BYOD: Bring Your Own Policy. Bring Your Own Device (BYOD) is already making a significant impact on the way the private sector works.

Transcription

1 BYOD: Bring Your Own Policy Bring Your Own Device (BYOD) is already making a significant impact on the way the private sector works.

2 BYOD: Bring Your Own Policy Bring Your Own Device (BYOD) is already making a significant impact on the way the private sector works. Employees using consumer devices to access their organization s information has become the norm, a trend the public sector should note. The austerity pressures being placed on local authorities will provide a fertile environment for the growth of BYOD. By allowing employees to use their own devices to access corporate resources, public sector organizations can make savings on capital expenditure as well as ensuring that workers are more productive. Maintenance costs would fall significantly as employees regularly update their own devices, providing organizations with more advanced technology at no expenses to the organization. The major concern for IT departments is how they can enable BYOD while maintaining control of the information users are accessing. A significant amount of the information that will be accessed is of a sensitive nature so it is vital that organizations fully understand the regulatory processes and technical controls that need to be put in place. This is all on the backdrop of recent high profile announcements from public sector organizations, such as the Metropolitan Police Service who have lost or had stolen 809 devices and the BBC who lost 785 devices at a cost of 750,000. 2

3 The productivity benefits of BYOD BYOD can bring a number of real benefits to public sector organizations. Employees will be able to access information at any time and from anywhere, using devices they are familiar with. In order to avoid these benefits being negated, it is crucial that the public sector thinks about how it will expose its services to BYOD. In the private sector BYOD has reached a tipping point and evidence suggests that the public sector will follow suit. Now is the time for public sector organizations to implement the required controls that permit the use of personal devices within the workplace to manage and control the use of personal devices in the workplace. These controls have not been implemented and as a consequence there have been a number of highly publicized security incidents. There are a myriad number of devices that do not belong to the organization and yet they hold sensitive information without any controls in place. These organizations are unaware of such issues and therefore cannot determine the extent of any potential information loss, should these devices fall into the wrong hands. As Public sector organizations have already implement physical controls that prohibit the use of any employee USB memory sticks. These are more controlled and are password protected and encrypted and only permit employees to use these types of USB memory sticks. These memory sticks are not readily available to everyone within the organization and employees find ways to circumvent the controls that are in place so they can take their work home. On the whole, this is not for malicious gain but simply a fact of life. Employees are now working longer and harder as employers place more and more demands on employees to do more work with less resources. This presents a significant risk for the public sector as dropbox, services and other file-sharing services are not located in the UK, and some are not located within Europe. This means confidential information is being placed on file-sharing services and external services that are not protected by UK law, and more importantly the security controls, such as password policies that support these services are not as stringent as those that are implemented within the Public Sector. There are a number of documented cases, where information loss has been reported to the Information Commissioners Office (ICO) and public sector organizations have been fined. An example of this was Greater Manchester Police, who were fined 120,000. Once the information leaves the organization there is no control over who, what and how that information is being used. Information on an uncontrolled device, is like information that has been printed on paper. i.e. Once printed it becomes un controlled. If an employer does not know where the information is located, such as dropbox, external services or on the employees personal devices how they can retract the information when a given employee leaves the business. As an employer can I erase the ex-employees personal device once they leave the business? These are some of the many challenges organizations are facing today. Employers need to ask the simple questions: How do I allow my employees to work smarter and not harder, and at the same time not lose control of the information within the organization. Can I afford not to implement the appropriate controls and technology within my organization that does not expose the organization to fines being imposed by the ICO and at the same time allow the employees to work securely. Therefore it is critical the public sector finds a balance that permits employees access to technology such as the use of their own mobile devices, in a secure manner that is not intrusive but also protects the information assets within the organization. How do I allow my employees to work smarter and not harder, and at the same time not lose control of the information within the organization. 3

4 How can public sector bodies adopt BYOD securely? A balanced approach to BYOD is required. How securely BYOD is adopted depends entirely upon the risk appetite of the organization. There are a number of options that are open to the public sector such as the extent to which the employee can use their own device, who can access it and whether the information will be encrypted. Adopting a more intrusive stance will make it more difficult for employee to work on their personal devices, whereas the adoption of a relaxed approach will leave the organization open to security threats and lose of data. Overall, it will be organizations Senior Information Risk Owner (SIRO) responsibility and their risk appetite by balancing the benefits against the information assets and the level of technical controls that need to be put in place. When they are thinking about adopting BYOD, right at the very top of the list should be overall policy. Considerable amount of thought is required when it comes to deciding what the content of the policy will be and the impact this will have upon the employees within the organization there are many vendors that provide solutions in this space. Once this has been achieved then the underlying technology vendor should be selected. It will be necessary to involve many key areas of the organization, from Human Resources, Legal, IT and Security. The technology choice of what vendor to be used isn t trivial, as many of the vendors offer similar functionality. Overall the policy definition will take far more time that which solution to select. Organizations must remain in control of their information regardless of the device that is being used to access it. For this reason it is crucial that public sector bodies clearly define the boundaries within which users can access information and what devices they can access this information on. 4

