10 steps for writing a secure BYOD policy

Summary: The 'Bring Your Own Device' trend is simply the latest vector to threaten corporate security, but there are remedies to these threats that will satisfy both IT and end users.

The following is a guest post from Bill Ho, president of Biscom.

By Bill Ho

Bring Your Own Device, or BYOD, is a topic that is not going away – smartphones and tablets are being adopted at such a high rate that companies are almost compelled to support them. When a CEO, managing partner, or principal of a firm wants to use his or her device, IT sometimes has no choice but to support it and find ways to secure it.

With the right security policies, BYOD is a positive force: Bill Ho, president of Biscom

BYOD is a net positive for organizations as it promotes more responsiveness, more accessibility for workers, and higher worker satisfaction with being able to work on their schedule. However, IT staff responsible for corporate security now have a new and complex challenge to solve – supporting employees who bring their own devices into the corporate fold while maintaining the security and confidentiality of sensitive company data. CIOs know that it’s not just a technical issue but that BYOD may also require corporate policy changes and additional education for end users.

Corporate security policies vary by industry vertical as well as within specific verticals. The nature of electronic data that a company may gather, process, and disseminate can vary greatly. The increasing scrutiny required today, the demand for more privacy, and regulatory requirements, are forcing companies to create more stringent policies.

At odds with this is the increased porosity due to a more connected and networked environment. Synchronization applications, remote access, VPNs, and corporate portals create a sieve that IT must plug to ensure only authorized users have access to internal information, or risk violating some information security policy. Personal apps also pose risks – rogue applications installed by the user potentially have access to sensitive corporate data because the device is now tied into the company’s network.

The main security challenge lies in the dual-use nature of mobile devices – a stolen or lost corporate laptop, on the one hand, will probably already have security measures built in such as whole disk encryption and authentication requirements. But smartphones and tablets, especially personal devices, eschew these added layers of protection in favor of ease of use, simplicity, and quick access.

One of the biggest new dangers of BYOD is the latest crop of Dropbox-style synchronization applications. By poking a hole in the corporate security fabric to synchronize files to a mobile device, the user is potentially creating a new channel through which confidential corporate information could leak. Many companies have decided to shut off access to these synchronization tools until there’s a way to manage them as enterprise applications with centralized control, granular permissioning, and integration with directory authentication services.

So how do you prepare your organization to handle these additional security risks? What steps can you take to extend your current network security to cover these mobile security holes?

Mobile devices are simply the latest vector to threaten corporate security, but there are remedies to these threats that will satisfy both the IT group and end users. The following is a 10-point list to help you think about the framework for a BYOD policy that can help you meet your security requirements. There’s no single solution that will solve all issues but rather a combination of policies, education, best practices, and third party solutions that can help protect your organization:

  1. Review your current security policies for web applications (CRM, email, portals), VPN, and remote access. Most of these will apply to mobile devices as well.
  2. Determine which devices you are willing to support. Not all devices will meet the security requirements of your organization. Also, physically inspect each device and make sure it hasn’t been jailbroken or rooted.
  3. Set expectations clearly. IT may have to radically change people’s current mindset. Yes, security adds additional layers to wade through, but what havoc would a security breach cause?
  4. Write clear and concise policies for all employees who want to use their personal device. Have anyone participating in BYOD sign your terms of use. Those who choose not to follow your policies should not expect to use their devices.
  5. Make a personal identification number (PIN) mandatory.
  6. Enforce encryption of data at rest – any apps that download and store data on the device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.
  7. Determine which types of apps are off-limits. With hundreds of thousands of apps available, which will you permit? Are there any specific applications or class of applications you want to keep off the device?
  8. Provide training to employees to make sure they understand how to correctly use their applications, make the most of their mobile capabilities, and watch for suspicious activity. Once you’ve embraced BYOD, promote it.
  9. As mobile devices become conduits for information to flow, look for apps that include auditability, reporting, and centralized management. Many current apps will not meet this requirement.
  10. Consider mobile device management software that can provide secure client applications like email and web browsers, over the air device application distribution, configuration, monitoring, and remote wipe capability. Note that some providers require applications to be re-written specifically to support their platform, so you may find some of your applications will not run in the solution you pick.
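As an added illustration, not code from the article or from Biscom, the device-level checks from steps 2, 4, 5, 6 and 7 above expressed as a small policy evaluator run over constructed device inventory records; the supported platforms and minimum OS versions, the PIN length, and the forbidden app identifier are assumptions, and real MDM exports will use different field names.

```python
"""Evaluate BYOD device inventory records against the article's policy checklist."""
from dataclasses import dataclass, field

# Policy derived from steps 2, 5, 6 and 7 (thresholds and identifiers are assumptions).
SUPPORTED_PLATFORMS = {"ios": (15, 0), "android": (12, 0)}   # platform -> minimum (major, minor)
MIN_PIN_LENGTH = 6
FORBIDDEN_APPS = {"com.example.consumer-sync"}  # placeholder id for a consumer file-sync app


@dataclass
class Device:
    owner: str
    platform: str
    os_version: tuple
    jailbroken_or_rooted: bool
    pin_length: int                 # 0 means no PIN or passcode is set
    encrypted_at_rest: bool
    installed_apps: set = field(default_factory=set)


def evaluate(device: Device) -> list:
    """Return the policy violations for one device (an empty list means compliant)."""
    findings = []
    minimum = SUPPORTED_PLATFORMS.get(device.platform.lower())
    if minimum is None:
        findings.append(f"unsupported platform: {device.platform}")           # step 2
    elif device.os_version < minimum:
        findings.append(f"OS {device.os_version} below supported minimum {minimum}")
    if device.jailbroken_or_rooted:
        findings.append("device is jailbroken or rooted")                     # step 2
    if device.pin_length < MIN_PIN_LENGTH:
        findings.append(f"PIN missing or shorter than {MIN_PIN_LENGTH} digits")  # step 5
    if not device.encrypted_at_rest:
        findings.append("data at rest is not encrypted")                      # step 6
    for app in sorted(device.installed_apps & FORBIDDEN_APPS):
        findings.append(f"forbidden app installed: {app}")                    # step 7
    return findings


def enrollment_decision(devices) -> dict:
    """Map owner -> 'enroll' or 'deny': only compliant devices get corporate access (step 4)."""
    return {d.owner: ("deny" if evaluate(d) else "enroll") for d in devices}


# Constructed inventory: one compliant device and one that fails several checks.
SAMPLE_DEVICES = [
    Device("alice", "ios", (16, 2), False, 6, True, {"com.example.mail"}),
    Device("bob", "android", (11, 0), True, 4, False, {"com.example.consumer-sync"}),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.owner, evaluate(d) or ["compliant"])
```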

As technology evolves, so will BYOD policies and practices. Just when you think you’ve covered all your bases, a new “must have” app demanded by your user population will break it – and you’ll have to find ways to accommodate the app. But by defining your overall goals and setting up guidelines and policies early you can lay the foundation as well as provide the flexibility you need to meet your security requirements to keep up with changing trends.

  • seems a little contradictory

    The list you make is a good one, but to me shows why BYOD is not a net positive. Business leaders (not IT or security) inside a company are going to balk at a majority of those requirements because they will feel it inhibits their ease of use.
    • Re: "...because they will feel it inhibits their ease of use."

      And that, child, is the security dilemma in a nutshell.
  • "secure BYOD policy"

    An oxymoron? Any organization that is truly concerned about security will pass on BYOD.

    Given the rate and success of break-ins by miscreants into corporate networks, this is just making a bad problem worse.
    Rabid Howler Monkey
    • Secure BYOD

      I think BYOD is only secure if the organization completely embraces, supports and manages it. "BYOD" has been around for a while with staff take-home laptops, and for the most part that's been successful practice. Go by the author's guidelines and I think the company will be ok.
      • You seriously have no clue about what BYOD means

        Here is a hint: It has nothing to do with taking a company device home.

        Oh hell!! Here is the definition:
        Bring Your Own Device (as in your personal device/smartphone/computer paid by you and not the company)
  • Not a net positive

    It is not a net positive because the extra effort entailed in supporting the additional OSes well outweighs any benefits.
    It is time for corporations to supply their employees with phones that get the job done and allow a good User Experience instead of expecting their employees to buy their own.
    This will allow the support staff to focus on just one OS.
    Susan Antony
  • Fashionable article, remotely!

    I am not touching the 9-10 other steps, as we all know THEY ARE REQUIRED - and they are required even in operational security discipline currently, not just with BYOD.

    Though the article focuses highly on mobility, it opens a few interesting points to share elsewhere also. I'll call 'it' mobility here to distinguish it as just one area of endpoints.

    I've been 'checking' the phenomenon called BYOD inside and outside for some time now, and my verdict on the application stack provided on top of the current technologies to make 'BYOD' happen, safely and by the policy they say, is NO - BYOD cannot be made any more secure than the base is.

    However, I do have to say - YES, BYOD is happening - unfortunately on very unsolid ground. So I believe, as well, that there is a need for proper operational security management and for good discipline to maintain it.

    I believe the qualities such as providing more response is pretty much up from the organization business and tendency to utilize technology in their operations.

    What I am totally against is that 'new and complex challenge' - Sir, here YOU are WRONG! The issues surrounding the security of 'BYOD' are age-old and exist even now with corporate desktops, cellphones and other devices. The same issues shall accumulate through the BYOD world and leave organizations standing on two crippled legs on hazardous, unsolid ground.

    The severe amount of security issues organizations currently encounter are somehow related to endpoint vulnerabilities and misuse of them.

    How do you push a security policy to one's own device, mobile or laptop, while the basement is not secure at all? Doesn't that corrupt the policy itself and render it unusable? How do you then measure the effectiveness or KPIs of such a policy once implemented?

    One thing I agree with, and appreciate highly, is that you've put on display those cloud services, such as DropBox. Taking DB as an example, I was recently in discussions with their people about the data security within DB; well, it's not encrypted. That violates the idea "data at rest is encrypted".

    So yes, this is just one example for the place where private and "secure" corporate data goes messed up together. However, no BYOD solution solves the issue.

    Unfortunately the whole thing, having all the fruits (mine, company’s, crowd) in the same basket, makes things go dramatically wrong. Whatever vendors promise YOU, it's going wrong, will be expensive and will create an unparalleled information security management paradigm in which You do not want to be involved.

    There is NO WAY that requirements even with basic controls for safety can be implemented with any of the BYOD concepts in wild.

    So what to do - well, here is a glimpse of thoughts I am building at the moment:

    Create an imaginary 'enclave' that surrounds your device, mobile or stationary. Now imagine putting one enclave inside the device so that it is 'stretched' from the cloud service(s) provided by distinct service providers. The whole environment you are utilizing inside the enclave is your corporate environment, with its rules and policies, MDM capabilities etc. Let's even think that the whole enclave is loaded onto the device. There may be several, at least isolated, enclaves within your device. The latter one is for private stuff.

    There we should go, that is the way for secure operating: in current desktops and in 'BYOD', mobility and stationary. Virtualization technology allows this.

    I am going through all this in more detail in an article to be released in the near future, and I am going to deliver my insane arguments against the current theorem in the wild and introduce, potentially, a way (“model”) to dismantle the discussion around BYOD.
  • Great Article!


    we use for BYOD in our company, the free mobile device management solution from AppTec 360. It is really a great solution and free!