How government does BYOD
Allowing users to bring their own devices (BYOD) needn't be difficult, even for the government, according to the senior manager for the ACT Government's IT security, Peter Major.
Speaking at the 2012 AusCERT security conference this morning, Major highlighted up front that organisations have to establish a clear device-use policy.
Major said that due to the blurring of corporate and personal information on the device, it is possible for the organisation to be liable for the destruction of the user's personal information — if the organisation has to completely wipe the device for security purposes.
To help clarify what personal and corporate information can be placed on the device, Major advocated generating acceptable usage guidelines and further education for users to teach them what is right and wrong. He also recommended that organisations protect themselves by having users physically sign to waive their rights.
In the ACT Government's case, these forms of governance are, at times, the only measure against certain applications.
"Cloud storage scares me. I have not had a solution in place to stop it. I rely heavily on governance and education for our staff. Once I get a solution, I'll put it in place," he said.
Despite these concerns, Major has moved ahead with a BYOD pilot, which he feels has experienced a certain measure of success. The first thing he did in the pilot was to take his newly created policies and run them by the people in the office who could grease the skids of the project.
"The chief minister was actually on the pilot study. We had a deputy chief minister on the pilot study. We had most of the CEOs from the agencies on the pilot study. We had doctors, we had specialists, we had the bigwigs."
Major said that one of the key benefits of having the critical players involved was that he was able to push the policies, in pilot form, "through the gods first", so that they could assess whether they would be willing to sign off on them.
"We had senior buy-in," he said.
The next step was to select a mobile device-management solution, and, after trialling several from different vendors, they settled on Mobile Iron, since it has the best end-user experience.
"[The end experience is] what we're trying to get at. You can't degrade the user experience by rolling out this device. You have to give them what they deserve."
Delving deeper, Major looked at application control. Although there is the option to have a controlled whitelist of known, secure applications, a blacklist of bad, undesirable applications is used to control what can and can't be installed on the devices.
"You can have carte blanche, unless, of course, it undermines the security of the network. [Then] it gets blacklisted. Simplify management. If you haven't got simple management, you won't manage it, and it will fail."
This also doesn't mean that users have free rein of their devices, with other security constraints in place; for example, to prevent users from rooting or jailbreaking their phones.
"If you jailbreak ... or root the phone, we will serve a bullet. We will blow it away. We will not hesitate. We will blow your personal information away. We will do the whole lot. You will have a blank device; you will have to reload."
Finally, when it comes to the choice of devices itself, Major said that the government is trying to limit its exposure only to Android, Apple and Microsoft, in order to deliver them in a phased approach.
Major acknowledged the existence of Research In Motion (RIM) and Symbian, but said, "RIM's dying", and "Symbian is dead".
One of the end results is that the ACT Government can now use an approved iPad for its Cabinet meetings, which, according to Major, have essentially become paperless.
"They take an iPad in there with all their Cabinet documents they can annotate and do what they like with. All we did was we used a [Defence Signals Directorate] DSD-recommended solution to convert the iPad into a Kindle. But anyway, people are happy, and they can work with it."