a user accesses stays on a machine residing within the corporate network. However, even with virtual desktops, data is sometimes accessed through other channels such as mobile phones and Web applications.
The combination of device encryption and remote wiping technology provides a level of assurance that data will not be purloined before it can be wiped. Encrypted devices increase the amount of time and effort required to obtain data on the device, giving organizations time to erase all data remotely. Devices can also be configured to wipe all data if an incorrect password is used too many times.
DRM (digital rights management) has found new life in the BYOD environment by allowing data owners to specify acceptable actions that can be performed on the data. For example, data can expire 24 hours after download, or data can be read but not printed, and functionality like copy and paste can be removed.
In the end, BYOD can create significant savings in equipment and support costs and it can improve employee satisfaction through the use of preferred devices, but it comes with security considerations that should not be taken lightly. If you are considering BYOD, the use of technologies such as virtual desktops and thin computing can effectively provide access and a consistent user experience to users on a variety of platforms.
Furthermore, common delivery methods such as Web-based applications and SSL technologies can make the organization's key applications accessible to business and personal equipment alike. These, coupled with more intelligent access controls, can help companies stay compliant and secure when data is increasingly available, while data containment strategies reduce the risk of data loss. Now, when the BYOD policy crosses your desk, you will know that the challenge is not insurmountable.
Eric Vanderburg, CISSP, is director of Information Systems and Security at consultancy JurInnov. JurInnov is a provider of security, legal and forensic consulting services. The author holds over 25 certifications and is completing a doctorate in information assurance.