5 The technical solutions available to combat BYOD security threats Any personal device should at the very least be registered to the organization. Registration allows the organization to identify which devices are being used to access its information and allow decisions to made regarding the levels of policy enforcement that are to be applied for the devices that are being used. One such way of enforcing this is to use Mobile Device Management (MDM) will provide the technical enforcement of the organizations BYOD policy. Without MDM there is no enforcement and BYOD almost becomes a free for all. The extent to which MDM controls the use of personal devices is entirely dependent upon the organization. It can vary from no control to full control. For those that find the correct balance, there will be a BYOD deployment that will not only allow users access to organizational information, but ensure the users are allowed to use their own devices. It will enable employees to work from any place at any time, allowing a greater flexible approach to how they work. No users should be able to access information from any BYOD device without signing up to the organization s acceptable usage policy. This is the agreement between the organization and the user and clearly defines the responsibilities of the employee when using their device. Once more the level of control comes down to the individual organization. It may be that the organization restricts the level of access based upon the device type, the ability to enforce policy upon the types of devices, and if the user has agreed to the usage policy. All information stored (data at rest) on the device must be encrypted within the restrictions of the companies encryption/ cryptography policy. It is critical that BYOD policy recognizes the need to encrypt all information on any device used by employees. 5

6 What can be done? It is un-realistic to expect the CIO or any organization to keep up with the speed of technological and commercial changes that sees new devices enter the market on an almost daily basis. The budgetary constraints that CIOs are operating within have left them between a rock and a hard place. On one hand they need to appease staff wanting to use the latest devices that will help them do their job more efficiently, while on the other hand they need to ensure information remain secure and does not violate any data privacy policies. Inevitably people will choose to use their own, higher performance device to access corporate systems and they will adopt to use the simplest mechanism which allows to them to continue working away from the office. This sometimes leads to the temptation in transfer confidential information to their own personal systems, which they access from their own personal devices which is a breach of the security policies the organization has in place. Organization should allow employees to use a single device for both personal and work use. There is no infringements of the employee s use of their personal device, such as disabling applications or erasing information, due to the device being split into the two distinct (ring-fenced) areas. The ring-fenced area of a device should be controlled by the organization and the end user should only be able to use applications in the ring-fenced area that have been downloaded via the approved enterprise application stores. To prevent information leakage, copying and pasting of information between the two areas of the device are not be permitted, meaning that a common problem such as the loss or theft of a device need, is no longer an issue. The organization will have total control of the sensitive information in the organization owned area and information can be wiped if necessary, removing the risk of the information being made widely available. In this case, ring-fencing information is the best approach to handling the growth of BYOD. By taking an open minded, positive approach to the issue, the public sector can be seen by its employees as taking a proactive approach to addressing how an employee can use their own mobile device. This approach will give employees the flexibility that they can use their own device to access organization information. As a direct consequence of this proactive approach it lowers the IT costs for IT departments, increase productivity of employees and more importantly removes the risk of information leakage. 6

7 Why public sector bodies must take the lead on BYOD policy BYOD is not just a trend that the public sector can afford to ignore. The reality is simple. BYOD has already played a big role in the enterprise and the public sector should embrace it by adopting BYOD securely at the same time as maximizing the benefits that it provides. Advice from security experts must be sought if organizations are not familiar with the types of controls that need to be enforced. It is crucial that BYOD is initiated from the top down in order for the public sector to maintain control over its information. Currently personal devices are not permitted to consume PSN services. PSN sets a baseline impact level of IL2, therefore by design; personal devices are prohibited as they operate at an IL0 level. If they are to be integrated in the public sector, the SIRO should understand the risks and how these risks can be mitigated with process, policies and technology. Once this is understood they should work with organizations that leverage the knowledge of CLAS consultants who fully understands Information Assurance and have practical experiences in the implementing this across an organization. This will provide the SIRO the confidence they need, in that a secure solution can be devised that allows personal devices to be used in a secure manner at IL2. This does not mean that efforts should not be undertaken to change this and PSN providers are working with the Cabinet Office to formulate a policy for the use of BYOD within the PSN. BYOD must happen by design, not trial and error The public sector must accept that personal devices are already being used today in an insecure fashion. Ignoring BYOD will only push employees to find ways around security barriers, putting public sector bodies and the information they have access to at further risk. If organizations take a haphazard, trial and error approach to BYOD, they will put their information at risk and fail to harness the advantages that BYOD can bring. The policies must be clear and precise, educating end-users and organizations aware of their responsibilities and what they can and cannot do on their own devices. By accepting BYOD as a reality, the public sector will be able to control BYOD and implement it securely. The public sector must not be scared by the inherent risks posed by BYOD but recognize, assess and develop appropriate policies followed by implementation. By acting swiftly PSN can ensure BYOD enhances the public sector as opposed to threatening it. 7

8 About Unify Unify is one of the world s leading communications software and services firms, providing integrated communications solutions for approximately 75 percent of the Fortune Global 500. Our solutions unify multiple networks, devices and applications into one easy-to-use platform that allows teams to engage in rich and meaningful conversations. The result is a transformation of how the enterprise communicates and collaborates that amplifies collective effort, energizes the business, and enhances business performance. Unify has a strong heritage of product reliability, innovation, open standards and security. unify.com Copyright Unify GmbH & Co. KG, 2015 Hofmannstr. 63, D Munich, Germany All rights reserved. The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. Unify, OpenScape, OpenStage and HiPath are registered trademarks of Unify GmbH & Co. KG. All other company, brand, product and service names are trademarks or registered trademarks of their respective holders.