A successful BYOD implementation strategy will have to include a
rigidly enforced acceptable use policy. Within regulated industries, including
medical, I believe that in order to enforce a solid acceptable use policy,
enterprises must maintain complete management control of the device, enterprise
data, and enterprise connectivity.
Enforcing enterprise standards on mobile devices generally begins with
Mobile Device Management (MDM) and Mobile Application Management (MAM) systems.
MDM/MAM systems enable enterprise administrators to remotely configure and
provision devices, install applications, troubleshoot, administer, and secure
the device, and, if required, remotely wipe the device in accordance with
established policies.
Additionally, MAM platforms enable the enterprise to implement version
control, patch enforcement, and administrative access to the applications that
are installed on the remote device. MDM and MAM are essential if mobile devices
are going to be allowed to access and utilize enterprise systems and are an
essential tool in enforcing acceptable use policies.
Because of the level of control needed to effectively implement an
access control policy that satisfies the legal, regulatory, and best-practice
requirements of the medical community, it may prove difficult to broadly
implement BYOD with existing user devices. For this reason, some organizations
are adopting a hybrid model where the enterprise develops a list of acceptable
devices and then offers them to employees at a discounted price in conjunction
with the acceptable use policy.
One of the biggest, and most publicly known, challenges of BYOD is
ensuring the security of data on the device and in transit to and from
the enterprise. Effectively securing enterprise data includes encrypting data
both at rest and in motion. Securing data at rest includes encrypting the data
on the local storage medium so that if an unauthorized user attempts to read it,
there will be nothing usable. For mobile devices, it is best to encrypt the
entire device. Data-at-rest security must also incorporate user access controls,
including effective passwords and enforced logins to the device, with
screen timeouts and logouts for inactivity.
Securing data in motion includes the use of VPN connections to the
enterprise and the use of access controls to ensure that only authorized users
and applications are able to connect. Although most mobile devices support
establishing VPNs, there are enterprise-specific capabilities available that
provide enhanced management and control of the connection and access. By
enforcing secure connections and access control in conjunction with encrypting
the data on the device, a strong level of overall data assurance can be
provided.
BYOD can be a useful and effective element in an enterprise’s overall
plan, though there are a number of precautions that should be taken to ensure
successful implementation. Sound policies, effective enforcement, and good
communication between enterprise administrators and end users will go a long
way towards getting the most out of any BYOD effort.