5 steps to approach BYOD compliance policies
It can be difficult to ensure BYOD endpoints are compliant because IT can't configure them before they ship to users. Admins must enforce specific policies to make up for this.
Endpoint usage policies need to stay updated as users' behavior changes, especially when organizations have to deal with compliance and data protection laws.
BYOD endpoints present especially complicated challenges where organizations have to ensure all endpoints can meet data privacy and security regulations despite not owning the devices.
Develop a BYOD policy and communicate it to users
As with any security initiative, starting from a well-defined BYOD policy foundation gives the program the greatest likelihood of success. Take the time to clearly articulate the boundaries of personal device use within the enterprise. Enterprise BYOD security policies should answer the common questions about personal device use that both end users and IT professionals will raise. Here are some questions to consider:
- Who's authorized to access enterprise data from personal devices?
- Under what conditions may personal devices connect to enterprise networks?
- Does the organization require explicit approval for each BYOD instance?
Build BYOD policies around user needs, if possible
Setting BYOD policies in an IT silo tends to be counterproductive in the end, especially as more workers are outside the traditional network of endpoints. Work to build alliances and partnerships with workers in business units to set a positive foundation for the BYOD initiative. Resist the pull of giving HR an outsized voice as employee representatives in BYOD policy creation and maintenance.
Rather, treat HR as any other business unit. The reason is that IT departments want unfiltered and firsthand feedback from the people affected about how BYOD policies influence their productivity. Building relationships with end users also improves that feedback loop, because IT will learn which policies are working and which are hindering productivity.
5 steps to manage BYOD security policies and stay compliant
Simply establishing BYOD security policies isn't sufficient to meet mobile device compliance obligations. Users must follow the requirements of the policy, and this is only possible if they're familiar with the policy details in the first place. That's where training and awareness efforts come into play.
BYOD training and subsequent personal device onboarding should become part of employee onboarding if it's not already. Current employees who opt in to the BYOD program later should receive more extensive training on what the policy allows and prohibits. At a minimum, every employee should know BYOD security policies exist and they should consult IT staff before using personal devices for work.
It's important to be realistic with BYOD policy decisions, which might include limiting the mobile OSes that IT can support without falling out of compliance. For example, if users work in financial services or healthcare, IT may want to restrict BYOD users to one mobile OS. This will make it easier to support mobile device compliance and not overwhelm the security team.
1. Implement MDM
Mobile device management (MDM) platforms offer the ability to conduct policy-based management of mobile devices. MDM offerings enforce corporate security requirements, such as encrypting device contents, requiring a passcode to access the device, locking certain apps behind a passcode and facilitating the remote wiping of lost or stolen phones and tablets. Some MDM products also allow IT staff to specify the applications that may run on a device or those that may access sensitive corporate information.
Leading third-party MDMs today include Jamf Pro, Kandji and Esper. An organization should install and configure an MDM for BYOD devices to meet its compliance obligations and fit within the constraints of the corporate culture. Quite often this translates into a back-and-forth between users and IT about which device policies an employer may implement on employees' personal devices.
Having an MDM in place to implement a BYOD program enables IT to establish policies on enrolled devices, such as the following:
- Require the device be running the latest mobile OS and security updates without depending on users doing it themselves.
- Require strong and unique passwords or even multifactor authentication for device access.
- Enforce encryption on all devices to protect sensitive corporate data both at rest and in transit.
- Enable remote wipe capabilities on devices that connect within the corporate network.
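As an added example (not code from the article or from any MDM vendor), a small Python check that evaluates a constructed device inventory against the four policies above and reports every device that violates one; the record fields and the "latest OS" baselines are assumptions, since a real check would read both from the MDM and the OS vendor.

```python
# Added example, not code from the article or any MDM vendor: evaluate a
# constructed device inventory against the four BYOD policies listed above.
# Field names and the "latest OS" baselines are hypothetical assumptions.
from dataclasses import dataclass

LATEST_OS = {"ios": (17, 5), "android": (14, 0)}  # assumed current baselines
MIN_PASSCODE_LEN = 8


@dataclass
class Device:
    device_id: str
    os_name: str       # "ios" or "android" (hypothetical MDM values)
    os_version: str    # dotted version string as an MDM might report it
    passcode_len: int  # 0 means no passcode is set
    encrypted: bool
    remote_wipe: bool


def parse_version(text):
    """Turn '17.4.1' into (17, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_device(dev):
    """Return the policy violations for one device (empty list = compliant)."""
    findings = []
    baseline = LATEST_OS.get(dev.os_name)
    if baseline is None:
        findings.append("unsupported OS")            # only supported OSes enrol
    elif parse_version(dev.os_version) < baseline:
        findings.append("OS not current")            # policy 1: latest OS/updates
    if dev.passcode_len < MIN_PASSCODE_LEN:
        findings.append("weak or missing passcode")  # policy 2: strong auth
    if not dev.encrypted:
        findings.append("device not encrypted")      # policy 3: encryption
    if not dev.remote_wipe:
        findings.append("remote wipe disabled")      # policy 4: remote wipe
    return findings


def audit(devices):
    """Map device_id -> violations for every non-compliant device."""
    return {d.device_id: f for d in devices if (f := check_device(d))}


# Constructed sample inventory, not real enrollment data.
SAMPLE_DEVICES = [
    Device("byod-001", "ios", "17.5", 8, True, True),
    Device("byod-002", "android", "13.0", 4, True, False),
    Device("byod-003", "harmonyos", "4.0", 10, False, True),
]
```

Calling `audit(SAMPLE_DEVICES)` returns only the two non-compliant records with their specific findings, which is the shape of report an auditor wants to hand back to device owners.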
IT must also prepare for employees who may not want an MDM client on their personal devices and respect their decision. Come up with equitable options depending on the organization's culture and internal politics.
2. Segregate data with containerization and virtualization
One of the greatest challenges for BYOD in organizations is protecting corporate information without adversely affecting personal use of the device. After all, employees are unlikely to react well to stringent corporate security requirements when they target the device they use for non-work tasks. Organizations can approach this segregation issue using containerization or virtualization to separate corporate data and apps from the user's personal data. These technologies help mitigate the risk of data leakage and enable the easy removal of any corporate resources without impact on personal data.
If an organization is subject to strict compliance obligations such as HIPAA or the Sarbanes-Oxley Act, it may choose to approach BYOD through the use of application containerization. Samsung Knox is perhaps the best-known application containerization technology on the market right now.
With this approach, employees working with enterprise data on a personal device will access that data through a secure container that lives as an application on the device. When the employee opens the application, they may access corporate information through the application's interface. When the application closes, it deletes all enterprise information from the device, removing the need for restrictions during users' personal tasks and communications. Enterprise organizations may view this approach as a secure island on an otherwise unmanaged personal device.
3. Factor generative AI into a BYOD compliance plan
The recent release of ChatGPT for iOS raises the question of how much AI will factor into the future of BYOD security and compliance. Organizations that ban generative AI on corporate-owned IT will be able to implement this policy easily. However, organizations that implement BYOD will need to work with IT and security teams to assess the potential risks of generative AI apps running on BYOD endpoints. The risks of running these apps on an endpoint that can access business data include data leakage and otherwise sharing company data or content with the program.
Either way, it means setting restrictive MDM policies on employee-owned devices. That may raise some pushback from employees who want to have generative AI apps or services on their devices.
4. Conduct regular risk assessments
Regularly assess the risks associated with a BYOD implementation to address new or overlooked issues. Identify potential threats, vulnerabilities and compliance gaps. The risk assessment strategy should include evaluating network infrastructure, data storage, access controls and user behavior.
5. Audit regularly and practice continuous improvement
No matter what approach an organization chooses for handling BYOD issues, it should regularly audit the reality of its IT operations against stated BYOD security policies. Even if an organization prohibits BYOD entirely, its security team should take steps to verify that only corporate-owned devices connect to enterprise networks. Organizations that allow BYOD should verify that BYOD users operate within the bounds of enterprise computing policies and external compliance obligations.
Organizations that conduct regular BYOD audits can hone and improve BYOD security policies and practices continuously. They can combine the results of these audits with user feedback to improve both the creation and the ongoing management of security policies.
Remember the words of Ronald Reagan during the Cold War: "Trust, but verify." Organizations that follow this approach will find it is possible to balance the desires of end users for BYOD with the organization's compliance requirements.