Companies are no longer asking whether or not they should embrace Bring Your Own Device (BYOD) — they're asking how.
In adopting BYOD, every company must have a policy that balances the interests of the business with those of its employees. While there's no one-size-fits-all approach to crafting a BYOD policy, a good policy does the following: gives IT access to devices while minimizing liability, prioritizes data security, recognizes the needs and rights of employees, and identifies ways the policy can be enforced.
IT access to devices
IT departments should leverage mobile virtualization and have complete manageability and visibility over devices, said Andy Chen, vice president of business development at Armor5, a cloud service provider specializing in BYOD solutions and enterprise mobile security. Such a BYOD policy would outline IT's ability to restrict, enable and block access to apps, files and activities that may pose a threat. IT should also be able to distribute apps across the organization, as well as take the necessary measures to protect company properties remotely should devices get lost or stolen.
While some companies require IT departments to remotely wipe data from devices that have been compromised, Chen says this practice risks legal liability, as proven by lawsuits filed over the issue. Instead, businesses should look at 'zero-touch' solutions that protect the companies from compliance and privacy liabilities.
"The current Mobile Device Management (MDM) and Mobile Application Management (MAM) approach requires client software to be installed on the device to create a sandbox that separates personal stuff from corporate stuff," said Chen. "Armor5 uses Web and mobile virtualization technology, and there's nothing to be installed. Hence, we call it zero-touch."
This zero-touch approach relies on a cloud service that gives users instant access to apps and data without storing information on the device. A BYOD policy like this means IT will get its "complete manageability and visibility" via the cloud, while minimizing the liability of accessing employee-owned devices.
BYOD security is two-fold: securing data and securing devices. In today's mobile landscape, the multitude of different versions of hardware, platforms and operating systems makes securing data a necessary priority.
Jason Reese, a mobile engineer who specializes in BYOD and enterprise mobility at NCR Corporation, says that while sandboxing business space from personal space on a device will remain a necessity, businesses also need to know how to mitigate security risks.
"MDM is good for corporate assets, but employees don't want MDM restrictions on their personal devices," said Reese. Yet businesses need to accommodate the different devices employees will use. This is particularly the case with Android, which currently has nearly 20 versions spread across different types of hardware.
"Employees are going to bring Android," Reese continued. "While manufacturers like Samsung are leading in security capabilities, Android is still perceived as a risk."
Reese said this makes it necessary for companies to limit access and app function based on device type, such as by establishing a BYOD policy that secures data first. "MAM and data security will continue to dominate BYOD," he said.
Employee needs and rights
While the biggest concern over BYOD is protecting company interests, a good BYOD policy also addresses employee needs and rights when it comes to their devices.
First, there are financial concerns. BYOD policies should outline who pays for devices and carrier plans, as well as whether or not employees are expected to cover additional costs that are incurred in doing their jobs. In the case of traveling employees, for example, apps could affect users financially due to data overages and roaming charges, Reese said.
Employees also have expectations, said Naeem Zafar, CEO and founder of Bitzer Mobile, an enterprise mobility solutions provider. Employees embrace BYOD because of the increased convenience and efficiency of using their preferred devices. One such convenience is the user experience, which employees want to preserve, Zafar said.
"Put all the company stuff in one location so I don't have to wonder," Zafar said, speaking from an employee's perspective. He continued, "Do not wipe my personal data and apps just because I call you. I should be able to lock or wipe [my device] if I ever lose or leave it behind."
How to Enforce BYOD Policy
As with any other company policy, there's no way to completely guarantee that everyone from end users to IT will follow the rules when it comes to BYOD. Businesses can, however, take certain measures to promote compliance.
For instance, Zafar advises companies to use Single Sign-On (SSO), an authentication process that requires users to only sign in once to access multiple applications. From an employee's standpoint, Zafar says, "IT should have SSO so I am forced to sign in to each asset if I want access to it."
Because SSO requires users to sign on to an entire system to access multiple applications, each application the employees want to use automatically forces them to identify themselves first. SSO allows IT departments to set authentication parameters within their own identity infrastructures, eliminating the need for management of multiple profiles and automatically enforcing IT manageability and visibility.
Rob Tiffany, a mobile strategist at Microsoft, also suggests businesses let employees know which devices, platforms and operating system versions meet BYOD standards. The entire point of BYOD is to allow employees to use their preferred devices, but that doesn't mean workers can use any device they want. For BYOD policies to work, organizations should establish minimum device requirements (for example, iOS 5.0 or later) that are compliant with their network and security systems.