How government does BYOD

Allowing users to bring their own devices (BYOD) needn't be difficult, even for the government, according to the senior manager for the ACT Government's IT security, Peter Major.

Speaking at the 2012 AusCERT security conference this morning, Major highlighted up front that organisations have to establish a clear device-use policy.

Major said that due to the blurring of corporate and personal information on the device, it is possible for the organisation to be liable for the destruction of the user's personal information — if the organisation has to completely wipe the device for security purposes.

To help clarify what personal and corporate information can be placed on the device, Major advocated generating acceptable usage guidelines and further education for users to teach them what is right and wrong. He also recommended that organisations protect themselves by having users physically sign to waive their rights.

In the ACT Government's case, these forms of governance are, at times, the only measure against certain applications.

"Cloud storage scares me. I have not had a solution in place to stop it. I rely heavily on governance and education for our staff. Once I get a solution, I'll put it in place," he said.

Despite these concerns, Major has moved ahead with a BYOD pilot, which he feels has experienced a certain measure of success. The first thing he did in the pilot was to take his newly created policies and run them by the people in the office who could grease the skids of the project.

"The chief minister was actually on the pilot study. We had a deputy chief minister on the pilot study. We had most of the CEOs from the agencies on the pilot study. We had doctors, we had specialists, we had the bigwigs."

Major said that one of the key benefits of having the critical players involved was that he was able to push the policies, in pilot form, "through the gods first", so that they could assess whether they would be willing to sign off on them.

"We had senior buy-in," he said.

The next step was to select a mobile device-management solution, and, after trialling several from different vendors, they settled on MobileIron, since it has the best end-user experience.

"[The end experience is] what we're trying to get at. You can't degrade the user experience by rolling out this device. You have to give them what they deserve."

Delving deeper, Major looked at application control. Although there is the option to have a controlled whitelist of known, secure applications, a blacklist of bad, undesirable applications is used to control what can and can't be installed on the devices.

"You can have carte blanche, unless, of course, it undermines the security of the network. [Then] it gets blacklisted. Simplify management. If you haven't got simple management, you won't manage it, and it will fail."

This doesn't mean that users have free rein over their devices, however; other security constraints are in place, for example, to prevent users from rooting or jailbreaking their phones.

"If you jailbreak ... or root the phone, we will serve a bullet. We will blow it away. We will not hesitate. We will blow your personal information away. We will do the whole lot. You will have a blank device; you will have to reload."

Finally, when it comes to the choice of devices itself, Major said that the government is trying to limit its exposure only to Android, Apple and Microsoft, in order to deliver them in a phased approach.

Major acknowledged the existence of Research In Motion (RIM) and Symbian, but said, "RIM's dying", and "Symbian is dead".

One of the end results is that the ACT Government can now use an approved iPad for its Cabinet meetings, which, according to Major, have essentially become paperless.

"They take an iPad in there with all their Cabinet documents they can annotate and do what they like with. All we did was we used a [Defence Signals Directorate] DSD-recommended solution to convert the iPad into a Kindle. But anyway, people are happy, and they can work with it."

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • I don't understand why anyone would want to use a personal device for work purposes. Asking a number of people in different age ranges, no one seems interested. I wonder if the bigwigs mentioned above are using devices procured for them by the departments or are truly their own.
    Knowledge Expert
    • As a contractor, I have generally not been entitled to the smaller portable devices, like a phone, though I have had client laptops at times.

      However, I have used my own phone, even entering it into the client's directory, but then it was not allowed to access the emails directly, nor was I allowed to bounce them to my private email address so my phone would notify me. I could not even bounce the headers.

      I could redirect all the calls from the Cisco work phone to my mobile, probably because it was not tied into the AD system to be able to create policies to exclude non-official numbers.

      For me it was about using my own phone, rather than two, but then I had no work info on it.

      Most people that I have seen using their own stuff were using it offline from the rest of IT, except when using VPN.
  • The gorilla in the room is Information Privacy Principles. I'm not so sure that providing arbitrarily developed acceptable usage policies is sufficient justification to blow away somebody's device when you feel the need to do so. A more elegant, user-acceptable approach is to adequately separate corporate from private data - if you don't then users will get creative and dodge the security setup you put in place.
    Also interesting to note that when the BYOD acronym is tossed around, visions of rogue blackberries and iPhones appear and when the article focusses on govvie people actually using BYODs for work, it details the use of iPads and tablets for accessing documentation which has, and always will, drive the machinery of government.
    My observations at the AusCERT conference showed Pads outnumbered handsets about 5 to 1...
    Rowan Williams