Recently there has been a great deal of discussion, driven by the continued budget limitations in organizations, about the concept of bring your own device (BYOD). Utilizing employee-owned devices as an organization's vessel to deliver virtual workspaces, and leveraging personal investments in technology to save on budgets, isn't a bad concept. From the perspective of an employee, they can now use whatever hardware they choose, and in some cases whatever operating system as well. The employee can have one device to carry, the personal satisfaction of making their own choice of device, and the ability to administer their own machine. Wait! Is that a good idea? Most organizations restrict the ability to administer local computers for many security reasons, but there is also the IT support aspect. Who is going to support this army of employees with personal hardware, software, etc.? Geek Squad?
In a perfect world, let's assume that the employees can self-support just fine. Now, what about the policies? The organizations that are developing these BYOD environments are also having to sit down and evaluate all the policies and compliance issues that may arise. As David Wilson wrote in his blog post Technology and the Workplace: BYOD:
"… a policy in place and do it now. Don't just throw something together piecemeal as you go along, do it right."
Organizations need to start with policies around the physical device: minimum requirements have to be published for interoperability with corporate systems. Next come policies around device maintenance and uptime. What are the requirements for the user to ensure their hardware and software are up and available for a workday? A general guideline for system maintenance also needs documentation, including how much troubleshooting the corporate helpdesk should extend and to which types of devices and operating systems.
This is just the tip of the iceberg when working through these types of decisions. The security team needs to be involved in application testing to ensure the host is isolated completely from the corporate network and acts only as a pass-through. The security team also needs to evaluate what types of data can or should be accessed from these devices. Should a person on their iPad on an airport network be able to access the most critical organizational information? (Not that this is only a BYOD discussion.)
Like all concepts, BYOD isn't terrible, and as IT and security professionals we should all embrace the fact that it is already occurring in the environments we work for or with right now, as people bring in their personal devices with and without permission. The time to take a look and define the organization's thresholds for acceptance is now. At the very least, begin the discussion with Legal, IT, Operations, and Finance.