solving the BYOD riddle
the journal of Michael Werneburg
twenty-seven years and one million words
This article presents a policy that allows employees to bring their own mobile devices to work, while at the same time avoiding the security and support issues raised.
Putting it simply, people are bringing their own mobile devices to work. These devices—smartphones, tablets, even laptops—are designed to work on networks, have substantial storage capacity, and can run powerful applications. They can connect to an organization's wireless network, they can connect to a LAN, and they can be connected via systems like USB and Bluetooth to existing LAN equipment (PCs, printers, etc). And once they're outside the office they're prone to loss and theft. This combination of portability, capability, and private ownership makes mobile devices a substantial issue when it comes to securing an organization's assets.
Naturally, a security-conscious IT department—perhaps also wary of supporting countless mobile platforms—is inclined to ban the devices from the organization's network.
But employees use these devices in support of their work, doing things like staying on top of their email, managing workflow, working with documents, etc. They therefore expect that they should be able to use those devices to access company assets.
We decided to have it both ways.
Portfolio Aid is a Toronto software company that sells compliance solutions to the financial industry. We host a solution on a cloud platform that involves sensitive financial data. Moreover, we do development on some of the very platforms in question—our clients require that they use our platform on their tablets. What's more, we have contractors, vendors, and even clients in our office on a regular basis who want Internet connectivity but who are not authorized to use our LAN.
Our clients, being heavily regulated firms, require that we undergo regular audits of operations and security. We simply had to produce a policy on mobile computing, and it had to guarantee the security of our client's data while meeting all of these other demands. We'd been thrust directly into the mobile computing dilemma.
Our LAN had already been hardened with end point security policies on PCs (where Bluetooth, USB, and optical drives are disabled) as well as the usual firewalls and central control of identity and entitlements. Supporting this, we banned mobile devices from the secured company LAN, and told our employees that we would not support their devices.
Then we provided a Wi-fi network to enable mobile devices to be used in the office. The Wi-fi network is password protected, and furnished with a dedicated Internet connection. In this respect, walking into our office is very much like walking into a coffee shop. The ban on mobile devices for our company LAN is enforced by a network switch configuration that denies IP addresses to unfamiliar mobile devices as identified by their MAC address. Our IT personnel will support only those tablets our firm provides for development purposes.
With this solution, we've covered all of our requirements in a cost-effective way. Our obligations to our clients are met. Our auditors are happy. And we encourage employees to bring their own devices in a way that frees us from having to support and understand those devices, worry about their security, and cause hassles for all concerned.