
Security after BYOD

Editorial Type: Feature     Date: 07-2015    Views: 2204   







With BYOD now established, Robert E Stroud, past president of global IT security association ISACA, explains that we now need to logically plan how to manage it.

A 2013 study conducted by IDG Research Services found that 85 per cent of organisations support BYOD for their employees, and this number has increased significantly since then. There has been mixed coverage about employers' agreement to BYOD, which is perceived to increase end-user satisfaction. However, claims that it saves money on technology provisioning, making it more likely to be encouraged by employers, may need some clarification. That said, Gartner predicts that by 2017 half of organisations will require that employees supply their own devices for work purposes, and it will be interesting to see how that is received.

Increased acceptance and adoption is only a small part of the transformation. We are entering a post-BYOD era. Employees want to work on any device, at any time, from anywhere, so really it's becoming BYOE, or bring your own everything. If you think BYOD is complex now, just give it a few years - the landscape will be very different. We need to approach this in a disciplined fashion and stop scrambling for a last-minute approach.

POST-BYOD SECURITY POLICY
Network and security professionals have their work cut out. Keeping organisations secure in a post-BYOD world means thinking about security in new and different ways. For example, historically, controls like network segmentation and endpoint-based controls were paramount. The migration away from homogeneous endpoints makes universal controls at the endpoint harder to effect, while the increasingly porous nature of the network means perimeter segmentation is more complicated. These controls still have a role to play, but it's important to recognise that new avenues need to be sought as well.

So how do IT professionals approach security against the backdrop of the post-BYOD landscape? Recognise that security policy goals haven't necessarily changed. The policy may need to change, but the core intent holds true regardless of the technology. Consider a security policy that permits only approved users to access corporate resources. This policy is valid regardless of the technology being used, but how it is enforced may need to vary.

It's important to emphasise this because sometimes organisations create policy that is bound tightly to specific technology, for example mobile policy. I recommend reviewing existing policy for those items that can't be delivered. Also, consider BYOE and other changes, such as cloud transformation and application container proliferation, and how they could interact with BYOE in unexpected ways.

IMPROVING SECURITY VIA BYOD/BYOE?
BYOE is not all downside from a security perspective. There can be areas where you can leverage BYOE to actually improve the organisation's security profile. This isn't as bizarre as it might first sound. Most security practitioners have experienced challenges getting budget and attention to secure internal resources when the internal network is viewed as trusted. BYOE can give a solid basis to reconsider ways to more thoroughly lock down internal resources. This applies to other historical pain points too: asset management and inventorying, application performance management, incident response, application logging and auditing. If you have a pain point that was unaddressed in the past, BYOE might provide justification to address it going forward.

Moreover, BYOE can shift focus away from managing the endpoint and toward other areas. For example, authenticating users, authorising their access and logging what they do might become more important as endpoints become less trusted, especially because users originate from multiple endpoints.

I recommend that you plan ahead because the reality is that BYOE is here and more devices with more adaptable and ubiquitous usage are arriving. This means you need to revisit policy and controls - and this could benefit the organisation when organised as part of a systematic approach to managing your security program.
