BYOD security: It's about company culture - not just devices

For such organisations, BYOD can be a daunting prospect. The idea of allowing employees to use their personal devices at work is revolutionary and as with any revolutionary idea, it will take some time to become accepted fully. 

The issue is that all too often devices, and device security, are being used as a scapegoat for regressive and counterproductive IT policies. It also misses the point: employees are already using their own devices at work, regardless of their businesses’ official policies on BYOD. 

 

Doing nothing is not an option

Organisations, therefore, have a clear choice: address the security challenge of BYOD now and start enjoying the benefits; or keep delaying it until such time as it is too late.

For businesses that choose a BYOD approach, the key to success lies in worrying less about the device. Device-centric approaches to security (such as mobile device management) can only ever solve the problems businesses have today – they do not provide a scalable, flexible way of securing the enterprise for the new world of mobility we are entering.

Instead, a true BYOD strategy is based on a mix of the right company culture and a robust, enterprise-wide take on security. Culturally, business executives need to be able to have complete confidence in their IT department and the technology framework they have in place to secure employee devices. Employees, meanwhile, need to rest assured that their device cannot compromise the enterprise and that, conversely, their own private data cannot be viewed by anyone in the business. 

 

A question of trust

In business, trust is never given freely; it is always earned. In the case of BYOD, it clearly must be earned through a robust security framework. The good news for businesses is that BYOD security does not need to be a leap into the unknown and nor does it need to involve investing in new, unproven niche security ‘solutions’. Instead it can be built on that stalwart of enterprise security: identity management. 

Identity management allows organisations to simplify identity lifecycle management and secure access from any device for all enterprise resources – within and beyond the firewall. Identity management allows organisations to easily extend the enterprise security layer to wherever the employee needs it to be. Businesses will thereby be able to trust BYOD devices every bit as much as corporately-owned ones due to the fact that the same robust authentication, sign-on and authorisation processes are used.

If businesses and employees are to truly trust the use of personal devices in the workplace, there needs to be a strict separation between personal and private data. Mobile device management (MDM) is great for securing information and hardware on a device, but it lacks finesse, securing everything and anything. 

This poses problems. What, for example, happens when an employee loses their device, or leaves the company? With MDM everything on the device – including their personal data – would be wiped. This means that employees can never really commit to BYOD. They cannot trust in the security solution in so far as it imperils their own data. 

 

Locking down applications

Due to this, mobile application management (MAM) is fast gaining currency. MAM delivers a secure container for application security and control that separates, protects, and wipes corporate applications and data. Crucially, it secures corporate data only: the employees’ personal data and applications are completely separate and unaffected by what goes on inside the enterprise container. This means that they can trust in the fact that none of their data will be wiped by the business – and that the business cannot accidentally see what they are doing with the device in their private lives. 

We believe the key to securing the enterprise is to embrace a more holistic attitude to security that focuses on applications and identity. With this approach, businesses can rest assured they are protected, regardless of what devices are being used. 

 

Praniti Titavunno is country director, Oracle Fusion Middleware, Oracle Corporation.